How can a Postfix/Dovecot(ssl)/Apache/Roundcube(non-ssl) setup leak email addresses?

Posted by Jens Björnhager on Server Fault See other posts from Server Fault or by Jens Björnhager
Published on 2010-04-27T22:33:17Z Indexed on 2010/04/27 22:43 UTC
Read the original article Hit count: 471

Filed under:

email

|

emailserver

|

webmail

|

security

I have a linux box email server with Postfix as the MTA, Dovecot as the IMAP server and Apache with Roundcube as webmail.

In my /etc/postfix/aliases I have just above a hundred different aliases which makes as many email addresses on my domain. I use one address per website so I easily can shut down spam infested addresses.

During the half a year or so that I have had this setup, I have received 3 spam from 2 sources. As I know exactly where I entered this address, it should be easy to pinpoint email leaking websites and services.

However, these sources are, according to me, not likely email sellers. And for one of them to sell my email twice? I contacted one of the sources and they are adamant that their system is tight. They suggested the possibility that it is my server that is doing the leaking.

So, my question is:

How likely is it that my box is leaking email addresses, and how?

I don't store fully qualified email addresses anywhere in my system except in my maildir.
I use SSL connection to IMAP
I do not use https on webmail

© Server Fault or respective owner

Related posts about email

CRM 2011 - Workflows Vs JavaScripts

as seen on Programmers - Search for 'Programmers'
In the Contact entity, I have the following attributes Preferred email - A read only field of type Email Personal email 1 - An email field Personal email 2 - An email field Work email 1 - An email field Work email 2 - An email field School email - An email field Other email - An email field Preferred… >>> More
Sending Email in Android using JavaMail API without using the default android app(Builtin Email app

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi Folks, I am trying to create a mail sending application in android, If I use `Intent emailIntent = new Intent(android.content.Intent.ACTION_SEND`); This will launch the builtin application of android, I'm trying to send the mail on button click directly without using this app, Please any suggestions… >>> More
Processing Email in Outlook

as seen on Daniel Moth - Search for 'Daniel Moth'
A. Why Goal 1 = Help others: Have at most a 24-hour response turnaround to internal (from colleague) emails, typically achieving same day response. Goal 2 = Help projects: Not to implicitly pass/miss an opportunity to have impact on electronic discussions around any project on the radar. Not achieving… >>> More
Processing Email in Outlook

as seen on Daniel Moth - Search for 'Daniel Moth'
A. Why Goal 1 = Help others: Have at most a 24-hour response turnaround to internal (from colleague) emails, typically achieving same day response. Goal 2 = Help projects: Not to implicitly pass/miss an opportunity to have impact on electronic discussions around any project on the radar. Not achieving… >>> More
email is moved to junk-email folder even though sender is listed as safe

as seen on Super User - Search for 'Super User'
Using Outlook-2007 : Added a sender as safe sender, but still the email from that id goes to junk-email folder. Tried resetting all settings and restarted outlook . any ideas ? Thanks! >>> More

Related posts about emailserver

using own mail server with external domain and dns. Now have internal dns. dkim test not working

as seen on Server Fault - Search for 'Server Fault'
I am not very knowledgeable in this area, but have been able to make great head way. Now i am stuck I setup my own mail server, e.g mailbox.example.com. I had the domain dns point to my mail server in my office. i was able to set up everything working fine. such as dkim and spf records. Recently… >>> More
What exactly is a X-YMailISG header?

as seen on Server Fault - Search for 'Server Fault'
Finally ... our emails are being seen by Yahoo! not as junk anymore. Hurray! However I notice that the Yahoo! receiving MTA adds in a X-YMailISG header. It's very large ... 2**10 bits? Now that I've invested too large a chunk of my waking life in crafting our email headers I'm curious to know… >>> More
Dovecot: no auth attempts in 0 secs (IMAP protocol)

as seen on Server Fault - Search for 'Server Fault'
I'm having a lot of problems configuring dovecot ony vps. I'm already able to send email using port 110 and to receive email using port 25, but I can't connect using port 993 and 995. I'm using self-signed ssl certificates. When I try to connect to 993 this error is logged: Jun 8 19:06:39 MY_HOSTNAME… >>> More
Transfer all 1&1 web and e-mail services to own Synology NAS using No-IP for DDNS

as seen on Server Fault - Search for 'Server Fault'
I have a domain x-treem.net. The registrar is DomainDiscover and I have a hosting package with 1&1 which includes web and e-mail. I also have an additional package with 1&1 - Microsoft Exchange which centralises all my e-mails, tasks, contacts, notes, etc. and I connect to it with my PC (Outlook)… >>> More
Postfix unable to create lock file, permission denied

as seen on Server Fault - Search for 'Server Fault'
I thought I had my postfix configuration all set up on my Amazon Ubuntu server but I guess not. I'm trying to set up an admin email account for 3 virtually hosted Apache websites. Here's my postfix main.cf file: myhostname = ip-XX-XXX-XX-XXX.us-west-2.compute.internal alias_maps = hash:/etc/aliases alias_database… >>> More