Hello!
I've noticed increased Postfix activity as of late and am concerned that
something is configured inadequately (i.e., open-relay). For "postconf
-n" output, please skip to the end of this message.
So, I installed pflogsumm and my concerns seem valid. I'll address each
point of concern.
Firstly, the Grand Totals are much larger than expected (especially
deferrals), given the tenancy on this server:
Grand Totals
------------
messages
13993 received
17602 delivered
0 forwarded
19486 deferred (294359 deferrals)
5439 bounced
348 rejected (1%)
0 reject warnings
0 held
0 discarded (0%)
28386k bytes received
55491k bytes delivered
690 senders
43 sending hosts/domains
11302 recipients
641 recipient hosts/domains
Also, nearly this entire next section is full of domains which we do not
host (obviously). What's interesting, too, is that we do host *Web*
services for "example.com" (sanitized for privacy reasons), but not
email (no MX records in DNS for this domain point to the server in
question -- they point to a different email provider).
Host/Domain Summary: Message Delivery
--------------------------------------
 sent cnt    bytes   defers   avg dly   max dly   host/domain
 --------  -------  -------   -------   -------   -----------
     5438   17837k        0     6.5 s    37.0 s   example.com
     4183    3409k     9540     1.8 h    59.6 h   yahoo.com
     4094    3207k   259218     9.9 h    51.5 h   aol.com
      783   436136        1    30.5 m     2.9 h   hotmail.com
      755    1021k      531     3.1 h    30.9 h   gmail.com
      136   106885     6803     9.8 h    51.4 h   aim.com
      129   104380      207     1.1 h    10.6 h   ymail.com
       84    69503      136     1.2 h     9.5 h   yahoo.fr
       77    64989      157     1.7 h     7.2 h   yahoo.co.uk
Continuing on, I find that recipients at this domain have received 13814
messages in this time period. But how is this possible if we don't even
host email for the client whose domain I am calling "example.com"? The
domain is not configured in Postfix, there are no mailboxes for users at
this domain, etc.
Host/Domain Summary: Messages Received
---------------------------------------
 msg cnt    bytes   host/domain
 -------  -------   -----------
   13814   13177k   example.com
And not only are messages being delivered to these non-existent
mailboxes (at least according to Postfix and/or pflogsumm), but users at
this domain (again, for which we do not host email -- Web only) are also
sending mail. Note that none of these local-parts are valid; they seem
auto-generated:
Senders by message count
------------------------
146 [email protected]
144 [email protected]
140 [email protected]
124 [email protected]
110 [email protected]
110 [email protected]
108 [email protected]
106 [email protected]
102 [email protected]
96 [email protected]
94 [email protected]
82 [email protected]
[list continues for a couple thousand fake addresses]
And interspersed with legitimate entries (see first item, for example),
I find more of this garbage for the sanitized domain that I'm calling
"example.com". This goes on for over 10,000 entries:
Recipients by message count
---------------------------
59 [email protected]
41 [email protected]
40 [email protected]
34 [email protected]
34 [email protected]
31 [email protected]
28 [email protected]
26 [email protected]
25 [email protected]
24 [email protected]
24 [email protected]
[10,000+ more entries here]
And then some 1,800 messages with no size data:
Messages with no size data
--------------------------
00508E89F0 [email protected]
00555E8C05 [email protected]
00576E81B4 [email protected]
00A09E924C [email protected]
00BEEE820C [email protected]
00DBDE8CEB [email protected]
00E0AE920D [email protected]
00E55E8BB3 [email protected]
01263E6B2D [email protected]
01584E8F94 [email protected]
015C2E8984 [email protected]
02136E855B [email protected]
0253CE81C6 [email protected]
[1,800+ more entries here]
And last but not least (note the tremendous [for this system] number of
deferrals); clearly, other mail systems are black-listing this system.
I've replaced this system's IP address with XXX.XXX.XXX.XXX:
message deferral detail
-----------------------
error (total: 271035)
  175000 4.7.1 : (DYN:T1
   85460 5.7.1 : (RLY:B1
    1446 25: Connection timed out
     827 lost connection with mta5.am0.yahoodns.net[98.138.112.32] whil...
     727 lost connection with mta5.am0.yahoodns.net[98.136.217.202] whi...
     567 lost connection with mta7.am0.yahoodns.net[98.138.112.34] whil...
     509 lost connection with mta7.am0.yahoodns.net[66.196.118.37] whil...
     424 lost connection with mta6.am0.yahoodns.net[66.196.118.240] whi...
     417 lost connection with mta7.am0.yahoodns.net[98.138.112.37] whil...
