
Resolved Email hacked question

Jayson

Basic Pleskian
Hello,

Centos 7
postfix
Just had a customer have their email hacked and used to send spam. I was surprised to see maillog shows the sasl_username used for sending was the email alias and not the actual user account.

Is this by design? Or, does it indicate a configuration issue?

Thanks,
 
Hi Jayson,

Or, does it indicate a configuration issue?
Hard to "guess", because you don't provide actual configuration files, nor do you provide the corresponding log entries from your mail logs, which could be investigated. ;)
 
That's why I only asked if the sasl_username could be the alias. If yes, then I'm not going to do any digging past talking to the mail user.

(changed customer domain to domain.org)
Nov 27 18:27:17 bigserv postfix/smtpd[24475]: A334E90E3B: client=unknown[155.133.82.113], sasl_method=CRAM-MD5, [email protected]

Customer account is actually [email protected] yet maillog is filled with entries like the above. Once I saw the alias I changed the password on the user email account and the spam stopped. I wanted to know if it's possible for someone to use an alias for the sasl_username.

Thank you,
 
Hi Jayson,

An alias email account is pretty much the same as a "normal" email account, with the difference that the alias email account has no mail directory of its own on the server. Both usernames can be used for authentication, and both usernames use the same password.
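A log check for the situation discussed in this thread, added here as an example and not posted by any participant: it counts Postfix `sasl_username` submissions per mailbox and folds alias logins into the owning account, since both share one password. The sample log lines, the alias map and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Postfix smtpd line logged for each message accepted from an authenticated client.
SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>\w+): "
    r"client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\], "
    r"sasl_method=(?P<method>[^,]+), sasl_username=(?P<user>\S+)"
)

# Constructed sample lines (documentation IP ranges, example.org); not from the thread.
SAMPLE_LOG = """\
Nov 27 18:27:01 mx1 postfix/smtpd[24475]: connect from unknown[198.51.100.7]
Nov 27 18:27:17 mx1 postfix/smtpd[24475]: A334E90E3B: client=unknown[198.51.100.7], sasl_method=CRAM-MD5, sasl_username=info@example.org
Nov 27 18:27:19 mx1 postfix/smtpd[24475]: A334E90E3C: client=unknown[198.51.100.7], sasl_method=CRAM-MD5, sasl_username=info@example.org
Nov 27 18:27:25 mx1 postfix/smtpd[24480]: B12F490E41: client=unknown[198.51.100.8], sasl_method=LOGIN, sasl_username=info@example.org
Nov 27 18:27:31 mx1 postfix/smtpd[24481]: B77A190E52: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=Info@example.org
Nov 27 18:30:02 mx1 postfix/smtpd[24490]: C01D290E60: client=office.example.org[192.0.2.10], sasl_method=PLAIN, sasl_username=jane@example.org
Nov 27 18:31:44 mx1 postfix/smtpd[24491]: C55E390E61: client=office.example.org[192.0.2.20], sasl_method=PLAIN, sasl_username=bob@example.org
"""

# Hypothetical alias -> mailbox map; fill it from your own mail account list.
ALIASES = {"info@example.org": "jane@example.org"}

def summarize(log_text, aliases=ALIASES):
    """Group authenticated submissions by owning mailbox, folding aliases in."""
    stats = defaultdict(lambda: {"messages": 0, "ips": set(), "logins": set()})
    for line in log_text.splitlines():
        m = SASL_RE.search(line)
        if not m:
            continue  # connect/disconnect and other non-submission lines
        login = m.group("user").lower()
        entry = stats[aliases.get(login, login)]
        entry["messages"] += 1
        entry["ips"].add(m.group("ip"))
        entry["logins"].add(login)  # which names were actually used to log in
    return dict(stats)

def suspicious(stats, max_messages=3, max_ips=2):
    """Mailboxes whose volume or client-IP spread exceeds the (assumed) thresholds."""
    return sorted(box for box, s in stats.items()
                  if s["messages"] > max_messages or len(s["ips"]) > max_ips)

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for box in suspicious(report):
        s = report[box]
        print(box, s["messages"], sorted(s["ips"]), sorted(s["logins"]))
```

Run against the real log by passing the contents of the maillog file to `summarize()`; the `logins` set shows whether the alias or the account name was used to authenticate.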
 