LinuxQuestions.org
Old 08-28-2006, 09:53 AM   #1
neocontrol
Member
 
Registered: Jul 2005
Posts: 273

Rep: Reputation: 31
mailscanner pounding dns server


Hi,

I just re-installed mailscanner and mailwatch. This machine's only job is to be our mail relay. It checks/scans for viruses and spam and then sends.

I've never configured anything like this before, and the person who originally set this up no longer works for us, so I'm on my own.

I installed with no problems. I'm pretty sure my configuration is good, but then again, I have nothing really to base this off of except my own opinion.

I don't recall setting this machine up to check dns names of mail recipients. Obviously this machine points to our dns servers on the network card setup. I don't recall seeing my log files roll so fast with requests from this machine like it is now.

So I think I have something not set up right. The log file /var/log/messages on our dns server filled up the entire partition over the weekend. It has never done this before, and most of it is from our new mailscanner machine.

To try to take off some load on our main dns server, I pointed our dns to our secondary dns machine. This I assume is helping some, because now both log files /var/log/messages are filling up with messages from this one machine. Also the main dns server is still getting requests and so is the secondary. And the secondary just started getting lots of requests from the mailscanner machine. Previously it would get one request every couple of minutes.

Can someone tell me what I may have missed on this setup? Is this really normal? I figure there has to be some sort of dns cache or something that I didn't configure?

I'm also getting about 4 requests a second on both machines, from this server.

**adding some more info**

I have about 1200 messages in my mail queue. I have a hunch that this has something to do with it. For the most part, they are junk mail going out? Most of them say deferred with a message attached. Here's an example:

To: elias@we-help-u.biz
Message: {Spam?} Delivery Status Notification (Failure) Deferred: Connection refused by we-help-u.biz.
Size:6.5Kb
Tried:41227
Time:00:00:27

From the above, I got this from mailwatch, it says tried 41227. Does this mean it tried to send it 42000 times? What must I do to get this to stop trying such as this?

Last edited by neocontrol; 08-28-2006 at 10:00 AM.
 
Old 08-28-2006, 02:12 PM   #2
ramram29
Member
 
Registered: Jul 2003
Location: Miami, Florida, USA
Distribution: Debian
Posts: 848
Blog Entries: 1

Rep: Reputation: 47
I think what's happening is your mail server tried to send Email to a server that it is no longer able to reach. Usually when your Email server is not able to reach another Email server it queues the message for later delivery. Most standard configured Email systems will keep the message for up to 4 days then discard it. Recently, on most stable systems, a lot of admins are specifying to keep the message for one day then discard it.

You need to see for how many days your server is set up to keep the messages in queue then maybe lower the timeout. Before that you need to check if it is one system that it's not able to send to or all systems. Try to run 'telnet mail.yahoo.com 25' to see if it is able to connect to another mail server first. You may have a network configuration problem.
 
Old 08-28-2006, 03:14 PM   #3
neocontrol
Member
 
Registered: Jul 2005
Posts: 273

Original Poster
Rep: Reputation: 31
A lot of these mails sitting in my outbound queue are spam. Such as they have no "from:" address. I'd like to make a rule about not accepting nameless from: addresses, but I haven't had much luck with that. The MailWatch/Mailscanner software requires a from address.

I checked MailScanner.conf and conf.php and have not found anything relating to send retries. Where else can I look?
 
Old 08-28-2006, 03:23 PM   #4
ramram29
Member
 
Registered: Jul 2003
Location: Miami, Florida, USA
Distribution: Debian
Posts: 848
Blog Entries: 1

Rep: Reputation: 47
I would recommend upgrading to spamassassin and using filters for all your users. I use a combination of spamassassin and sieve and it works well for me. I also run a script that prunes SPAM messages from all mailboxes that are 3 months or older.

What mail setup are you using?
 
Old 08-28-2006, 03:54 PM   #5
neocontrol
Member
 
Registered: Jul 2005
Posts: 273

Original Poster
Rep: Reputation: 31
server 2003 w/ exchange that forwards to our relay that has mailscanner w/ spamassassin & clamav
 
Old 08-28-2006, 04:11 PM   #6
neocontrol
Member
 
Registered: Jul 2005
Posts: 273

Original Poster
Rep: Reputation: 31
Another question I have is how do all of these get in my queue? Is this a user's box that's infected sending out spam? How can I find out? I have a few hundred users, in different locations.

Perhaps it is some sort of problem with having a relay out on the internet where they can pass email thru by messing with the email headers?

Is there a way to add a blank from: address to the blacklist folder or somehow make a rule to get rid of them as mailscanner sees them?
 
Old 08-29-2006, 01:42 AM   #7
dambla
Member
 
Registered: Aug 2006
Posts: 51

Rep: Reputation: 15
edited........

Last edited by dambla; 08-29-2006 at 01:43 AM.
 
Old 08-29-2006, 07:21 AM   #8
ramram29
Member
 
Registered: Jul 2003
Location: Miami, Florida, USA
Distribution: Debian
Posts: 848
Blog Entries: 1

Rep: Reputation: 47
It could be that you have a virus on your Windows 2003.

What mail server are you running, sendmail or postfix?
 
Old 08-29-2006, 08:05 AM   #9
neocontrol
Member
 
Registered: Jul 2005
Posts: 273

Original Poster
Rep: Reputation: 31
On the mailscanner machine I'm running sendmail.
 
Old 08-30-2006, 03:31 PM   #10
neocontrol
Member
 
Registered: Jul 2005
Posts: 273

Original Poster
Rep: Reputation: 31
Okay, things are pretty much under control.

What was happening is that our server was getting hit with a lot of false (forged) emails, that didn't have return addresses. Likewise, most of that mail wasn't going anywhere either.

We finally figured out how to stop most mails without a from sender, which just about stopped all of those types of mails.

We deleted that entire outbound directory, which at its peak was at about 1200. Today I think we have about 70 new ones. Pretty good.

Those other emails are being forged as our other relay (webmail), so we can't stop it quite yet.

The problem was all of those emails sitting in queue waiting to go out. Our server kept making requests to find out where to send this stuff, but since they didn't exist, it would be put back in the rotation and tried again later.

Multiply that by 1200 and that can lead to my dns server being bombed.

This was my first time messing and working on a mail relay/server so I was definitely overwhelmed all day yesterday as I tried to pick up my learning curve.

Thanks for all the suggestions and comments, I appreciated it.

Last edited by neocontrol; 08-30-2006 at 03:33 PM.
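
The situation described in the last post (a queue full of sender-less mail being retried against destinations that never answer) can be triaged from the queue listing. This is an added example, not part of the original thread: it parses constructed text in the layout sendmail's `mailq` prints and tallies recipient domains and null-sender (`<>`) messages; the function names and every sample value except the address quoted in post #1 are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the layout printed by sendmail's `mailq`; queue IDs,
# times and every address except the one quoted in the thread are made up.
SAMPLE_MAILQ = """\
\t\t/var/spool/mqueue (4 requests)
-----Q-ID----- --Size-- -----Q-Time----- ------------Sender/Recipient-----------
k7SDr1Xo012345     6656 Mon Aug 28 09:53 <>
                 (Deferred: Connection refused by we-help-u.biz.)
\t\t\t\t\t <elias@we-help-u.biz>
k7SDr2Xo012346     6602 Mon Aug 28 09:54 <>
                 (Deferred: Connection refused by we-help-u.biz.)
\t\t\t\t\t <info@we-help-u.biz>
k7SDr3Xo012347     4211 Mon Aug 28 09:55 <>
                 (Deferred: Name server: no-such-domain.example.: host name lookup failure)
\t\t\t\t\t <bob@no-such-domain.example>
k7SDr4Xo012348     1033 Mon Aug 28 09:56 <alice@example.org>
                 (Deferred: Connection timed out with mx.example.net.)
\t\t\t\t\t <carol@example.net>
"""

# Queue ID (optionally followed by a flag such as *), size, queue time, sender.
ENTRY = re.compile(r"^(\w+)[*-]?\s+\d+\s+\w{3} \w{3} +\d+ \d\d:\d\d\s+(\S*)\s*$")

def parse_mailq(text):
    """Return one dict per queued message: id, sender, status, rcpts."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        body = line.strip()
        if m:
            entries.append({"id": m.group(1), "sender": m.group(2).strip("<>"),
                            "status": "", "rcpts": []})
        elif entries and body.startswith("("):
            entries[-1]["status"] = body.strip("()")
        elif entries and "@" in body:
            entries[-1]["rcpts"].append(body.strip("<>").lower())
    return entries

def summarize(entries):
    """Tally recipient domains and list messages with a null (<>) sender."""
    domains = Counter(r.rsplit("@", 1)[1] for e in entries for r in e["rcpts"])
    null_ids = [e["id"] for e in entries if e["sender"] == ""]
    return domains, null_ids

if __name__ == "__main__":
    domains, null_ids = summarize(parse_mailq(SAMPLE_MAILQ))
    print(domains.most_common(), len(null_ids), "null-sender messages")
```

A queue dominated by `<>` senders and a handful of unreachable domains points to bounces for forged mail rather than an infected internal host.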
 
  

