Re: Suspicious Email Logs...

  • mouss
    Message 1 of 5 , Apr 1, 2006
      Conall O'Brien wrote:
      > Hello,
      >
      >
      > I've just noticed that my 2 backup MX postfix servers appear to have
      > sent more emails than I expect in a day, especially since my primary MX
      > is running fine.
      >
      >
      > Investigating my mail.logs has produced some interesting logs which
      > look like:
      >
      > Apr 1 04:33:19 castor postfix/cleanup[21583]: B9CE3775:
      > message-id=<20060401043319.B9CE3775@...>
      > Apr 1 04:33:19 castor postfix/qmgr[21148]: B9CE3775: from=<>,
      > size=52034, nrcpt=1 (queue active)
      > Apr 1 04:33:22 castor postfix/smtp[21586]: B9CE3775:
      > to=<qvqls@...>, relay=mail13.webcontrolcenter.com[216.119.106.129],
      > delay=3, status=sent (250 OK)
      > Apr 1 04:33:22 castor postfix/qmgr[21148]: B9CE3775: removed
      >
      >
      > The complete collection of suspicious logs for both servers is available
      > at http://icarus.asclepian.ie/~conall/suspicious.logs
      >
      >
      > I've considered the possibility of scatterback, which is an issue I
      > haven't specifically addressed previously, but grepping mail.log files
      > on my other MX servers for mentioned domain names reveals that in most
      > cases, this isn't scatterback (I did find 1 case). I'm also a little
      > suspicious because the message ID looks a little bit too deterministic
      > for my liking, looking at the least significant digits.
      >
      > Hence I'd like to know if anyone else has seen this before. Any help is
      > appreciated...
      >
      >
      > Both servers are almost identically configured, diffing the output of
      > postconf -n shows only different values for $myhostname ,
      > $smtpd_tls_cert_file and $smtpd_tls_key_file . Hence, below is the
      > postconf -n output for one server.
      >
      >
      > alias_database = hash:/etc/aliases
      > alias_maps = hash:/etc/aliases
      > append_dot_mydomain = no
      > biff = no
      > broken_sasl_auth_clients = yes
      > config_directory = /etc/postfix
      > home_mailbox = Maildir/
      > inet_interfaces = all
      > mailbox_command = procmail -a "$EXTENSION"
      > mailbox_size_limit = 0
      > myhostname = castor.asclepian.ie
      > mynetworks = 127.0.0.0/8
      > myorigin = $myhostname
      > recipient_delimiter = +
      > relay_domains = $mydestinations, $mx_backups

      I see no relay_recipient_maps. so you're not validating relay recipients.

      PS. you have mydestinations with an 's' above.
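The gap mouss points at shows up in the log exactly as in the lines quoted above: a backup MX that has no relay_recipient_maps queues mail for any address in its relay domains, only learns that the user does not exist when the primary rejects the forwarded copy, and then sends a bounce (from=<>) to whatever sender address the original message carried, which is how a backup MX ends up "sending more emails than expected". The script below is an added example, not part of this thread or of Postfix: it correlates qmgr and smtp/local lines by queue ID and lists null-sender messages that this host handed to a relay outside its own domains. The sample log lines, the recipient addresses, the relay hostnames and IPs, and all queue IDs except B9CE3775 are constructed for the example; asclepian.ie is taken from the post as the local domain.

```python
"""Flag likely backscatter in Postfix syslog output: messages with an empty
envelope sender (from=<>) that were delivered to a relay outside our own
domains.  Added example; the log lines below are constructed."""
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the format quoted in the post.  Only the
# first queue ID is taken from the post; hosts and addresses are made up.
SAMPLE_LOG = """\
Apr  1 04:33:19 castor postfix/cleanup[21583]: B9CE3775: message-id=<20060401043319.B9CE3775@castor.asclepian.ie>
Apr  1 04:33:19 castor postfix/qmgr[21148]: B9CE3775: from=<>, size=52034, nrcpt=1 (queue active)
Apr  1 04:33:22 castor postfix/smtp[21586]: B9CE3775: to=<qvqls@example.net>, relay=mail13.example.net[192.0.2.10], delay=3, status=sent (250 OK)
Apr  1 04:33:22 castor postfix/qmgr[21148]: B9CE3775: removed
Apr  1 04:40:01 castor postfix/qmgr[21148]: C1D2E3F4: from=<alice@example.org>, size=1200, nrcpt=1 (queue active)
Apr  1 04:40:03 castor postfix/smtp[21590]: C1D2E3F4: to=<bob@asclepian.ie>, relay=mx1.asclepian.ie[192.0.2.20], delay=2, status=sent (250 OK)
Apr  1 04:45:10 castor postfix/qmgr[21148]: D5E6F7A8: from=<>, size=3000, nrcpt=1 (queue active)
Apr  1 04:45:11 castor postfix/local[21600]: D5E6F7A8: to=<root@castor.asclepian.ie>, relay=local, delay=1, status=sent (delivered to mailbox)
Apr  1 04:50:00 castor postfix/qmgr[21148]: E9F0A1B2: from=<>, size=5000, nrcpt=1 (queue active)
Apr  1 04:50:05 castor postfix/smtp[21610]: E9F0A1B2: to=<nobody@example.com>, relay=mx.example.com[198.51.100.5], delay=5, status=bounced (550 No such user)
"""

# syslog prefix, program name and queue ID, as in the quoted lines
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<prog>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$"
)
FROM_RE = re.compile(r"from=<(?P<sender>[^>]*)>")
# relay may carry a :port suffix on newer Postfix versions; the post's lines do not
TO_RE = re.compile(
    r"to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>\S+?)(?::\d+)?, .*status=(?P<status>\w+)"
)


def parse_log(text):
    """Group facts per queue ID: the envelope sender from the qmgr line and
    every delivery attempt logged by smtp/local."""
    msgs = defaultdict(lambda: {"sender": None, "deliveries": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = msgs[m["qid"]]
        f = FROM_RE.search(m["rest"])
        if f and m["prog"] == "qmgr":
            rec["sender"] = f["sender"]       # "" means from=<>, i.e. a bounce
        t = TO_RE.search(m["rest"])
        if t:
            rec["deliveries"].append(
                {"ts": m["ts"], "rcpt": t["rcpt"], "relay": t["relay"], "status": t["status"]}
            )
    return msgs


def is_external(relay, local_domains):
    """A relay is external unless it is a local delivery agent or a host in
    one of our own domains (hostname is the part before the [ip])."""
    if relay in ("local", "none", "virtual"):
        return False
    host = relay.split("[", 1)[0].lower()
    return not any(host == d or host.endswith("." + d) for d in local_domains)


def find_backscatter(text, local_domains):
    """Return (queue_id, recipient, relay) for every null-sender message that
    this host successfully handed to a relay outside local_domains."""
    hits = []
    for qid, rec in sorted(parse_log(text).items()):
        if rec["sender"] != "":
            continue
        for d in rec["deliveries"]:
            if d["status"] == "sent" and is_external(d["relay"], local_domains):
                hits.append((qid, d["rcpt"], d["relay"]))
    return hits


def destinations(hits):
    """Count flagged bounces per recipient domain, to see who is being hit."""
    return dict(Counter(rcpt.rsplit("@", 1)[-1].lower() for _, rcpt, _ in hits))


if __name__ == "__main__":
    for qid, rcpt, relay in find_backscatter(SAMPLE_LOG, {"asclepian.ie"}):
        print(f"{qid}: null-sender mail relayed outward to <{rcpt}> via {relay}")
```

Run it against a real mail.log instead of SAMPLE_LOG with your own domains in local_domains; a steady stream of hits from a backup MX is the signature of accepting recipients you cannot validate. The local delivery (D5E6F7A8) and the double bounce that itself bounced (E9F0A1B2) are deliberately not flagged: only bounces that left the machine count. The cure is the one mouss names: give the backup MX a relay_recipient_maps table so unknown users are rejected at SMTP time and never queued.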
    • Conall O'Brien
      Message 2 of 5 , Apr 2, 2006
        On Sun, Apr 02, 2006 at 12:55:40AM IST, mouss
        <usebsd@...> incoherently babbled:

        > I see no relay_recipient_maps. so you're not validating relay recipients.

        Ack! I've been maintaining one, and it was configured originally.

        > PS. you have mydestinations with an 's' above.

        Thanks, I didn't notice that.


        I still can't explain the anomalies of the queue IDs being quite
        similar...

        --

        Conall O'Brien

        http://www.conall.net

        GPG Key: http://www.conall.net/gpg/

        "Hello, is this the hardware store? Yes, I'm wondering if you sell
        Catapults. No?? Well, I'm looking for something that can deliver a 50
        payload of snow on a small feminine target. Can you suggest something?
        Hello?"

        Bill Watterson - Calvin And Hobbes: The Days Are Just Packed