I'm running postfix with opendkim. My opendkim milter is running on port 10029.
CORRECTION: My opendkim milter is running on a unix socket, and there is a DKIM content filter set up on port 10029.
Just today, I started seeing messages like this appearing in my postfix log ...
2023.11.01 21:29:40 hippo postfix/smtp[29756]: EBBA428F83B: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10029, delay=0.94, delays=0.78/0.01/0.04/0.11, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as B71ED28F83C)
It appears that some people have figured out how to use my opendkim milter as an open relay. Or am I somehow misinterpreting this log message?
My postfix server itself is not an open relay, and smtp can only be initiated via authentication.
If I am correct in guessing that opendkim is being used as an open relay, is this a known problem? Or if I'm totally misunderstanding what's going on, can anyone help me understand what's actually happening with those seemingly relayed messages?
Thank you very much.
UPDATE: Could it be that someone discovered that 10029 is an open port, and that it's possible to misuse DKIM's listening port in order to relay emails?
If so, do I simply need to do the following in order to only enable port 10029 access from localhost? ...
iptables -I INPUT -p tcp --dport 10029 -j DROP
iptables -I INPUT -s 127.0.0.1 -p tcp --dport 10029 -j ACCEPT
It turns out that the iptables fix indeed corrected my problem, although I had originally posted the commands in the wrong order. Should be this way ...
But the more basic problem that I needed to solve was as follows:
Long ago I switched from DKIMproxy to opendkim. My milter setup is already properly using a unix socket for opendkim connectivity, but there was some old, left-over code in master.cf that references DKIMproxy that I forgot to delete, as follows:
All I needed to do was delete everything from the -o content_filter=dksign:[127.0.0.1]:10029 line to the end of the listed code block, and the problem went away.
And, of course, after that, I don't need the iptables commands any more.
The reason I never saw this problem until now is probably that someone must have recently discovered the open 10029 port that had been sitting around since a long time ago.
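An added example, not part of the original post: a small audit of master.cf text that lists inet listeners, finds leftover `-o content_filter=` overrides like the one described above, and reports next-hop ports that no master.cf service provides. The sample file is constructed (the 10030 listener and the surrounding entries are assumptions), and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the leftover entry described above (not the poster's file).
SAMPLE_MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=dksign:[127.0.0.1]:10029
dksign     unix  -  -  n  -  10 smtp
  -o smtp_send_xforward_command=yes
127.0.0.1:10030 inet n - n - 10 smtpd
  -o content_filter=
"""

def logical_lines(text):
    """Join continuation lines (leading whitespace); skip blank and comment lines."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def audit(text):
    """Return (listeners, filters) found in master.cf text."""
    listeners, filters = [], []
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) < 8:          # not a complete service entry
            continue
        name, stype = fields[0], fields[1]
        if stype == "inet":
            host = name.rpartition(":")[0]   # empty when only a port/service name is given
            listeners.append((name, host in ("127.0.0.1", "[::1]", "localhost")))
        for m in re.finditer(r"-o\s+content_filter=(\S+)", line):
            transport, _, nexthop = m.group(1).partition(":")
            filters.append((name, transport, nexthop))
    return listeners, filters

def external_filter_ports(text):
    """Ports used as content_filter next hops that no master.cf inet service provides."""
    listeners, filters = audit(text)
    served = {name.rpartition(":")[2] for name, _ in listeners}
    return sorted({nh.rpartition(":")[2] for _, _, nh in filters} - served)

if __name__ == "__main__":
    listeners, filters = audit(SAMPLE_MASTER_CF)
    for name, loopback in listeners:
        print(f"listener {name}: {'loopback only' if loopback else 'not pinned to loopback'}")
    for svc, transport, nexthop in filters:
        print(f"{svc}: content_filter via {transport} -> {nexthop}")
    print("check bind address of daemons on ports:", external_filter_ports(SAMPLE_MASTER_CF))
```

Any port the last function reports belongs to a daemon outside Postfix, so its bind address is worth checking with `ss -ltnp` before deciding whether the entry is still needed.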