     416 lost connection with mta7.am0.yahoodns.net[66.196.118.240] whi...
     407 lost connection with mta5.am0.yahoodns.net[98.138.112.34] whil...
     398 lost connection with mta7.am0.yahoodns.net[98.136.217.202] whi...
     389 lost connection with mta5.am0.yahoodns.net[66.196.118.240] whi...
     365 lost connection with mta5.am0.yahoodns.net[66.196.118.34] whil...
     347 lost connection with mta7.am0.yahoodns.net[98.136.217.203] whi...
     342 lost connection with mta6.am0.yahoodns.net[66.196.118.33] whil...
     331 lost connection with mta6.am0.yahoodns.net[98.138.112.33] whil...
     315 lost connection with mta6.am0.yahoodns.net[63.250.192.46] whil...
     268 lost connection with mta7.am0.yahoodns.net[66.196.118.34] whil...
     262 lost connection with mta6.am0.yahoodns.net[98.138.112.34] whil...
     261 lost connection with mta7.am0.yahoodns.net[98.136.216.26] whil...
     249 lost connection with mta6.am0.yahoodns.net[98.138.112.38] whil...
     247 lost connection with mta5.am0.yahoodns.net[98.138.112.33] whil...
     175 Host not found, try again
     160 lost connection with mta6.am0.yahoodns.net[98.138.112.32] whil...
     143 lost connection with mta5.am0.yahoodns.net[98.138.112.38] whil...
     136 lost connection with mta6.am0.yahoodns.net[98.138.112.35] whil...
     132 lost connection with mta5.am0.yahoodns.net[98.138.112.35] whil...
      92 lost connection with mx-eu.mail.am0.yahoodns.net[188.125.69.79...
      59 lost connection with mta6.am0.yahoodns.net[66.196.118.35] whil...
      26 yahoo.co[98.139.102.145]:25: Connection timed out
      23 lost connection with mta5.am0.yahoodns.net[66.196.118.37] whil...
      22 //www.verizon.net/whitelist and request removal of the block. ...
      19 lost connection with mta7.am0.yahoodns.net[63.250.192.46] whil...
      17 yahoo.co[68.180.206.184]:25: Connection timed out
      14 lost connection with mta5.am0.yahoodns.net[98.136.216.25] whil...
      12 Service temporarily unavailable, try again later
      10 lost connection with mta5.am0.yahoodns.net[66.196.118.33] whil...
       6 lost connection with mta6.am0.yahoodns.net[98.136.216.26] whil...
       4 lost connection with mta7.am0.yahoodns.net[63.250.192.45] whil...
       4 Too many concurrent SMTP connections; please try again later.
       3 lost connection with mta7.am0.yahoodns.net[98.138.112.35] whil...
       2 gimail.com[208.73.211.249]:25: Connection timed out
       2 lost connection with mta6.am0.yahoodns.net[66.196.118.37] whil...
smtp (total: 23324)
    2748 4.2.1 : (DYN:T1
    2222 4.7.1 : (DYN:T1
    1849 Host not found, try again
    1266 25: Connection timed out
    1257 //postmaster.yahoo.com/421-ts01.html (in reply to MAIL FROM co...
    1164 5.7.1 : (RLY:B1
     579 //www.verizon.net/whitelist and request removal of the block. ...
     493 //www.google.com/mail/help/bulk_mail.html to review our Bulk 4...
     282 //postmaster.facebook.com/response_codes?ip=XXX.XXX.XXX.XXX#una...
     181 gimal.com[208.87.34.163]:25: No route to host
     181 lost connection with mx-c1.talktalk.net[62.24.202.3] while rec...
