From: Victor Duchovni (Victor.DuchovniMorganStanley.com)
Date: Mon Oct 01 2007 - 16:17:49 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Oct 01, 2007 at 11:11:54PM +0200, Eddy Ilg wrote:

> Hi,
>
> our mailserver is filling it's queue with mails that it should not
> accept. E.g.:
> sender: staton.77128yahoo.com.jp
> recipient: jensenchms34.hinet.net

The vast majority of similar cases are HTTP feedback forms, or other
insecure CGI scripts. Logs reveal how the email enters your system.

> Received: by mail.dextermedia.net (Postfix, from userid 1001)
> id 082E98062CC; Sat, 29 Sep 2007 14:37:42 +0200 (CEST)

This message arrived via a local submission from user "1001", not
via SMTP. Likely this is a web-server application account.

To plug the leak while you look more closely:

        authorized_submit_users = !login1001, static:all

where "login1001" is the login name in /etc/passwd that goes with
uid 1001.

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:majordomopostfix.org?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]