LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices


Reply
  Search this Thread
Old 03-19-2010, 06:20 AM   #1
bob808
LQ Newbie
 
Registered: Jan 2009
Posts: 25

Rep: Reputation: 15
postfix spam. someone is using my server to send spam and it's not open relay


Hello. I have an Ubuntu 9.04 server with postfix/courier installed. Last week I had thousands of spam in mailq and alot of connections on port 25. I got on many blacklists and I try to get rid of this problem.
My configuration is pretty tight and I am not an open relay. Can you tell me please what should I do? Last time happened 5 days ago, I just closed port 25 and cleared the mailq and added some stuff at "smtpd_recipient_restrictions" but now it happened again. If my server isn't an open relay, how could this happen?

Here's my configuration and some text from the logs


/etc/postfix/main.cf

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
delay_warning_time = 4h
unknown_local_recipient_reject_code = 450
maximal_queue_lifetime = 7d
minimal_backoff_time = 1000s
maximal_backoff_time = 8000s
readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/newssl/1/cert.pem
smtpd_tls_key_file = /etc/postfix/ssl/newssl/1/key.pem
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
#smtpd_tls_ask_ccert = yes
#smtpd_tls_req_ccert = no
smtp_tls_cert_file = /etc/postfix/ssl/newssl/2/cert.pem
smtp_tls_key_file = /etc/postfix/ssl//newssl/2/key.pem
smtp_tls_CAfile = /etc/postfix/ssl/newssl/2/cacert.pem

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

mydomain = mail.xxx.ro
myhostname = mail.xxx.ro
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
#$mydomain
mydestination = /etc/postfix/local-host-names
relayhost =
#$mydomain
mynetworks = 127.0.0.0/8
mynetworks_style = host
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
message_size_limit = 50000000
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unauth_pipelining, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_invalid_hostname, reject_unknown_recipient_domain, reject_unauth_destination, reject_rbl_client bl.spamcop.net, reject_rbl_client list.dsbl.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client dnsbl.sorbs.net, permit
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit
#smtpd_helo_restrictions = permit_mynetworks, reject_unknown_hostname, permit
smtpd_sender_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, permit
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client dnsbl.njabl.org
smtpd_helo_required = yes
smtpd_delay_reject = yes
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_sender_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554
soft_bounce = yes
smtpd_recipient_limit = 100
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
smtpd_tls_auth_only = no
#smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/newssl/1/cacert.pem
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
#message_size_limit = 52400000
virtual_maps = hash:/etc/postfix/virtusertable

/etc/postfix/master.cf


#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - - - - smtpd
-o message_size_limit=25000000
submission inet n - - - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
-o message_size_limit=25000000
# -o smtpd_tls_wrappermode=yes
smtps inet n - - - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
-o smtpd_tls_wrappermode=yes
-o message_size_limit=25000000
#628 inet n - - - - qmqpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - - 300 1 oqmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - - - - smtp
-o smtp_fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}