     128 tahoo.com[116.212.117.220]:25: No route to host
     123 hotmaill.com[65.55.5.14]:25: Connection timed out
     123 25: Connection refused
     112 gotmail.com[176.74.176.178]:25: Connection refused
     106 yahoo.co[68.180.206.184]:25: Connection timed out
      96 yahoo.co[98.139.102.145]:25: Connection timed out
      96 mail2.sify.com[124.7.36.211]:25: Connection timed out
      94 hotmail.co[207.46.31.61]:25: Connection timed out
      87 jmail.com[209.222.14.3]:25: Connection timed out
      80 e-mail.com[204.146.168.195]:25: Connection timed out
      78 gmain.com[91.237.88.233]:25: Connection timed out
      70 Temporary local problem - please try later (in reply to RC...
      69 hotmail.co[65.55.39.12]:25: Connection timed out
      69 mail.gmail.org[38.110.30.21]:25: Connection timed out
      63 2880:2110:df07:face:b00c:0:1]:25: Connection timed out
      60 comast.net[202.31.187.154]:25: Connection refused
      60 poop.com[69.43.160.219]:25: Connection refused
      57 example.com[93.184.216.119]:25: Connection timed out
      56 XXX.XXX.XXX.XXX are being rejected due to low SenderBase Reputa...
      48 5.7.1 Server busy. Please try again later
      47 2800:220:6d:26bf:1447:1097:aa7]:25: Connection timed out
      45 homail.com[64.4.6.100]:25: Connection timed out
      45 hotmal.com[64.4.6.100]:25: Connection timed out
      43 gmile.com[175.118.124.200]:25: Connection refused
      42 cmail.com[176.74.176.178]:25: Connection refused
      41 rocker.com[176.74.176.178]:25: Connection refused
[several thousand more of these]
More disconcerting bounce information (again, I've replaced this
server's IP address with XXX.XXX.XXX.XXX):
message bounce detail (by relay)
--------------------------------
0.0.0.0[0.0.0.0]:25 (total: 1)
    1 mail for sad.com loops back to myself
126mx01.mxmail.netease.com[220.181.14.131]:25 (total: 1)
    1 //mail.163.com/help/help_spam_16.htm?ip=XXX.XXX.XXX.XXX&hostid=m...
126mx01.mxmail.netease.com[220.181.14.132]:25 (total: 2)
    1 //mail.163.com/help/help_spam_16.htm?ip=XXX.XXX.XXX.XXX&hostid=m...
    1 User not found: [email protected] (in reply to RCPT TO command)
126mx02.mxmail.netease.com[220.181.14.134]:25 (total: 2)
    1 //mail.163.com/help/help_spam_16.htm?ip=XXX.XXX.XXX.XXX&hostid=m...
    1 User not found: [email protected] (in reply to RCPT TO command)
163mx01.mxmail.netease.com[220.181.14.135]:25 (total: 2)
    2 //mail.163.com/help/help_spam_16.htm?ip=XXX.XXX.XXX.XXX&hostid=m...
163mx01.mxmail.netease.com[220.181.14.136]:25 (total: 1)
    1 //mail.163.com/help/help_spam_16.htm?ip=XXX.XXX.XXX.XXX&hostid=m...
163mx01.mxmail.netease.com[220.181.14.138]:25 (total: 3)
    3 //mail.163.com/help/help_spam_16.htm?ip=XXX.XXX.XXX.XXX&hostid=m...
[again, goes on for thousands more entries]
Here's the output of "postconf -n" (IP address replaced with
XXX.XXX.XXX.XXX for privacy reasons):
# postconf -n
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
append_dot_mydomain = no
biff = no
body_checks = regexp:/etc/postfix/body_checks
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
dovecot_destination_recipient_limit = 1
header_checks = regexp:/etc/postfix/header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
message_size_limit = 0
mime_header_checks = regexp:/etc/postfix/mime_header_checks
mydestination = localhost, localhost.localdomain
myhostname = our.domain.com
mynetworks = 127.0.0.0/8 [::1]/128 XXX.XXX.XXX.XXX/32
myorigin = /etc/mailname
nested_header_checks = regexp:/etc/postfix/nested_header_checks
owner_request_special = no
policy-spf_time_limit = 3600s
proxy_read_maps = $local_recipient_maps $mydestination
    $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps
    $virtual_mailbox_domains $relay_recipient_maps $relay_domains
    $canonical_maps $sender_canonical_maps $recipient_canonical_maps
    $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
readme_directory = /usr/share/doc/postfix
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps =
    mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_message_rate_limit = 100
smtpd_client_restrictions = permit_mynetworks,
    permit_sasl_authenticated, check_client_access
    mysql:/etc/postfix/mysql-virtual_client.cf, reject_unknown_client_hostname
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination,
    check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
    reject_sender_login_mismatch, reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname, reject_non_fqdn_sender,
    reject_non_fqdn_recipient, reject_unknown_sender_domain,
    reject_unknown_recipient_domain, check_policy_service
    unix:private/policy-spf
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = check_sender_access
    mysql:/etc/postfix/mysql-virtual_sender.cf
smtpd_tls_cert_file = /root/ssl/our.domain.com.crt
smtpd_tls_key_file = /root/ssl/our.domain.com.key
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
transport_maps = hash:/var/lib/mailman/data/transport-mailman,
    proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
virtual_alias_domains =
virtual_alias_maps =
    proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf,
    proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf,
    hash:/var/lib/mailman/data/virtual-mailman
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_transport = dovecot
virtual_uid_maps = static:5000
Thanks for any advice here!
-Ben