Resolved SMTP SASL Unknown User sending spam?

ScottGoddard

Basic Pleskian
It seems I have a problem with SMTP authorisation and my server is sending out spam from a user that does not seem to exist. The log excerpt below has been anonymised and shows one of the spam emails sent.

As far as I can see there is no user called 'barry' within Plesk although it does form part of other usernames such as '[email protected]' or '[email protected]'

Any ideas how to resolve this? How do I find and delete/change password for this user?

Jun 14 11:36:59 myservername postfix/smtpd[7267]: D6FED6C2BD: client=unknown[106.76.218.41], sasl_method=PLAIN, sasl_username=barry
Jun 14 11:37:01 myservername postfix/cleanup[7198]: D6FED6C2BD: message-id=<[email protected]>
Jun 14 11:37:01 myservername postfix/qmgr[8066]: D6FED6C2BD: from=<[email protected]>, size=720, nrcpt=1 (queue active)
Jun 14 11:37:03 myservername postfix/smtp[7173]: D6FED6C2BD: to=<[email protected]>, relay=targetdomain-co-uk.mail.protection.outlook.com[213.199.180.170]:25, delay=3.9, delays=2/0/0.47/1.4, dsn=2.6.0, status=sent (250 2.6.0 <[email protected]> [InternalId=131322920045177, Hostname=DBXPR07MB431.eurprd07.prod.outlook.com] 8268 bytes in 0.172, 46.939 KB/sec Queued mail for delivery)
Jun 14 11:37:03 myservername postfix/qmgr[8066]: D6FED6C2BD: removed
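A quick way to see how widespread this is before touching the configuration is to pull every `sasl_username` out of the Postfix smtpd log lines and compare it with the list of mailboxes that actually exist in Plesk. The script below is an added example, not something posted in this thread; the log lines and the mailbox list it embeds are constructed for the example, and the log path in the usage note is an assumption.

```python
import re

# Constructed sample of Postfix smtpd log lines (not the thread's own log;
# usernames, queue ids and client addresses are made up for this example).
SAMPLE_LOG = """\
Jun 14 11:36:59 myservername postfix/smtpd[7267]: D6FED6C2BD: client=unknown[203.0.113.41], sasl_method=PLAIN, sasl_username=barry
Jun 14 11:40:12 myservername postfix/smtpd[7301]: 1A2B3C4D5E: client=mail.example.net[198.51.100.7], sasl_method=LOGIN, sasl_username=barry.smith@example.com
Jun 14 11:41:03 myservername postfix/smtpd[7301]: 2B3C4D5E6F: client=unknown[203.0.113.41], sasl_method=PLAIN, sasl_username=barry
Jun 14 11:42:50 myservername postfix/smtpd[7305]: 3C4D5E6F7A: client=unknown[203.0.113.42], sasl_method=PLAIN, sasl_username=barry
Jun 14 11:45:00 myservername postfix/qmgr[8066]: 3C4D5E6F7A: removed
"""

# Constructed stand-in for the mailboxes that really exist in Plesk
# (take the real list from the Plesk UI or "plesk bin mail -l").
KNOWN_MAILBOXES = {"barry.smith@example.com", "info@example.com"}

# Matches the smtpd line Postfix writes for an authenticated client.
SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): "
    r"client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\], "
    r"sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+)"
)


def audit_sasl_logins(log_text, known_mailboxes):
    """Group authenticated submissions by sasl_username.

    Returns {username: {"count", "ips", "queue_ids", "known"}} where "known"
    says whether the username is one of the mailboxes Plesk knows about.
    """
    summary = {}
    for line in log_text.splitlines():
        m = SASL_RE.search(line)
        if not m:
            continue  # not an authenticated-client line
        user = m.group("user")
        entry = summary.setdefault(
            user,
            {"count": 0, "ips": set(), "queue_ids": [], "known": user in known_mailboxes},
        )
        entry["count"] += 1
        entry["ips"].add(m.group("ip"))
        entry["queue_ids"].append(m.group("qid"))
    return summary


def unknown_sasl_users(log_text, known_mailboxes):
    """Usernames that authenticated successfully but are not a Plesk mailbox,
    which is exactly the 'barry' situation described above."""
    summary = audit_sasl_logins(log_text, known_mailboxes)
    return sorted(u for u, e in summary.items() if not e["known"])


def format_report(summary):
    """Human-readable report, unknown users first, busiest first."""
    rows = sorted(summary.items(), key=lambda kv: (kv[1]["known"], -kv[1]["count"]))
    lines = []
    for user, e in rows:
        flag = "OK     " if e["known"] else "UNKNOWN"
        lines.append(
            f"{flag} {user:<30} {e['count']:>4} msgs from {', '.join(sorted(e['ips']))}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit_sasl_logins(SAMPLE_LOG, KNOWN_MAILBOXES)))
```

To run it against a real server, replace `SAMPLE_LOG` with the contents of the mail log (on a CentOS box that is usually /var/log/maillog; check where Plesk writes it on yours) and fill `KNOWN_MAILBOXES` from Plesk. A username that appears in the `UNKNOWN` rows with many messages from a handful of unfamiliar client addresses is the account whose credentials need to be revoked and whose origin (stale SASL entry, database inconsistency) needs explaining.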
 
Hi ScottGoddard,

As far as I can see there is no user called 'barry' within Plesk although it does form part of other usernames such as '[email protected]' or '[email protected]'
If you desire help from the Plesk Community, it is essential that you provide your current configuration files, so that we are able to investigate the root cause of your issue together with you. At the moment, we can only guess that you missed configuring postfix correctly. :(
 
Postfix has been completely configured by Plesk. I have not edited anything manually.

OS: CentOS 6.9 (Final)
Product: Plesk Onyx - Version 17.5.3 Update #9, last updated on June 13, 2017 06:23 PM

The server originally started out as Plesk 10 (I think) and has been updated/upgraded over the years.

I have included main.cf and master.cf (changed to .txt for upload). Unfortunately you do not say which configuration files you require so please let me know what else you need.
 

Attachments

  • main.cf.txt (28.9 KB)
  • master.cf.txt (5.9 KB)
Hi ScottGoddard,

your current configuration
Code:
...
smtpd_tls_security_level = may
smtpd_use_tls = yes
smtp_tls_security_level = may
smtp_use_tls = no
...
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated
...
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
...
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client b.barracudacentral.org
...

is missing, for example:
Code:
...
smtp_tls_security_level = may
smtp_use_tls = no

smtpd_tls_security_level = may
smtpd_use_tls = yes

smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = no

...

smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
...

Furthermore, I recommend using:
Code:
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
Code:
smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
 
I have added in the extra lines and reloaded Postfix but it is still allowing the spam to send :(

Should I have deleted any of the other lines or just add in the ones that were not there?
 
Hi ScottGoddard,

Should I have deleted any of the other lines or just add in the ones that were not there?
You are able to check for double entries in your configuration file by using the SEARCH option of the software you use. Pls. be informed that later double entries replace the former ones in your postfix configuration files. ;)

Pls. check as well your Plesk settings at:

=> HOME > Tools & Settings > Mail - Server Settings > Relaying

... where you have the option to CLOSE relaying or to set up "authorization is required" with the additional option "SMTP"


If you updated/upgraded Plesk from previous versions, it can be as well a good idea to change postfix to qmail and backwards to qmail again, so that completely fresh and recommended configuration files are being installed and configured, instead of adding/uncommenting settings in your current configuration files.
The same suggestion is as well applicable for dovecot / courier-imap. ;)


If you made any changes to your configuration files and STILL experience issues, pls. keep in mind that you now have to add the NEW configuration files, in order to give people willing to help you the chance to investigate the NEW configuration files. ;)
The very same for your statement:
but it is still allowing the spam to send
Pls. provide the NEW corresponding entries from your mail.log, so that people willing to help you are able to investigate the issue.

Another useful piece of information is certainly the IP and the FQDN, because people willing to help you are then able to investigate far more than what you actually provide as information. ;)
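Two points from the replies above are easy to get wrong by hand: the settings recommended for main.cf (smtpd_sasl_security_options = noanonymous, a relay restriction that ends in defer_unauth_destination or reject_unauth_destination) and the rule that when a parameter appears twice in main.cf, the later assignment silently replaces the earlier one. The script below is an added example, not code from the thread or from Plesk: it parses a main.cf the way Postfix reads it (continuation lines, comments, last assignment wins), lists duplicated parameters with every value they were given, and checks the effective values against those recommendations. The main.cf excerpt it embeds is constructed and deliberately contains a duplicate.

```python
import re

# Constructed main.cf excerpt (not the thread's attached main.cf). The
# smtpd_sasl_security_options parameter appears twice on purpose: the empty
# second assignment is what a stray leftover line near the end of a long
# file looks like, and it silently wins over the hardened value above it.
SAMPLE_MAIN_CF = """\
# main.cf (constructed example)
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_security_level = may
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_security_options =
"""

ASSIGN_RE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$")


def logical_lines(text):
    """Yield main.cf logical lines: a physical line that starts with
    whitespace continues the previous one (Postfix rule); blank lines and
    comment lines are dropped. Continuations are joined with one space."""
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            current += " " + raw.strip()
        else:
            if current is not None:
                yield current
            current = raw.rstrip()
    if current is not None:
        yield current


def all_assignments(text):
    """Return {parameter: [value, value, ...]} in file order."""
    seen = {}
    for line in logical_lines(text):
        m = ASSIGN_RE.match(line)
        if m:
            seen.setdefault(m.group(1), []).append(m.group(2).strip())
    return seen


def effective_config(text):
    """Last assignment wins, which is how Postfix resolves duplicates."""
    return {k: v[-1] for k, v in all_assignments(text).items()}


def duplicate_parameters(text):
    """Parameters assigned more than once, with all their values."""
    return {k: v for k, v in all_assignments(text).items() if len(v) > 1}


def _tokens(value):
    """Postfix lists are separated by commas and/or whitespace."""
    return [t for t in re.split(r"[\s,]+", value) if t]


def check_sasl_hardening(cfg):
    """Findings against the settings recommended in this thread."""
    findings = []
    if cfg.get("smtpd_sasl_auth_enable") == "yes":
        # Postfix's built-in default for this parameter is "noanonymous";
        # an explicit empty value removes that protection.
        opts = _tokens(cfg.get("smtpd_sasl_security_options", "noanonymous"))
        if "noanonymous" not in opts:
            findings.append("smtpd_sasl_security_options lacks noanonymous")
    relay = cfg.get("smtpd_relay_restrictions")
    if relay is not None:
        if not {"defer_unauth_destination", "reject_unauth_destination"} & set(_tokens(relay)):
            findings.append("smtpd_relay_restrictions does not stop unauthorised relaying")
    elif "reject_unauth_destination" not in _tokens(cfg.get("smtpd_recipient_restrictions", "")):
        findings.append("no relay restriction: smtpd_recipient_restrictions lacks reject_unauth_destination")
    return findings


if __name__ == "__main__":
    for param, values in duplicate_parameters(SAMPLE_MAIN_CF).items():
        print(f"duplicate {param}: {values!r} -> effective {values[-1]!r}")
    for finding in check_sasl_hardening(effective_config(SAMPLE_MAIN_CF)):
        print("FINDING:", finding)
```

Point it at /etc/postfix/main.cf instead of `SAMPLE_MAIN_CF` to audit a real server. The parser does not expand `$variable` references, so compare its output with `postconf -n`, which prints the values Postfix itself has resolved; if the two disagree on a parameter, that is the line to look at.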
 
I have switched over to Qmail and that is rejecting the spam as 'Invalid mail address' so it looks as though that has resolved the problem for now. I would prefer to switch back to Postfix eventually but it remains to be seen if the problem will reoccur.

It seems to me that that SASL had an errant (possibly a legacy from past version?) user named 'barry' that did not appear in Plesk but was still active in SASL. Is this possible? If I understand it correctly, the SASL usernames and information is stored in DB files located at /var/spool/postfix/plesk? Is there any way to verify their contents?
 
Hi ScottGoddard,

in earlier times, the command:

Code:
/usr/local/psa/admin/sbin/mchk --with-spam

could have solved your issues, because this should re-create the SASL db and its keys, getting the configured and allowed eMail accounts from your Plesk database.
With Plesk Onyx (and since Plesk 12), you should now use the "Plesk Repair Utility" (=> Plesk Repair Utility) with the option:
Code:
plesk repair mail -v

or

plesk repair mail -y -v

It seems to me that that SASL had an errant (possibly a legacy from past version?) user named 'barry' that did not appear in Plesk but was still active in SASL. Is this possible?
Could be, but could as well be some Plesk database inconsistencies, or possible previous misconfigurations.

Is there any way to verify their contents?
As mentioned before, you have the option to use the "Plesk Repair Utility". ;)


I would prefer to switch back to Postfix eventually but it remains to be seen if the problem will reoccur.
During the process to switch the mail software, a re-creation of the SASL db and its keys is included. ;)
 