/var/log/mail.log




Mar 18 20:49:43 server1 postfix/smtp[10076]: 4BAF83CC22D: to=<ebenezer.b@ideefixe.com>, relay=smtp-gate.ebiuniverse.com[212.154.28.211]:25, delay=10869, delays=10832/36/0.78/0.12, dsn=4.0.0, status=SOFTBOUNCE (host smtp-gate.ebiuniverse.com[212.154.28.211] said: 553 sorry, this recipient is not in my validrcptto list (#5.7.1) (in reply to RCPT TO command))
Mar 18 20:49:43 server1 postfix/smtp[10323]: 40F883CC0D5: to=<curren.misti@lottobuilder.com>, relay=mail.lottobuilder.com[129.121.117.2]:25, delay=13544, delays=13507/34/0.55/2, dsn=4.1.1, status=SOFTBOUNCE (host mail.lottobuilder.com[129.121.117.2] said: 550 5.1.1 sorry, no mailbox here by that name (chkuser) (in reply to RCPT TO command))
Mar 18 20:49:43 server1 postfix/smtp[10858]: 40F883CC0D5: to=<curra.mariele@techie.com>, relay=mailin-02.mx.aol.com[64.12.90.65]:25, delay=13544, delays=13507/35/0.77/1.5, dsn=4.1.1, status=SOFTBOUNCE (host mailin-02.mx.aol.com[64.12.90.65] said: 550 5.1.1 <curra.mariele@techie.com>: Recipient address rejected: techie.com (in reply to RCPT TO command))
Mar 18 20:49:43 server1 postfix/smtp[10582]: 4BAF83CC22D: to=<ebetak@microstore.fr>, relay=mailhost.microstore.fr[195.68.51.122]:25, delay=10869, delays=10832/36/0.35/0.21, dsn=4.0.0, status=SOFTBOUNCE (host mailhost.microstore.fr[195.68.51.122] said: 554 Transaction failed (in reply to RCPT TO command))
Mar 18 20:49:43 server1 postfix/smtp[10639]: 4BAF83CC22D: to=<ebickleman@nomblot.fr>, relay=mx-vh.fr.clara.net[80.168.44.17]:25, delay=10869, delays=10832/37/0.26/0.07, dsn=4.0.0, status=SOFTBOUNCE (host mx-vh.fr.clara.net[80.168.44.17] said: 550 "ebickleman@nomblot.fr" is not a known user (in reply to RCPT TO command))
Mar 18 20:49:43 server1 postfix/smtp[10260]: 4BAF83CC22D: to=<eberlein.tristian@naj.com.pl>, relay=av.waw.cdp.pl[62.89.91.146]:25, delay=10869, delays=10832/37/0.34/0.09, dsn=4.7.1, status=SOFTBOUNCE (host av.waw.cdp.pl[62.89.91.146] said: 550 5.7.1 <eberlein.tristian@naj.com.pl>: Recipient address rejected: temporarily blocked because of previous errors - retrying too fast. penalty: 30 seconds x 0 retries. (in reply to RCPT TO command))
Mar 18 20:49:43 server1 postfix/smtp[9342]: Host offered STARTTLS: [post.dp-media.de]
Mar 18 20:49:43 server1 postfix/smtp[10252]: 40F883CC0D5: to=<curran.r@21cn.net>, relay=mta.21cn.net[59.36.102.89]:25, delay=13544, delays=13507/34/3/0.62, dsn=4.0.0, status=SOFTBOUNCE (host mta.21cn.net[59.36.102.89] said: 550 ?no such user (in reply to RCPT TO command))
Mar 18 20:49:43 server1 postfix/smtp[9705]: connect to gruene.isar.de[67.215.65.132]:25: Connection timed out
Mar 18 20:49:43 server1 postfix/smtp[9705]: 172113CC27D: to=<emka@gruene.isar.de>, relay=none, delay=9870, delays=9833/7.2/30/0, dsn=4.4.1, status=deferred (connect to gruene.isar.de[67.215.65.132]:25: Connection timed out)
