Sicherheitsluecke, spam Moeglichkeit in postfix/dovecot ?

Christoph P.U. Kukulies kuku at kukulies.org
Di Okt 13 09:48:20 CEST 2015 

Mein Server (postfix/dovecot)
root@/var/log# dpkg --list | grep dov
ii  dovecot-core 1:2.2.9-1ubuntu2.1                   i386         
secure POP3/IMAP server - core files
ii  dovecot-imapd 1:2.2.9-1ubuntu2.1                   i386         
secure POP3/IMAP server - IMAP daemon
ii  dovecot-lmtpd 1:2.2.9-1ubuntu2.1                   i386         
secure POP3/IMAP server - LMTP server
ii  dovecot-mysql 1:2.2.9-1ubuntu2.1                   i386         
secure POP3/IMAP server - MySQL support

ii  postfix 2.11.0-1ubuntu1                      i386         
High-performance mail transport agent
ii  postfix-mysql 2.11.0-1ubuntu1                      i386         
MySQL map support for Postfix

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.3 LTS"

wurde gestern blackgelistet bei abusix.com.

Mein mail.log zeigt Folgendes:

Oct 11 14:18:29 myserver postfix/smtpd[28438]: connect to subsystem 
public/cleanup
Oct 11 14:18:29 myserver postfix/smtpd[28438]: public/cleanup socket: 
wanted attribute: queue_id
Oct 11 14:18:29 myserver postfix/smtpd[28438]: input attribute name: 
queue_id
Oct 11 14:18:29 myserver postfix/smtpd[28438]: input attribute value: 
72A291AC2BB
Oct 11 14:18:29 myserver postfix/smtpd[28438]: public/cleanup socket: 
wanted attribute: (list terminator)
Oct 11 14:18:29 myserver postfix/smtpd[28438]: input attribute name: (end)
Oct 11 14:18:29 myserver postfix/smtpd[28438]: send attr flags = 178
Oct 11 14:18:29 myserver postfix/smtpd[28438]: 72A291AC2BB: 
client=unknown[183.88.25.99], sasl_method=PLAIN, 
sasl_username=kuku at myserver.org
Oct 11 14:18:29 myserver postfix/smtpd[28438]: > unknown[183.88.25.99]: 
250 2.1.5 Ok
Oct 11 14:18:29 myserver postfix/smtpd[28438]: < unknown[183.88.25.99]: DATA
Oct 11 14:18:29 myserver postfix/smtpd[28438]: > unknown[183.88.25.99]: 
354 End data with <CR><LF>.<CR><LF>
Oct 11 14:18:31 myserver postfix/cleanup[28460]: 72A291AC2BB: 
message-id=<A4FBB24A-6D53-4CB2-A868-2894C6BED06E at myserver.org>
Oct 11 14:18:31 myserver postfix/qmgr[1317]: 72A291AC2BB: 
from=<prafle at myserver.org>, size=647, nrcpt=1 (queue active)
Oct 11 14:18:31 myserver postfix/smtpd[28438]: public/cleanup socket: 
wanted attribute: status
Oct 11 14:18:31 myserver postfix/smtpd[28438]: input attribute name: status
Oct 11 14:18:31 myserver postfix/smtpd[28438]: input attribute value: 0
Oct 11 14:18:31 myserver postfix/smtpd[28438]: public/cleanup socket: 
wanted attribute: reason
Oct 11 14:18:31 myserver postfix/smtpd[28438]: input attribute name: reason
Oct 11 14:18:31 myserver postfix/smtpd[28438]: input attribute value: (end)
Oct 11 14:18:31 myserver postfix/smtpd[28438]: public/cleanup socket: 
wanted attribute: (list terminator)
Oct 11 14:18:31 myserver postfix/smtpd[28438]: input attribute name: (end)
Oct 11 14:18:31 myserver postfix/smtpd[28438]: > unknown[183.88.25.99]: 
250 2.0.0 Ok: queued as 72A291AC2BB
Oct 11 14:18:32 myserver postfix/smtpd[28438]: < unknown[183.88.25.99]: 
MAIL FROM:<irish_brenda at myserver.org>
Oct 11 14:18:32 myserver postfix/smtpd[28438]: extract_addr: input: 
<irish_brenda at myserver.org>
Oct 11 14:18:32 myserver postfix/smtpd[28438]: smtpd_check_addr: 
