Mailbox hacked?

My YunoHost server

Hardware: Raspberry Pi at home /
YunoHost version: 4.0.8.2
I have access to my server: via SSH | via the webadmin
Are you in a particular context or have you made any particular changes to your instance?: no

Mail hacked?

Hello,
A problem with the mail from the YunoHost server. I am behind a Freebox. The address has been blacklisted for a while because Free's reverse DNS doesn't work properly. Recently, people have received spam mails from the server's mail address that I did not send.
As a first step I have just changed all the server's passwords, to perhaps secure against a possible hack.
I am in the process of requesting a VPN from ARN so as to use Client_VPN afterwards and get the mail un-blacklisted... But in the meantime, I hope I haven't been hacked...

Here are the Diagnosis messages about the DNS problems for mail:

          - Current reverse DNS: XX-XX-XX-XX.subs.proxad.net
            Expected value: mydomain.tld
          - You should first try to configure the reverse DNS with mydomain.tld in your internet router interface or your hosting provider interface. (Some hosting provider may require you to send them a support ticket for this).
          - Some providers won't let you configure your reverse DNS (or their feature might be broken...). If you are experiencing issues because of this, consider the following solutions:
            - Some ISP provide the alternative of using a mail server relay though it implies that the relay will be able to spy on your email traffic.
            - A privacy-friendly alternative is to use a VPN *with a dedicated public IP* to bypass this kind of limits. See https://yunohost.org/#/vpn_advantage
            - Or it's possible to switch to a different provider
        status: ERROR
        summary: The reverse DNS is not correctly configured in IPv4. Some emails may fail to get delivered or may get flagged as spam.
      3:
        details:
          - You should first try to configure the reverse DNS with mydomain.tld in your internet router interface or your hosting provider interface. (Some hosting provider may require you to send them a support ticket for this).
          - Some providers won't let you configure your reverse DNS (or their feature might be broken...). If your reverse DNS is correctly configured for IPv4, you can try disabling the use of IPv6 when sending emails by running 'yunohost settings set smtp.allow_ipv6 -v off'. Note: this last solution means that you won't be able to send or receive emails from the few IPv6-only servers out there.
        status: ERROR
        summary: No reverse DNS is defined in IPv6. Some emails may fail to get delivered or may get flagged as spam.
      4:
        details:
          - The blacklist reason is: "https://matrix.spfbl.net/XX.XX.XX.XX"
          - After identifying why you are listed and fixed it, feel free to ask for your IP or domaine to be removed on https://spfbl.net/en/dnsbl/
        status: ERROR
        summary: Your IP or domain XX.XX.XX.XX is blacklisted on SPFBL.net RBL
      5:
        status: WARNING
        summary: Too many pending emails in mail queue (107 emails)
$ sudo cat /var/log/mail.err
Nov 23 13:40:31 mydomain dovecot: lda(user@mydomain.tld)<21471><lb6cAb+tu1/fUwAAVYPLjw>: Error: sieve: msgid=unspecified: failed to store into mailbox 'Junk': Mailbox doesn't exist: Junk
Nov 23 13:40:31 mydomain dovecot: lda(user@mydomain.tld)<21471><lb6cAb+tu1/fUwAAVYPLjw>: Error: sieve: Execution of script /etc/dovecot/global_script/rspamd.sieve failed, but implicit keep was successful
Nov 23 16:16:38 mydomain dovecot: lda(user@mydomain.tld)<22964><CxOnHVbSu1+0WQAAVYPLjw>: Error: sieve: msgid=<message-10617836-636305828-166100-10040@mail5.wcm-msb.tld>: failed to store into mailbox 'Junk': Mailbox doesn't exist: Junk
Nov 23 16:16:38 mydomain dovecot: lda(user@mydomain.tld)<22964><CxOnHVbSu1+0WQAAVYPLjw>: Error: sieve: Execution of script /etc/dovecot/global_script/rspamd.sieve failed, but implicit keep was successful
Nov 24 15:37:57 mydomain dovecot: lda(user@mydomain.tld)<5325><iJaKAcUavV/NFAAAVYPLjw>: Error: sieve: msgid=<1606228674.ge4toobngmzc2nbqgaztcna@e.infos-actushopping.tld>: failed to store into mailbox 'Junk': Mailbox doesn't exist: Junk
Nov 24 15:37:57 mydomain dovecot: lda(user@mydomain.tld)<5325><iJaKAcUavV/NFAAAVYPLjw>: Error: sieve: Execution of script /etc/dovecot/global_script/rspamd.sieve failed, but implicit keep was successful
Nov 25 11:23:05 mydomain dovecot: lda(user@mydomain.tld)<24501><mRW3Lokwvl+1XwAAVYPLjw>: Error: sieve: msgid=<3003A379DE744E8BABC66BA4676B681E@LenovoPC>: failed to store into mailbox 'Junk': Mailbox doesn't exist: Junk
Nov 25 11:23:05 mydomain dovecot: lda(user@mydomain.tld)<24501><mRW3Lokwvl+1XwAAVYPLjw>: Error: sieve: Execution of script /etc/dovecot/global_script/rspamd.sieve failed, but implicit keep was successful
Nov 26 00:55:08 mydomain dovecot: lda(user@mydomain.tld)<1906><EbY3LNzuvl9yBwAAVYPLjw>: Error: sieve: msgid=<em3d4af818-07fa-4a76-8d50-342968e02a50@alans>: failed to store into mailbox 'Junk': Mailbox doesn't exist: Junk
Nov 26 00:55:08 mydomain dovecot: lda(user@mydomain.tld)<1906><EbY3LNzuvl9yBwAAVYPLjw>: Error: sieve: Execution of script /etc/dovecot/global_script/rspamd.sieve failed, but implicit keep was successful

I don't know where to look to find out whether the server may have been hacked... Maybe I should look with fail2ban??

I should also point out that all of this concerns a friend's server and that I am his administrator...

Here are the messages he received that worry him:

For almost a week I have been receiving more than fifty messages like the one below. And several people have contacted me to tell me they had received a strange message from me. Could this be linked to my server?

This is the mail system at host domain.tld.

I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can delete your own text from the attached returned message.

                   The mail system

<7653223147@txt.att.net>: host mx3b.txt.att.net[166.216.152.132] said: 550 5.1.1 7653223147@txt.att.net recipient does not exist here. (in reply to RCPT TO command)

<7753796439@txt.att.net>: host mx3b.txt.att.net[166.216.152.132] said: 550 5.1.1 7753796439@txt.att.net recipient does not exist here. (in reply to RCPT TO command)

Reporting-MTA: dns; domain.tld
X-Postfix-Queue-ID: 5977620D1
X-Postfix-Sender: rfc822; user@domain.tld
Arrival-Date: Thu, 26 Nov 2020 02:40:45 +0100 (CET)

Final-Recipient: rfc822; 7653223147@txt.att.net
Original-Recipient: rfc822;7653223147@txt.att.net
Action: failed
Status: 5.1.1
Remote-MTA: dns; mx3b.txt.att.net
Diagnostic-Code: smtp; 550 5.1.1 7653223147@txt.att.net recipient does not exist here.

Final-Recipient: rfc822; 7753796439@txt.att.net
Original-Recipient: rfc822;7753796439@txt.att.net
Action: failed
Status: 5.1.1
Remote-MTA: dns; mx3b.txt.att.net
Diagnostic-Code: smtp; 550 5.1.1 7753796439@txt.att.net recipient does not exist here.

.eml

From:

ocgscntrc user@domain.tld

Date:

26/11/2020 at 02:40

To:

5137877158@vtext.com, 7143143933@usamobility.net, 7147673656@txt.att.net, 4708910182@vtext.com, 7757624722@txt.att.net, 2162193013@vtext.com, 5133353177@vtext.com, 5134979206@vtext.com, 5135435663@vtext.com, 9494669179@txt.att.net, 7753796439@txt.att.net, 5626828553@tmomail.net, 9802419040@vtext.com, 9725338903@txt.att.net, 7653223147@txt.att.net, 4074519653@txt.att.net, 8043896105@vtext.com, 8165203639@vtext.com, 5857640588@txt.att.net, 4027190733@vtext.com

You have received an important announcement regarding your Facebook acc.: http://rann-ghjyjpyoz.integra-sols.hr

I'll add this observation: while reading the topic My Yunohost hacked / Yunohost piratée I looked at a few of the suggestions:

First this:

# find /var/spool/postfix/deferred -type f | wc -l
107

# mailq
gives these logs https://paste.yunohost.org/exawaveval.pl

I don't really know what this means??
Is this a queue of mails that have not been sent??

Here are logs from /var/log/auth.log https://paste.yunohost.org/suregexoyu.cs
Should I understand that someone from outside is trying to log in as root? I admit I'm worried.

Hmm, well, you have to be careful, because in the logs you quote there are "normal" things (in auth.log, having brute-force attempts on root happens on any server, that's why there is fail2ban and why root login is disabled by default...)

On the other hand, yes, there being lots of weird stuff in mailq, that is fishy. To dig further, in my opinion you need to look at tail -n 1000 /var/log/mail.{log,info,err} (but be careful, there may be private information in there)
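The `mailq` listing linked above is Postfix's view of its active and deferred queue: messages it has already accepted and is still trying to deliver. To answer the question of what is actually sitting in such a queue (who it is from, which domains it is addressed to, why it is stuck), here is an added example, not from the thread and not YunoHost or Postfix code, that parses the `mailq` / `postqueue -p` listing format and summarizes it. The listing embedded in the script is constructed to mirror the format postqueue prints; the queue IDs, addresses and hosts are placeholders.

```python
"""Summarize a `mailq` / `postqueue -p` listing: who the queued messages are
from, which domains they are addressed to, and why they are stuck.

Added example for the thread above; not YunoHost or Postfix code. The queue
listing below is constructed in the format postqueue prints: a header line,
then per message a queue-ID line (ID, optional * = active / ! = hold, size,
arrival time, sender), an optional "(reason)" line, one indented line per
recipient, and a blank line. Queue IDs, addresses and hosts are placeholders.
"""
import re
import sys
from collections import Counter
from typing import Dict, List, Optional

SAMPLE_MAILQ = """\
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
5977620D1*    2345 Thu Nov 26 02:40:45  user@domain.tld
                                         7653223147@txt.att.net
                                         7753796439@txt.att.net

752081C49     1890 Wed Nov 25 18:58:35  user@domain.tld
(host smtp.free.fr[2a01:e0c:1::25] said: 550 5.7.1 Spam Detected - Mail Rejected. (in reply to end of DATA command))
                                         2163755375@txt.att.net
                                         2055683608@vtext.com

1AB2C3D4E     1024 Wed Nov 25 10:12:00  alice@domain.tld
(connect to mail.example.org[192.0.2.20]:25: Connection timed out)
                                         bob@example.org

-- 6 Kbytes in 3 Requests.
"""

# Queue-ID line: "<id><flag>  <size> <Day Mon dd HH:MM:SS>  <sender>"
ENTRY_RE = re.compile(
    r"^(?P<qid>[0-9A-Za-z]+)(?P<flag>[*!]?)\s+(?P<size>\d+)\s+"
    r"(?P<arrival>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d)\s+(?P<sender>\S+)$"
)


class QueueEntry:
    def __init__(self, qid: str, flag: str, size: int, arrival: str, sender: str):
        self.qid = qid
        self.status = {"*": "active", "!": "hold"}.get(flag, "deferred")
        self.size = size
        self.arrival = arrival
        self.sender = sender
        self.recipients: List[str] = []
        self.reason: Optional[str] = None


def parse_mailq(text: str) -> List[QueueEntry]:
    entries: List[QueueEntry] = []
    current: Optional[QueueEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                 # blank line terminates a message
            current = None
            continue
        if line.startswith("-"):     # column header or "-- N Kbytes in M Requests."
            continue
        m = ENTRY_RE.match(line)
        if m:
            current = QueueEntry(m["qid"], m["flag"], int(m["size"]),
                                 m["arrival"], m["sender"])
            entries.append(current)
        elif current is None:
            continue                 # e.g. "Mail queue is empty"
        elif line.startswith("("):   # deferral reason; indentation varies by version
            current.reason = line[1:-1] if line.endswith(")") else line[1:]
        elif "@" in line:
            current.recipients.append(line)
    return entries


def reason_key(reason: Optional[str]) -> str:
    """Collapse a deferral reason to its SMTP reply code, or to its first clause."""
    if not reason:
        return "no reason recorded"
    m = re.search(r"\b(\d{3}) (\d\.\d\.\d)\b", reason)
    return f"{m.group(1)} {m.group(2)}" if m else reason.split(":")[0]


def summarize(entries: List[QueueEntry]) -> Dict[str, object]:
    return {
        "messages": len(entries),
        "recipients": sum(len(e.recipients) for e in entries),
        "by_status": dict(Counter(e.status for e in entries)),
        "by_sender": dict(Counter(e.sender for e in entries)),
        "by_recipient_domain": dict(Counter(
            r.rsplit("@", 1)[1].lower() for e in entries for r in e.recipients)),
        "by_reason": dict(Counter(reason_key(e.reason) for e in entries)),
    }


if __name__ == "__main__":
    # Usage: mailq > /tmp/queue.txt && python3 mailq_summary.py /tmp/queue.txt
    listing = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAILQ
    for key, value in summarize(parse_mailq(listing)).items():
        print(f"{key}: {value}")
```

On the real server, save `mailq` output to a file and feed it in. A queue dominated by one local sender, addressed to dozens of recipients at SMS gateway domains the user has never written to, and bouncing with the relay's spam verdict is the pattern of a relayed spam run rather than of ordinary deferred mail.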

OK, I get this with that command: https://paste.yunohost.org/uzuqovepuz.vbs
I don't know whether it adds anything??

Another abnormal thing...
In his Roundcube mailbox there are several folders. I know he uses Thunderbird as a local client to read his mail. I notice that he has two rows of folders in his Roundcube interface. I also use Roundcube and Thunderbird locally and I don't have that... I attach a screenshot:

I'm doing this for someone else, it's not for me...

I think there are bits missing... Are you sure you typed the command I gave and shared the whole output? There should be at least 1000 lines... (and not sure even that is enough)

Well, you also have to be careful not to go full-paranoia and think that every "abnormal" thing is linked to a computer attack that hasn't been demonstrated yet. In this case it doesn't seem to have anything to do with it, other than that it's the mail client's UI...

Careful with the screenshots rodlinux, there is clearly a person's identity (your friend's?) in one of the Roundcube folders.

Remember to anonymize your screenshots with a quick pass in Paint before posting :)

OK, well, it wasn't much, but thanks for pointing it out...

Er, yes, maybe... Actually I had to change some settings of my terminal to be able to scroll further up in the output... So a lot of lines here:
https://paste.yunohost.org/enikicojiq.scala

Otherwise, a detail, maybe important?? At the beginning of this server's installation, I had edited the file /etc/postfix/main.conf with these lines:

relayhost = smtp.free.fr
compatibility_level = 2

Since we migrated to Buster / YunoHost 4, about 2 months ago, I did a regen-conf of postfix (and commented those lines out at the bottom so as to remember them). It seems to me this type of configuration is no longer needed...
Although I do see recent topics where this method is still used. I'm going to put back just the first line, relayhost, where the line is empty.

Does

grep -nr "auth=1" /var/log/mail.info*

return anything?

Yes: hastebin

I just tried putting the line back:

relayhost = smtp.free.fr

in /etc/postfix/main.conf and restarting postfix, and now I see a flood of errors in the mailbox...
MAILER-DAEMON@domain.tld

This is the mail system at host lucchareyron.com.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

<2163755375@txt.att.net>: host smtp.free.fr[2a01:e0c:1::25] said: 550 5.7.1
    Spam Detected - Mail Rejected.  Please see our policy at:
    http://postmaster.free.fr/#spam_detected (in reply to end of DATA command)

<5038398672@txt.att.net>: host smtp.free.fr[2a01:e0c:1::25] said: 550 5.7.1
    Spam Detected - Mail Rejected.  Please see our policy at:
    http://postmaster.free.fr/#spam_detected (in reply to end of DATA command)

<5094993646@txt.att.net>: host smtp.free.fr[2a01:e0c:1::25] said: 550 5.7.1
    Spam Detected - Mail Rejected.  Please see our policy at:
    http://postmaster.free.fr/#spam_detected (in reply to end of DATA command)

<5136808993@txt.att.net>: host smtp.free.fr[2a01:e0c:1::25] said: 550 5.7.1
    Spam Detected - Mail Rejected.  Please see our policy at:
    http://postmaster.free.fr/#spam_detected (in reply to end of DATA command)

<7026828121@txt.att.net>: host smtp.free.fr[2a01:e0c:1::25] said: 550 5.7.1
    Spam Detected - Mail Rejected.  Please see our policy at:
    http://postmaster.free.fr/#spam_detected (in reply to end of DATA command)

<7027685990@txt.att.net>: host smtp.free.fr[2a01:e0c:1::25] said: 550 5.7.1
    Spam Detected - Mail Rejected.  Please see our policy at:
    http://postmaster.free.fr/#spam_detected (in reply to end of DATA command)

<7142734784@txt.att.net>: host smtp.free.fr[2a01:e0c:1::25] said: 550 5.7.1
    Spam Detected - Mail Rejected.  Please see our policy at:
    http://postmaster.free.fr/#spam_detected (in reply to end of DATA command)

<7143505452@txt.att.net>: host smtp.free.fr[2a01:e0c:1::25] said: 550 5.7.1
    Spam Detected - Mail Rejected.  Please see our policy at:
    http://postmaster.free.fr/#spam_detected (in reply to end of DATA command)

<7148120147@txt.att.net>: host smtp.free.fr[2a01:e0c:1::25] said: 550 5.7.1
    Spam Detected - Mail Rejected.  Please see our policy at:
    http://postmaster.free.fr/#spam_detected (in reply to end of DATA command)

<7168661545@txt.att.net>: host smtp.free.fr[2a01:e0c:1::25] said: 550 5.7.1
    Spam Detected - Mail Rejected.  Please see our policy at:
    http://postmaster.free.fr/#spam_detected (in reply to end of DATA command)

<9186061259@txt.att.net>: host smtp.free.fr[2a01:e0c:1::25] said: 550 5.7.1
    Spam Detected - Mail Rejected.  Please see our policy at:
    http://postmaster.free.fr/#spam_detected (in reply to end of DATA command)

<2055683608@vtext.com>: host smtp.free.fr[2a01:e0c:1::25] said: 550 5.7.1 Spam
    Detected - Mail Rejected.  Please see our policy at:
    http://postmaster.free.fr/#spam_detected (in reply to end of DATA command)

<2164104360@vtext.com>: host smtp.free.fr[2a01:e0c:1::25] said: 550 5.7.1 Spam
    Detected - Mail Rejected.  Please see our policy at:
    http://postmaster.free.fr/#spam_detected (in reply to end of DATA command)

<2165367172@vtext.com>: host smtp.free.fr[2a01:e0c:1::25] said: 550 5.7.1 Spam
    Detected - Mail Rejected.  Please see our policy at:
    http://postmaster.free.fr/#spam_detected (in reply to end of DATA command)

<2708559801@vtext.com>: host smtp.free.fr[2a01:e0c:1::25] said: 550 5.7.1 Spam
    Detected - Mail Rejected.  Please see our policy at:
    http://postmaster.free.fr/#spam_detected (in reply to end of DATA command)

<3365809663@vtext.com>: host smtp.free.fr[2a01:e0c:1::25] said: 550 5.7.1 Spam
    Detected - Mail Rejected.  Please see our policy at:
    http://postmaster.free.fr/#spam_detected (in reply to end of DATA command)

<3367076984@vtext.com>: host smtp.free.fr[2a01:e0c:1::25] said: 550 5.7.1 Spam
    Detected - Mail Rejected.  Please see our policy at:
    http://postmaster.free.fr/#spam_detected (in reply to end of DATA command)

<4043136083@vtext.com>: host smtp.free.fr[2a01:e0c:1::25] said: 550 5.7.1 Spam
    Detected - Mail Rejected.  Please see our policy at:
    http://postmaster.free.fr/#spam_detected (in reply to end of DATA command)

<4045614387@vtext.com>: host smtp.free.fr[2a01:e0c:1::25] said: 550 5.7.1 Spam
    Detected - Mail Rejected.  Please see our policy at:
    http://postmaster.free.fr/#spam_detected (in reply to end of DATA command)

<4192058917@vtext.com>: host smtp.free.fr[2a01:e0c:1::25] said: 550 5.7.1 Spam
    Detected - Mail Rejected.  Please see our policy at:
    http://postmaster.free.fr/#spam_detected (in reply to end of DATA command)

<4192804726@vtext.com>: host smtp.free.fr[2a01:e0c:1::25] said: 550 5.7.1 Spam
    Detected - Mail Rejected.  Please see our policy at:
    http://postmaster.free.fr/#spam_detected (in reply to end of DATA command)

<4407598668@vtext.com>: host smtp.free.fr[2a01:e0c:1::25] said: 550 5.7.1 Spam
    Detected - Mail Rejected.  Please see our policy at:
    http://postmaster.free.fr/#spam_detected (in reply to end of DATA command)

<5106726612@vtext.com>: host smtp.free.fr[2a01:e0c:1::25] said: 550 5.7.1 Spam
    Detected - Mail Rejected.  Please see our policy at:
    http://postmaster.free.fr/#spam_detected (in reply to end of DATA command)

<5204712048@vtext.com>: host smtp.free.fr[2a01:e0c:1::25] said: 550 5.7.1 Spam
    Detected - Mail Rejected.  Please see our policy at:
    http://postmaster.free.fr/#spam_detected (in reply to end of DATA command)

<5856837264@vtext.com>: host smtp.free.fr[2a01:e0c:1::25] said: 550 5.7.1 Spam
    Detected - Mail Rejected.  Please see our policy at:
    http://postmaster.free.fr/#spam_detected (in reply to end of DATA command)

<5858800173@vtext.com>: host smtp.free.fr[2a01:e0c:1::25] said: 550 5.7.1 Spam
    Detected - Mail Rejected.  Please see our policy at:
    http://postmaster.free.fr/#spam_detected (in reply to end of DATA command)

<6013746906@vtext.com>: host smtp.free.fr[2a01:e0c:1::25] said: 550 5.7.1 Spam
    Detected - Mail Rejected.  Please see our policy at:
    http://postmaster.free.fr/#spam_detected (in reply to end of DATA command)

<6083459762@vtext.com>: host smtp.free.fr[2a01:e0c:1::25] said: 550 5.7.1 Spam
    Detected - Mail Rejected.  Please see our policy at:
    http://postmaster.free.fr/#spam_detected (in reply to end of DATA command)

<6304504617@vtext.com>: host smtp.free.fr[2a01:e0c:1::25] said: 550 5.7.1 Spam
    Detected - Mail Rejected.  Please see our policy at:
    http://postmaster.free.fr/#spam_detected (in reply to end of DATA command)

<7022750009@vtext.com>: host smtp.free.fr[2a01:e0c:1::25] said: 550 5.7.1 Spam
    Detected - Mail Rejected.  Please see our policy at:
    http://postmaster.free.fr/#spam_detected (in reply to end of DATA command)

<7024496642@vtext.com>: host smtp.free.fr[2a01:e0c:1::25] said: 550 5.7.1 Spam
    Detected - Mail Rejected.  Please see our policy at:
    http://postmaster.free.fr/#spam_detected (in reply to end of DATA command)

<7145876515@vtext.com>: host smtp.free.fr[2a01:e0c:1::25] said: 550 5.7.1 Spam
    Detected - Mail Rejected.  Please see our policy at:
    http://postmaster.free.fr/#spam_detected (in reply to end of DATA command)

<8136904058@vtext.com>: host smtp.free.fr[2a01:e0c:1::25] said: 550 5.7.1 Spam
    Detected - Mail Rejected.  Please see our policy at:
    http://postmaster.free.fr/#spam_detected (in reply to end of DATA command)

<9099575447@vtext.com>: host smtp.free.fr[2a01:e0c:1::25] said: 550 5.7.1 Spam
    Detected - Mail Rejected.  Please see our policy at:
    http://postmaster.free.fr/#spam_detected (in reply to end of DATA command)

<9196044263@vtext.com>: host smtp.free.fr[2a01:e0c:1::25] said: 550 5.7.1 Spam
    Detected - Mail Rejected.  Please see our policy at:
    http://postmaster.free.fr/#spam_detected (in reply to end of DATA command)

<9736003606@vtext.com>: host smtp.free.fr[2a01:e0c:1::25] said: 550 5.7.1 Spam
    Detected - Mail Rejected.  Please see our policy at:
    http://postmaster.free.fr/#spam_detected (in reply to end of DATA command)

<9805253195@vtext.com>: host smtp.free.fr[2a01:e0c:1::25] said: 550 5.7.1 Spam
    Detected - Mail Rejected.  Please see our policy at:
    http://postmaster.free.fr/#spam_detected (in reply to end of DATA command)
Reporting-MTA: dns; lucchareyron.com
X-Postfix-Queue-ID: 752081C49
X-Postfix-Sender: rfc822; luccourriel@lucchareyron.com
Arrival-Date: Wed, 25 Nov 2020 18:58:35 +0100 (CET)

Final-Recipient: rfc822; 2163755375@txt.att.net
Original-Recipient: rfc822;2163755375@txt.att.net
Action: failed
Status: 5.7.1
Remote-MTA: dns; smtp.free.fr
Diagnostic-Code: smtp; 550 5.7.1 Spam Detected - Mail Rejected.  Please see our
    policy at: http://postmaster.free.fr/#spam_detected

Final-Recipient: rfc822; 5038398672@txt.att.net
Original-Recipient: rfc822;5038398672@txt.att.net
Action: failed
Status: 5.7.1
Remote-MTA: dns; smtp.free.fr
Diagnostic-Code: smtp; 550 5.7.1 Spam Detected - Mail Rejected.  Please see our
    policy at: http://postmaster.free.fr/#spam_detected

Final-Recipient: rfc822; 5094993646@txt.att.net
Original-Recipient: rfc822;5094993646@txt.att.net
Action: failed
Status: 5.7.1
Remote-MTA: dns; smtp.free.fr
Diagnostic-Code: smtp; 550 5.7.1 Spam Detected - Mail Rejected.  Please see our
    policy at: http://postmaster.free.fr/#spam_detected

Final-Recipient: rfc822; 5136808993@txt.att.net
Original-Recipient: rfc822;5136808993@txt.att.net
Action: failed
Status: 5.7.1
Remote-MTA: dns; smtp.free.fr
Diagnostic-Code: smtp; 550 5.7.1 Spam Detected - Mail Rejected.  Please see our
    policy at: http://postmaster.free.fr/#spam_detected

Final-Recipient: rfc822; 7026828121@txt.att.net
Original-Recipient: rfc822;7026828121@txt.att.net
Action: failed
Status: 5.7.1
Remote-MTA: dns; smtp.free.fr
Diagnostic-Code: smtp; 550 5.7.1 Spam Detected - Mail Rejected.  Please see our
    policy at: http://postmaster.free.fr/#spam_detected

Final-Recipient: rfc822; 7027685990@txt.att.net
Original-Recipient: rfc822;7027685990@txt.att.net
Action: failed
Status: 5.7.1
Remote-MTA: dns; smtp.free.fr
Diagnostic-Code: smtp; 550 5.7.1 Spam Detected - Mail Rejected.  Please see our
    policy at: http://postmaster.free.fr/#spam_detected

Final-Recipient: rfc822; 7142734784@txt.att.net
Original-Recipient: rfc822;7142734784@txt.att.net
Action: failed
Status: 5.7.1
Remote-MTA: dns; smtp.free.fr
Diagnostic-Code: smtp; 550 5.7.1 Spam Detected - Mail Rejected.  Please see our
    policy at: http://postmaster.free.fr/#spam_detected

Final-Recipient: rfc822; 7143505452@txt.att.net
Original-Recipient: rfc822;7143505452@txt.att.net
Action: failed
Status: 5.7.1
Remote-MTA: dns; smtp.free.fr
Diagnostic-Code: smtp; 550 5.7.1 Spam Detected - Mail Rejected.  Please see our
    policy at: http://postmaster.free.fr/#spam_detected

Final-Recipient: rfc822; 7148120147@txt.att.net
Original-Recipient: rfc822;7148120147@txt.att.net
Action: failed
Status: 5.7.1
Remote-MTA: dns; smtp.free.fr
Diagnostic-Code: smtp; 550 5.7.1 Spam Detected - Mail Rejected.  Please see our
    policy at: http://postmaster.free.fr/#spam_detected

Final-Recipient: rfc822; 7168661545@txt.att.net
Original-Recipient: rfc822;7168661545@txt.att.net
Action: failed
Status: 5.7.1
Remote-MTA: dns; smtp.free.fr
Diagnostic-Code: smtp; 550 5.7.1 Spam Detected - Mail Rejected.  Please see our
    policy at: http://postmaster.free.fr/#spam_detected

Final-Recipient: rfc822; 9186061259@txt.att.net
Original-Recipient: rfc822;9186061259@txt.att.net
Action: failed
Status: 5.7.1
Remote-MTA: dns; smtp.free.fr
Diagnostic-Code: smtp; 550 5.7.1 Spam Detected - Mail Rejected.  Please see our
    policy at: http://postmaster.free.fr/#spam_detected

Final-Recipient: rfc822; 2055683608@vtext.com
Original-Recipient: rfc822;2055683608@vtext.com
Action: failed
Status: 5.7.1
Remote-MTA: dns; smtp.free.fr
Diagnostic-Code: smtp; 550 5.7.1 Spam Detected - Mail Rejected.  Please see our
    policy at: http://postmaster.free.fr/#spam_detected

Final-Recipient: rfc822; 2164104360@vtext.com
Original-Recipient: rfc822;2164104360@vtext.com
Action: failed
Status: 5.7.1
Remote-MTA: dns; smtp.free.fr
Diagnostic-Code: smtp; 550 5.7.1 Spam Detected - Mail Rejected.  Please see our
    policy at: http://postmaster.free.fr/#spam_detected

Final-Recipient: rfc822; 2165367172@vtext.com
Original-Recipient: rfc822;2165367172@vtext.com
Action: failed
Status: 5.7.1
Remote-MTA: dns; smtp.free.fr
Diagnostic-Code: smtp; 550 5.7.1 Spam Detected - Mail Rejected.  Please see our
    policy at: http://postmaster.free.fr/#spam_detected

Final-Recipient: rfc822; 2708559801@vtext.com
Original-Recipient: rfc822;2708559801@vtext.com
Action: failed
Status: 5.7.1
Remote-MTA: dns; smtp.free.fr
Diagnostic-Code: smtp; 550 5.7.1 Spam Detected - Mail Rejected.  Please see our
    policy at: http://postmaster.free.fr/#spam_detected

Final-Recipient: rfc822; 3365809663@vtext.com
Original-Recipient: rfc822;3365809663@vtext.com
Action: failed
Status: 5.7.1
Remote-MTA: dns; smtp.free.fr
Diagnostic-Code: smtp; 550 5.7.1 Spam Detected - Mail Rejected.  Please see our
    policy at: http://postmaster.free.fr/#spam_detected

Final-Recipient: rfc822; 3367076984@vtext.com
Original-Recipient: rfc822;3367076984@vtext.com
Action: failed
Status: 5.7.1
Remote-MTA: dns; smtp.free.fr
Diagnostic-Code: smtp; 550 5.7.1 Spam Detected - Mail Rejected.  Please see our
    policy at: http://postmaster.free.fr/#spam_detected

Final-Recipient: rfc822; 4043136083@vtext.com
Original-Recipient: rfc822;4043136083@vtext.com
Action: failed
Status: 5.7.1
Remote-MTA: dns; smtp.free.fr
Diagnostic-Code: smtp; 550 5.7.1 Spam Detected - Mail Rejected.  Please see our
    policy at: http://postmaster.free.fr/#spam_detected

Final-Recipient: rfc822; 4045614387@vtext.com
Original-Recipient: rfc822;4045614387@vtext.com
Action: failed
Status: 5.7.1
Remote-MTA: dns; smtp.free.fr
Diagnostic-Code: smtp; 550 5.7.1 Spam Detected - Mail Rejected.  Please see our
    policy at: http://postmaster.free.fr/#spam_detected

Final-Recipient: rfc822; 4192058917@vtext.com
Original-Recipient: rfc822;4192058917@vtext.com
Action: failed
Status: 5.7.1
Remote-MTA: dns; smtp.free.fr
Diagnostic-Code: smtp; 550 5.7.1 Spam Detected - Mail Rejected.  Please see our
    policy at: http://postmaster.free.fr/#spam_detected

Final-Recipient: rfc822; 4192804726@vtext.com
Original-Recipient: rfc822;4192804726@vtext.com
Action: failed
Status: 5.7.1
Remote-MTA: dns; smtp.free.fr
Diagnostic-Code: smtp; 550 5.7.1 Spam Detected - Mail Rejected.  Please see our
    policy at: http://postmaster.free.fr/#spam_detected

Final-Recipient: rfc822; 4407598668@vtext.com
Original-Recipient: rfc822;4407598668@vtext.com
Action: failed
Status: 5.7.1
Remote-MTA: dns; smtp.free.fr
Diagnostic-Code: smtp; 550 5.7.1 Spam Detected - Mail Rejected.  Please see our
    policy at: http://postmaster.free.fr/#spam_detected

Final-Recipient: rfc822; 5106726612@vtext.com
Original-Recipient: rfc822;5106726612@vtext.com
Action: failed
Status: 5.7.1
Remote-MTA: dns; smtp.free.fr
Diagnostic-Code: smtp; 550 5.7.1 Spam Detected - Mail Rejected.  Please see our
    policy at: http://postmaster.free.fr/#spam_detected

Final-Recipient: rfc822; 5204712048@vtext.com
Original-Recipient: rfc822;5204712048@vtext.com
Action: failed
Status: 5.7.1
Remote-MTA: dns; smtp.free.fr
Diagnostic-Code: smtp; 550 5.7.1 Spam Detected - Mail Rejected.  Please see our
    policy at: http://postmaster.free.fr/#spam_detected

Final-Recipient: rfc822; 5856837264@vtext.com
Original-Recipient: rfc822;5856837264@vtext.com
Action: failed
Status: 5.7.1
Remote-MTA: dns; smtp.free.fr
Diagnostic-Code: smtp; 550 5.7.1 Spam Detected - Mail Rejected.  Please see our
    policy at: http://postmaster.free.fr/#spam_detected

Final-Recipient: rfc822; 5858800173@vtext.com
Original-Recipient: rfc822;5858800173@vtext.com
Action: failed
Status: 5.7.1
Remote-MTA: dns; smtp.free.fr
Diagnostic-Code: smtp; 550 5.7.1 Spam Detected - Mail Rejected.  Please see our
    policy at: http://postmaster.free.fr/#spam_detected

Final-Recipient: rfc822; 6013746906@vtext.com
Original-Recipient: rfc822;6013746906@vtext.com
Action: failed
Status: 5.7.1
Remote-MTA: dns; smtp.free.fr
Diagnostic-Code: smtp; 550 5.7.1 Spam Detected - Mail Rejected.  Please see our
    policy at: http://postmaster.free.fr/#spam_detected

Final-Recipient: rfc822; 6083459762@vtext.com
Original-Recipient: rfc822;6083459762@vtext.com
Action: failed
Status: 5.7.1
Remote-MTA: dns; smtp.free.fr
Diagnostic-Code: smtp; 550 5.7.1 Spam Detected - Mail Rejected.  Please see our
    policy at: http://postmaster.free.fr/#spam_detected

Final-Recipient: rfc822; 6304504617@vtext.com
Original-Recipient: rfc822;6304504617@vtext.com
Action: failed
Status: 5.7.1
Remote-MTA: dns; smtp.free.fr
Diagnostic-Code: smtp; 550 5.7.1 Spam Detected - Mail Rejected.  Please see our
    policy at: http://postmaster.free.fr/#spam_detected

Final-Recipient: rfc822; 7022750009@vtext.com
Original-Recipient: rfc822;7022750009@vtext.com
Action: failed
Status: 5.7.1
Remote-MTA: dns; smtp.free.fr
Diagnostic-Code: smtp; 550 5.7.1 Spam Detected - Mail Rejected.  Please see our
    policy at: http://postmaster.free.fr/#spam_detected

Final-Recipient: rfc822; 7024496642@vtext.com
Original-Recipient: rfc822;7024496642@vtext.com
Action: failed
Status: 5.7.1
Remote-MTA: dns; smtp.free.fr
Diagnostic-Code: smtp; 550 5.7.1 Spam Detected - Mail Rejected.  Please see our
    policy at: http://postmaster.free.fr/#spam_detected

Final-Recipient: rfc822; 7145876515@vtext.com
Original-Recipient: rfc822;7145876515@vtext.com
Action: failed
Status: 5.7.1
Remote-MTA: dns; smtp.free.fr
Diagnostic-Code: smtp; 550 5.7.1 Spam Detected - Mail Rejected.  Please see our
    policy at: http://postmaster.free.fr/#spam_detected

Final-Recipient: rfc822; 8136904058@vtext.com
Original-Recipient: rfc822;8136904058@vtext.com
Action: failed
Status: 5.7.1
Remote-MTA: dns; smtp.free.fr
Diagnostic-Code: smtp; 550 5.7.1 Spam Detected - Mail Rejected.  Please see our
    policy at: http://postmaster.free.fr/#spam_detected

Final-Recipient: rfc822; 9099575447@vtext.com
Original-Recipient: rfc822;9099575447@vtext.com
Action: failed
Status: 5.7.1
Remote-MTA: dns; smtp.free.fr
Diagnostic-Code: smtp; 550 5.7.1 Spam Detected - Mail Rejected.  Please see our
    policy at: http://postmaster.free.fr/#spam_detected

Final-Recipient: rfc822; 9196044263@vtext.com
Original-Recipient: rfc822;9196044263@vtext.com
Action: failed
Status: 5.7.1
Remote-MTA: dns; smtp.free.fr
Diagnostic-Code: smtp; 550 5.7.1 Spam Detected - Mail Rejected.  Please see our
    policy at: http://postmaster.free.fr/#spam_detected

Final-Recipient: rfc822; 9736003606@vtext.com
Original-Recipient: rfc822;9736003606@vtext.com
Action: failed
Status: 5.7.1
Remote-MTA: dns; smtp.free.fr
Diagnostic-Code: smtp; 550 5.7.1 Spam Detected - Mail Rejected.  Please see our
    policy at: http://postmaster.free.fr/#spam_detected

Final-Recipient: rfc822; 9805253195@vtext.com
Original-Recipient: rfc822;9805253195@vtext.com
Action: failed
Status: 5.7.1
Remote-MTA: dns; smtp.free.fr
Diagnostic-Code: smtp; 550 5.7.1 Spam Detected - Mail Rejected.  Please see our
    policy at: http://postmaster.free.fr/#spam_detected

So I'm removing that line and putting it back as before:

relayhost =

So let's look at the surrounding lines in a bit more detail, by adding -C5:

sudo grep -nr -C5 "auth=1" /var/log/mail.info*

What worries me, among other things, is this Diagnosis message:

3: 
        status: WARNING
        summary: Too many pending emails in mail queue (107 emails)

Would these be messages that fail to be received, or that fail to be sent??

https://paste.yunohost.org/iqogezipab.scala

And where it says "sasl_username=user", is that you who replaced the real "user" that was there before, or is it the actual original message?

Yes, I replaced the user...

Well then, naively, I see quite a lot of different IPs in the log that authenticated with this user... So personally I'd lean towards a not-very-secure password that allowed an attacker to authenticate on the mail server and use it as a spam relay...

If you want to see the associated IPs, you can do a

grep -nr "sasl_username" /var/log/mail.info  | grep -E -o "client=\S*" | sort | uniq -c

(no need to share the info, it's just for you if you want to keep digging... but looking at 2-3 of the IPs on https://www.ip-tracker.org/ I see there are some in China, so, well)

However, I'm going to delete the logs you posted on paste.yunohost.org because there's a bit too much private info in there
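The grep | sort | uniq -c one-liner above counts client IPs across all SASL logins at once. As an added example that is not part of the thread and not YunoHost or Postfix code, here is the same triage done per username, so that an account authenticating from many unrelated networks (the signature of a leaked password being used by a spam botnet) stands out from a home user who always connects from the same one or two addresses. The log lines are constructed in the format Postfix's smtpd writes after a SASL login; the usernames, IPs and the distinct-IP threshold are assumptions.

```python
"""Triage Postfix SASL logins in /var/log/mail.info: which username
authenticated from which client IPs, and does any account log in from more
distinct addresses than a single home user plausibly would?

Added example for the discussion above; not YunoHost or Postfix code. It is
the per-user form of the grep | sort | uniq -c one-liner. The log lines below
are constructed in the format Postfix smtpd writes after a SASL login; the
usernames, IPs and the distinct-IP threshold are assumptions.
"""
import re
import sys
from collections import defaultdict
from typing import Dict, Iterable, List

SAMPLE_LOG = """\
Nov 25 18:58:35 mydomain postfix/submission/smtpd[4101]: 752081C49: client=unknown[203.0.113.45], sasl_method=PLAIN, sasl_username=user
Nov 25 19:02:11 mydomain postfix/submission/smtpd[4130]: 7A2F11C4B: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=user
Nov 25 19:10:02 mydomain postfix/submission/smtpd[4188]: 8B3C01C52: client=box.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
Nov 26 02:40:45 mydomain postfix/submission/smtpd[5020]: 5977620D1: client=unknown[203.0.113.99], sasl_method=PLAIN, sasl_username=user
Nov 26 02:41:03 mydomain postfix/submission/smtpd[5021]: 5A1D020D3: client=unknown[198.51.100.200], sasl_method=PLAIN, sasl_username=user
Nov 26 03:15:40 mydomain postfix/smtpd[5100]: 61B0020E0: client=mx.example.org[192.0.2.55]
Nov 26 08:30:12 mydomain postfix/submission/smtpd[5210]: 6C9E120F1: client=box.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
Nov 26 09:05:58 mydomain postfix/submission/smtpd[5260]: 70AB3210A: client=unknown[203.0.113.45], sasl_method=PLAIN, sasl_username=user
"""

# smtpd log line written once a client has authenticated; unauthenticated
# inbound connections (no sasl_* fields, like the mx.example.org line above)
# are deliberately not matched.
AUTH_RE = re.compile(
    r"postfix/(?:[\w-]+/)?smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): "
    r"client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\], "
    r"sasl_method=(?P<method>[^,\s]+), sasl_username=(?P<user>\S+)"
)

Counts = Dict[str, Dict[str, int]]   # {username: {client_ip: logins}}


def parse_auths(lines: Iterable[str]) -> Counts:
    per_user: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            per_user[m["user"]][m["ip"]] += 1
    return {user: dict(ips) for user, ips in per_user.items()}


def suspicious_users(per_user: Counts, max_distinct_ips: int = 3) -> List[str]:
    """Accounts seen from more distinct client IPs than the threshold allows.
    A single home user normally shows one or two addresses; a leaked password
    used by a spam botnet shows up as logins from many unrelated networks."""
    return sorted(u for u, ips in per_user.items() if len(ips) > max_distinct_ips)


def report(per_user: Counts, max_distinct_ips: int = 3) -> str:
    flagged = set(suspicious_users(per_user, max_distinct_ips))
    out = []
    for user, ips in sorted(per_user.items(), key=lambda kv: -sum(kv[1].values())):
        mark = "  <-- SUSPICIOUS" if user in flagged else ""
        out.append(f"{user}: {sum(ips.values())} logins from {len(ips)} distinct IPs{mark}")
        for ip, n in sorted(ips.items(), key=lambda kv: -kv[1]):
            out.append(f"    {n:5d}  {ip}")
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: sudo python3 sasl_triage.py /var/log/mail.info  (defaults to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    print(report(parse_auths(lines)))
```

Run it against the real log (and the rotated mail.info.1, mail.info.*.gz after decompressing) to see when the foreign logins started; that date is the earliest point at which the password was known to the attacker. One practical caveat that follows from the thread but is not stated in it: changing the password stops new logins, but the spam Postfix has already accepted stays in the deferred queue and keeps being retried until it expires or is removed with `postsuper -d ALL deferred`.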