Linux - Server: This forum is for the discussion of Linux software used in a server-related context.
Hi all, this is my first post here.
My CentOS 6.6 server seems to send out a large amount of spam: I've been blacklisted by Google and many other RBL checks, and I can't figure out where the mails are sent from.
Here's a short part of my maillog:
Code:
Nov 23 10:18:20 vmi13057 postfix/smtpd[28944]: warning: unknown[183.80.63.1]: SASL PLAIN authentication failed:
Nov 23 10:18:21 vmi13057 postfix/smtpd[29084]: E7140A002EF: client=207.63.205.77.rev.sfr.net[77.205.63.207]
Nov 23 10:18:22 vmi13057 postfix/cleanup[29093]: E7140A002EF: message-id=<>
Nov 23 10:18:22 vmi13057 postfix/qmgr[26950]: E7140A002EF: from=<communicationproprod@sfr.fr>, size=15586, nrcpt=1 (queue active)
Nov 23 10:18:22 vmi13057 amavis[27159]: (27159-07) ESMTP::10024 /var/spool/amavisd/tmp/amavis-20141123T091950-27159-lrqDpkOZ: <communicationproprod@sfr.fr> -> <info@****.com> SIZE=15586 Received: from mail.***.it ([127.0.0.1]) by localhost (mail.i99.it [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <info@*****.com>; Sun, 23 Nov 2014 10:18:22 +0100 (CET)
Nov 23 10:18:22 vmi13057 postfix/smtpd[29084]: disconnect from 207.63.205.77.rev.sfr.net[77.205.63.207]
Nov 23 10:18:22 vmi13057 amavis[27159]: (27159-07) Checking: eQrxDFf2cAdQ [77.205.63.207] <communicationproprod@sfr.fr> -> <info@*****.com>
Nov 23 10:18:22 vmi13057 amavis[27159]: (27159-07) Open relay? Nonlocal recips but not originating: info@*****.com
Nov 23 10:18:22 vmi13057 postfix/smtpd[29101]: connect from unknown[127.0.0.1]
Nov 23 10:18:22 vmi13057 postfix/smtpd[29101]: CCFCFA002F1: client=unknown[127.0.0.1]
Nov 23 10:18:22 vmi13057 postfix/cleanup[29093]: CCFCFA002F1: message-id=<DSNeQrxDFf2cAdQ@mail.***.it>
Nov 23 10:18:22 vmi13057 postfix/smtpd[29101]: disconnect from unknown[127.0.0.1]
Nov 23 10:18:22 vmi13057 amavis[27159]: (27159-07) 0fPzsX10ardu(eQrxDFf2cAdQ) SEND from <> -> <communicationproprod@sfr.fr>, ENVID=AM.0fPzsX10ardu.20141123T091822Z@mail.***.it 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as CCFCFA002F1
Nov 23 10:18:22 vmi13057 amavis[27159]: (27159-07) Blocked BAD-HEADER-0 {BouncedOpenRelay,Quarantined}, [77.205.63.207]:4010 [77.205.63.207] <communicationproprod@sfr.fr> -> <info@*****.com>, mail_id: eQrxDFf2cAdQ, Hits: -, size: 15552, 407 ms
Nov 23 10:18:22 vmi13057 postfix/smtp[29097]: E7140A002EF: to=<info@*****.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=4.1, delays=3.6/0.04/0.01/0.41, dsn=2.5.0, status=sent (250 2.5.0 Ok, id=27159-07, BOUNCE)
Nov 23 10:18:22 vmi13057 postfix/qmgr[26950]: CCFCFA002F1: from=<>, size=2808, nrcpt=1 (queue active)
Nov 23 10:18:22 vmi13057 postfix/qmgr[26950]: E7140A002EF: removed
Nov 23 10:18:23 vmi13057 postfix/smtp[29103]: CCFCFA002F1: to=<communicationproprod@sfr.fr>, relay=smtp-in.sfr.fr[93.17.128.25]:25, delay=0.69, delays=0.1/0.03/0.14/0.42, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 73D161C00085)
Nov 23 10:18:23 vmi13057 postfix/qmgr[26950]: CCFCFA002F1: removed
...
Nov 23 09:12:47 vmi13057 postfix/smtpd[27129]: 1F816A002EF: client=outmail013.prn2.facebook.com[66.220.144.140]
Nov 23 09:12:47 vmi13057 postfix/cleanup[27138]: 1F816A002EF: message-id=<ea7333aa6e3e10573f32f7763901f1eb@async.facebook.com>
Nov 23 09:12:47 vmi13057 postfix/qmgr[26950]: 1F816A002EF: from=<notification+zj4oz9oo9=sy@facebookmail.com>, size=12424, nrcpt=1 (queue active)
Nov 23 09:12:47 vmi13057 amavis[20944]: (20944-16) ESMTP::10024 /var/spool/amavisd/tmp/amavis-20141122T232409-20944-aaNtFqTA: <notification+zj4oz9oo9=sy@facebookmail.com> -> <barbara@fuoriorario.pg.it> SIZE=12424 BODY=8BITMIME Received: from mail.****.it ([127.0.0.1]) by localhost (mail.***.it [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <barbara@*******.it>; Sun, 23 Nov 2014 09:12:47 +0100 (CET)
Nov 23 09:12:47 vmi13057 amavis[20944]: (20944-16) Checking: qQE3CIclhW2O [66.220.144.140] <notification+zj4oz9oo9=sy@facebookmail.com> -> <barbara@*******.it>
Nov 23 09:12:47 vmi13057 amavis[20944]: (20944-16) Open relay? Nonlocal recips but not originating: barbara@*******.it
Nov 23 09:12:47 vmi13057 clamd[1419]: SelfCheck: Database status OK.
...
Nov 23 11:22:49 vmi13057 amavis[27818]: (27818-10) Checking: XLmhKaGnfeka [195.154.80.168] <info@risparmiadem.eu> -> <info@cartagraf.com>
Nov 23 11:22:49 vmi13057 amavis[27818]: (27818-10) Open relay? Nonlocal recips but not originating: info@*******
Nov 23 11:22:51 vmi13057 postfix/smtpd[31203]: connect from unknown[127.0.0.1]
Nov 23 11:22:51 vmi13057 postfix/smtpd[31203]: 10483A002F1: client=unknown[127.0.0.1]
Nov 23 11:22:51 vmi13057 postfix/cleanup[31195]: 10483A002F1: message-id=<8ffbd2418bc456bf0fb9ea07feb476c9@risparmiadem.eu>
Nov 23 11:22:51 vmi13057 postfix/smtpd[31203]: disconnect from unknown[127.0.0.1]
Nov 23 11:22:51 vmi13057 amavis[27818]: (27818-10) XLmhKaGnfeka FWD from <info@risparmiadem.eu> -> <info@*******>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 10483A002F1
Nov 23 11:22:51 vmi13057 amavis[27818]: (27818-10) Passed SPAMMY {RelayedOpenRelay}, [195.154.80.168]:47490 [195.154.80.168] <info@risparmiadem.eu> -> <info@*******>, Message-ID: <8ffbd2418bc456bf0fb9ea07feb476c9@risparmiadem.eu>, mail_id: XLmhKaGnfeka, Hits: 8.476, size: 3995, queued_as: 10483A002F1, 1652 ms
Nov 23 11:22:51 vmi13057 postfix/smtp[31197]: 4369BA002EF: to=<info@*******>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.9, delays=0.22/0.06/0.01/1.7, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 10483A002F1)
Nov 23 11:22:51 vmi13057 postfix/qmgr[26950]: 10483A002F1: from=<info@risparmiadem.eu>, size=4406, nrcpt=1 (queue active)
Nov 23 11:22:51 vmi13057 postfix/qmgr[26950]: 4369BA002EF: removed
Nov 23 11:22:51 vmi13057 postfix/pipe[31205]: 10483A002F1: to=<info@*******>, relay=dovecot, delay=0.56, delays=0.07/0.03/0/0.46, dsn=2.0.0, status=sent (delivered via dovecot service)
Nov 23 11:22:51 vmi13057 postfix/qmgr[26950]: 10483A002F1: removed
Nov 23 11:26:09 vmi13057 postfix/anvil[31188]: statistics: max connection rate 1/60s for (smtp:195.154.80.168) at Nov 23 11:22:49
It seems that normal mails sent from localhost report "client=localhost" instead of "unknown".
And I can't totally get rid of messages sent from=<> (this is bad, isn't it?).
And why does amavis say "Open relay? Nonlocal recips but not originating: "?
Please read the LQ Rules. Bumping your own thread after less than 24 hours is plain rude. This is a volunteer forum, and people answer when they can, and if they want to. So bumping your own thread does NOTHING to get you an answer faster. In fact, all you succeeded in doing is REMOVING your post from the zero reply list, making it LESS VISIBLE, and LESS LIKELY to be answered.
There are many how-to guides you can find on hardening and securing Postfix. That said, you are set to reject invalid hostnames...but where do those hostnames COME from, in your case? How many users/domains are on this email system? How many users? You may want to check out some of the postfix hardening guides: http://www.howtoforge.com/hardening-...or-ispconfig-3
That's one, and you may not have to follow all of those steps, depending on your environment.
And I'd suggest that you be sure to add/modify these two rules in main.cf:
Many open relay problems are caused by having an access table before reject_unauth_destination.
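An added example, not from this thread, that checks the ordering the reply above describes: it parses a main.cf-style smtpd_recipient_restrictions value and reports any check_*_access table that is evaluated before reject_unauth_destination (a table that returns OK at that point ends evaluation and can permit relaying to any destination). The main.cf fragments are constructed, not the poster's configuration.

```python
import re

# Access-table lookups can return OK and end evaluation early; placed before
# reject_unauth_destination they can grant relaying to any destination.
ACCESS_CHECKS = ("check_client_access", "check_helo_access",
                 "check_sender_access", "check_recipient_access")
ARG_TAKING = ACCESS_CHECKS + ("reject_rbl_client",)  # take one argument
RELAY_GUARDS = ("reject_unauth_destination", "defer_unauth_destination")

def parse_restrictions(main_cf):
    """Return smtpd_recipient_restrictions from main.cf text as a list,
    keeping each restriction together with its argument."""
    value, collecting = [], False
    for line in main_cf.splitlines():
        if re.match(r"^smtpd_recipient_restrictions\s*=", line):
            value.append(line.split("=", 1)[1])
            collecting = True
        elif collecting and line[:1] in (" ", "\t"):
            value.append(line)  # Postfix continuation line
        elif collecting:
            break  # next parameter or a comment ends the value
    tokens = [t for t in re.split(r"[,\s]+", " ".join(value)) if t]
    entries, i = [], 0
    while i < len(tokens):
        if tokens[i] in ARG_TAKING and i + 1 < len(tokens):
            entries.append(tokens[i] + " " + tokens[i + 1])
            i += 2
        else:
            entries.append(tokens[i])
            i += 1
    return entries

def access_tables_before_guard(main_cf):
    """Access-table entries evaluated before the relay guard; a missing
    guard counts as every table being before it."""
    entries = parse_restrictions(main_cf)
    guard = next((i for i, e in enumerate(entries) if e in RELAY_GUARDS),
                 len(entries))
    return [e for e in entries[:guard] if e.split(" ")[0] in ACCESS_CHECKS]

# Constructed main.cf fragments (not the poster's configuration).
WEAK_CF = """\
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/sender_access,
    reject_unauth_destination
"""
FIXED_CF = WEAK_CF.replace(
    "check_sender_access hash:/etc/postfix/sender_access,\n    reject_unauth_destination",
    "reject_unauth_destination,\n    check_sender_access hash:/etc/postfix/sender_access")
```

Run `access_tables_before_guard` over your own main.cf text: an empty list means no access table is consulted before the relay guard.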
I do apologize for that, I didn't mean to.
Anyway, thanks for the reply; I'm following the link you provided.
On this server I have about 50 virtual domains (and about 30 Apache web sites).
In my /etc/postfix/ folder I have mysql-virtual_mailbox_maps.cf instead of mysql-virtual_recipient.cf - is it the same thing?
I believe so, although someone with more experience may have a different answer. Check out the postfix docs, they may be able to guide you in that respect. And is this a recent issue? How long has your postfix box been up and running? And if it IS recent...which users/domains did you add recently, and have you tried to block them, or at least look at them more closely?
Quote:
Sorry for my bad English.
No worries at all...your English is better than a lot of others!
Well, I've applied some configuration changes from TB0ne's link, and things seem to be getting better.
However, I can still find some odd messages in my maillog, like this:
# grep "52809A002F2" /var/log/maillog
Nov 24 11:09:36 vmi13057 postfix/smtpd[10654]: 52809A002F2: client=unknown[127.0.0.1]
Nov 24 11:09:36 vmi13057 postfix/cleanup[10642]: 52809A002F2: message-id=<546F1368008A92A7@smtp205.alice.it>
Nov 24 11:09:36 vmi13057 amavis[10383]: (10383-09) oVwMGA0xn0Rl FWD from <> -> <info@*******.com>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 52809A002F2
Nov 24 11:09:36 vmi13057 amavis[10383]: (10383-09) Passed CLEAN {RelayedOpenRelay}, [82.57.200.101]:56262 [82.57.200.101] <> -> <info@*******.com>, Message-ID: <546F1368008A92A7@smtp205.alice.it>, mail_id: oVwMGA0xn0Rl, Hits: -1.899, size: 2714, queued_as: 52809A002F2, 2354 ms
Nov 24 11:09:36 vmi13057 postfix/smtp[10644]: DDB3EA00305: to=<info@*******.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.5, delays=0.16/0/0.01/2.4, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 52809A002F2)
Nov 24 11:09:36 vmi13057 postfix/qmgr[22221]: 52809A002F2: from=<>, size=3123, nrcpt=1 (queue active)
Nov 24 11:09:36 vmi13057 postfix/pipe[10656]: 52809A002F2: to=<info@*******.com>, relay=dovecot, delay=0.19, delays=0.13/0/0/0.06, dsn=2.0.0, status=sent (delivered via dovecot service)
Nov 24 11:09:36 vmi13057 postfix/qmgr[22221]: 52809A002F2: removed
Why do I receive mails from client=unknown[127.0.0.1] (instead of localhost[127.0.0.1]) and from <>,
and why are those mails being passed by amavis and postfix?
Is it normal to have such logs?
Last edited by mattiapascal; 11-29-2014 at 03:26 AM.