Mar 18 20:49:43 server1 postfix/smtp[10323]: Host offered STARTTLS: [marsoul.univ-paris5.fr]
Mar 18 20:49:43 server1 postfix/smtp[10323]: 4BAF83CC22D: to=<eberto.k@psycho.univ-paris5.fr>, relay=marsoul.univ-paris5.fr[193.51.86.84]:25, delay=10869, delays=10832/37/0.2/0.06, dsn=4.0.0, status=SOFTBOUNCE (host marsoul.univ-paris5.fr[193.51.86.84] said: 550 <eberto.k@psycho.univ-paris5.fr>: Recipient address rejected: User unknown (in reply to RCPT TO command))
Mar 18 20:49:43 server1 postfix/smtp[10079]: 4BAF83CC22D: to=<eberhard.m@mail.energetyka.kalisz.pl>, relay=none, delay=10868, delays=10832/36/0.14/0, dsn=4.4.1, status=deferred (connect to dns.energetyka.kalisz.pl[193.243.146.15]:25: Connection refused)
Mar 18 20:49:43 server1 postfix/smtp[10351]: 4BAF83CC22D: to=<ebettley@laso.com.ar>, relay=mail.laso.com.ar[200.11.113.130]:25, delay=10869, delays=10832/36/1/0.3, dsn=4.1.1, status=SOFTBOUNCE (host mail.laso.com.ar[200.11.113.130] said: 550 5.1.1 <ebettley@laso.com.ar>: Recipient address rejected: User unknown in relay recipient table (in reply to RCPT TO command))
Mar 18 20:49:43 server1 postfix/smtp[10572]: 4BAF83CC22D: to=<eberl877@backproblems.com>, relay=smtp.secureserver.net[216.69.186.201]:25, delay=10870, delays=10832/35/2.1/0.39, dsn=4.0.0, status=SOFTBOUNCE (host smtp.secureserver.net[216.69.186.201] said: 550 #5.1.0 Address rejected eberl877@backproblems.com (in reply to RCPT TO command))
Mar 18 20:49:43 server1 postfix/smtp[10260]: connect to spacestat.com[216.240.187.151]:25: Connection refused
Mar 18 20:49:43 server1 postfix/smtp[10582]: 4BAF83CC22D: to=<eberhard50@sensor.com.pl>, relay=poczta.sensor.com.pl[212.160.170.2]:25, delay=10870, delays=10832/37/0.26/0.23, dsn=4.0.0, status=SOFTBOUNCE (host poczta.sensor.com.pl[212.160.170.2] said: 550 <eberhard50@sensor.com.pl>: Recipient address rejected: User unknown in virtual alias table (in reply to RCPT TO command))
Mar 18 20:49:43 server1 postfix/smtp[10323]: 4BAF83CC22D: to=<ebenezer.g@tmt.de>, relay=mx.tmt.de[217.145.99.51]:25, delay=10870, delays=10832/37/0.21/0.05, dsn=4.1.1, status=SOFTBOUNCE (host mx.tmt.de[217.145.99.51] said: 550 5.1.1 <ebenezer.g@tmt.de>: Recipient address rejected: User unknown in local recipient table (in reply to RCPT TO command))
Mar 18 20:49:43 server1 postfix/smtp[10358]: 40F883CC0D5: to=<currie.kuehn@evonline.net>, relay=evonline.net[208.109.199.187]:25, delay=13545, delays=13507/34/0.63/3.2, dsn=4.0.0, status=SOFTBOUNCE (host evonline.net[208.109.199.187] said: 550 sorry, no mailbox here by that name. (#5.7.17) (in reply to RCPT TO command))
Mar 18 20:49:44 server1 postfix/smtp[10079]: 4161A3CC22B: host hrndva-smtpin01.mail.rr.com[71.74.56.243] refused to talk to me: 554 5.7.1 - ERROR: Mail refused - <xxx.xxx.xxx.xxx> - See http://security.rr.com/cgi-bin/block...xx.xxx.xxx.xxx
