Server sending spam to qq.com once in a while from internal ip address

anghenil

Hey,

a few days ago I received a ton of bounced emails from qq.com and found out my server was sending spam mails from <a-random-name>@mydomain for ~ an hour. Seems like the emails didn’t get send from an email account, since postfix reports the connection was from fd4d:6169:6c63:6f77::1, the gateway address from the mailcow docker network.

Postfix log entry:
May 22 04:12:29 232961be80c2 postfix/smtpd[18947]: 796271E00190: client=unknown[fd4d:6169:6c63:6f77::1] May 22 04:12:30 232961be80c2 postfix/cleanup[18967]: 796271E00190: message-id=<202305221012227097421@mydomain> May 22 04:12:33 232961be80c2 postfix/qmgr[375]: 796271E00190: from=<jimmy@mydomain>, size=48850, nrcpt=1 (queue active) May 22 04:12:37 232961be80c2 postfix/smtp[18968]: 796271E00190: to=<1756267751@qq.com>, relay=mx3.qq.com[203.205.219.57]:25, delay=12, delays=8.3/0.06/1.5/2.1, dsn=2.0.0, status=sent (250 OK: queued as.) May 22 04:12:37 232961be80c2 postfix/qmgr[375]: 796271E00190: removed

My first thought was that those emails were coming from another docker container so I cleaned up and remove some containers. However, there was an outgoing spam wave again this night for ~ 1h.

Do you have any idea how I can identify the source of those spam mails? I’m currently running maldetect…

Additional informations:
iptables –list output:
`Chain INPUT (policy ACCEPT)
target prot opt source destination
MAILCOW all – anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
MAILCOW all – anywhere anywhere
DOCKER-USER all – anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all – anywhere anywhere
ACCEPT all – anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain DOCKER (7 references)
target prot opt source destination
ACCEPT tcp – anywhere 172.24.0.3 tcp dpt:http
ACCEPT tcp – anywhere 172.17.0.2 tcp dpt:irdmi
ACCEPT tcp – anywhere 172.18.0.3 tcp dpt:http
ACCEPT tcp – anywhere 172.22.1.249 tcp dpt:redis
ACCEPT tcp – anywhere 172.22.1.6 tcp dpt:8983
ACCEPT tcp – anywhere 172.22.1.8 tcp dpt:mysql
ACCEPT tcp – anywhere 172.22.1.10 tcp dpt:pcsync-https
ACCEPT tcp – anywhere 172.22.1.10 tcp dpt:sunproxyadmin
ACCEPT tcp – anywhere 172.22.1.253 tcp dpt:submission
ACCEPT tcp – anywhere 172.22.1.253 tcp dpt:urd
ACCEPT tcp – anywhere 172.22.1.253 tcp dpt:smtp
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:italk
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:sieve
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:pop3s
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:imaps
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:imap
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:pop3

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all – anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all – anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all – anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all – anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all – anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all – anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all – anywhere anywhere
RETURN all – anywhere anywhere

Chain DOCKER-ISOLATION-STAGE-2 (7 references)
target prot opt source destination
DROP all – anywhere anywhere
DROP all – anywhere anywhere
DROP all – anywhere anywhere
DROP all – anywhere anywhere
DROP all – anywhere anywhere
DROP all – anywhere anywhere
DROP all – anywhere anywhere
RETURN all – anywhere anywhere

Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all – anywhere anywhere

Chain MAILCOW (2 references)
target prot opt source destination`

docker network inspect mailcowdockerized_mailcownetwork:
[ { "Name": "mailcowdockerized_mailcow-network", "Id": "fdc20ab0b4637dd768724f0074705a813277e28c85bba0f847939af78a0cf90f", "Created": "2023-05-18T14:07:24.243697311+02:00", "Scope": "local", "Driver": "bridge", "EnableIPv6": true, "IPAM": { "Driver": "default", "Options": null, "Config": [ { "Subnet": "172.22.1.0/24" }, { "Subnet": "fd4d:6169:6c63:6f77::/64" } ] }, "Internal": false, "Attachable": false, "Ingress": false, "ConfigFrom": { "Network": "" }, "ConfigOnly": false, "Containers": { "02ab874412f97c8cdf9785e979c00abbf9be01623cab5756621f00efae00569c": { "Name": "mailcowdockerized-sogo-mailcow-1", "EndpointID": "b8a71edfc9746ddce19a981c6d416874c64b0dff77888fa0338eacb52289a698", "MacAddress": "02:42:ac:16:01:f8", "IPv4Address": "172.22.1.248/24", "IPv6Address": "fd4d:6169:6c63:6f77::5/64" }, "144b0454ce4e1beb5edef1ec8d79c9e12a88cf36001da01bafca5620fdfb4d6b": { "Name": "mailcowdockerized-unbound-mailcow-1", "EndpointID": "f8f4d9b758c5227a6a0b67eb91ca961316110c23521ae36571b10b67909e3c5b", "MacAddress": "02:42:ac:16:01:fe", "IPv4Address": "172.22.1.254/24", "IPv6Address": "fd4d:6169:6c63:6f77::7/64" }, "206b24574822a9347914a4f2522f5c3d929fc153a1ca4c4aaff68e2b9847abe5": { "Name": "mailcowdockerized-memcached-mailcow-1", "EndpointID": "5f73b008b1c8e3e2dcb601309d05fbfebac54255890a167cdea96eaa78f9d034", "MacAddress": "02:42:ac:16:01:04", "IPv4Address": "172.22.1.4/24", "IPv6Address": "fd4d:6169:6c63:6f77::6/64" }, "232961be80c2335516e036da49cd4d47816b42d386676349c05d8283fae0f1db": { "Name": "mailcowdockerized-postfix-mailcow-1", "EndpointID": "6edfa4a58fe42eb98331a4253978048b38f349aa951256e388fe78cff38bc188", "MacAddress": "02:42:ac:16:01:fd", "IPv4Address": "172.22.1.253/24", "IPv6Address": "fd4d:6169:6c63:6f77::e/64" }, "2507525a782a2dad6d056e43ea238e161174da28097227f7e2753c7a1f3b3d7d": { "Name": "mailcowdockerized-clamd-mailcow-1", "EndpointID": "e1774d920827ae36988aeb8ed2726df85001001006e85aa547468ae60f6fc2ea", "MacAddress": "02:42:ac:16:01:09", "IPv4Address": "172.22.1.9/24", "IPv6Address": "fd4d:6169:6c63:6f77::c/64" }, "26948dbf7a973a3f0838843e04421daf447e42ccfb98858ba460caedfab2ac4e": { "Name": "mailcowdockerized-redis-mailcow-1", "EndpointID": "81821f54420bc3468e37f8b603deb50aa96706b9bfaf4b8ec7a9e96e095d85fc", "MacAddress": "02:42:ac:16:01:f9", "IPv4Address": "172.22.1.249/24", "IPv6Address": "fd4d:6169:6c63:6f77::4/64" }, "2c46104d0d99115383bf5765d975e5efc8ddc7850bf63bef417c4f42d31768c5": { "Name": "mailcowdockerized-watchdog-mailcow-1", "EndpointID": "563e4210a0092e3b62e5340a14cdc3a7983cd97ddb8a32c04a7a5f9066d5968a", "MacAddress": "02:42:ac:16:01:02", "IPv4Address": "172.22.1.2/24", "IPv6Address": "fd4d:6169:6c63:6f77::2/64" }, "5fe5c31fd2d6ddfbca675ee864c21c4a987f2682f5deed4349b2c39c0d55e376": { "Name": "mailcowdockerized-nginx-mailcow-1", "EndpointID": "c573a23fba8bff79a86f93474e55ce53bb5b369b644aad71fb8b96e348943f8f", "MacAddress": "02:42:ac:16:01:0a", "IPv4Address": "172.22.1.10/24", "IPv6Address": "fd4d:6169:6c63:6f77::d/64" }, "7062c765186a288f8b5c827161dabb6fc6d6372304f0955ee43581db620209b3": { "Name": "mailcowdockerized-olefy-mailcow-1", "EndpointID": "e03bd6ac473bda597a931869e848e6256d65322dad4a8ed7d1119d93af1a7ce9", "MacAddress": "02:42:ac:16:01:03", "IPv4Address": "172.22.1.3/24", "IPv6Address": "fd4d:6169:6c63:6f77::3/64" }, "8d9ade7c05e8a62d01598a2d6eae94447b80f7ab055ba66c9a056d0e597f0e26": { "Name": "mailcowdockerized-acme-mailcow-1", "EndpointID": "e099b134aaef95a8bd878b8caf5456d496898fd6663eb2b561a7c17d11a69ffe", "MacAddress": "02:42:ac:16:01:0b", "IPv4Address": "172.22.1.11/24", "IPv6Address": "fd4d:6169:6c63:6f77::10/64" }, "9328219dc71a2a6fdfff9a75c45b2e541b9a004af71af3f6f50e890587f5e656": { "Name": "mailcowdockerized-dockerapi-mailcow-1", "EndpointID": "b0c1931c0bb5ab7e29d697327ec3f179828493331e79fc898354118d4c0d4fd8", "MacAddress": "02:42:ac:16:01:05", "IPv4Address": "172.22.1.5/24", "IPv6Address": "fd4d:6169:6c63:6f77::8/64" }, "99842dcf4702076cbc3efa260b23fb327ff229282c006c1a28e50023aac39e9f": { "Name": "mailcowdockerized-solr-mailcow-1", "EndpointID": "b3992ac3d752dbf1b04a3db20193874adb7a4cebea5f548858c2c0fc9dc71888", "MacAddress": "02:42:ac:16:01:06", "IPv4Address": "172.22.1.6/24", "IPv6Address": "fd4d:6169:6c63:6f77::9/64" }, "c6f284594f51bd4ab185e4ff2cfa7332f4dc4952f8b5ea96aca369e12c2b4bdc": { "Name": "mailcowdockerized-mysql-mailcow-1", "EndpointID": "2c800e2a222b1e39f5989659b55f7755bd87b0f37c4714dafdbb9db352950e32", "MacAddress": "02:42:ac:16:01:08", "IPv4Address": "172.22.1.8/24", "IPv6Address": "fd4d:6169:6c63:6f77::b/64" }, "c9f5a7c60bc9af584394caf80854707ab2baa6069cf2fb11c3aba365e581b056": { "Name": "mailcowdockerized-ofelia-mailcow-1", "EndpointID": "f055f9bc0019a3f7876df52f39fe47bdea141f79003b6fa7908d598ec49a9ace", "MacAddress": "02:42:ac:16:01:0c", "IPv4Address": "172.22.1.12/24", "IPv6Address": "fd4d:6169:6c63:6f77::11/64" }, "cb67b83c4ae65cf3dfc2317b9d66c807fdd1d7af04a001d065d91fd606046dd2": { "Name": "mailcowdockerized-rspamd-mailcow-1", "EndpointID": "17e3fa6f59cae7b92bee9ab9a338f88f3c68df3d4740abe271e9133a4adbb7f7", "MacAddress": "02:42:ac:16:01:0d", "IPv4Address": "172.22.1.13/24", "IPv6Address": "fd4d:6169:6c63:6f77::12/64" }, "d6e1f04ae078b962ebb77283a7582821ff2c7d6240803e35903cfc95c232657b": { "Name": "mailcowdockerized-dovecot-mailcow-1", "EndpointID": "c3cf473b33dfb7a9e4568c00a9e116378c4e7b1f94c54531155d89ba669d6c7b", "MacAddress": "02:42:ac:16:01:fa", "IPv4Address": "172.22.1.250/24", "IPv6Address": "fd4d:6169:6c63:6f77::f/64" }, "fe20b95782bd1a4d7a07578fa95d2b4d357f150f7c7ba2cadf75adc295377441": { "Name": "mailcowdockerized-php-fpm-mailcow-1", "EndpointID": "4e31c6b94e138d6711ed87e389e3a44afa1e7ba147cc9400adb0b7d5f8c09f67", "MacAddress": "02:42:ac:16:01:07", "IPv4Address": "172.22.1.7/24", "IPv6Address": "fd4d:6169:6c63:6f77::a/64" } }, "Options": { "com.docker.network.bridge.name": "br-mailcow" }, "Labels": { "com.docker.compose.network": "mailcow-network", "com.docker.compose.project": "mailcowdockerized", "com.docker.compose.version": "2.18.0" } } ]

