I have been finding a lot of "You are Not allowed to connect" messages in my maillog file.

and the email addresses are not in my forum database.

I've check my server for rootkits and there are none installed and I've also used mxtoolbox to test my server as an open relay and it says it's not an open relay.

however I am seeing bounces that show 'relay' and I wonder exactly what I'm looking at and and asking for some help in identifying the nature of these emails.

here's a few examples and they seem to come in 'spurts" when I'm tailing the maillog file.

there's never anything waiting in the queue to be delivered.


Jun 9 15:12:29 mysite postfix/smtp[13642]: 51EA914B90DE: to=<jake@jvanderlaan.110mb.com>, relay=none, delay=172540, delays=172538/0.98/0.32/0, dsn=4.4.1, status=deferred (connect to jvanderlaan.110mb.com[64.191.15.246]: Connection refused)
Jun 9 15:12:29 mysite postfix/smtp[13610]: 9D84914B8186: to=<jake@jvanderlaan.110mb.com>, relay=none, delay=56434, delays=56433/1/0.28/0, dsn=4.4.1, status=deferred (connect to jvanderlaan.110mb.com[64.191.15.246]: Connection refused)
Jun 9 15:12:29 mysite postfix/smtp[13613]: 70ECC14B812A: host chcspsym2.ads.northwestern.edu[129.105.238.70] refused to talk to me: 554 5.7.1 You are not allowed to connect.
Jun 9 15:12:29 mysite postfix/smtp[13658]: A7C4314B8115: host evcspsym3.ads.northwestern.edu[129.105.238.11] refused to talk to me: 554 5.7.1 You are not allowed to connect.
Jun 9 15:12:29 mysite postfix/smtp[13653]: A4C6D14B815F: host evcspsym1.ads.northwestern.edu[129.105.238.5] refused to talk to me: 554 5.7.1 You are not allowed to connect.
Jun 9 15:12:30 mysite postfix/smtp[13606]: 72BC614B814F: to=<BOB_BRECHLIN@CMICRO.COM>, relay=mail.CMICRO.COM[76.164.36.115]:25, delay=64412, delays=64410/0.8/0.69/0, dsn=4.7.1, status=deferred (host mail.CMICRO.COM[76.164.36.115] refused to talk to me: 554 5.7.1 You are not allowed to connect.)
Jun 9 15:12:30 mysite postfix/smtp[13639]: D12871E90214: host chcspsym1.ads.northwestern.edu[129.105.238.69] refused to talk to me: 554 5.7.1 You are not allowed to connect.
Jun 9 15:12:30 mysite postfix/smtp[13609]: 6DC0A14B82DD: host chcspsym1.ads.northwestern.edu[129.105.238.69] refused to talk to me: 554 5.7.1 You are not allowed to connect.
Jun 9 15:12:30 mysite postfix/smtp[13658]: A7C4314B8115: host evcspsym1.ads.northwestern.edu[129.105.238.5] refused to talk to me: 554 5.7.1 You are not allowed to connect.
Jun 9 15:12:30 mysite postfix/smtp[13613]: 70ECC14B812A: host evcspsym1.ads.northwestern.edu[129.105.238.5] refused to talk to me: 554 5.7.1 You are not allowed to connect.
Jun 9 15:12:30 mysite postfix/smtp[13653]: A4C6D14B815F: host chcspsym3.ads.northwestern.edu[129.105.238.75] refused to talk to me: 554 5.7.1 You are not allowed to connect.
Jun 9 15:12:30 mysite postfix/smtp[13639]: D12871E90214: host chcspsym2.ads.northwestern.edu[129.105.238.70] refused to talk to me: 554 5.7.1 You are not allowed to connect.
Jun 9 15:12:30 mysite postfix/smtp[13609]: 6DC0A14B82DD: host chcspsym3.ads.northwestern.edu[129.105.238.75] refused to talk to me: 554 5.7.1 You are not allowed to connect.
Jun 9 15:12:30 mysite postfix/smtp[13623]: 1CE8B14B80DA: host hqsmtp02.gpo.gov[162.140.64.7] refused to talk to me: 554 You are not allowed to connect.
Jun 9 15:12:30 mysite postfix/smtp[13658]: A7C4314B8115: host chcspsym1.ads.northwestern.edu[129.105.238.69] refused to talk to me: 554 5.7.1 You are not allowed to connect.
Jun 9 15:12:30 mysite postfix/smtp[13613]: 70ECC14B812A: host evcspsym3.ads.northwestern.edu[129.105.238.11] refused to talk to me: 554 5.7.1 You are not allowed to connect.
Jun 9 15:12:30 mysite postfix/smtp[13653]: A4C6D14B815F: host evcspsym2.ads.northwestern.edu[129.105.238.6] refused to talk to me: 554 5.7.1 You are not allowed to connect.
Jun 9 15:12:30 mysite postfix/smtp[13612]: 71BB514B83D3: host mail-in1.borusan.com[213.194.108.237] refused to talk to me: 554 5.7.1 Global Bad Senders
Jun 9 15:12:30 mysite postfix/smtp[13609]: 6DC0A14B82DD: host evcspsym2.ads.northwestern.edu[129.105.238.6] refused to talk to me: 554 5.7.1 You are not allowed to connect.
Jun 9 15:12:30 mysite postfix/smtp[13639]: D12871E90214: host evcspsym3.ads.northwestern.edu[129.105.238.11] refused to talk to me: 554 5.7.1 You are not allowed to connect.
Jun 9 15:12:30 mysite postfix/smtp[13658]: A7C4314B8115: host evcspsym2.ads.northwestern.edu[129.105.238.6] refused to talk to me: 554 5.7.1 You are not allowed to connect.
Jun 9 15:12:30 mysite postfix/smtp[13613]: 70ECC14B812A: host chcspsym3.ads.northwestern.edu[129.105.238.75] refused to talk to me: 554 5.7.1 You are not allowed to connect.
Jun 9 15:12:30 mysite postfix/smtp[13653]: A4C6D14B815F: host chcspsym2.ads.northwestern.edu[129.105.238.70] refused to talk to me: 554 5.7.1 You are not allowed to connect.
Jun 9 15:12:30 mysite postfix/smtp[13609]: 6DC0A14B82DD: host chcspsym2.ads.northwestern.edu[129.105.238.70] refused to talk to me: 554 5.7.1 You are not allowed to connect.
Jun 9 15:12:30 mysite postfix/smtp[13605]: 7B7AF1E90476: host mx1.mediageneral.net[199.193.13.42] refused to talk to me: 554 5.7.1 You are not allowed to connect.
Jun 9 15:12:30 mysite postfix/smtp[13597]: 6B30014B835F: host mx1.mediageneral.net[199.193.13.42] refused to talk to me: 554 5.7.1 You are not allowed to connect.
Jun 9 15:12:30 mysite postfix/smtp[13613]: 70ECC14B812A: to=<pwebster@northwestern.edu>, relay=chcspsym1.ads.northwestern.edu[129.105.238.69]:25, delay=182821, delays=182819/0.28/1.4/0, dsn=4.7.1, status=deferred (host chcspsym1.ads.northwestern.edu[129.105.238.69] refused to talk to me: 554 5.7.1 You are not allowed to connect.)
Jun 9 15:12:30 mysite postfix/smtp[13658]: A7C4314B8115: to=<r-moretti@northwestern.edu>, relay=chcspsym3.ads.northwestern.edu[129.105.238.75]:25, delay=182599, delays=182597/1.1/0.54/0, dsn=4.7.1, status=deferred (host chcspsym3.ads.northwestern.edu[129.105.238.75] refused to talk to me: 554 5.7.1 You are not allowed to connect.)