Mar 18 20:49:44 server1 postfix/smtp[10582]: connect to cluster3.eu.messagelabs.com[85.158.139.67]:25: Connection refused
Mar 18 20:49:44 server1 postfix/smtp[10079]: 4161A3CC22B: to=<easy@cinci.rr.com>, relay=hrndva-smtpin02.mail.rr.com[71.74.56.244]:25, delay=10880, delays=10842/37/0.59/0, dsn=4.7.1, status=deferred (host hrndva-smtpin02.mail.rr.com[71.74.56.244] refused to talk to me: 554 5.7.1 - ERROR: Mail refused - <xxx.xxx.xxx.xxx> - See http://security.rr.com/cgi-bin/block...xx.xxx.xxx.xxx)
Mar 18 20:49:44 server1 postfix/smtp[10582]: Host offered STARTTLS: [cluster3.eu.messagelabs.com]
Mar 18 20:49:44 server1 postfix/smtp[10064]: 475003CC235: to=<eda.rodenburg@hkcable.com.hk>, relay=mail.hkcable.com.hk[61.10.0.169]:25, delay=10815, delays=10776/31/6.4/0.74, dsn=4.1.1, status=SOFTBOUNCE (host mail.hkcable.com.hk[61.10.0.169] said: 550 5.1.1 <eda.rodenburg@hkcable.com.hk>... User unknown (in reply to RCPT TO command))
Mar 18 20:49:44 server1 postfix/smtp[9363]: Host offered STARTTLS: [about.com.mail9.psmtp.com]
Mar 18 20:49:44 server1 postfix/smtp[10079]: 4161A3CC22B: to=<earvin.citro@erfolgskonzept.com>, relay=mxlb.ispgateway.de[80.67.18.126]:25, delay=10881, delays=10842/38/0.19/0.06, dsn=4.0.0, status=SOFTBOUNCE (host mxlb.ispgateway.de[80.67.18.126] said: 554 Sorry, no mailbox here by that name. (in reply to RCPT TO command))
Mar 18 20:49:44 server1 postfix/smtp[10582]: 4161A3CC22B: to=<earthman.zebadiah@diageo.com>, relay=cluster3.eu.messagelabs.com[194.106.220.51]:25, delay=10881, delays=10842/38/0.38/0.28, dsn=4.0.0, status=SOFTBOUNCE (host cluster3.eu.messagelabs.com[194.106.220.51] said: 553-Message filtered. Please see the FAQs section on spam 553-at http://www.messagelabs.com/support/ for more 553 information. (#5.7.1) (in reply to end of DATA command))
Mar 18 20:49:44 server1 postfix/smtp[10358]: 4161A3CC22B: to=<easey.isak@email.it>, relay=mx.email.it[212.97.34.36]:25, delay=10881, delays=10842/38/0.35/0.15, dsn=4.1.1, status=SOFTBOUNCE (host mx.email.it[212.97.34.36] said: 550 5.1.1 <easey.isak@email.it>: Recipient address rejected: User unknown (in reply to RCPT TO command))
Mar 18 20:49:44 server1 postfix/smtp[10260]: 4BAF83CC22D: to=<ebenezer.b@spacestat.com>, relay=none, delay=10870, delays=10832/37/0.42/0, dsn=4.4.1, status=deferred (connect to spacestat.com[216.240.187.151]:25: Connection refused)
Mar 18 20:49:44 server1 postfix/smtp[10568]: connect to rollenspieltreff.de[148.160.29.10]:25: Connection timed out
Mar 18 20:49:44 server1 postfix/smtp[10568]: 172113CC27D: to=<emilio.pellegrino@rollenspieltreff.de>, relay=none, delay=9872, delays=9833/8.4/30/0, dsn=4.4.1, status=deferred (connect to rollenspieltreff.de[148.160.29.10]:25: Connection timed out)



