Problem with efa as an open relay

General eFa discussion
cryptz
Posts: 16
Joined: 18 Mar 2016 21:28

Problem with efa as an open relay

Post by cryptz »

So I just redeployed this a few days ago on CentOS 8. This is the first time I have encountered this issue, and I have been using eFa for about 4 years. I am sure my relay settings have not changed. I am curious, though, what could be causing this.

Basically the logs say mail received from localhost, and then the public foreign IP is listed.

My mail relay settings permit 3 internal host names (which have their IPs in the /etc/hosts file) and then the internal IP of my mail server. From the logs it doesn't look like eFa thinks the messages are being sent by anything in my relay list.

The only thought I had was that perhaps the DNS lookups are failing and things are incorrectly being associated with the FQDNs I entered? What would be the suggested way to troubleshoot this? At the moment I have the appliance off to stop the outbound spam it's sending.
cryptz
Posts: 16
Joined: 18 Mar 2016 21:28

Re: Problem with efa as an open relay

Post by cryptz »

Here is an example of a message; of note, it lists them as an authenticated sender. I am not sure by what mechanism that would be the case. It is the system admin email; is there some bug there where they can simply specify that From email and the system allows it? Otherwise I am not sure what mechanism is in place to authenticate them as an authorized sender.

Received: from localhost ([23.129.64.185] [23.129.64.185])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(no client certificate requested) (Authenticated sender: cryptz)
by SMTP.Cryptz.com (MailScanner Milter) with SMTP id 4CLQKk4QWPzGtGrV;
Tue, 27 Oct 2020 17:47:40 -0400 (EDT)
DMARC-Filter: OpenDMARC Filter v1.3.2 SMTP.Cryptz.com 4CLQKk4QWPzGtGrV
Authentication-Results: SMTP.Cryptz.com; dmarc=none (p=none dis=none) header.from=cryptz.com
Authentication-Results: SMTP.Cryptz.com; spf=fail smtp.mailfrom=cryptz@cryptz.com
DKIM-Filter: OpenDKIM Filter v2.11.0 SMTP.Cryptz.com 4CLQKk4QWPzGtGrV
MIME-Version: 1.0
Date: Tue, 27 Oct 2020 22:47:30 +0100
Message-ID: <96D457DDDB56CC678050DE2393BDC2AEAA918B1A@unknown>
Content-Type: multipart/mixed; boundary="------------050604040102010007030507"
X-Priority: 3 (Normal)
From: "Lady Olgusya" <cryptz@cryptz.com>
To: grosch_manuel@web.de
Subject: Hi my friend
cryptz
Posts: 16
Joined: 18 Mar 2016 21:28

Re: Problem with efa as an open relay

Post by cryptz »

So I wanted to test and make sure I wasn't an open relay. I performed the following from a machine on my network, but outside of the trusted subnet:

220 SMTP.Cryptz.com ESMTP Postfix
helo me
250 SMTP.Cryptz.com
mail from:cryptz@cryptz.com
250 2.1.0 Ok
rcpt to:cryptz@weeee.com
554 5.7.1 <cryptz@weeee.com>: Relay access denied

auth login
503 5.5.1 Error: authentication not enabled

So I'm curious: how can the example email I provided, with a source of 23.129.64.185, state it's authenticated as cryptz?
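The question in the last two posts is what the Received header actually tells you: who connected, whether that address is on the relay list, and whether "Authenticated sender" was set. The script below is an added example, not code from eFa or from anyone in this thread. It re-parses the header and Authentication-Results lines exactly as posted above and checks them against a trusted-relay list; the 192.168.10.0/24 network is a placeholder, since the post names three internal hosts and an internal mail-server IP without giving them. Note that it deliberately ignores the HELO name ("from localhost") for trust decisions, because that string is chosen by the client; only the bracketed connecting address is evaluated.

```python
"""Triage of a Received header against a trusted-relay list.

Added example; not code from the eFa project or from the thread.  The header and
Authentication-Results lines are copied from the sample message posted above; the
trusted network below is a placeholder, because the post does not give the real
relay hosts or internal IP.
"""
import ipaddress
import re

RECEIVED = (
    "Received: from localhost ([23.129.64.185] [23.129.64.185])\n"
    "\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n"
    "\t(no client certificate requested) (Authenticated sender: cryptz)\n"
    "\tby SMTP.Cryptz.com (MailScanner Milter) with SMTP id 4CLQKk4QWPzGtGrV;\n"
    "\tTue, 27 Oct 2020 17:47:40 -0400 (EDT)"
)
AUTH_RESULTS = [
    "Authentication-Results: SMTP.Cryptz.com; dmarc=none (p=none dis=none) header.from=cryptz.com",
    "Authentication-Results: SMTP.Cryptz.com; spf=fail smtp.mailfrom=cryptz@cryptz.com",
]

# Placeholder for the relay list (assumption, not the poster's real networks).
TRUSTED_NETWORKS = [ipaddress.ip_network("192.168.10.0/24")]

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(header: str) -> str:
    """Join RFC 5322 folded continuation lines into one logical line."""
    return re.sub(r"\r?\n[ \t]+", " ", header).strip()


def parse_received(header: str) -> dict:
    """Pull the fields that matter for relay triage out of one Received header.

    The HELO name ("from ...") is supplied by the client and is never used for
    trust decisions; only the bracketed connecting address is.
    """
    line = unfold(header)
    helo = re.search(r"^Received:\s*from\s+(\S+)", line)
    ip = IPV4_IN_BRACKETS.search(line)
    by = re.search(r"\bby\s+(\S+)", line)
    auth = re.search(r"\(Authenticated sender:\s*([^)]+)\)", line)
    tls = re.search(r"\(using\s+(\S+)\s+with cipher", line)
    return {
        "helo": helo.group(1) if helo else None,
        "client_ip": ip.group(1) if ip else None,
        "by": by.group(1) if by else None,
        "authenticated_sender": auth.group(1).strip() if auth else None,
        "tls": tls.group(1) if tls else None,
    }


def parse_auth_results(lines) -> dict:
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    verdicts = {}
    for line in lines:
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", line):
            verdicts[method] = verdict
    return verdicts


def to_address(ip_str):
    """Parse a dotted-quad string; None for a missing or malformed address."""
    try:
        return ipaddress.ip_address(ip_str) if ip_str else None
    except ValueError:
        return None


def is_trusted(addr) -> bool:
    """Loopback or a configured internal network may relay; nothing else."""
    return addr is not None and (addr.is_loopback or any(addr in n for n in TRUSTED_NETWORKS))


def assess(received: dict, auth: dict) -> list:
    """Return (code, message) findings; an empty list means nothing suspicious."""
    findings = []
    addr = to_address(received["client_ip"])
    trusted = is_trusted(addr)
    if not trusted:
        findings.append(("UNTRUSTED_CLIENT",
                         f"connecting address {received['client_ip']} is not a trusted relay"))
    if received["helo"] == "localhost" and addr is not None and not addr.is_loopback:
        findings.append(("HELO_MISMATCH",
                         "client claimed HELO 'localhost' from a non-loopback address"))
    if received["authenticated_sender"] and not trusted:
        findings.append(("AUTH_FROM_UNTRUSTED",
                         f"submission authenticated as '{received['authenticated_sender']}' "
                         "from an untrusted address: treat the credential as compromised"))
    if auth.get("spf") == "fail":
        findings.append(("SPF_FAIL", "envelope sender fails SPF for its domain"))
    return findings


if __name__ == "__main__":
    for code, msg in assess(parse_received(RECEIVED), parse_auth_results(AUTH_RESULTS)):
        print(f"{code}: {msg}")
```

Run against the posted header it reports all four findings; the one that matters for the thread is AUTH_FROM_UNTRUSTED: the message did not get in through the relay list at all, it was accepted as an authenticated submission from a public address, which points at the account rather than at the relay configuration.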
shawniverson
Posts: 3649
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Problem with efa as an open relay

Post by shawniverson »

Your system appears to be locally compromised.
cryptz
Posts: 16
Joined: 18 Mar 2016 21:28

Re: Problem with efa as an open relay

Post by cryptz »

Shawn, can you elaborate -- I get what you are implying, but it doesn't seem to be the case that the mail is being sent from the local box; I see the remote IP etc. I just set this up and am not sure what would really be wrong with it.

One thing to mention is that when I installed CentOS I created a local user (not root), and I did make that same username the web login. Typically I haven't done that in the past.

I am in the process of setting the box back up, but what exactly can I look for on the local system?

What exactly does the authenticated sender indicate in this case? How would one go about authing that account if SMTP auth isn't enabled?
cryptz
Posts: 16
Joined: 18 Mar 2016 21:28

Re: Problem with efa as an open relay

Post by cryptz »

I set the box back up from scratch (again, the previous system was only set up for about 3 days). The web user is unique and does not have a local account. Is there any way that was somehow the issue? All creds are unique, so I will let you know.

I would like to have a better understanding of the auth in the example email i provided though. Can you let me know what that might imply?
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Problem with efa as an open relay

Post by pdwalker »

I'm just looking over the mail headers, and from what I can see, somebody from 23.129.64.18 was able to use your server (SMTP.Cryptz.com / 24.229.7.147) and authenticate as user cryptz.

So, did your machine have a user called "cryptz" on your system? Was the password compromised? That'd be my guess.

Anyway, without access to the relevant logs, it'll be hard to work out what actually happened.
cryptz
Posts: 16
Joined: 18 Mar 2016 21:28

Re: Problem with efa as an open relay

Post by cryptz »

Yes, there was a local user with that name, but only SMTP was open to the box, and like I showed in my screenshot SMTP auth was disabled, so I'm trying to figure out what authentication methods were even possible.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Problem with efa as an open relay

Post by pdwalker »

Without having access to your box at the time it was compromised, it's very hard to guess.

Keep your local user accounts to a minimum.

Use strong passwords.

Implement "fail2ban" to protect your login accounts.
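Both of pdwalker's points, that the mail log is what would have shown how the account was used, and that fail2ban is the usual protection for login accounts, come down to the same check: count authentication failures per source address in a sliding window, and treat a success that follows a run of failures from the same address as a probable credential compromise. The script below is an added example of that logic, not code from eFa, fail2ban or anyone in the thread. The log lines are constructed samples in Postfix smtpd syslog format using documentation addresses (203.0.113.x, 198.51.100.x), not logs from the poster's system.

```python
"""Fail2ban-style sliding-window detection over SMTP authentication log lines.

Added example; not code from eFa, fail2ban or the thread.  The log lines are
constructed samples in Postfix smtpd syslog format (documentation addresses),
not logs from the poster's system.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
Oct 27 17:40:01 smtp postfix/smtpd[2201]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 27 17:40:03 smtp postfix/smtpd[2201]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 27 17:40:05 smtp postfix/smtpd[2201]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 27 17:40:09 smtp postfix/smtpd[2201]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 27 17:40:12 smtp postfix/smtpd[2201]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 27 17:41:30 smtp postfix/smtpd[2203]: A1B2C3D4E5: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=cryptz
Oct 27 17:42:00 smtp postfix/smtpd[2205]: B2C4D6E8F0: client=workstation.internal[192.168.10.21], sasl_method=LOGIN, sasl_username=alice
Oct 27 17:45:00 smtp postfix/smtpd[2210]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 27 18:30:00 smtp postfix/smtpd[2215]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

TS = r"(\w{3} +\d{1,2} \d\d:\d\d:\d\d)"
FAIL_RE = re.compile(
    TS + r" \S+ postfix/smtpd\[\d+\]: warning: [^\s\[]+\[([\d.]+)\]: SASL \w+ authentication failed")
SUCCESS_RE = re.compile(
    TS + r" \S+ postfix/smtpd\[\d+\]: \w+: client=[^\s\[]+\[([\d.]+)\], sasl_method=\w+, sasl_username=(\S+)")


def _ts(text: str) -> datetime:
    # Syslog timestamps carry no year; only differences between them are used.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def parse_line(line: str):
    """Return {"ts", "ip", "event", "user"} for an auth line, else None."""
    m = FAIL_RE.match(line)
    if m:
        return {"ts": _ts(m.group(1)), "ip": m.group(2), "event": "fail", "user": None}
    m = SUCCESS_RE.match(line)
    if m:
        return {"ts": _ts(m.group(1)), "ip": m.group(2), "event": "success", "user": m.group(3)}
    return None


def detect(log: str, maxretry: int = 5, findtime: int = 600) -> dict:
    """Walk the log once.

    An address is "banned" the moment maxretry failures fall inside findtime
    seconds (the fail2ban parameters of the same names).  A successful login
    from an address that failed within the preceding findtime seconds is
    recorded as suspicious, whether or not it reached the ban threshold.
    """
    recent = defaultdict(deque)     # ip -> failure timestamps inside the window
    all_fails = defaultdict(list)   # ip -> every failure timestamp seen
    bans = {}                       # ip -> time the threshold was crossed
    suspicious = []                 # (ip, user, ts) successes preceded by failures
    for line in log.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["event"] == "fail":
            all_fails[ip].append(ts)
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > findtime:
                q.popleft()
            if len(q) >= maxretry and ip not in bans:
                bans[ip] = ts
        else:
            prior = [t for t in all_fails[ip] if 0 <= (ts - t).total_seconds() <= findtime]
            if prior:
                suspicious.append((ip, ev["user"], ts))
    return {"bans": bans, "suspicious_logins": suspicious}


if __name__ == "__main__":
    result = detect(SAMPLE_LOG)
    for ip, when in result["bans"].items():
        print(f"ban {ip} at {when:%H:%M:%S}")
    for ip, user, when in result["suspicious_logins"]:
        print(f"success for '{user}' from {ip} at {when:%H:%M:%S} after recent failures")
```

On the sample, 203.0.113.7 crosses the default threshold on its fifth failure and then logs in as cryptz ninety seconds later, which is the pattern a compromised password leaves behind; the two failures from 198.51.100.9 are 45 minutes apart and never accumulate, and the internal login by alice is untouched. The same windowing is what a fail2ban jail would apply, with the ban enforced in the firewall instead of just reported.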