sfp does not work, please advise

H

hoanv9

Active Member
Apr 15, 2020
47
6
28
44
Hi,
Today my email system have a lot of fake email, the user send email to himself and here is the log in proxmox
I am not sure why there are not spf check in the log event i checked Use SPF
Thanks.

Dec 22 13:30:05 proxmox2 postfix/smtpd[18199]: connect from unknown[221.157.187.72]
Dec 22 13:30:06 proxmox2 postfix/smtpd[18199]: 0FF26381459: client=unknown[221.157.187.72]
Dec 22 13:30:06 proxmox2 postfix/cleanup[15742]: 0FF26381459: message-id=<5FE210D5.1030908@mydomain.com>
Dec 22 13:30:06 proxmox2 postfix/qmgr[1156]: 0FF26381459: from=<useremail@mydomain.com>, size=12307, nrcpt=1 (queue active)
Dec 22 13:30:06 proxmox2 pmg-smtp-filter[19011]: 38060B5FE1926E64106: new mail message-id=<5FE210D5.1030908@mydomain.com>#012
Dec 22 13:30:06 proxmox2 postfix/smtpd[18199]: disconnect from unknown[221.157.187.72] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Dec 22 13:30:15 proxmox2 pmg-smtp-filter[19011]: 38060B5FE1926E64106: SA score=6/5 time=9.371 bayes=0.19 autolearn=no autolearn_force=no hits=BAYES_20(-0.001),BITCOIN_SPAM_02(1.381),DATE_IN_FUTURE_06_12(1.947),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),NO_FM_NAME_IP_HOSTN(1.569),PDS_BTC_ID(0.499),RCVD_IN_XBL(0.375),RDNS_NONE(0.793),T_SPF_TEMPERROR(0.01)
Dec 22 13:30:15 proxmox2 postfix/smtpd[13882]: connect from localhost.localdomain[127.0.0.1]
Dec 22 13:30:15 proxmox2 postfix/smtpd[13882]: C6A8A380212: client=localhost.localdomain[127.0.0.1], orig_client=unknown[221.157.187.72]
Dec 22 13:30:15 proxmox2 postfix/cleanup[14524]: C6A8A380212: message-id=<5FE210D5.1030908@mydomain.com>
Dec 22 13:30:15 proxmox2 postfix/qmgr[1156]: C6A8A380212: from=<useremail@mydomain.com>, size=13258, nrcpt=1 (queue active)
Dec 22 13:30:15 proxmox2 postfix/smtpd[13882]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Dec 22 13:30:15 proxmox2 pmg-smtp-filter[19011]: 38060B5FE1926E64106: accept mail to <useremail@mydomain.com> (C6A8A380212) (rule: Whitelist)
Dec 22 13:30:15 proxmox2 pmg-smtp-filter[19011]: 38060B5FE1926E64106: processing time: 9.455 seconds (9.371, 0.012, 0)
Dec 22 13:30:15 proxmox2 postfix/lmtp[17496]: 0FF26381459: to=<useremail@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=9.8, delays=0.34/0/0/9.5, dsn=2.5.0, status=sent (250 2.5.0 OK (38060B5FE1926E64106))
Dec 22 13:30:15 proxmox2 postfix/qmgr[1156]: 0FF26381459: removed
Dec 22 13:30:15 proxmox2 postfix/smtp[19087]: C6A8A380212: to=<useremail@mydomain.com>, relay=192.168.110.27[192.168.110.27]:25, delay=0.09, delays=0.05/0/0/0.04, dsn=2.0.0, status=sent (250 Message accepted for delivery)
Dec 22 13:30:15 proxmox2 postfix/qmgr[1156]: C6A8A380212: removed
 
Last edited:
hoanv9 said:
I am not sure why there are not spf check in the log event i checked Use SPF
Click to expand...
have you setup spf for your domain? - please share the SPF txt-record for mydomain.com

else does DNS work on your PMG installation? - T_SPF_TEMPERROR might indicate a problem with your DNS configuration

finally the message got quite a high spamassassin score: 6 - you could consider dropping such mails in the rule-system

I hope this helps!
 
  • Like
Reactions: hoanv9
I found the the problem with the architecture. Now I nat the Promox to internet with port 25, relay to internal server with trusted IP.
The problem is any one from outside can telnet to the proxmox with port 25, send the email without authentication. How can I stop it?
 
hoanv9 said:
The problem is any one from outside can telnet to the proxmox with port 25, send the email without authentication. How can I stop it?
Click to expand...
The external port of PMG should be available on the public internet (via NAT or directly) - else you cannot receive mail for your domains and relaying them to your internal IP?!
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#chapter_deployment

If you want to relay outbound mail (from a trusted internal system to the internet) - the mail needs to be delivered to the internal port of PMG (default port 26)

Authentication is not used in PMG (and SMTP from the outside world does not use authentication)

I hope this explains it!
 
Stoiko Ivanov said:
The external port of PMG should be available on the public internet (via NAT or directly) - else you cannot receive mail for your domains and relaying them to your internal IP?!
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#chapter_deployment

If you want to relay outbound mail (from a trusted internal system to the internet) - the mail needs to be delivered to the internal port of PMG (default port 26)

Authentication is not used in PMG (and SMTP from the outside world does not use authentication)

I hope this explains it!
Click to expand...
Thx so much.
My system use Proxmox as mailgateway (receive email only, no need to send email). Now I found that the attacker telnet to port 25 of Promox and send email without authentication. Can we stop that?
 
hoanv9 said:
Now I found that the attacker telnet to port 25 of Promox and send email without authentication.
Click to expand...
If you want to receive mail from the internet - then this is ok - SMTP does work via port 25, without authentication

just make sure that you expose the external port of PMG, and that you have correctly configured your relay domains and trusted networks
 
Last edited:
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom