Re: Suspicious Email Logs...
- On Sat, 1 Apr 2006 19:28:14 +0100 Conall O'Brien wrote:
> relay_domains = $mydestinations, $mx_backups
$mydestination.
You have what recipient validation in place?
- Conall O'Brien wrote:
> Hello,
> I've just noticed that my 2 backup MX postfix servers appear to have
> sent more emails than I expect in a day, especially since my primary MX
> is running fine.
> Investigating my mail.logs has produced some interesting logs which
> look like:
> Apr 1 04:33:19 castor postfix/cleanup: B9CE3775:
> Apr 1 04:33:19 castor postfix/qmgr: B9CE3775: from=<>, size=52034, nrcpt=1 (queue active)
> Apr 1 04:33:22 castor postfix/smtp: B9CE3775: to=<qvqls@...>, relay=mail13.webcontrolcenter.com[126.96.36.199], delay=3, status=sent (250 OK)
> Apr 1 04:33:22 castor postfix/qmgr: B9CE3775: removed
> The complete collection of suspicious logs for both servers is available
> at http://icarus.asclepian.ie/~conall/suspicious.logs
> I've considered the possibility of scatterback, which is an issue I
> haven't specifically addressed previously, but grepping mail.log files
> on my other MX servers for the mentioned domain names reveals that in most
> cases this isn't scatterback (I did find 1 case). I'm also a little
> suspicious because the message ID looks a little bit too deterministic
> for my liking, looking at the least significant digits.
> Hence I'd like to know if anyone else has seen this before. Any help is
> Both servers are almost identically configured; diffing the output of
> postconf -n shows only different values for $myhostname,
> $smtpd_tls_cert_file and $smtpd_tls_key_file. Hence, below is the
> postconf -n output for one server.
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> append_dot_mydomain = no
> biff = no
> broken_sasl_auth_clients = yes
> config_directory = /etc/postfix
> home_mailbox = Maildir/
> inet_interfaces = all
> mailbox_command = procmail -a "$EXTENSION"
> mailbox_size_limit = 0
> myhostname = castor.asclepian.ie
> mynetworks = 127.0.0.0/8
> myorigin = $myhostname
> recipient_delimiter = +
> relay_domains = $mydestinations, $mx_backups
I see no relay_recipient_maps, so you're not validating relay recipients.
PS. you have mydestinations with an 's' above.
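One way to check a backup MX's mail.log for the pattern discussed above (an added example, not code from this thread or from Postfix): correlate qmgr and smtp lines by queue ID and flag messages that entered the queue with an empty envelope sender (from=<>) and were then delivered outbound, which is what bounces generated by a relay that accepted an undeliverable recipient look like. The sample log lines are constructed after the excerpt in the thread, with placeholder recipient, relay and message-id values.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the thread's log excerpt; recipient,
# relay and message-id are placeholders, not the original values.
SAMPLE_LOG = """\
Apr  1 04:33:19 castor postfix/cleanup: B9CE3775: message-id=<x@example.invalid>
Apr  1 04:33:19 castor postfix/qmgr: B9CE3775: from=<>, size=52034, nrcpt=1 (queue active)
Apr  1 04:33:22 castor postfix/smtp: B9CE3775: to=<user@example.invalid>, relay=mx.example.invalid[192.0.2.10]:25, delay=3, status=sent (250 OK)
Apr  1 04:33:22 castor postfix/qmgr: B9CE3775: removed
Apr  1 04:40:01 castor postfix/qmgr: 1A2B3C4D: from=<alice@example.invalid>, size=1200, nrcpt=1 (queue active)
Apr  1 04:40:02 castor postfix/smtp: 1A2B3C4D: to=<bob@example.invalid>, relay=mx.example.invalid[192.0.2.10]:25, delay=1, status=sent (250 OK)
Apr  1 04:40:02 castor postfix/qmgr: 1A2B3C4D: removed
"""

# The thread's excerpt has the "[pid]" stripped from the daemon name, so the
# patterns accept both "postfix/qmgr:" and "postfix/qmgr[1234]:".
QMGR_RE = re.compile(
    r"postfix/qmgr(?:\[\d+\])?: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")
SMTP_RE = re.compile(
    r"postfix/smtp(?:\[\d+\])?: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>[^,]+),.*status=(?P<status>\w+)")


def find_null_sender_deliveries(log_text):
    """Return (queue_id, recipient, relay) for every message that entered the
    queue with an empty envelope sender (from=<>) and was then delivered
    outbound. Bounces are the usual source of from=<>; a backup MX that
    accepts any recipient for its relay domains and only learns the address
    is bad when the primary rejects it generates exactly these."""
    sender_by_qid = {}
    hits = []
    for line in log_text.splitlines():
        m = QMGR_RE.search(line)
        if m:
            sender_by_qid[m.group("qid")] = m.group("sender")
            continue
        m = SMTP_RE.search(line)
        if m and m.group("status") == "sent" and sender_by_qid.get(m.group("qid")) == "":
            hits.append((m.group("qid"), m.group("rcpt"), m.group("relay")))
    return hits


def count_by_recipient_domain(hits):
    """Tally null-sender deliveries per recipient domain, the per-domain view
    the original poster was assembling by grepping the other MX hosts."""
    return Counter(rcpt.rpartition("@")[2] for _, rcpt, _ in hits)
```

Run it over the contents of a real mail.log and compare the per-domain counts against the primary MX: a large count on the backup with no matching inbound traffic is the backscatter signature, and the fix on the config side is a relay_recipient_maps table that lets the backup reject unknown recipients at SMTP time instead of bouncing later.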
- On Sun, Apr 02, 2006 at 12:55:40AM IST, mouss <usebsd@...> incoherently babbled:
> I see no relay_recipient_maps, so you're not validating relay recipients.
Ack! I've been maintaining one, and it was configured originally.
> PS. you have mydestinations with an 's' above.
Thanks, I didn't notice that.
I still can't explain the anomalies of the queue IDs being quite
GPG Key: http://www.conall.net/gpg/
"Hello, is this the hardware store? Yes, I'm wondering if you sell
Catapults. No?? Well, I'm looking for something that can deliver a 50
payload of snow on a small feminine target. Can you suggest something?"
- Bill Watterson - Calvin And Hobbes: The Days Are Just Packed