Postfix problems, won't send email

FYI... I posted this also in the general forums... before I knew I could post here.

VirtualMin Pro on Redhat Enterprise Linux 6

A few days ago it looks like I had a PHP form attack to send spam emails. I have since disabled the script and domain - so it looks like no worries there. Although I still see the bounces/delays/deferred responses in the queue... see below.

I am 98% sure that they did not get SSH in, as I use a key for access.

However... I am getting the error:

/usr/bin/postqueue -p failed : sh: /usr/bin/postqueue: No such file or directory

When I click on the "Mail Queue" under the Postfix server in Webmin - it also shows 0 emails in queue below the icon. However, when I run "mailq" at the prompt there is mail in the queue.

Inbound emails hit the boxes fine, and we are able to POP/IMAP them out... but any email sent from the server, to local or outside domains, just sits in the queue. Or at least looks like it does.

I don't know how/why/if they were able to change this. Any help/directions would be appreciated.

I found this in my logwatch

1 Mar 5 15:34:37 host postfix/smtpd[13099]: improper command pipelining after NOOP from unknown[204.45.119.139]

Thanks!

--Drew

Status: 
Active

Comments

Howdy -- the postqueue command would normally be in /usr/sbin -- what does this command show:

/usr/sbin/postqueue -p | tail

Also, if you restart Postfix with this command:

/etc/init.d/postfix restart

Do you see any errors in /var/log/maillog?

Lastly, in Virtualmin, if you go into System Settings -> Re-Check Config, does it detect any problems?

/usr/sbin/postqueue -p | tail

[root@host ~]# /usr/sbin/postqueue -p | tail

AC4741341653     2333 Thu Mar 15 11:37:51  root@p1tt.com
(Host or domain name not found. Name service error for name=hotmai.com type=MX: Host not found, try again)
                                         oulondun000@hotmai.com

A5A611341531     2413 Thu Mar 15 11:16:18  root@p1tt.com
(delivery temporarily suspended: host mta5.am0.yahoodns.net[66.94.237.64] refused to talk to me: 421 4.7.1 [TS03] All messages from 50.17.249.1 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html)
                                         wo284494479@yahoo.com

-- 2558 Kbytes in 430 Requests.

Log after /etc/init.d/postfix restart is:

Mar 15 12:28:05 host postfix/postfix-script[8655]: stopping the Postfix mail system
Mar 15 12:28:05 host postfix/master[7982]: terminating on signal 15
Mar 15 12:28:05 host postfix/postfix-script[8727]: starting the Postfix mail system
Mar 15 12:28:05 host postfix/master[8728]: daemon started -- version 2.6.6, configuration /etc/postfix
Mar 15 12:28:05 host postfix/qmgr[8731]: 5F2AE1341814: from=<root@p1tt.com>, size=5512, nrcpt=10 (queue active)

System Settings -> Re-Check Config = No errors.

Also, this is a STOCK install from a clean RH6... I never made any changes outside of VM/WM and have never touched the Postfix config.

Okay, so it looks like the issue there may be that there's quite a few emails in your mail queue, possibly left over from when you had that spam problem -- and that it's preventing new, legitimate email from sending.

I think the key there will be to clear out your queue, removing spam messages from it.

One of the easiest ways to do that is from Webmin's Postfix Mail Queue option, but that seems to be blank for you.

One thing you may want to do is go into Webmin -> Servers -> Postfix -> Module Config -> System Config, and check what "Full path to Postfix queue management command (`postqueue')" is set to, making sure that path is correct.
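Clearing the spam selectively rather than wiping the whole queue, as an added example that is not part of the thread or of Virtualmin: the shell functions below parse a `postqueue -p` listing (the same format as the queue output posted above) and print the queue IDs whose sender or any recipient matches a pattern, so they can be piped into `postsuper -d -`, which reads queue IDs from standard input. The queue listing embedded here is a constructed sample modelled on the one in the thread, and the `DRY_RUN` switch is this example's own convention.

```shell
#!/bin/sh
# Added example (not from the thread): select Postfix queue entries by
# sender/recipient pattern and hand them to postsuper. The listing below is a
# CONSTRUCTED sample modelled on the `postqueue -p` output posted earlier;
# IDs, sizes and reasons are made up. In real output a trailing `*` marks an
# active entry and `!` a held one; both must be stripped before the ID is
# given to postsuper.
SAMPLE_QUEUE='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
AC4741341653     2333 Thu Mar 15 11:37:51  root@p1tt.com
(Host or domain name not found. Name service error for name=hotmai.com type=MX: Host not found, try again)
                                         oulondun000@hotmai.com

A5A611341531*    2413 Thu Mar 15 11:16:18  root@p1tt.com
(delivery temporarily suspended: host mta5.am0.yahoodns.net[66.94.237.64] refused to talk to me: 421 4.7.1 [TS03] All messages from 50.17.249.1 will be permanently deferred)
                                         wo284494479@yahoo.com

B7C0F1341999!    1102 Thu Mar 15 11:40:02  alice@example.org
                                         bob@example.net

-- 6 Kbytes in 3 Requests.'

# queue_ids_matching PATTERN
# Reads a `postqueue -p` listing on stdin and prints, once each, the queue IDs
# whose sender or any recipient matches the extended regex PATTERN.
queue_ids_matching() {
    awk -v pat="$1" '
        # Entry header line: "<ID>[*!] <size> <arrival time> <sender>"
        /^[0-9A-F]+[*!]?[ \t]/ {
            id = $1; sub(/[*!]$/, "", id); seen = 0
            if ($NF ~ pat) { print id; seen = 1 }
            next
        }
        # Indented lines under a header are recipients. Delivery reasons are
        # the "(...)" lines, which start in column 0 and never reach this rule.
        /^[ \t]+[^ \t(]/ && id != "" && !seen {
            if ($1 ~ pat) { print id; seen = 1 }
        }'
}

# delete_queue_ids
# Reads queue IDs on stdin. With DRY_RUN=1 (the default) it only reports what
# would go; with DRY_RUN=0 it pipes the IDs to `postsuper -d -`.
delete_queue_ids() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        sed 's/^/would delete: /'
    else
        postsuper -d -
    fi
}

# Dry run against the sample. On a live server replace the printf with
# `postqueue -p`, e.g.:  postqueue -p | queue_ids_matching '@yahoo.com$' | DRY_RUN=0 delete_queue_ids
printf '%s\n' "$SAMPLE_QUEUE" | queue_ids_matching '@yahoo.com$' | delete_queue_ids
```

Match on what identifies the spam (the forged sender address or the recipient domains that are bouncing it) rather than on `root@` alone, because cron and system mail use the same sender. If in doubt, `postsuper -h -` takes the same ID list and puts the entries on hold, where they can be inspected with `postcat -q <ID>` before deciding.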

Webmin -> Servers -> Postfix -> Module Config -> System Config Full path to Postfix queue management command is /usr/sbin/postqueue

Cleared the queue and more and more just keep coming.

Mail tail....

TS03] All messages from 50.17.249.1 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html
Mar 15 12:49:50 host postfix/smtp[12703]: F15CC134130B: host mta6.am0.yahoodns.net[66.94.236.34] refused to talk to me: 421 4.7.1 [TS03] All messages from 50.17.249.1 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html
Mar 15 12:49:50 host postfix/smtp[12703]: F15CC134130B: host mta7.am0.yahoodns.net[98.139.175.225] refused to talk to me: 421 4.7.1 [TS03] All messages from 50.17.249.1 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html
Mar 15 12:49:50 host postfix/smtp[12703]: F15CC134130B: to=<E-mailwmh04910@yahoo.com>, relay=mta7.am0.yahoodns.net[66.94.238.147]:25, delay=4.1, delays=3.5/0/0.57/0, dsn=4.7.1, status=deferred (host mta7.am0.yahoodns.net[66.94.238.147] refused to talk to me: 421 4.7.1 [TS03] All messages from 50.17.249.1 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html)
Mar 15 12:49:50 host postfix/smtp[12703]: F15CC134130B: to=<xiayu1029@yahoo.com>, relay=mta7.am0.yahoodns.net[66.94.238.147]:25, delay=4.1, delays=3.5/0/0.57/0, dsn=4.7.1, status=deferred (host mta7.am0.yahoodns.net[66.94.238.147] refused to talk to me: 421 4.7.1 [TS03] All messages from 50.17.249.1 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html)
Mar 15 12:49:51 host postfix/smtpd[12809]: disconnect from gate.forward.smtp.ord1b.emailsrvr.com[50.57.0.7]
Mar 15 12:49:51 host postfix/smtp[12699]: F15CC134130B: to=<nangong@huatone.com>, relay=none, delay=4.8, delays=3.5/0/1.3/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=huatone.com type=AAAA: Host found but no data record of requested type)
Mar 15 12:49:51 host postfix/smtp[12987]: F15CC134130B: to=<8248jianwei358@163.com>, relay=163mx03.mxmail.netease.com[220.181.12.92]:25, delay=5, delays=3.5/0/0.8/0.75, dsn=5.0.0, status=bounced (host 163mx03.mxmail.netease.com[220.181.12.92] said: 554 DT:SPM mx46, XMCowGDJ40axHWJP9IpLCQ--.530S2 1331830194 http://mail.163.com/help/help_spam_16.htm?ip=50.17.249.1&hostid=mx46&time=1331830194 (in reply to end of DATA command))
Mar 15 12:49:51 host postfix/smtp[12987]: F15CC134130B: to=<ylkzxgood@163.com>, relay=163mx03.mxmail.netease.com[220.181.12.92]:25, delay=5, delays=3.5/0/0.8/0.75, dsn=5.0.0, status=bounced (host 163mx03.mxmail.netease.com[220.181.12.92] said: 554 DT:SPM mx46, XMCowGDJ40axHWJP9IpLCQ--.530S2 1331830194 http://mail.163.com/help/help_spam_16.htm?ip=50.17.249.1&hostid=mx46&time=1331830194 (in reply to end of DATA command))
Mar 15 12:49:51 host postfix/smtp[12987]: F15CC134130B: to=<zyn01638574@163.com>, relay=163mx03.mxmail.netease.com[220.181.12.92]:25, delay=5, delays=3.5/0/0.8/0.75, dsn=5.0.0, status=bounced (host 163mx03.mxmail.netease.com[220.181.12.92] said: 554 DT:SPM mx46, XMCowGDJ40axHWJP9IpLCQ--.530S2 1331830194 http://mail.163.com/help/help_spam_16.htm?ip=50.17.249.1&hostid=mx46&time=1331830194 (in reply to end of DATA command))
Mar 15 12:49:51 host postfix/smtpd[12813]: connect from unknown[163.125.163.44]
Mar 15 12:49:52 host postfix/smtp[12983]: F15CC134130B: to=<ingwine@126.com>, relay=126mx01.mxmail.netease.com[220.181.15.191]:25, delay=5.9, delays=3.5/0/1.1/1.3, dsn=5.0.0, status=bounced (host 126mx01.mxmail.netease.com[220.181.15.191] said: 550 User not found: ingwine@126.com (in reply to RCPT TO command))
Mar 15 12:49:53 host postfix/smtp[12697]: F15CC134130B: to=<gus_viseur@sohu.com>, relay=sohumx1.sohu.com[61.135.132.110]:25, delay=6.7, delays=3.5/0/2.6/0.64, dsn=5.1.1, status=bounced (host sohumx1.sohu.com[61.135.132.110] said: 550 5.1.1 <gus_viseur@sohu.com>: Recipient address rejected: User unknown in local recipient table (in reply to RCPT TO command))
Mar 15 12:49:55 host postfix/smtp[12701]: 0BA371341362: to=<info@apfct.com>, relay=apfct.com[219.84.174.92]:25, delay=32, delays=3.6/0/28/0.55, dsn=5.7.1, status=bounced (host apfct.com[219.84.174.92] said: 550 5.7.1 Relaying to <info@apfct.com> denied (authentication required) (in reply to RCPT TO command))
Mar 15 12:49:56 host postfix/smtpd[12813]: EE9CA134130C: client=unknown[163.125.163.44], sasl_method=LOGIN, sasl_username=root

Ah, if you're still seeing new emails flowing into the queue, that may suggest that the spammers are finding a new way into your system in order to send their spam.

What you would want to do is view the email headers of one of the spam messages in your queue, and use that to determine as best you can the source of said spam.

Using that, you should be able to determine whether the spam is being generated from an application on your server, or whether an email account has been compromised.

That is, the spam is likely either due to a security breach in a web app, or a compromised email account -- and the goal is to determine which, so that you're able to correct it.
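Telling a compromised SMTP account apart from a web-app injection point from the mail log alone, as an added example that is not part of the thread or of Virtualmin: the functions below run over maillog lines in the Postfix 2.6 format shown in this thread. A successful SMTP AUTH logs `client=host[ip], sasl_method=..., sasl_username=...` (the log posted above shows exactly such a login as `root` from `unknown[163.125.163.44]`, which is never a legitimate submission); a failed attempt logs `warning: host[ip]: SASL LOGIN authentication failed: ...`; and mail handed to the local `sendmail` binary, which is how PHP `mail()` submits, is logged by `postfix/pickup` with the submitting `uid`. The log lines embedded here are a constructed sample built from those three formats; apart from the address already in the thread, the IPs are documentation addresses.

```shell
#!/bin/sh
# Added example (not from the thread): triage the origin of outbound spam from
# /var/log/maillog. The log below is a CONSTRUCTED sample in Postfix 2.6 format,
# modelled on the sasl_username=root line posted in the thread plus the standard
# "SASL ... authentication failed" warning and the pickup "uid=... from=<...>"
# line for locally submitted mail. 198.51.100.7 and 192.0.2.10 are
# documentation addresses.
SAMPLE_MAILLOG='Mar 15 12:40:01 host postfix/smtpd[12813]: warning: unknown[163.125.163.44]: SASL LOGIN authentication failed: authentication failure
Mar 15 12:40:03 host postfix/smtpd[12813]: warning: unknown[163.125.163.44]: SASL LOGIN authentication failed: authentication failure
Mar 15 12:40:05 host postfix/smtpd[12813]: warning: unknown[163.125.163.44]: SASL LOGIN authentication failed: authentication failure
Mar 15 12:41:10 host postfix/smtpd[12820]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Mar 15 12:49:56 host postfix/smtpd[12813]: EE9CA134130C: client=unknown[163.125.163.44], sasl_method=LOGIN, sasl_username=root
Mar 15 12:50:12 host postfix/smtpd[12820]: 1A2B3C134130D: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=root
Mar 15 12:51:00 host postfix/smtpd[12821]: 2B3C4D134130E: client=laptop.example.org[192.0.2.10], sasl_method=PLAIN, sasl_username=drew
Mar 15 12:52:30 host postfix/pickup[8729]: 5F2AE1341814: uid=48 from=<apache>
Mar 15 12:52:31 host postfix/pickup[8729]: 6A3BF1341815: uid=0 from=<root>'

# sasl_logins: one "<user> <client-ip>" line per successful SASL authentication.
sasl_logins() {
    awk '/postfix\/smtpd\[[0-9]+\]: [0-9A-F]+: client=/ && /sasl_username=/ {
            ip = $0;   sub(/.*client=[^[]*\[/, "", ip); sub(/\].*/, "", ip)
            user = $0; sub(/.*sasl_username=/, "", user); sub(/[, ].*/, "", user)
            print user, ip
         }'
}

# sasl_users_by_distinct_ip: "<user> <number of distinct client IPs>".
# A mailbox that starts authenticating from many unrelated addresses is the
# signature of a stolen password; "root" as an SMTP AUTH user from an unknown
# host should not happen at all.
sasl_users_by_distinct_ip() {
    sasl_logins | sort -u | awk '{ n[$1]++ } END { for (u in n) print u, n[u] }' | sort
}

# sasl_failures_by_ip: "<client-ip> <failed AUTH attempts>", the brute-force view.
# These are the same warning lines fail2ban's Postfix SASL filter keys on.
sasl_failures_by_ip() {
    awk '/: SASL [A-Za-z0-9-]+ authentication failed/ {
            ip = $0; sub(/.*warning: [^[]*\[/, "", ip); sub(/\].*/, "", ip)
            n[ip]++
         } END { for (i in n) print i, n[i] }' | sort
}

# pickup_submissions_by_uid: "<uid> <messages>" for mail submitted through the
# local sendmail binary. uid 48 is the httpd user on a stock RHEL 6 install; a
# burst from it points at a web application rather than at SMTP AUTH.
pickup_submissions_by_uid() {
    awk '/postfix\/pickup\[[0-9]+\]: [0-9A-F]+: uid=/ {
            u = $0; sub(/.*uid=/, "", u); sub(/ .*/, "", u)
            n[u]++
         } END { for (u in n) print u, n[u] }' | sort
}

# Report over the sample. On a live box feed the real log instead:
#   sasl_users_by_distinct_ip < /var/log/maillog
echo "== SASL users by distinct client IP =="
printf '%s\n' "$SAMPLE_MAILLOG" | sasl_users_by_distinct_ip
echo "== failed SASL attempts by client IP =="
printf '%s\n' "$SAMPLE_MAILLOG" | sasl_failures_by_ip
echo "== local pickup submissions by uid =="
printf '%s\n' "$SAMPLE_MAILLOG" | pickup_submissions_by_uid
```

Read the three reports together: SASL logins for one user from several unknown hosts, preceded by a run of failed attempts from the same hosts, is the brute-forced-account case (change that password and rate-limit or ban the source); a pile of `pickup` submissions from the web server's uid with nothing unusual in SASL is the PHP-form case. The failure lines are what fail2ban's Postfix SASL filter (`sasl` in the 0.8 series, `postfix-sasl` in later releases) bans on, with `logpath = /var/log/maillog` on RHEL 6.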

I think I sort of got it... they (ISP) were sending bounces to an email address that wasn't on the server... hence a bounce back to them... 500 bounce messages back I guess look like spam, which caused them to give the no-connect message. I looked at the bounces that also included the original email... and they are definitely forged.

I don't know if I'm right, but I temporarily created the email address on my server and it is just filling up with bounces.

Will watch over the next few days.....

It still worries me that my QUEUE is not accessible from the Postfix server in Webmin... any ideas for that?

Oh nuts, I may have led you astray.

In Webmin -> Servers -> Postfix -> Module Config -> System Config, what you'd actually want to look at is "Mail queue display command".

What is that currently set to?

"Mail queue display command" == /usr/bin/postqueue -p

Also screenshot attached....

Aha! There's the problem. And we may need to tweak that default, that appears to be set incorrectly on a fresh CentOS 6 install.

Try changing that to this instead:

/usr/sbin/postqueue -p

And see if the Mail Queue area works for you now.

That did it... LOL. I can see the Queue.

Now I am not worried that they "got" in... and after seeing that queue and other digging, it looks like they brute-force attacked someone's SMTP username and password. Changing that password and putting Postfix on fail2ban.

Thanks... will chat back if I need something else.