I have created an Ansible playbook to check the queue :) which I run when needed. Now a lot less, but with the older version it was more useful.
Remo

> On 16 Aug 2020, at 14:55, Chas Hockenbarger <chash...@gmail.com> wrote:
>
> Thanks Eric and Remo, I appreciate the assistance.
>
> I’d forgotten about the simscan setting for the cdb to up the logging, it’s been a LONG time since I’ve had to do that.
>
> My queue is empty. Nothing clogged up, it’s not residual stuff; that said, I’m watching it pretty closely right now.
>
> No .qmail files. I logged into the db and looked – the forward is all in the database, and I don’t have any .qmail files that I can find outside of the skel folder. My users aren’t ‘real’ users on the system, they’re all virtual users.
>
> Part of the problem is that the bouncing from Gmail has happened to different users at different times, and at other times it doesn’t happen to them. It is so very bizarre. Hopefully with an increased logging level I can find enough to trace this down to its actual origins.
>
> From: Eric Broch [mailto:ebr...@whitehorsetc.com]
> Sent: Sunday, August 16, 2020 4:13 PM
> To: qmailtoaster-list@qmailtoaster.com
> Subject: Re: [qmailtoaster] Distressing strange behavior
>
> Yes forwards can be in a .qmail file or in the vpopmail database.
>
> So, the bounces occurring presently, what's the originating account?
>
> Is there anything in your queue (# qmailctl queue)?
>
> On 8/16/2020 2:46 PM, Charles Hockenbarger wrote:
>
> As I understand the forwards setup in qmailadmin those are in the database, right?
>
> The address that was compromised hasn't sent any email since the password change.
>
> I hadn't thought about looking at qmail-inject. I'll dig into watching that part of the process.
>
> Get TypeApp for Android
>
> On Aug 16, 2020, at 3:14 PM, Eric Broch <ebr...@whitehorsetc.com> wrote:
>
> How do you have your forwards set up?
>
> Is there any mail in your queue?
>
> If someone hacked an account on your server with forwards to gmail accounts they aren't limited to just these forwards, they also have the option in the email client to add gmail accounts in the "To:" field of the email they're sending, thus bounces from gmail accounts that aren't in your forwards file.
>
> Also, qmail-inject puts mail in the queue and you'll see it in the send log.
>
> On 8/16/2020 10:05 AM, Chas Hockenbarger wrote:
>
> I'm hoping someone has encountered this weird behavior or something like it before and can point me down a path, because all my research has turned up nothing so far.
>
> I had an email account recently get breached due to a re-used password, and that account was used to send a bunch of spam out from a server I help manage. We changed the password on the account as soon as we found it happening and the outbound flood stopped.
>
> Shortly after that, however, I started seeing a very, very strange behavior. Sometimes, and I haven’t yet been able to identify the trigger or pattern, when users on this server send email to a forward that contains around 50 or so email addresses (they use it like a private distribution list) they will get anywhere from 1-10 bounces from Gmail. Not every email sent to the forward has this happen, and not even every email from a particular user.
>
> The outbound spamming caused the server’s reputation to go in the tank with Google, and if it weren’t for that, I wouldn’t know this was happening, because they get the bounces from Gmail accounts that absolutely ARE NOT in the forward or part of the email chain AT ALL.
>
> I’m kind of freaking out here because while I haven’t found a breach of the actual server / OS, this feels like someone has been able to inject something somewhere into my server that I simply can’t find. It is especially troubling because a user who is not on this domain, but is part of the group and therefore uses the forward from time to time, sent something to the forward today and got Gmail bounces.
>
> I don’t see anything in the send log that shows the server even trying to send to Gmail, which only adds to the ghost story.
>
> Any ideas, paths to go down, anything would be greatly appreciated here. I’m about to just rebuild the whole thing from scratch on a new VM, but if I’m overlooking something simple don’t want to put the users through that.
>
> Thanks in advance.
>
> Chas
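One way to check the send log for delivery attempts to Gmail addresses that are not members of the forward, following the pointers in the thread. This is an added example, not code from any poster or from qmailtoaster; it assumes the stock qmail-send log wording, and the log lines, addresses, uids and function names are constructed for illustration.

```python
import re

# Stock qmail-send log wording (assumed); the leading tai64n stamp is ignored.
INFO = re.compile(r"info msg (\d+): bytes \d+ from <([^>]*)> qp \d+ uid (\d+)")
START = re.compile(r"starting delivery \d+: msg (\d+) to (local|remote) (\S+)")
END = re.compile(r"end msg (\d+)")

def remote_deliveries(lines):
    """Yield (envelope sender, queuing uid, recipient) per remote delivery attempt."""
    live = {}  # msg number -> (sender, uid); numbers are reused after "end msg"
    for line in lines:
        if m := INFO.search(line):
            live[m.group(1)] = (m.group(2), int(m.group(3)))
        elif m := START.search(line):
            if m.group(2) == "remote":
                sender, uid = live.get(m.group(1), ("?", -1))
                yield sender, uid, m.group(3).lower()
        elif m := END.search(line):
            live.pop(m.group(1), None)

def unexpected(lines, forward_members, domain="gmail.com"):
    """Remote attempts to `domain` whose recipient is not a forward member."""
    members = {a.lower() for a in forward_members}
    return [(s, u, r) for s, u, r in remote_deliveries(lines)
            if r.endswith("@" + domain) and r not in members]

# Constructed sample: msg number 1001 is reused by a second, unrelated message.
SAMPLE_LOG = [
    "@400000005f39a1b20000000a new msg 1001",
    "@400000005f39a1b20000000b info msg 1001: bytes 2048 from <alice@example.org> qp 4321 uid 89",
    "@400000005f39a1b20000000c starting delivery 1: msg 1001 to remote forward.member.one@gmail.com",
    "@400000005f39a1b20000000d delivery 1: success: accepted/",
    "@400000005f39a1b20000000e end msg 1001",
    "@400000005f39a1b30000000a new msg 1001",
    "@400000005f39a1b30000000b info msg 1001: bytes 900 from <anonymous@example.org> qp 4400 uid 48",
    "@400000005f39a1b30000000c starting delivery 2: msg 1001 to remote Not.In.Forward@gmail.com",
    "@400000005f39a1b30000000d end msg 1001",
]
FORWARD = {"forward.member.one@gmail.com"}  # constructed forward membership

if __name__ == "__main__":
    for sender, uid, rcpt in unexpected(SAMPLE_LOG, FORWARD):
        print(f"unexpected remote delivery: from={sender} uid={uid} to={rcpt}")
```

The uid field is the uid of the process that queued the message, so it helps separate mail queued by the SMTP daemon from mail injected locally. An empty result over the real log means no such delivery attempt was logged by this server's qmail-send.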