I didn’t change the postfix config manually.

Do you have any ideas?
Best anghenfil

datio

Looks like I have the same problem. domain.gr is my [REDACTED] placeholder.

The postfix logs include records like the following:

mailcowdockerized-postfix-mailcow-1 | Jul 21 11:17:18 a960c4f80b92 postfix/smtp[1234]: connect to webdisk.domain.gr[2a06:98c1:3121::3]:25: Cannot assign requested address

datio

The mxtoolbox reports there’s no open relay, but might it have something to do with either IPv6 or the fact it’s sending using a valid domain name?

ryan77627

Hey y’all, I was facing the same issue ~2 months ago. It was because I had IPv6 enabled but it was not being NAT’ed properly, meaning that postfix was allowing open relay sending when connecting over IPv6 since postfix allows “local” connections to be privileged and send without authentication by default. My interim solution in the short term was to just disable IPv6 since I had no use for it anyways and just wanted to stop my email server from sending more spam before I got myself on some blocklists and ruined my IP reputation. See below:

docker-compose.yml example:

...
networks:
  mailcow-network:
    enable_ipv6: false
...

Please note however this is a temporary solution and may(?) be wiped as soon as you run update.sh, so plan accordingly! I just updated from 2023-05a to 2023-07a and it did persist, but I do not know if that is the exception or the norm. I need to look into this issue on my end as soon as I have the time for a more permanent solution.

datio mxtoolbox doesn’t seem to check IPv6, I think? I can’t remember if I was even advertising an IPv6 address on an MX record when my domain got popped. Dunno

datio

@anghenil
Did you by any chance fix your issue?

I’m getting bombarded by such bounced messages:

BoneBunny

I also do have the same issue.
Jul 31 12:19:49 1a19efe6165e postfix/postscreen[9661]: CONNECT from [172.22.1.1]:49444 to [172.22.1.253]:25 Jul 31 12:19:49 1a19efe6165e postfix/postscreen[9661]: WHITELISTED [172.22.1.1]:49444 Jul 31 12:19:49 1a19efe6165e postfix/smtpd[9681]: connect from unknown[172.22.1.1] Jul 31 12:19:50 1a19efe6165e postfix/smtpd[9681]: 663E27C0777: client=unknown[172.22.1.1] Jul 31 12:19:51 1a19efe6165e postfix/cleanup[9685]: 663E27C0777: message-id=<df6e5c09aebe94245e403d8433511add@sanasafinaz.com> Jul 31 12:19:52 1a19efe6165e postfix/qmgr[377]: 663E27C0777: from=<unsubscribe@servername.example.com>, size=32999, nrcpt=1 (queue active) Jul 31 12:19:53 1a19efe6165e postfix/smtpd[9681]: disconnect from unknown[172.22.1.1] helo=1 mail=1 rcpt=1 data=1 quit=1 commands=5 Jul 31 12:19:54 1a19efe6165e postfix/smtp[9686]: Trusted TLS connection established to mx3.qq.com[203.205.219.57]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits) Jul 31 12:19:57 1a19efe6165e postfix/smtp[9686]: 663E27C0777: to=<959972995@qq.com>, relay=mx3.qq.com[203.205.219.57]:25, delay=7.6, delays=3/0.03/2.4/2.1, dsn=2.0.0, status=sent (250 OK: queued as.) Jul 31 12:19:57 1a19efe6165e postfix/qmgr[377]: 663E27C0777: removed
What makes me corious too, why is ti sending mails from unsubscribe@servername.example.com instead of unsubscribe@example.com for my configured domain?

esackbauer

What seems common is that those connections sending the mails are coming from the docker gateway IP (v4 or v6).
That would indicate that somthing is maybe source NATed on the firewall in front so that the public IP is lost.
Or it comes from within the Docker host itself (obviously not from any container).

Holger

ryan77627 I have had the same issue for several months, curiously the bounces only every came from qq.com - I’d imagine that if my server really was an open relay, spammers would send mail to a more diverse set of recipient? Anyway, the solution you proposed (disabling IPv6) did not work for me.

I spent several hours today trying to find what may be misconfigured on my machine. The only thing I found was that docker compose version showed a very old version (2.0.0). It’s possible that this old version had a network security vulnerability that is exploitable in rare circumstances. The version was old, because I had manually installed the docker compose plugin to /root/.docker/ when it first came out. I deleted this manual installation and replaced it with the official Ubuntu package docker-compose-plugin from the docker repository.

I don’t know whether this will solve the issue, but it’s worth a try if you experience it as well.

EDIT: 8 days later and the bounces seem to have disappeared for now.

esackbauer

Please note however this is a temporary solution and may(?) be wiped as soon as you run update.sh, so plan accordingly!

Yes, so far its kind of “official”:
https://docs.mailcow.email/post_installation/firststeps-disable_ipv6/?h=ipv6
I guess it mostly affects people who run a VPS which has automatically the IPv6 stack enabled.

antipode-mj

Hi, my first post here ;-)

I’ve too encountered this problem of openrelay on one of my servers and it was related to a missing configuration of my docker. It was a fairly old install (+/- 2 years) and the IPv6 part of the mailcow stack evolved and included some settings to be inserted in this particular file (Ubuntu here) :

/etc/docker/daemon.json

{ "ipv6":true, "fixed-cidr-v6":"fd00:dead:beef:c0::/80", "experimental":true, "ip6tables":true }
Once done, you’ll need to restart the docker service (service docker restart)or the whole server. This will stop and restart all your containers !

I think this part adjusts the networking stack to disable the openrelay. At least I can confirm it resolved my issue ! If anyone is able to confirm my analysis, I would be grateful.

This reconfiguration was suggested to me by the update.sh script, but it can be easily overseen ! I’m the one to blame ;-)

So please re enable the IPv6 on your installations and check the docker config, the IPv6 is faster and it’s the future !

Hope this helps.