最近,dovecot 开始将一些帐户收到的所有电子邮件的副本重新发送到未经授权的电子邮件地址:[email protected]。显然消息是在本地生成的(127.0.0.1),但我无法找出它是在哪里或如何生成的。
Mar 26 19:37:44 sd-4XXXX postfix/cleanup[21014]: 64BA6E182985: message-id=<[email protected]>
Mar 26 19:37:44 sd-4XXXX postfix/qmgr[26225]: 64BA6E182985: from=<[email protected]>, size=15412, nrcpt=1 (queue active)
Mar 26 19:37:46 sd-4XXXX postfix/smtpd[21022]: connect from localhost[127.0.0.1]
Mar 26 19:37:46 sd-4XXXX postfix/smtpd[21022]: E1743E1839D6: client=localhost[127.0.0.1]
Mar 26 19:37:46 sd-4XXXX postfix/cleanup[21014]: E1743E1839D6: message-id=<[email protected]>
Mar 26 19:37:46 sd-4XXXX postfix/smtpd[21022]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Mar 26 19:37:46 sd-4XXXX postfix/qmgr[26225]: E1743E1839D6: from=<[email protected]>, size=16476, nrcpt=1 (queue active)
Mar 26 19:37:46 sd-4XXXX amavis[32748]: (32748-11) Passed CLEAN {RelayedInternal}, ORIGINATING LOCAL [8X.8X.6X.3X]:55254 [8X.8X.6X.3X] <[email protected]> -> <[email protected]>, Queue-ID: 64BA6E182985, Message-ID: <[email protected]>, mail_id: Buvs90Q9JFpr, Hits: -2.898, size: 15412, queued_as: E1743E1839D6, dkim_new=default:mydomain.com, 2353 ms
Mar 26 19:37:46 sd-4XXXX postfix/smtp[21015]: 64BA6E182985: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10026, delay=2.6, delays=0.23/0.01/0/2.4, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10027): 250 2.0.0 Ok: queued as E1743E1839D6)
Mar 26 19:37:46 sd-4XXXX postfix/qmgr[26225]: 64BA6E182985: removed
Mar 26 19:37:47 sd-4XXXX postfix/pickup[831]: 0CA2BE1851F7: uid=5000 from=<[email protected]>
Mar 26 19:37:47 sd-4XXXX dovecot: lda([email protected]): sieve: msgid=<[email protected]>: forwarded to <[email protected]>
Mar 26 19:37:47 sd-4XXXX postfix/cleanup[21014]: 0CA2BE1851F7: message-id=<[email protected]>
Mar 26 19:37:47 sd-4XXXX postfix/qmgr[26225]: 0CA2BE1851F7: from=<[email protected]>, size=16711, nrcpt=1 (queue active)
Mar 26 19:37:47 sd-4XXXX dovecot: lda([email protected]): sieve: msgid=<[email protected]>: stored mail into mailbox 'INBOX'
Mar 26 19:37:47 sd-4XXXX postfix/pipe[21023]: E1743E1839D6: to=<[email protected]>, relay=dovecot, delay=0.27, delays=0.04/0.02/0/0.22, dsn=2.0.0, status=sent (delivered via dovecot service)
Mar 26 19:37:47 sd-4XXXX postfix/qmgr[26225]: E1743E1839D6: removed
Mar 26 19:37:49 sd-4XXXX postfix/smtpd[21033]: connect from localhost[127.0.0.1]
Mar 26 19:37:49 sd-4XXXX postfix/smtpd[21033]: 0113FE182985: client=localhost[127.0.0.1]
Mar 26 19:37:49 sd-4XXXX postfix/cleanup[21014]: 0113FE182985: message-id=<[email protected]>
Mar 26 19:37:49 sd-4XXXX postfix/smtpd[21033]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Mar 26 19:37:49 sd-4XXXX postfix/qmgr[26225]: 0113FE182985: from=<[email protected]>, size=17040, nrcpt=1 (queue active)
Mar 26 19:37:49 sd-4XXXX amavis[32627]: (32627-11) Passed CLEAN {RelayedOutbound}, LOCAL [127.0.0.1] [8X.8X.6X.3X] <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: 4g8Irz6LJmCW, Hits: -3.098, size: 16711, queued_as: 0113FE182985, dkim_sd=default:mydomain.com, 1985 ms
Mar 26 19:37:49 sd-4XXXX postfix/smtp[21015]: 0CA2BE1851F7: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.1, delays=0.12/0/0/2, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0113FE182985)
Mar 26 19:37:49 sd-4XXXX postfix/qmgr[26225]: 0CA2BE1851F7: removed
编辑 1 我在服务器中安装了 ISPConfig 3,并且这些电子邮件帐户在 cc 字段中有非授权地址 ([email protected]),我已经删除了这些条目,但问题仍然存在。
编辑 2
经过一番研究,我发现 dovecot sieve 被配置为将这些电子邮件重定向到有问题的地址。我检查了 /var/vmail/destindomain.com/info/.sieve 中的文件,我可以找到redirect "[email protected]"显然是从 ispconfig 创建的行,但是当我通过 ispconfig 界面修改条目时没有删除。
我终于找到了答案:
我在服务器中安装了 ISPConfig 3,并且这些电子邮件帐户在 cc 字段中具有非授权地址。不知何故,ISPConfig 受到了损害,他们登录并更改了这些值。更改 ISPConfig 界面中的值后,问题仍然存在,因此我 grep /etc 中的所有文件以查找某些内容,瞧!我可以在 /var/vmail/destdomain.com/info/.sieve 中找到规则:
删除那条线解决了它。
我现在正在检查是否有更多损坏,同时,我在 ISPConfig 登录中添加了一个 fail2ban 正则表达式。