Old 10-28-2011, 04:46 AM   #1
scottmusician
Member
Registered: Jul 2011
Location: Melbourne, AU
Distribution: Centos 5
Posts: 43
understanding /var/log/maillog


Hi everyone,

After developing my mail server for weeks, I finally redirected the DNS servers to take it 'live' for a few hours last week. The box runs dovecot/MailScanner/SpamAssassin/SASL/SSL/PostGrey and SquirrelMail, and is based on CentOS 5.6.

After a couple of hours online, I noticed some strange things happening in my maillog, so I pulled the system offline to take a look. That said, in spite of reverting my DNS changes, I did leave my server 'online' (i.e. not firewalled, publicly viewable IP address) unwittingly for a few more days - reapplying the firewall just didn't cross my mind!

Anyway, here are some examples of the /var/log/maillog entries. To me, it looks like I've been inadvertently running as a relay for a short while - is this correct? If so, how can I improve my /etc/postfix/main.cf to cut this out? (The important bits of this file are posted below too.)

example maillog output:
Code:
Oct 26 16:05:35 mail update.virus.scanners: Running autoupdate for generic
Oct 26 16:58:42 mail postfix/smtpd[29761]: warning: 91.99.119.156: hostname 91.99.119.156.parsonline.net verification failed: Name or service not known
Oct 26 16:58:42 mail postfix/smtpd[29761]: connect from unknown[91.99.119.156]
Oct 26 16:58:44 mail postgrey[3934]: action=pass, reason=recipient whitelist, client_name=unknown, client_address=91.99.119.156, sender=patxi.ryrie@nrcan.gc.ca, recipient=info@mydomain.com
Oct 26 16:58:44 mail postgrey[3934]: cleaning up old logs... 
Oct 26 16:58:44 mail postfix/smtpd[29761]: C9F05E26AF: client=unknown[91.99.119.156]
Oct 26 16:58:46 mail postfix/cleanup[29784]: C9F05E26AF: hold: header Received: from sjctef.com (unknown [91.99.119.156])??by mailserver.mydomain.com (Postfix) with ESMTP id C9F05E26AF??for <info@mydomain.com>; Wed, 26 Oct 2011 16:58:44 +1100 (EST) from unknown[91.99.119.156]; from=<patxi.ryrie@nrcan.gc.ca> to=<info@mydomain.com> proto=ESMTP helo=<sjctef.com>
Oct 26 16:58:46 mail postfix/cleanup[29784]: C9F05E26AF: message-id=<000e01cc51a2$8ed86580$9c77635b@nrcan.gc.ca>
Oct 26 16:58:47 mail postfix/smtpd[29761]: disconnect from unknown[91.99.119.156]
Oct 26 16:58:48 mail MailScanner[9105]: New Batch: Scanning 1 messages, 1767 bytes
and then:
Code:
Oct 26 17:02:07 mail postfix/anvil[29764]: statistics: max connection rate 1/60s for (smtp:91.99.119.156) at Oct 26 16:58:42
Oct 26 17:02:07 mail postfix/anvil[29764]: statistics: max connection count 1 for (smtp:91.99.119.156) at Oct 26 16:58:42
Oct 26 17:02:07 mail postfix/anvil[29764]: statistics: max cache size 1 at Oct 26 16:58:42
bottom part of /etc/postfix/main.cf:
Code:
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
#smtpd_recipient_restrictions =  permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unlisted_recipient
#check_policy_service unix:postgrey/socket
smtpd_recipient_restrictions = 
  permit_mynetworks
  permit_sasl_authenticated  
  reject_unauth_destination 
  check_policy_service unix:postgrey/socket
broken_sasl_auth_clients = yes


smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_cert_file = /path/to/mydomain.crt
smtpd_tls_key_file = /path/to/mydomain.key
# "smptd_tls_chain_file" is misspelled, and Postfix ignores a parameter name it
# does not know, so the intermediate bundle was never sent to clients. In the
# Postfix 2.x shipped with CentOS 5 the intermediate CA certs go either in
# smtpd_tls_CAfile or appended after the server cert in smtpd_tls_cert_file.
smtpd_tls_CAfile = /path/to/gd_bundle.crt
tls_random_source = dev:/dev/urandom

smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20

Last edited by scottmusician; 10-28-2011 at 08:09 AM.
Old 10-28-2011, 08:01 AM   #2
goossen
Member
Registered: May 2006
Location: Bayern, Germany
Distribution: Many
Posts: 224
If your worry is being an "open relay server", the answer is no.

The email recipient showing on your logs is info at anam.com.au, from your config I guess it's your domain name; so the recipient is valid, albeit clearly spam.

Besides tuning your SpamAssassin, you can add these lines to your main.cf to stop some spam:
Code:
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname, permit
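The check goossen does by eye above (is the recipient one of our own domains, and was the client neither in mynetworks nor SASL-authenticated?) can be run over the whole maillog. The script below is an added example, not code from either post. It pairs each smtpd "QID: client=host[ip]" line with the recipients later logged for the same queue ID (on cleanup hold/warn lines like the one in the first post, and on the smtp/local/virtual delivery lines) and flags any message that an unauthenticated client outside mynetworks got accepted for a domain this server is not final destination for, which is exactly what reject_unauth_destination should refuse. The sample log is constructed: its first four lines are from the first post, while queue IDs 1234ABCD01 and 5678ABCD02, the addresses 198.51.100.7 / 203.0.113.x, the recipients at example.org and the SASL user "scott" are invented to show one real relay and one legitimate authenticated submission. LOCAL_DOMAINS and MYNETWORKS are assumptions and should be set from the output of postconf. (The "hold:" line in the post is not itself a sign of abuse: MailScanner's Postfix integration holds every incoming message via a /^Received:/ HOLD header_checks rule so it can scan it.)

```python
import re
import sys
from ipaddress import ip_address, ip_network

# Assumptions (not from the post): the server is final destination for
# mydomain.com only, and mynetworks is just loopback. Set these from
# "postconf mydestination virtual_mailbox_domains relay_domains mynetworks".
LOCAL_DOMAINS = {"mydomain.com"}
MYNETWORKS = [ip_network("127.0.0.0/8")]

# smtpd logs one "QID: client=host[ip]" line per accepted message; for an
# authenticated client it appends ", sasl_method=..., sasl_username=...".
SMTPD_CLIENT = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=[^\[\s]+\[(?P<ip>[^\]]+)\](?P<rest>.*)$"
)
# Recipients appear as to=<...> on cleanup lines (header_checks HOLD/WARN)
# and on the delivery agents' lines (smtp, local, virtual, error).
RECIPIENT = re.compile(
    r"postfix/(?:cleanup|smtp|local|virtual|error)\[\d+\]: (?P<qid>[0-9A-F]+): .*?to=<(?P<rcpt>[^>]+)>"
)

# Constructed sample: first four lines from the post, the rest invented.
SAMPLE_LOG = """\
Oct 26 16:58:42 mail postfix/smtpd[29761]: connect from unknown[91.99.119.156]
Oct 26 16:58:44 mail postfix/smtpd[29761]: C9F05E26AF: client=unknown[91.99.119.156]
Oct 26 16:58:46 mail postfix/cleanup[29784]: C9F05E26AF: hold: header Received: from sjctef.com (unknown [91.99.119.156])??by mailserver.mydomain.com (Postfix) with ESMTP id C9F05E26AF??for <info@mydomain.com>; Wed, 26 Oct 2011 16:58:44 +1100 (EST) from unknown[91.99.119.156]; from=<patxi.ryrie@nrcan.gc.ca> to=<info@mydomain.com> proto=ESMTP helo=<sjctef.com>
Oct 26 16:58:47 mail postfix/smtpd[29761]: disconnect from unknown[91.99.119.156]
Oct 26 17:10:01 mail postfix/smtpd[29790]: 1234ABCD01: client=unknown[198.51.100.7]
Oct 26 17:10:03 mail postfix/smtp[29795]: 1234ABCD01: to=<victim@example.org>, relay=mx.example.org[203.0.113.5]:25, delay=1.2, status=sent (250 OK)
Oct 26 17:12:00 mail postfix/smtpd[29801]: 5678ABCD02: client=unknown[203.0.113.9], sasl_method=PLAIN, sasl_username=scott
Oct 26 17:12:02 mail postfix/smtp[29805]: 5678ABCD02: to=<friend@example.org>, relay=mx.example.org[203.0.113.5]:25, delay=1.5, status=sent (250 OK)
""".splitlines()


def parse_maillog(lines):
    """Map queue ID -> client IP, SASL user (or None) and recipient list."""
    msgs = {}
    for line in lines:
        m = SMTPD_CLIENT.search(line)
        if m:
            sasl = re.search(r"sasl_username=(\S+)", m.group("rest"))
            msgs[m.group("qid")] = {
                "ip": m.group("ip"),
                "sasl_user": sasl.group(1) if sasl else None,
                "rcpts": [],
            }
            continue
        m = RECIPIENT.search(line)
        if m and m.group("qid") in msgs:
            msgs[m.group("qid")]["rcpts"].append(m.group("rcpt"))
    return msgs


def in_mynetworks(ip):
    """Same test permit_mynetworks applies: is the client inside a trusted net?"""
    addr = ip_address(ip)
    return any(addr in net for net in MYNETWORKS)


def relayed(msgs):
    """Messages an untrusted, unauthenticated client got accepted for a domain
    we are not final destination for. Returns [(qid, ip, [external rcpts])]."""
    hits = []
    for qid, m in msgs.items():
        if m["sasl_user"] or in_mynetworks(m["ip"]):
            continue  # permit_sasl_authenticated / permit_mynetworks allow these
        external = [r for r in m["rcpts"]
                    if r.rsplit("@", 1)[-1].lower() not in LOCAL_DOMAINS]
        if external:
            hits.append((qid, m["ip"], external))
    return hits


def audit(lines):
    return relayed(parse_maillog(lines))


if __name__ == "__main__":
    # Feed a real log with: python3 relaycheck.py < /var/log/maillog
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOG
    for qid, ip, rcpts in audit(lines):
        print(f"RELAYED {qid} from {ip} to {', '.join(rcpts)}")
```

On the post's own lines this reports nothing: C9F05E26AF went to info@mydomain.com, a local domain, so it is spam addressed to you, not relaying; only the invented 1234ABCD01 entry trips the check. The live counterpart is to connect from an outside address and issue RCPT TO an external domain without authenticating; a correctly ordered smtpd_recipient_restrictions answers "554 5.7.1 Relay access denied".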
Old 11-03-2011, 12:46 AM   #3
scottmusician
Member
Registered: Jul 2011
Location: Melbourne, AU
Distribution: Centos 5
Posts: 43
Original Poster
thanks for the advice!
Tags
hacked, maillog, postfix, sasl, spam