Yes, somewhere.net is the name I used for my domain.


From: Eric Broch
Sent: Wednesday, December 11, 2019 4:02 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] Got the willys with submission log entries

Also, is there a user on your system someb...@somewhere.net?
On 12/11/2019 3:00 PM, Eric Broch wrote:
Can you search your logs (send, submission, and maillog) for someb...@somewhere.net?
On 12/11/2019 1:39 PM, Boatner Howell wrote:
[root@NewMail ~]# rpm -qa |grep qmail
qmail-1.03-2.2.1.qt.el7.x86_64
 
[root@NewMail ~]# cat /var/qmail/supervise/submission/run
#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
SMTPD="/var/qmail/bin/qmail-smtpd"
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
HOSTNAME=`hostname`
VCHKPW="/home/vpopmail/bin/vchkpw"
export REQUIRE_AUTH=1
 
exec /usr/bin/softlimit -m 128000000 \
    /usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 587 \
    $SMTPD $VCHKPW /bin/true 2>&1
[root@NewMail ~]#
 
Thanks.
 
 
 
From: Eric Broch
Sent: Wednesday, December 11, 2019 8:07 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] Got the willys with submission log entries
 
What version of qmail?
# rpm -qa | grep qmail
What's in your run file?
# cat /var/qmail/supervise/submission/run
On 12/10/2019 12:24 PM, bhow...@teamft.com wrote:
I have checked out authentication with my submission port 587 and I must 
authenticate before sending. However, I have entries in the log from a “bad guy 
IP address” which say “sender accepted” and it's giving me heartburn.
 
2019-12-10 02:43:04.376530500 CHKUSER accepted sender: from <someb...@somewhere.net::> remote <4vFoWf3:unknown:64.225.41.10> rcpt <> : sender accepted
2019-12-10 03:04:09.269688500 CHKUSER accepted sender: from <anotherb...@somewhere.net::> remote <3aJfz4D7:unknown:64.225.41.10> rcpt <> : sender accepted
 
(Note: the IP 64.255.41.10 is the real IP of the bad guy)
 
There are no corresponding lines which say, “client allowed to relay”
 
Note after the from address, there are two colons: <someb...@irtc.net::> . On 
all legitimate entries, there are no such double colons.
 
How did this guy get that entry into my submission logs without authenticating? 
 Is this something I need to worry about?
 
 
Any input would be really appreciated  
 
Boatner Howell
Foundaton Technologies, LLC
 






 


---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
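
Added example (not part of the original thread, and not code from qmailtoaster or chkuser): a small Python filter that scans a submission log for the pattern described above, i.e. "sender accepted" lines whose from field ends in "::" from an IP that never gets a "client allowed to relay" line. The sample lines, addresses and IPs are constructed, and the shape of the relay line is an assumption modelled on the quoted "accepted sender" entries.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape quoted in the thread. The addresses and
# the 192.0.2.x / 198.51.100.x IPs are placeholders, not data from the page.
# The "client allowed to relay" line layout is assumed, not taken from the page.
SAMPLE_LOG = """\
2019-12-10 02:43:04.376530500 CHKUSER accepted sender: from <a@example.net::> remote <4vFoWf3:unknown:192.0.2.10> rcpt <> : sender accepted
2019-12-10 03:04:09.269688500 CHKUSER accepted sender: from <b@example.net::> remote <3aJfz4D7:unknown:192.0.2.10> rcpt <> : sender accepted
2019-12-10 08:15:00.000000500 CHKUSER accepted sender: from <u@example.net:u@example.net:> remote <pc1:unknown:198.51.100.7> rcpt <> : sender accepted
2019-12-10 08:15:01.000000500 CHKUSER relaying rcpt: from <u@example.net:u@example.net:> remote <pc1:unknown:198.51.100.7> rcpt <x@example.org> : client allowed to relay
"""

LINE_RE = re.compile(
    r"CHKUSER (?P<event>[^:]+): from <(?P<frm>[^>]*)> "
    r"remote <(?P<remote>[^>]*)> rcpt <(?P<rcpt>[^>]*)> : (?P<msg>.*)$"
)


def unauthenticated_probes(log_text):
    """Return {ip: [senders]} for IPs whose senders were accepted with both
    trailing from-fields empty ('addr::') and that never produced a
    'client allowed to relay' line anywhere in the log."""
    bare = defaultdict(list)   # ip -> senders logged as 'addr::'
    relayed = set()            # ips that were allowed to relay at least once
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        # from field is 'sender:field2:field3'; split from the right so the
        # sender address stays intact.
        parts = m["frm"].rsplit(":", 2)
        # remote field is 'helo:rdns:ip'; this split assumes an IPv4 address.
        ip = m["remote"].rsplit(":", 2)[-1]
        msg = m["msg"].strip()
        if msg == "client allowed to relay":
            relayed.add(ip)
        elif msg == "sender accepted" and len(parts) == 3 and parts[1:] == ["", ""]:
            bare[ip].append(parts[0])
    return {ip: senders for ip, senders in bare.items() if ip not in relayed}


if __name__ == "__main__":
    for ip, senders in unauthenticated_probes(SAMPLE_LOG).items():
        print(f"{ip}: {len(senders)} sender(s) accepted without relay: {senders}")
```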

