here are some steps to do

1) enable more debugs:

   :allow,SIMSCAN_DEBUG="5"

   to /etc/tcprules.d/tcp.smtp, then make sure you run the qmailctl cdb:

   Reloaded /etc/tcprules.d/tcp.smtp
   Reloaded /var/qmail/control/badmimetypes.cdb
   Reloaded /var/qmail/control/badloadertypes.cdb
   Reloaded /var/qmail/control/simversions.cdb
   Reloaded /var/qmail/control/simcontrol.cdb

I would also check if you have something in the queue; qmHandle -L will show if you do. I would probably remove what's not valid with qmHandle, or all with qmHandle -D :) careful, since that will delete all in the queue, so some valid msg will be erased.

Then once you enable the logs (I have mine in the diff folder under /var/log/qmail) I normally check both the submission and the send. Here is what mine looks like:

# ls -al
total 28
drwxr-x---   7 qmaill qmail 4096 Sep 14  2019 .
drwxr-xr-x. 23 root   root  4096 Aug 16 03:26 ..
drwxr-x---   2 qmaill qmail 4096 Aug 15 10:38 send
drwxr-x---   2 qmaill qmail 4096 Aug 15 21:01 smtp
drwxr-x---   2 qmaill qmail 4096 Aug 16 10:02 smtps
drwxr-x---   2 qmaill qmail 4096 Aug  5 05:44 submission
drwx------   2 qmaill qmail 4096 Aug  5 05:44 vpopmaild

So less, tail, you pick which one to use. I have also used multitail which makes life much easier ;)

Remo

> On Aug 16, 2020, at 1:46 PM, Charles Hockenbarger <[email protected]> wrote:
>
> As I understand the forwards setup in qmailadmin those are in the database, right?
>
> The address that was compromised hasn't sent any email since the password change.
>
> I hadn't thought about looking at qmail-inject. I'll dig into watching that part of the process.
>
> On Aug 16, 2020, at 3:14 PM, Eric Broch <[email protected]> wrote:
>
> How do you have your forwards set up?
>
> Is there any mail in your queue?
>
> If someone hacked an account on your server with forwards to gmail accounts they aren't limited to just these forwards, they also have the option in the email client to add gmail accounts in the "To:" field of the email they're sending, thus bounces from gmail accounts that aren't in your forwards file.
>
> Also, qmail-inject puts mail in the queue and you'll see it in the send log.
>
> On 8/16/2020 10:05 AM, Chas Hockenbarger wrote:
>> I'm hoping someone has encountered this weird behavior or something like it before and can point me down a path, because all my research has turned up nothing so far.
>>
>> I had an email account recently get breached due to a re-used password, and that account was used to send a bunch of spam out from a server I help manage. We changed the password on the account as soon as we found it happening and the outbound flood stopped.
>>
>> Shortly after that, however, I started seeing a very, very strange behavior. Sometimes, and I haven't yet been able to identify the trigger or pattern, when users on this server send email to a forward that contains around 50 or so email addresses (they use it like a private distribution list) they will get anywhere from 1-10 bounces from Gmail. Not every email sent to the forward has this happen, and not even every email from a particular user.
>>
>> The outbound spamming caused the server's reputation to go in the tank with Google, and if it weren't for that, I wouldn't know this was happening, because they get the bounces from Gmail accounts that absolutely ARE NOT in the forward or part of the email chain AT ALL.
>>
>> I'm kind of freaking out here because while I haven't found a breach of the actual server / OS, this feels like someone has been able to inject something somewhere into my server that I simply can't find. It is especially troubling because a user who is not on this domain, but is part of the group and therefore uses the forward from time to time, sent something to the forward today and got Gmail bounces.
>>
>> I don't see anything in the send log that shows the server even trying to send to Gmail, which only adds to the ghost story.
>>
>> Any ideas, paths to go down, anything would be greatly appreciated here. I'm about to just rebuild the whole thing from scratch on a new VM, but if I'm overlooking something simple I don't want to put the users through that.
>>
>> Thanks in advance.
>>
>> Chas
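As an added example (not code from this thread or from the qmail project), here is a POSIX shell/awk helper for the send-log check Eric and Remo point at: it pairs every "starting delivery N ... to remote ADDR" line for a chosen recipient domain with the later "delivery N: success/deferral/failure" line, so you can see whether the server ever attempted Gmail deliveries and how they ended. The log path, addresses, IPs and tai64n stamps in the sample are constructed.

```shell
#!/bin/sh
# Correlate qmail-send log lines per delivery id. Under multilog each line starts
# with an @... tai64n stamp, which is stripped before the fields are read.
# Usage: send_log_deliveries LOGFILE DOMAIN -> "ADDR STATUS" per delivery, then totals
send_log_deliveries() {
    awk -v dom="$2" '
        { if ($1 ~ /^@[0-9a-f]+$/) { $1 = ""; $0 = $0 } }   # drop tai64n timestamp
        $1 == "starting" && $2 == "delivery" {
            id = $3; sub(/:$/, "", id)                       # delivery number
            addr = $NF; n = split(addr, p, "@")
            if (n == 2 && tolower(p[2]) == tolower(dom)) rcpt[id] = addr
            next
        }
        $1 == "delivery" {
            id = $2; sub(/:$/, "", id)
            if (id in rcpt) {
                st = $3; sub(/:$/, "", st)                   # success/deferral/failure
                print rcpt[id], st
                total[st]++
            }
        }
        END { for (s in total) printf "# %s: %d\n", s, total[s] }
    ' "$1"
}

# Constructed sample of a multilog'ed qmail-send log (stamps, hosts and IPs made up)
SAMPLE_LOG='@400000005f3978a00a000001 new msg 1234
@400000005f3978a00a000002 info msg 1234: bytes 2048 from <alice@example.org> qp 4321 uid 89
@400000005f3978a00a000003 starting delivery 10: msg 1234 to remote bob@gmail.com
@400000005f3978a00a000004 starting delivery 11: msg 1234 to remote carol@gmail.com
@400000005f3978a00a000005 starting delivery 12: msg 1234 to remote dave@example.net
@400000005f3978a20a000006 delivery 10: success: 198.51.100.1_accepted_message./Remote_host_said:_250_2.0.0_OK/
@400000005f3978a20a000007 delivery 12: success: 192.0.2.25_accepted_message./Remote_host_said:_250_OK/
@400000005f3978a30a000008 delivery 11: failure: 198.51.100.1_does_not_like_recipient./Remote_host_said:_550-5.7.1_unsolicited_mail/
@400000005f3978a30a000009 end msg 1234'

# Stand-alone run: one line per gmail.com delivery, then per-status totals.
# On a real box point it at e.g. /var/log/qmail/send/current (path is an assumption).
LOGFILE=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$LOGFILE"
send_log_deliveries "$LOGFILE" gmail.com
rm -f "$LOGFILE"
```

A delivery that shows up here as a failure or deferral is the server's own attempt; a Gmail bounce with no matching line in this output was not relayed through qmail-send on this host.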