/var/log/mail.info


Mar 19 11:42:45 server1 postfix/smtp[11312]: EA7EE3CC2C8: to=<f.lausberg@wdr.de>, relay=smtp41.wdr.de[149.219.195.41]:25, delay=62577, delays=62368/208/0.28/0.09, dsn=4.0.0, status=SOFTBOUNCE (host smtp41.wdr.de[149.219.195.41] said: 550 #5.1.0 Address rejected f.lausberg@wdr.de (in reply to RCPT TO command))
Mar 19 11:42:46 server1 postfix/smtp[12076]: Host offered STARTTLS: [mailgate.stone-rich.at]
Mar 19 11:42:46 server1 postfix/smtp[10547]: connect to listeningparty.tv[67.215.65.132]:25: Connection timed out
Mar 19 11:42:46 server1 postfix/smtp[11822]: EA7EE3CC2C8: to=<f.kruesmann@spectralite.ca>, relay=mx1.xittel.net[205.151.16.100]:25, delay=62577, delays=62368/208/0.65/0.17, dsn=4.0.0, status=SOFTBOUNCE (host mx1.xittel.net[205.151.16.100] said: 554 Service unavailable; Client host [xxxx.ro] blocked using Barracuda Reputation; http://www.barracudanetworks.com/reputation/?r=1&ip= (in reply to RCPT TO command))
Mar 19 11:42:46 server1 postfix/smtp[10547]: 87B123CC951: to=<jg-soft@listeningparty.tv>, relay=none, delay=39042, delays=38832/180/30/0, dsn=4.4.1, status=deferred (connect to listeningparty.tv[67.215.65.132]:25: Connection timed out)
Mar 19 11:42:46 server1 postfix/smtp[11822]: EA7EE3CC2C8: lost connection with mx1.xittel.net[205.151.16.100] while sending DATA command
Mar 19 11:42:46 server1 postfix/smtp[11224]: EA7EE3CC2C8: to=<f.kueppers@misteradgood.de>, relay=none, delay=62576, delays=62368/208/0.12/0, dsn=4.4.1, status=deferred (connect to misteradgood.de[80.81.243.184]:25: Connection refused)
Mar 19 11:42:46 server1 postfix/smtp[12076]: EA7EE3CC2C8: to=<f.lincoln@i-net.at>, relay=mailgate.stone-rich.at[80.75.240.147]:25, delay=62577, delays=62368/207/2.2/0.13, dsn=4.0.0, status=SOFTBOUNCE (host mailgate.stone-rich.at[80.75.240.147] said: 550 <f.lincoln@i-net.at>, Recipient unknown (in reply to RCPT TO command))
Mar 19 11:42:46 server1 postfix/smtp[11224]: E5B903CC13C: host cdptpa-smtpin01.mail.rr.com[75.180.132.243] refused to talk to me: 554 5.7.1 - ERROR: Mail refused - <> - See http://security.rr.com/cgi-bin/block-lookup?
Mar 19 11:42:46 server1 postfix/smtp[10547]: E5B903CC13C: to=<dbig@dublinia.ie>, relay=mail.dublinia.ie[82.195.156.10]:25, delay=66190, delays=65980/209/0.26/0.15, dsn=4.0.0, status=SOFTBOUNCE (host mail.dublinia.ie[82.195.156.10] said: 550 Requested action not taken: mailbox unavailable or not local (in reply to RCPT TO command))
Mar 19 11:42:46 server1 postfix/smtp[12079]: 9F9463CC3EF: lost connection with gbrsecurity.telesp.net.br[200.171.222.88] while receiving the initial server greeting
Mar 19 11:42:46 server1 postfix/smtp[11656]: connect to online-hacker.de[216.8.179.23]:25: Connection timed out
Mar 19 11:42:46 server1 postfix/smtp[11656]: 87B123CC951: to=<jguvj@online-hacker.de>, relay=none, delay=39042, delays=38832/180/30/0, dsn=4.4.1, status=deferred (connect to online-hacker.de[216.8.179.23]:25: Connection timed out)
Mar 19 11:42:46 server1 postfix/smtp[12032]: EA7EE3CC2C8: to=<f.kruesmann@tvv.volley.de>, relay=mxa.volley.de[62.146.95.134]:25, delay=62577, delays=62368/208/1.3/0.1, dsn=4.3.0, status=SOFTBOUNCE (host mxa.volley.de[62.146.95.134] said: 553 5.3.0 <f.kruesmann@tvv.volley.de>... No such user here (in reply to RCPT TO command))
Mar 19 11:42:46 server1 postfix/smtp[11822]: E5B903CC13C: to=<dbenevento@crosswinds.net>, relay=mx3.crosswinds.net[8.21.33.47]:25, delay=66190, delays=65980/209/0.5/0.15, dsn=4.7.1, status=SOFTBOUNCE (host mx3.crosswinds.net[8.21.33.47] said: 554 5.7.1 <dbenevento@crosswinds.net>: Recipient address rejected: Access denied (in reply to RCPT TO command))
Mar 19 11:42:46 server1 postfix/smtp[11224]: E5B903CC13C: to=<dbifalco2@ec.rr.com>, relay=cdptpa-smtpin02.mail.rr.com[75.180.132.244]:25, delay=66190, delays=65980/209/0.66/0, dsn=4.7.1, status=deferred (host cdptpa-smtpin02.mail.rr.com[75.180.132.244] refused to talk to me: 554 5.7.1 - ERROR: Mail refused - <> - See http://security.rr.com/cgi-bin/block-lookup?)
 
