LinuxQuestions.org

Linux - Server: Question about Postfix Log Entry (https://www.linuxquestions.org/questions/linux-server-73/question-about-postfix-log-entry-527325/)

mrtwice 02-10-2007 10:37 AM

[resolved] Question about Postfix Log Entry
 
I have a web server running Postfix for my mail server. I am the only user set up with mail accounts on the box, but I do have a bunch of aliases, a few of which go to other people. I use Thunderbird as a mail client and I have it set up to send my email through Gmail's SMTP servers (I have a gmail account) instead of connecting to my own box.

I also have Logwatch set up to email me a report every day. I am currently seeing records like this:

Code:

3134C641B9: host SMTP1.lerelaisinternet.com[194.206.126.201] said:
450 <vnlawi@horspistes.fr>: Recipient address rejected: Greylisted
for 5 minutes (in reply to RCPT TO command)

Now, this doesn't make sense to me. Why would my machine be trying to send email to vnlawi@horspistes.fr? I am not sending anything to that address.

I guess I don't understand the log entries. I am trying to make sure that my machine is not compromised.

Thanks.

acid_kewpie 02-11-2007 03:45 AM

looks like you're being used, or trying to be used, as an open relay. check what http://www.abuse.net/relay.html says about your relaying status. I'm not too familiar with the errors there but it looks like postfix has correctly blocked the relaying anyway.

mrtwice 02-11-2007 07:34 AM

Chris,

Thanks for the response. I have used the tools at dnsstuff.com to check for being an open relay and that check has come out clean. You said that "it looks like postfix has correctly blocked the relaying anyway." I guess that is what I don't really understand. I have seen relaying denied log entries, they look like this:

Code:

Relaying denied:
  From 61-216-81-33.dynamic.hinet.net[61.216.81.33] to candy59839@yahoo.com.tw : 3 Time(s)

The log entry in question seems to indicate that Postfix is actually trying to deliver the email. It has looked up the MX record for horspistes.fr and is trying to deliver the message. Their mail server, SMTP1.lerelaisinternet.com, then responded to my postfix server with the 450 message. Why would my postfix server be trying to deliver the message? Shouldn't it see that vnlawi@horspistes.fr is not a valid email address on my local machine, is not in the relaying allowed domains, and issue a relaying denied message?

Thanks.

Berhanie 02-11-2007 11:41 AM

Look in the logs to see what submitted the message. It might be a cron job (from a previous admin), an alias, etc.

mrtwice 02-11-2007 12:09 PM

Ok, I grepped the logs for that email address and here is what I found:

Code:

[root@myhost log]# grep "horspistes.fr" *
maillog.1:Feb  9 07:30:05 myhost postfix/smtp[24865]: 3134C641B9: host SMTP1.lerelaisinternet.com[194.206.126.201] said: 450 <vnlawi@horspistes.fr>: Recipient address rejected: Greylisted for 5 minutes (in reply to RCPT TO command)
maillog.1:Feb  9 07:30:07 myhost postfix/smtp[24865]: 3134C641B9: to=<vnlawi@horspistes.fr>, relay=SMTP2.lerelaisinternet.com[194.206.126.203], delay=3, status=deferred (host SMTP2.lerelaisinternet.com[194.206.126.203] said: 450 <vnlawi@horspistes.fr>: Recipient address rejected: Greylisted for 5 minutes (in reply to RCPT TO command))
maillog.1:Feb  9 07:54:45 myhost postfix/smtp[24962]: 3134C641B9: to=<vnlawi@horspistes.fr>, relay=SMTP1.lerelaisinternet.com[194.206.126.201], delay=1481, status=sent (250 Ok: queued as 5AE0134004)

It looks to me like that email actually got delivered? I really don't understand these log entries. Thank you for your help.

Berhanie 02-11-2007 01:18 PM

Yes, that email was eventually delivered. Now, you have to check the logs to see how that email was submitted in the first place.
grep for the queue id (3134C641B9).
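
The queue-ID trace Berhanie describes, as an added example that is not part of the thread. Postfix logs every stage of a message under the same queue ID, so grouping lines by that ID shows how a message entered the system (a `postfix/pickup` line with `uid=` means it was handed in locally through the sendmail binary by that Unix user; a `postfix/smtpd` line with `client=` means it arrived over the network) and what happened to each recipient. The sample lines below are constructed to imitate the maillog format shown in this thread; the hostnames, PIDs, message-id, the second queue ID and uid 48 for the web server account are assumptions. The relay-rejection line uses Postfix's own `NOQUEUE: reject: ... Relay access denied` wording rather than Logwatch's summarized "Relaying denied".

```python
"""Trace Postfix queue IDs through maillog lines to find where a message was submitted.

Added example, not code from the thread. SAMPLE_LOG is constructed to imitate the
maillog format shown above; hostnames, PIDs, uid 48 and queue ID 7A1B2C3D4E are assumed.
"""
import re

SAMPLE_LOG = """\
Feb  9 07:30:02 myhost postfix/pickup[2410]: 3134C641B9: uid=48 from=<apache>
Feb  9 07:30:02 myhost postfix/cleanup[24860]: 3134C641B9: message-id=<20070209123002.3134C641B9@myhost.example>
Feb  9 07:30:02 myhost postfix/qmgr[2411]: 3134C641B9: from=<apache@myhost.example>, size=612, nrcpt=1 (queue active)
Feb  9 07:30:05 myhost postfix/smtp[24865]: 3134C641B9: host SMTP1.lerelaisinternet.com[194.206.126.201] said: 450 <vnlawi@horspistes.fr>: Recipient address rejected: Greylisted for 5 minutes (in reply to RCPT TO command)
Feb  9 07:30:07 myhost postfix/smtp[24865]: 3134C641B9: to=<vnlawi@horspistes.fr>, relay=SMTP2.lerelaisinternet.com[194.206.126.203], delay=3, status=deferred (host SMTP2.lerelaisinternet.com[194.206.126.203] said: 450 <vnlawi@horspistes.fr>: Recipient address rejected: Greylisted for 5 minutes (in reply to RCPT TO command))
Feb  9 07:54:45 myhost postfix/smtp[24962]: 3134C641B9: to=<vnlawi@horspistes.fr>, relay=SMTP1.lerelaisinternet.com[194.206.126.201], delay=1481, status=sent (250 Ok: queued as 5AE0134004)
Feb  9 07:54:45 myhost postfix/qmgr[2411]: 3134C641B9: removed
Feb  9 08:12:10 myhost postfix/smtpd[25100]: NOQUEUE: reject: RCPT from 61-216-81-33.dynamic.hinet.net[61.216.81.33]: 554 5.7.1 <candy59839@yahoo.com.tw>: Relay access denied; from=<spam@example.net> to=<candy59839@yahoo.com.tw> proto=SMTP helo=<x>
Feb  9 08:15:00 myhost postfix/smtpd[25101]: 7A1B2C3D4E: client=mail.example.org[203.0.113.5]
Feb  9 08:15:00 myhost postfix/qmgr[2411]: 7A1B2C3D4E: from=<someone@example.org>, size=900, nrcpt=1 (queue active)
Feb  9 08:15:01 myhost postfix/local[25102]: 7A1B2C3D4E: to=<mrtwice@myhost.example>, relay=local, delay=1, status=sent (delivered to mailbox)
"""

# syslog timestamp, host, "postfix/<daemon>[pid]: <queue id or NOQUEUE>: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<qid>\w+): (?P<rest>.*)$"
)
# key=value pairs as Postfix writes them: to=<addr>, relay=host[ip], status=sent, uid=48 ...
KV_RE = re.compile(r"([\w-]+)=(<[^>]*>|\S+)")


def parse_maillog(text):
    """Return one dict per parseable Postfix line; lines from other daemons are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["kv"] = {k: v.strip("<>,") for k, v in KV_RE.findall(rec["rest"])}
        records.append(rec)
    return records


def trace_queue_id(records, qid):
    """Reconstruct one message: who submitted it, envelope sender, per-recipient outcomes."""
    trail = [r for r in records if r["qid"] == qid]
    if not trail:
        return None
    summary = {"origin": None, "sender": None, "deliveries": [], "final": {}}
    for r in trail:
        kv, prog = r["kv"], r["prog"]
        if prog == "pickup" and "uid" in kv:
            # Handed in locally via sendmail(1); the uid is the Unix account that ran it.
            summary["origin"] = {"kind": "local", "uid": int(kv["uid"]), "user": kv.get("from")}
        elif prog == "smtpd" and "client" in kv:
            # Arrived over the network from this client (SMTP submission or relay attempt).
            summary["origin"] = {"kind": "smtpd", "client": kv["client"]}
        elif prog == "qmgr" and "from" in kv:
            summary["sender"] = kv["from"]
        elif "to" in kv and "status" in kv:
            # One delivery attempt per recipient; the last status is the outcome.
            summary["deliveries"].append((r["ts"], kv["to"], kv.get("relay"), kv["status"]))
            summary["final"][kv["to"]] = kv["status"]
    return summary


def relay_rejections(records):
    """Remote clients refused as relays; these never get a queue ID, so nothing was delivered."""
    out = []
    for r in records:
        if r["qid"] == "NOQUEUE" and "Relay access denied" in r["rest"]:
            m = re.search(r"RCPT from (\S+?)\[([\d.]+)\]", r["rest"])
            out.append({"client": m.group(1), "ip": m.group(2), "to": r["kv"].get("to")})
    return out


if __name__ == "__main__":
    recs = parse_maillog(SAMPLE_LOG)
    print(trace_queue_id(recs, "3134C641B9"))
    print(relay_rejections(recs))
```

On a real box, feed it the rotated logs too (`parse_maillog(open("/var/log/maillog.1").read())`), since the pickup line may be in an older file than the delivery lines. The distinction the trace makes is the one the thread turns on: a "Relay access denied" line is smtpd refusing a remote client before any queue ID exists, whereas a queue ID whose first line is `pickup ... uid=48` is mail generated by a local process running as the web server user, which Postfix will deliver because local submission is trusted by default.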

mrtwice 02-11-2007 02:01 PM

Thank you Berhanie for the suggestion to use the queue id. That was the missing piece of the puzzle for me.

I traced this to a form on one of my websites that allows people to sign up to be on a mailing list and then sends them a confirmation email. Apparently, there are bots out there submitting the form with junk information and that is why I am seeing these records. I will have to implement some kind of form submission protection.

Many thanks!

Berhanie 02-11-2007 02:59 PM

You're welcome.