addr=irish_brenda at myserver.org
Oct 11 14:18:32 myserver postfix/smtpd[28438]: send attr request = rewrite
Oct 11 14:18:32 myserver postfix/smtpd[28438]: send attr rule = local
Oct 11 14:18:32 myserver postfix/smtpd[28438]: send attr address = 
irish_brenda at myserver.org
Oct 11 14:18:32 myserver postfix/smtpd[28438]: private/rewrite socket: 
wanted attribute: flags
Oct 11 14:18:32 myserver postfix/smtpd[28438]: input attribute name: flags
Oct 11 14:18:32 myserver postfix/smtpd[28438]: input attribute value: 0
Oct 11 14:18:32 myserver postfix/smtpd[28438]: private/rewrite socket: 
wanted attribute: address
Oct 11 14:18:32 myserver postfix/smtpd[28438]: input attribute name: address
Oct 11 14:18:32 myserver postfix/smtpd[28438]: input attribute value: 
irish_brenda at myserver.org
Oct 11 14:18:32 myserver postfix/smtpd[28438]: private/rewrite socket: 
wanted attribute: (list terminator)
Oct 11 14:18:32 myserver postfix/smtpd[28438]: input attribute name: (end)
Oct 11 14:18:32 myserver postfix/smtpd[28438]: rewrite_clnt: local: 
irish_brenda at myserver.org -> irish_brenda at myserver.org
Oct 11 14:18:32 myserver postfix/smtpd[28438]: send attr request = resolve
Oct 11 14:18:32 myserver postfix/smtpd[28438]: send attr sender =
Oct 11 14:18:32 myserver postfix/smtpd[28438]: send attr address = 
irish_brenda at myserver.org
Oct 11 14:18:32 myserver postfix/smtpd[28438]: private/rewrite socket: 
wanted attribute: flags
Oct 11 14:18:32 myserver postfix/smtpd[28438]: input attribute name: flags
Oct 11 14:18:32 myserver postfix/smtpd[28438]: input attribute value: 0
Oct 11 14:18:32 myserver postfix/smtpd[28438]: private/rewrite socket: 
wanted attribute: transport
Oct 11 14:18:32 myserver postfix/smtpd[28438]: input attribute name: 
transport
Oct 11 14:18:32 myserver postfix/smtpd[28438]: input attribute value: lmtp
Oct 11 14:18:32 myserver postfix/smtpd[28438]: private/rewrite socket: 
wanted attribute: nexthop
Oct 11 14:18:32 myserver postfix/smtpd[28438]: input attribute name: nexthop
Oct 11 14:18:32 myserver postfix/smtpd[28438]: input attribute value: 
unix:private/dovecot-lmtp
Oct 11 14:18:32 myserver postfix/smtpd[28438]: private/rewrite socket: 
wanted attribute: recipient
Oct 11 14:18:32 myserver postfix/smtpd[28438]: input attribute name: 
recipient
Oct 11 14:18:32 myserver postfix/smtpd[28438]: input attribute value: 
irish_brenda at myserver.org
Oct 11 14:18:32 myserver postfix/smtpd[28438]: private/rewrite socket: 
wanted attribute: flags
Oct 11 14:18:32 myserver postfix/smtpd[28438]: input attribute name: flags
Oct 11 14:18:32 myserver postfix/smtpd[28438]: input attribute value: 1024
Oct 11 14:18:32 myserver postfix/smtpd[28438]: private/rewrite socket: 
wanted attribute: (list terminator)
Oct 11 14:18:32 myserver postfix/smtpd[28438]: input attribute name: (end)
Oct 11 14:18:32 myserver postfix/smtpd[28438]: resolve_clnt: `' -> 
`irish_brenda at myserver.org' -> transp=`lmtp' 
host=`unix:private/dovecot-lmtp' rcpt=`irish_brenda at myserver.org' flags= 
class=virtual
Oct 11 14:18:32 myserver postfix/smtpd[28438]: ctable_locate: install 
entry key irish_brenda at myserver.org
/dov



Frage mich jetzt, ob es ein relaying gab oder mein System u.U. gehackt 
wurde.

Grüße
Christoph

Mehr Informationen über die Mailingliste Dovecot