as a follow up - is there anyway to determine which application running on my server is responsible for putting the messages in the queue to be sent?

(assuming I'm barking up the right tree)

thanks in advance.

Hi there,

Before I can answer your query I would like to know few things:

1. Which Linux distro are you using and the version.
2. I think this is your mail server. How did you configured it I mean which mailing application you use: postfix or sendmail. From the output you pasted it looks like you use postfix. Is that application you have configured for mailing. I mean sometimes what happens people configure sendmail and forgot to setup chkconfig for it and by default postfix get loaded.
3. Is your server registered with any domain name provider?
4. Another thing that I noticed in the output is that emails are getting deferred the reason could be: not a registered server or your domain got blacklisted by the site you are trying to send email to but can't say for sure until I have the above information.

Postfix 2.3.3
Redhat Enterprise Linux 5 (all packages are up to date)
I am using postfix and installed it using YUM and sendmail is disabled

3. Is your server registered with any domain name provider? - Yes

4. You make an interesting point. we are sending emails from the server from two different domains and doing an nslookup on one of the domains is yielding a different ip which is why some of the email may be getting rejected - however the domain for which the emails are getting rejected has the ip address of this server in it's spf record.

I will take a closer look there...

however I am still wondering why this server is attempting to send emails to people that we do not have in our database.

Jeff

Have a look at this discussion:

http://www.linuxquestions.org/questi...listed-881474/