something wrong with postfix server

#1 Tue, 04/09/2013 - 08:52
adrianmak

My client suddenly reported that he could not send and receive email.

Then I checked that the postfix process is running, and I tried telnet localhost 25 for a full SMTP test and got the same problem as in this comment I found: http://www.virtualmin.com/node/21459#comment-96935

I tried to stop and start the postfix daemon and it got stuck at "Starting postfix". Then I tried to reboot the server, and postfix could not start. I listed the daemon processes with ps -ef,

which showed something strange:

root      2821  1539  0 21:38 ?        00:00:00 /bin/sh /etc/rc3.d/S80postfix start
root      2831  2821  0 21:38 ?        00:00:00 /bin/sh /usr/libexec/postfix/postfix-script start
root      2838  2831  0 21:38 ?        00:00:00 /bin/sh /usr/libexec/postfix/postfix-script check-fatal
postfix   2864  2838  0 21:38 ?        00:00:01 /usr/sbin/postsuper

and I found an error in maillog:

host2 postfix/postfix-script[25293]: fatal: Postfix integrity check failed!

Tue, 04/09/2013 - 09:04
andreychek

Howdy,

What distro/version are you using?

Also, are you using a VPS, or dedicated server? If a VPS, what type of VPS?

And if you look in your email logs, either /var/log/maillog or /var/log/mail.log when starting up and connecting to Postfix, do you see any errors?

-Eric

Tue, 04/09/2013 - 09:41 (Reply to #2)
adrianmak

CentOS 5.5, dedicated server

I just read this comment: https://www.virtualmin.com/node/19621#comment-88500

and I executed this command: postfix set-permissions

It seems this process takes quite a bit of time to finish.

Tue, 04/09/2013 - 16:31
adrianmak

The postfix set-permissions run has finished.

Postfix could start, but when I tested SMTP locally over ssh, I sent a message to myself and still did not receive it.

[root@host]# telnet localhost 25
Trying MYIP...
Connected to host.
Escape character is '^]'.
220 host ESMTP Postfix
HELO host
250 host
MAIL FROM:<test@mydomain.com>
250 2.1.0 Ok
RCPT TO:<test@mydomain.com>
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Subject: test
asdadasd.
.
250 2.0.0 Ok: queued as 1CA36160ADE
quit
221 2.0.0 Bye
Connection closed by foreign host.

Tue, 04/09/2013 - 16:29
adrianmak

I ran ps -ef on the postfix processes.

There are quite a lot of these processes:

postfix 429 4106 0 05:06 ? 00:00:00 error -n retry -t unix -u
postfix 1165 4106 0 05:16 ? 00:00:00 bounce -z -n defer -t unix -u

Tue, 04/09/2013 - 17:02
adrianmak

I found a post through Google: http://www.howtoforge.com/forums/archive/index.php/t-43821.html

The guy described exactly the issue I'm suffering from.

I checked that my SMTP server is not an open relay.

I checked whether the SMTP server IP is blacklisted, using the site mentioned in the post: http://mxtoolbox.com/blacklists.aspx

My SMTP IP passed all of them except BARRACUDA.

http://postimg.org/image/4g666crxv/

Wed, 04/10/2013 - 01:39
adrianmak

There is one more problem: I could not open the Webmin Postfix config page. The web browser status just shows "transferring data from xx.xx.xx.xx". There is no such problem on other Webmin pages.

Wed, 04/10/2013 - 08:01
andreychek

Howdy,

If you run this command, what output do you receive:

mailq | tail -1

That'll show how many email messages are in your queue.

Also, what does the command "uptime" show?

-Eric

Wed, 04/10/2013 - 20:00 (Reply to #8)
adrianmak

I could not show the status right now. I stopped postfix yesterday. Now I have started postfix. It has been stuck at the "Starting postfix" prompt for more than 10 minutes.

I've no idea what is wrong with it.

Wed, 04/10/2013 - 20:29 (Reply to #9)
adrianmak

postfix is started finally~~~~~~startup time required nearly 30mins -_-|||

mailq | tail -1: no output

uptime of an instance of execution time

09:21:12 up 47 min, 2 users, load average: 35.04, 15.54, 6.72

At the same time I ran tail -f /var/log/maillog

There are a lot of log messages filling up the log file. Here are some of them:

Apr 11 09:23:53 host2 postfix/qmgr[5498]: 699CE63EC6E7: from=<>, size=8227, nrcpt=1 (queue active)
Apr 11 09:23:53 host2 postfix/qmgr[5498]: 67D7F64B00EB: from=<lpmyj@yahoo.com.tw>, size=3364, nrcpt=11 (queue active)
Apr 11 09:23:53 host2 postfix/qmgr[5498]: 63E4E63FA7CB: from=<uvnhbl@yahoo.com.tw>, size=3914, nrcpt=11 (queue active)
Apr 11 09:23:53 host2 postfix/qmgr[5498]: 625FE64A9581: from=<lpmyj@yahoo.com.tw>, size=4406, nrcpt=10 (queue active)
Apr 11 09:23:53 host2 postfix/qmgr[5498]: 6B01A62DB8C5: from=<uvnhbl@yahoo.com.tw>, size=3534, nrcpt=11 (queue active)
Apr 11 09:23:53 host2 postfix/smtp[6526]: 6860D64D978A: host filter4.mail.xuite.net[210.242.46.179] said: 452 Too many recipients received this hour from Host: Unknown (IP: 58.64.134.102) (in reply to RCPT TO command)
Apr 11 09:23:53 host2 postfix/qmgr[5498]: 641B064BBB32: from=<ndwsfzwl@yahoo.com.tw>, size=4284, nrcpt=10 (queue active)
Apr 11 09:23:53 host2 postfix/qmgr[5498]: 6919C52DAC1A: from=<uvnhbl@yahoo.com.tw>, size=3941, nrcpt=10 (queue active)
Apr 11 09:23:53 host2 postfix/qmgr[5498]: 6D772648BA0B: from=<uvnhbl@yahoo.com.tw>, size=3881, nrcpt=10 (queue active)
Apr 11 09:23:53 host2 postfix/qmgr[5498]: 6613B651C3EA: from=<ndwsfzwl@yahoo.com.tw>, size=3401, nrcpt=11 (queue active)
Apr 11 09:23:53 host2 postfix/qmgr[5498]: 6641164D8B85: from=<ndwsfzwl@yahoo.com.tw>, size=4440, nrcpt=11 (queue active)
Apr 11 09:23:53 host2 postfix/qmgr[5498]: 6A51C46D8F00: from=<ndwsfzwl@yahoo.com.tw>, size=3321, nrcpt=10 (queue active)
Apr 11 09:23:53 host2 postfix/qmgr[5498]: 6357364D8820: from=<ndwsfzwl@yahoo.com.tw>, size=4236, nrcpt=11 (queue active)
Apr 11 09:23:53 host2 postfix/qmgr[5498]: 665606426595: from=<uvnhbl@yahoo.com.tw>, size=3901, nrcpt=10 (queue active)
Apr 11 09:23:53 host2 postfix/qmgr[5498]: 622DB64D0FFE: from=<ndwsfzwl@yahoo.com.tw>, size=3404, nrcpt=11 (queue active)
Apr 11 09:23:53 host2 postfix/qmgr[5498]: 68DA4645673F: from=<uvnhbl@yahoo.com.tw>, size=4491, nrcpt=10 (queue active)
Apr 11 09:23:53 host2 postfix/qmgr[5498]: 65CAA64DBD39: from=<uvnhbl@yahoo.com.tw>, size=3893, nrcpt=11 (queue active)
Apr 11 09:23:53 host2 postfix/qmgr[5498]: 6F449F22912: removed
Apr 11 09:23:53 host2 postfix/qmgr[5498]: 699C5638820F: from=<lpmyj@yahoo.com.tw>, size=3987, nrcpt=11 (queue active)
Apr 11 09:23:54 host2 postfix/qmgr[5498]: 6F5B064A7435: from=<ndwsfzwl@yahoo.com.tw>, size=3908, nrcpt=11 (queue active)
Apr 11 09:23:54 host2 postfix/qmgr[5498]: 6A04D63A8C9C: from=<lpmyj@yahoo.com.tw>, size=3966, nrcpt=10 (queue active)
Apr 11 09:23:54 host2 postfix/qmgr[5498]: 6209E64BC52C: from=<ndwsfzwl@yahoo.com.tw>, size=2881, nrcpt=10 (queue active)
Apr 11 09:23:54 host2 postfix/qmgr[5498]: 68D7A6503ED3: from=<ndwsfzwl@yahoo.com.tw>, size=4017, nrcpt=11 (queue active)
Apr 11 09:23:54 host2 postfix/qmgr[5498]: 6CA966490A4A: from=<ndwsfzwl@yahoo.com.tw>, size=4348, nrcpt=10 (queue active)
Apr 11 09:23:54 host2 postfix/qmgr[5498]: 6B7B36497884: from=<lpmyj@yahoo.com.tw>, size=4273, nrcpt=10 (queue active)
Apr 11 09:23:54 host2 postfix/qmgr[5498]: 6BB8664B85DF: from=<ndwsfzwl@yahoo.com.tw>, size=3900, nrcpt=10 (queue active)
Apr 11 09:23:54 host2 postfix/qmgr[5498]: 6DDE8648178B: from=<uvnhbl@yahoo.com.tw>, size=3458, nrcpt=11 (queue active)
Apr 11 09:23:54 host2 postfix/qmgr[5498]: 64E1B64D3C2C: from=<ndwsfzwl@yahoo.com.tw>, size=3263, nrcpt=11 (queue active)
Apr 11 09:23:54 host2 postfix/qmgr[5498]: 6952042F9574: from=<lpmyj@yahoo.com.tw>, size=3835, nrcpt=11 (queue active)
Apr 11 09:23:54 host2 postfix/qmgr[5498]: 66DBD64EC3C4: from=<ndwsfzwl@yahoo.com.tw>, size=4420, nrcpt=10 (queue active)
Apr 11 09:23:54 host2 postfix/qmgr[5498]: 66A6246DACD1: from=<uvnhbl@yahoo.com.tw>, size=4247, nrcpt=11 (queue active)
Apr 11 09:23:54 host2 postfix/qmgr[5498]: 66FD66499F9A: from=<uvnhbl@yahoo.com.tw>, size=3952, nrcpt=11 (queue active)
Apr 11 09:23:54 host2 postfix/qmgr[5498]: 6FFF2640F966: from=<>, size=6303, nrcpt=1 (queue active)
Apr 11 09:23:54 host2 postfix/qmgr[5498]: 6417364882A2: from=<ndwsfzwl@yahoo.com.tw>, size=2581, nrcpt=11 (queue active)
Apr 11 09:23:54 host2 postfix/qmgr[5498]: 628FE6531B2D: from=<ndwsfzwl@yahoo.com.tw>, size=4331, nrcpt=11 (queue active)
Apr 11 09:23:54 host2 postfix/qmgr[5498]: 6A71C64BE58F: from=<ndwsfzwl@yahoo.com.tw>, size=3180, nrcpt=11 (queue active)
Apr 11 09:23:54 host2 postfix/qmgr[5498]: 6FF1E63453D2: from=<lpmyj@yahoo.com.tw>, size=3309, nrcpt=11 (queue active)
Apr 11 09:23:54 host2 postfix/error[6060]: 68671649374C: to=<eoody@ms1.hinet.net>, relay=none, delay=507402, delays=507376/23/0/3.1, dsn=4.0.0, status=deferred (delivery temporarily suspended: host msx-smtp4.hinet.net[168.95.5.36] refused to talk to me: 421 Too many SMTP sessions for this host)
Apr 11 09:23:54 host2 postfix/bounce[6514]: 67D43646DB5F: sender non-delivery notification: 0167A633998A
Apr 11 09:23:54 host2 postfix/error[6152]: 6559F64746E7: to=<lovemicky922@yahoo.com.tw>, relay=none, delay=521315, delays=521057/237/0/21, dsn=4.7.1, status=deferred (delivery temporarily suspended: host mta-v4.mail.vip.tp2.yahoo.com[203.188.197.111] refused to talk to me: 421 4.7.1 [TS03] All messages from 58.64.134.102 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html)

Wed, 04/10/2013 - 20:34 (Reply to #10)
adrianmak

Apr 11 09:26:29 host2 postfix/smtp[6685]: connect to msx-smtp4.hinet.net[168.95.5.35]:25: Connection timed out
Apr 11 09:26:36 host2 postfix/qmgr[5498]: 67FD064885EF: removed
Apr 11 09:26:36 host2 postfix/qmgr[5498]: 66C15648577B: from=<uvnhbl@yahoo.com.tw>, status=expired, returned to sender
Apr 11 09:26:36 host2 postfix/qmgr[5498]: 60B4E6472C2A: from=<uvnhbl@yahoo.com.tw>, status=expired, returned to sender
Apr 11 09:26:30 host2 postfix/smtp[6694]: connect to msx-smtp4.hinet.net[168.95.5.36]:25: Connection timed out
Apr 11 09:26:31 host2 postfix/smtp[6695]: connect to msx-smtp6.hinet.net[168.95.5.52]:25: Connection timed out
Apr 11 09:26:36 host2 postfix/smtp[5989]: connect to msx-smtp7.hinet.net[168.95.5.76]:25: Connection timed out
Apr 11 09:26:36 host2 postfix/qmgr[5498]: 6A974649D353: from=<lpmyj@yahoo.com.tw>, size=3959, nrcpt=11 (queue active)
Apr 11 09:26:36 host2 postfix/error[6152]: 6AD4364A9D50: to=<money169@kimo.com>, relay=none, delay=498787, delays=498778/7.4/0/1.8, dsn=4.7.1, status=deferred (delivery temporarily suspended: host mx1.mail.tw.yahoo.com[203.188.197.119] refused to talk to me: 421 4.7.1 [TS03] All messages from 58.64.134.102 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html)

Where are the messages generated from? They could fill up the maillog to hundreds of MB in a short period of time.

Thu, 04/11/2013 - 00:20
adrianmak

I executed the command postsuper -d ALL to delete all the mail queues.

While the command was running, I read all the posts related to postfix and mail in this forum and found this post: http://www.virtualmin.com/node/23328

My SMTP server issue is close to what airshock described.

After a few hours, the command postsuper -d ALL finished and reported 1603623 messages removed. Now I am sure my server problem is the same as airshock's.

I used postcat to open one of the queued messages by its queue ID:

*** ENVELOPE RECORDS active/00A61654E77B ***
message_size:            3914            1665              11               0            3914
message_arrival_time: Sat Apr  6 13:52:11 2013
create_time: Sat Apr  6 13:52:13 2013
named_attribute: log_ident=00A61654E77B
named_attribute: rewrite_context=remote
named_attribute: sasl_method=LOGIN
named_attribute: sasl_username=demo
sender: ndwsfzwl@yahoo.com.tw
named_attribute: log_client_name=mdh-14-177.tm.net.my
named_attribute: log_client_address=219.92.14.177
named_attribute: log_client_port=2057
named_attribute: log_message_origin=mdh-14-177.tm.net.my[219.92.14.177]
named_attribute: log_helo_name=kkxgkh.com
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=mdh-14-177.tm.net.my
named_attribute: reverse_client_name=mdh-14-177.tm.net.my
named_attribute: client_address=219.92.14.177
named_attribute: client_port=2057
named_attribute: helo_name=kkxgkh.com
named_attribute: protocol_name=ESMTP
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;a1876511@yahoo.com.tw
original_recipient: a1876511@yahoo.com.tw
recipient: a1876511@yahoo.com.tw
named_attribute: dsn_orig_rcpt=rfc822;wendy_shao1972@yahoo.com.tw
original_recipient: wendy_shao1972@yahoo.com.tw
recipient: wendy_shao1972@yahoo.com.tw
named_attribute: dsn_orig_rcpt=rfc822;walklulu@yahoo.com.tw
original_recipient: walklulu@yahoo.com.tw
recipient: walklulu@yahoo.com.tw
named_attribute: dsn_orig_rcpt=rfc822;bj36473647@yahoo.com.tw
original_recipient: bj36473647@yahoo.com.tw
recipient: bj36473647@yahoo.com.tw
named_attribute: dsn_orig_rcpt=rfc822;win1@ms16.hinet.net
original_recipient: win1@ms16.hinet.net
recipient: win1@ms16.hinet.net
named_attribute: dsn_orig_rcpt=rfc822;topever@ms27.hinet.net
original_recipient: topever@ms27.hinet.net
recipient: topever@ms27.hinet.net
named_attribute: dsn_orig_rcpt=rfc822;nage0405@yahoo.com.tw
original_recipient: nage0405@yahoo.com.tw
recipient: nage0405@yahoo.com.tw
named_attribute: dsn_orig_rcpt=rfc822;chiahua_li@yahoo.com.tw
original_recipient: chiahua_li@yahoo.com.tw
recipient: chiahua_li@yahoo.com.tw
named_attribute: dsn_orig_rcpt=rfc822;twopeichen@yahoo.com.tw
original_recipient: twopeichen@yahoo.com.tw
recipient: twopeichen@yahoo.com.tw

The header surprised me. named_attribute: sasl_username=demo <--------- is that the user being used to send spam remotely?

If yes, however, I went over all the virtual servers to see whether there is a user named demo, and the result is none. I also read /etc/passwd and there is no user ID named demo there either.

Thu, 04/11/2013 - 08:07
adrianmak

I did another small test to see whether those spam messages originated from a web script or were sent remotely.

I turned off the incoming SMTP port on the firewall and started postfix, then monitored /var/log/maillog for a certain period of time.

After a few hours of monitoring the maillog with the incoming SMTP port turned off, no abnormal mail log entries appeared. In conclusion, all the spam mails are being sent from outside, and because of some SMTP policy restrictions those emails could not be delivered from my server and were queued.

Now the problem is: why could demo (a login account?) pass the SASL authentication?

I searched through the file /var/log/audit/audit.log and could not find any login by demo.

Thu, 04/11/2013 - 15:05
andreychek

Howdy,

You may want to take a look in /var/log/maillog... seeing "sasl_authenticated" suggests that a user used an SMTP authentication method (typically port 465 or 587) to login as that user.

And any user who authenticates via that method would show up in /var/log/maillog.

If you haven't already, you may want to change the password for that user though.

-Eric
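
The maillog check suggested above, as an added example that is not part of the original thread: Postfix's smtpd logs `client=..., sasl_method=..., sasl_username=...` for each authenticated submission, and this script ties those lines to the qmgr `nrcpt=` lines by queue ID to show which account is feeding the queue. The sample lines, the function names and the two thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in Postfix maillog format (documentation IP ranges, made-up queue IDs).
SAMPLE_LOG = """\
Apr  6 13:52:11 host2 postfix/smtpd[4101]: A1B2C3D4E5F1: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=demo
Apr  6 13:52:13 host2 postfix/qmgr[5498]: A1B2C3D4E5F1: from=<x1@example.net>, size=3914, nrcpt=11 (queue active)
Apr  6 13:52:20 host2 postfix/smtpd[4102]: A1B2C3D4E5F2: client=unknown[198.51.100.9], sasl_method=LOGIN, sasl_username=demo
Apr  6 13:52:21 host2 postfix/qmgr[5498]: A1B2C3D4E5F2: from=<x2@example.net>, size=3364, nrcpt=10 (queue active)
Apr  6 13:55:02 host2 postfix/qmgr[5498]: A1B2C3D4E5F2: from=<x2@example.net>, size=3364, nrcpt=10 (queue active)
Apr  6 14:01:00 host2 postfix/smtpd[4103]: A1B2C3D4E5F3: client=mail.example.org[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
Apr  6 14:01:01 host2 postfix/qmgr[5498]: A1B2C3D4E5F3: from=<alice@example.org>, size=1200, nrcpt=1 (queue active)
Apr  6 14:02:00 host2 postfix/qmgr[5498]: A1B2C3D4E5F4: from=<>, size=8227, nrcpt=1 (queue active)
"""

SMTPD_RE = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-F]+): client=\S+\[([^\]]+)\], "
                      r"sasl_method=\S+, sasl_username=([^,\s]+)")
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-F]+): from=<([^>]*)>, size=\d+, nrcpt=(\d+)")


def summarize(log_text):
    """Return {sasl_username: {"messages", "recipients", "clients", "senders"}}."""
    owner = {}        # queue ID -> SASL username that submitted it
    counted = set()   # queue IDs already counted (qmgr re-logs a message on every retry)
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0,
                                 "clients": set(), "senders": set()})
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            qid, ip, user = m.groups()
            owner[qid] = user
            stats[user]["clients"].add(ip)
            continue
        m = QMGR_RE.search(line)
        # Only messages submitted with SMTP AUTH are attributed; bounces (from=<>) are skipped.
        if m and m.group(1) in owner and m.group(1) not in counted:
            qid, sender, nrcpt = m.groups()
            counted.add(qid)
            entry = stats[owner[qid]]
            entry["messages"] += 1
            entry["recipients"] += int(nrcpt)
            entry["senders"].add(sender)
    return dict(stats)


def suspicious(stats, max_clients=1, max_recipients=20):
    """Flag accounts that log in from several addresses or fan out to many recipients.
    Both thresholds are illustrative assumptions; tune them to the site's normal traffic."""
    return sorted(user for user, s in stats.items()
                  if len(s["clients"]) > max_clients or s["recipients"] > max_recipients)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for user in suspicious(report):
        s = report[user]
        print(user, s["messages"], s["recipients"], sorted(s["clients"]), sorted(s["senders"]))
```

On a live server, pass the contents of /var/log/maillog to `summarize()` instead of `SAMPLE_LOG`; an account that shows up with many client addresses and unrelated envelope senders is the one whose password needs changing.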