Old 03-19-2010, 11:01 PM   #2
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165Reputation: 165
Your logs show the mail being delivered (via smtp), but they don't show how it was submitted. Maybe you can focus on one, e.g. the one with queue id 4BAF83CC22D, and find all references to it in your mail logs. Something like
Code:
grep 4BAF83CC22D /var/log/mail*
And, try to use code tags as in the grep command above like this: [code]grep 4BAF83CC22D /var/log/mail*[/code]
 
Old 03-21-2010, 08:47 PM   #3
10speed705
Member
 
Registered: May 2009
Location: Ontario Canada
Distribution: debian
Posts: 56

Rep: Reputation: 17
have you ran test to verify its not open? with a config like that i would imagine...also maybe a user/pass was compromised on ur outgoing auth
 
Old 03-22-2010, 05:00 AM   #4
bob808
LQ Newbie
 
Registered: Jan 2009
Posts: 25

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by Berhanie View Post
Your logs show the mail being delivered (via smtp), but they don't show how it was submitted. Maybe you can focus on one, e.g. the one with queue id 4BAF83CC22D, and find all references to it in your mail logs. Something like
Code:
grep 4BAF83CC22D /var/log/mail*
And, try to use code tags as in the grep command above like this: [code]grep 4BAF83CC22D /var/log/mail*[/code]
Ok I did this. I attached some of the output
I did some test on abuse.net for open relay but it said that my server is not an open relay. I even made an account there so test is fully performed
Attached Files
File Type: txt grep.txt (18.9 KB, 399 views)
 
Old 03-22-2010, 06:40 AM   #5
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165Reputation: 165
The first line in the attachment has good information. It shows that the client had authenticated using the username listed. His IP address is also logged.
 
Old 03-23-2010, 03:48 AM   #6
bob808
LQ Newbie
 
Registered: Jan 2009
Posts: 25

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by Berhanie View Post
The first line in the attachment has good information. It shows that the client had authenticated using the username listed. His IP address is also logged.
Yes, I changed that user's password and I also banned that IP. Until now everything looks good. Hope it stays that way. Thank you very much for your info!
 
Old 03-23-2010, 09:44 AM   #7
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165Reputation: 165
You're welcome.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
My postfix server is beeing used to send large ammounts of spam. bob808 Linux - Security 11 05-27-2009 03:25 AM
LXer: Mandriva Postfix Anti-Spam, Anti-Virus Relay Server for Exchange Server 2000/2003 LXer Syndicated Linux News 0 06-29-2006 10:21 AM
Spam, PostFix, OPen Relay question linchat Linux - Software 1 09-15-2005 03:22 PM
procmail and spam -- do not send out of office auto replay to spam draix Linux - Software 0 12-30-2004 08:35 AM
Anti Spam Software for a Send Mail Relay thecrab Linux - Software 1 08-06-2003 09:19 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 11:51 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration