RE: Postfix trying to use invalid IP address...

  • Dov Oxenberg
    Message 1 of 20, May 30, 2008

      Hi Brian,
      Thanks for the reply.
      Below are the contents of my mail as you requested:
      #
      # Postfix master process configuration file.  For details on the format
      # of the file, see the master(5) manual page (command: "man 5 master").
      #
      # ==========================================================================
      # service type  private unpriv  chroot  wakeup  maxproc command + args
      #               (yes)   (yes)   (yes)   (never) (100)
      # ==========================================================================
      smtp      inet  n       -       -       -       -       smtpd
      #submission inet n       -       -       -       -       smtpd
      #  -o smtpd_enforce_tls=yes
      #  -o smtpd_sasl_auth_enable=yes
      #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      #smtps     inet  n       -       -       -       -       smtpd
      #  -o smtpd_tls_wrappermode=yes
      #  -o smtpd_sasl_auth_enable=yes
      #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      #628      inet  n       -       -       -       -       qmqpd
      pickup    fifo  n       -       -       60      1       pickup
      cleanup   unix  n       -       -       -       0       cleanup
      qmgr      fifo  n       -       n       300     1       qmgr
      #qmgr     fifo  n       -       -       300     1       oqmgr
      tlsmgr    unix  -       -       -       1000?   1       tlsmgr
      rewrite   unix  -       -       -       -       -       trivial-rewrite
      bounce    unix  -       -       -       -       0       bounce
      defer     unix  -       -       -       -       0       bounce
      trace     unix  -       -       -       -       0       bounce
      verify    unix  -       -       -       -       1       verify
      flush     unix  n       -       -       1000?   0       flush
      proxymap  unix  -       -       n       -       -       proxymap
      smtp      unix  -       -       -       -       -       smtp
      # When relaying mail as backup MX, disable fallback_relay to avoid MX loops
      relay     unix  -       -       -       -       -       smtp
       -o fallback_relay=
      #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
      showq     unix  n       -       -       -       -       showq
      error     unix  -       -       -       -       -       error
      discard   unix  -       -       -       -       -       discard
      local     unix  -       n       n       -       -       local
      virtual   unix  -       n       n       -       -       virtual
      lmtp      unix  -       -       -       -       -       lmtp
      anvil     unix  -       -       -       -       1       anvil
      scache    unix  -       -       -       -       1       scache
      #
      # ====================================================================
      # Interfaces to non-Postfix software. Be sure to examine the manual
      # pages of the non-Postfix software to find out what options it wants.
      #
      # Many of the following services use the Postfix pipe(8) delivery
      # agent.  See the pipe(8) man page for information about ${recipient}
      # and other message envelope options.
      # ====================================================================
      #
      # maildrop. See the Postfix MAILDROP_README file for details.
      # Also specify in main.cf: maildrop_destination_recipient_limit=1
      #
      maildrop  unix  -       n       n       -       -       pipe
        flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
      #
      # See the Postfix UUCP_README file for configuration details.
      #
      uucp      unix  -       n       n       -       -       pipe
        flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
      #
      # Other external delivery methods.
      #
      ifmail    unix  -       n       n       -       -       pipe
        flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
      bsmtp     unix  -       n       n       -       -       pipe
        flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
      scalemail-backend unix - n n - 2 pipe
        flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
      mailman   unix  -       n       n       -       -       pipe
        flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
        ${nexthop} ${user}

      Cheers,
      Dov




      > Do you have this overridden in master.cf?
      > Please post master.cf or use postfinger (see
      > http://www.postfix.org/DEBUG_README#mail).
      >
      > Brian

    • Bill Cole
      Message 2 of 20, May 30, 2008
        At 10:12 AM -0400 5/30/08, Dov Oxenberg wrote:
        >Hi,
        >Two days ago my Postfix broke for no apparent reason.

        That's got to raise alarm bells. Breaking on first setup or breaking
        after a change is not so strange, but breaking randomly isn't
        something that software can easily do.

        Try to nail down when the problem started and get forensic with your
        system. Figure out what changed right before Postfix broke.


        >It looks as though Postfix is failing to start because it is trying
        >to use an IP address (I have no idea where Postfix is getting this
        >IP address) which is not valid for my system.
        >Here is a snippet from my mail log:
        ><snip>
        >May 29 03:03:48 bocacentral postfix/master[22144]: warning:
        >/usr/lib/postfix/smtpd: bad command startup -- throttling
        >May 29 03:03:51 bocacentral postfix[28179]: fatal: parameter
        >inet_interfaces: no local interface found for 69.50.160.213
        >May 29 03:04:22 bocacentral postfix[3657]: fatal: parameter
        >inet_interfaces: no local interface found for 69.50.160.213
        >May 29 03:26:27 bocacentral postfix[32672]: fatal: parameter
        >inet_interfaces: no local interface found for 69.50.160.213
        >May 29 03:31:01 bocacentral postfix[6140]: fatal: parameter
        >inet_interfaces: no local interface found for 69.50.160.213
        ></snip>

        That IP address is extremely suspicious. I would not be surprised if
        you were to discover that your system has been compromised and
        someone has been ineptly trying to take it over for spamming purposes.

        [big snip]

        >Please let me know if there is anything further I can provide so
        >that someone may help me fix this problem.


        The active lines in master.cf might help, but I think you should also
        start looking for what happened ahead of the break and what's been
        happening since. This is Not Normal.


        --
        Bill Cole
        bill@...
      • Dov Oxenberg
        Message 3 of 20, May 30, 2008

          Hello Viktor,
          Thank you for your reply.
          The only thing in my /etc/resolv.conf is "nameserver 209.51.143.76"
          I don't quite understand the rest of your response however.
          If you are suggesting the syntax of the value for inet_interfaces is invalid or incorrect, what or how should it be, considering the data I have provided so far?
          Thanks!
          Dov





          > Date: Fri, 30 May 2008 10:25:08 -0400
          > From: Victor.Duchovni@...
          > To: postfix-users@...
          > Subject: Re: Postfix trying to use invalid IP address...
          >
          > On Fri, May 30, 2008 at 10:12:53AM -0400, Dov Oxenberg wrote:
          >
          > > inet_interfaces = ALL
          >
          > I don't see any documentation that suggests this syntax is correct.
          > You are using the hostname "ALL.example.com" where example.com is
          > some domain from /etc/resolv.conf that happens to have an "ALL"
          > host or wildcard "A" record (a bad idea, avoid DNS servers that
          > do that).
          >
          > --
          > Viktor.

        • Bill Cole
          Message 4 of 20, May 30, 2008
            At 10:25 AM -0400 5/30/08, Victor Duchovni wrote:
            >On Fri, May 30, 2008 at 10:12:53AM -0400, Dov Oxenberg wrote:
            >
            >> inet_interfaces = ALL
            >
            >I don't see any documentation that suggests this syntax is correct.

            http://www.postfix.org/postconf.5.html#inet_interfaces seems to
            suggest it if "all" is case-insensitive.





            --
            Bill Cole
            bill@...
          • Wietse Venema
            Message 5 of 20, May 30, 2008
              Dov Oxenberg:
              > Hello Viktor,
              > Thank you for your reply.
              > The only thing in my /etc/resolv.conf is "nameserver 209.51.143.76"
              > I don't quite understand the rest of your response however.
              > If you are suggesting the syntax of the value for inet_interfaces is invalid or incorrect, what or how should it be, considering the data I have provided so far?
              > Thanks!

              inet_interfaces=ALL

              is not valid main.cf input.

              Wietse
            • Dov Oxenberg
              Message 6 of 20, May 30, 2008
                Oh, and I forgot to mention, this does not explain to me why the system was working just fine for more than three months and now, all of a sudden I develop this problem.
                Thanks,
                Dov






                > Date: Fri, 30 May 2008 10:25:08 -0400
                > From: Victor.Duchovni@...
                > To: postfix-users@...
                > Subject: Re: Postfix trying to use invalid IP address...
                >
                > On Fri, May 30, 2008 at 10:12:53AM -0400, Dov Oxenberg wrote:
                >
                > > inet_interfaces = ALL
                >
                > I don't see any documentation that suggests this syntax is correct.
                > You are using the hostname "ALL.example.com" where example.com is
                > some domain from /etc/resolv.conf that happens to have an "ALL"
                > host or wildcard "A" record (a bad idea, avoid DNS servers that
                > do that).
                >
                > --
                > Viktor.
                >
                > Disclaimer: off-list followups get on-list replies or get ignored.
                > Please do not ignore the "Reply-To" header.
                >
                > To unsubscribe from the postfix-users list, visit
                > http://www.postfix.org/lists.html or click the link below:
                > <mailto:majordomo@...?body=unsubscribe%20postfix-users>
                >
                > If my response solves your problem, the best way to thank me is to not
                > send an "it worked, thanks" follow-up. If you must respond, please put
                > "It worked, thanks" in the "Subject" so I can delete these quickly.

              • Dov Oxenberg
                Message 7 of 20, May 30, 2008
                  Hi Bill,
                  I think you are right on the money as I suspected the same thing.
                  In looking through my log files, there was a connection from the Sony Network in Taiwan and then 90 minutes later my Postfix no longer works.
                  Here is the relevant excerpt from my mail log:
                  <snip>
                  May 25 08:12:23 bocacentral postfix/smtpd[1919]: connect from unknown[219.84.219.155]
                  May 25 08:12:23 bocacentral postfix/smtpd[1919]: lost connection after CONNECT from unknown[219.84.219.155]
                  May 25 08:12:23 bocacentral postfix/smtpd[1919]: disconnect from unknown[219.84.219.155]
                  May 25 08:15:43 bocacentral postfix/anvil[1958]: statistics: max connection rate 1/60s for (smtp:219.84.219.155) at May 25 08:12:23
                  May 25 08:15:43 bocacentral postfix/anvil[1958]: statistics: max connection count 1 for (smtp:219.84.219.155) at May 25 08:12:23
                  May 25 08:15:43 bocacentral postfix/anvil[1958]: statistics: max cache size 1 at May 25 08:12:23
                  May 25 09:30:08 bocacentral postfix/smtpd[23892]: fatal: parameter inet_interfaces: no local interface found for 69.50.160.213
                  May 25 09:30:09 bocacentral postfix/master[22144]: warning: process /usr/lib/postfix/smtpd pid 23892 exit status 1
                  May 25 09:30:09 bocacentral postfix/master[22144]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling
                  May 25 09:31:09 bocacentral postfix/smtpd[24402]: fatal: parameter inet_interfaces: no local interface found for 69.50.160.213
                  May 25 09:31:10 bocacentral postfix/master[22144]: warning: process /usr/lib/postfix/smtpd pid 24402 exit status 1
                  May 25 09:31:10 bocacentral postfix/master[22144]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling
                  May 25 09:32:10 bocacentral postfix/smtpd[24482]: fatal: parameter inet_interfaces: no local interface found for 69.50.160.213
                  May 25 09:32:11 bocacentral postfix/master[22144]: warning: process /usr/lib/postfix/smtpd pid 24482 exit status 1
                  May 25 09:32:11 bocacentral postfix/master[22144]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling
                  May 25 09:33:11 bocacentral postfix/smtpd[24570]: fatal: parameter inet_interfaces: no local interface found for 69.50.160.213
                  May 25 09:33:12 bocacentral postfix/master[22144]: warning: process /usr/lib/postfix/smtpd pid 24570 exit status 1
                  May 25 09:33:12 bocacentral postfix/master[22144]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling
                  May 25 09:34:12 bocacentral postfix/smtpd[25670]: fatal: parameter inet_interfaces: no local interface found for 69.50.160.213
                  May 25 09:34:13 bocacentral postfix/master[22144]: warning: process /usr/lib/postfix/smtpd pid 25670 exit status 1
                  May 25 09:34:13 bocacentral postfix/master[22144]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling
                  May 25 09:35:13 bocacentral postfix/smtpd[26201]: fatal: parameter inet_interfaces: no local interface found for 69.50.160.213
                  May 25 09:35:14 bocacentral postfix/master[22144]: warning: process /usr/lib/postfix/smtpd pid 26201 exit status 1
                  May 25 09:35:14 bocacentral postfix/master[22144]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling
                  May 25 09:36:14 bocacentral postfix/smtpd[26349]: fatal: parameter inet_interfaces: no local interface found for 69.50.160.213
                  May 25 09:36:15 bocacentral postfix/master[22144]: warning: process /usr/lib/postfix/smtpd pid 26349 exit status 1
                  May 25 09:36:15 bocacentral postfix/master[22144]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling
                  May 25 09:37:15 bocacentral postfix/smtpd[26508]: fatal: parameter inet_interfaces: no local interface found for 69.50.160.213
                  May 25 09:37:16 bocacentral postfix/master[22144]: warning: process /usr/lib/postfix/smtpd pid 26508 exit status 1
                  May 25 09:37:16 bocacentral postfix/master[22144]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling
                  May 25 09:38:16 bocacentral postfix/smtpd[26574]: fatal: parameter inet_interfaces: no local interface found for 69.50.160.213
                  May 25 09:38:17 bocacentral postfix/master[22144]: warning: process /usr/lib/postfix/smtpd pid 26574 exit status 1
                  </snip>
                   
                  Any ideas???
                  Thanks Bill






                  > Date: Fri, 30 May 2008 10:41:33 -0400
                  > To: postfix-users@...
                  > From: postfixlists-070913@...
                  > Subject: Re: Postfix trying to use invalid IP address...
                  >
                  > At 10:12 AM -0400 5/30/08, Dov Oxenberg wrote:
                  > >Hi,
                  > >Two days ago my Postfix broke for no apparent reason.
                  >
                  > That's got to raise alarm bells. Breaking on first setup or breaking
                  > after a change is not so strange, but breaking randomly isn't
                  > something that software can easily do.
                  >
                  > Try to nail down when the problem started and get forensic with your
                  > system. Figure out what changed right before Postfix broke.
                  >
                  >
                  > >It looks as though Postfix is failing to start because it is trying
                  > >to use an IP address (I have no idea where Postfix is getting this
                  > >IP address) which is not valid for my system.
                  > >Here is a snippet from my mail log:
                  > ><snip>
                  > >May 29 03:03:48 bocacentral postfix/master[22144]: warning:
                  > >/usr/lib/postfix/smtpd: bad command startup -- throttling
                  > >May 29 03:03:51 bocacentral postfix[28179]: fatal: parameter
                  > >inet_interfaces: no local interface found for 69.50.160.213
                  > >May 29 03:04:22 bocacentral postfix[3657]: fatal: parameter
                  > >inet_interfaces: no local interface found for 69.50.160.213
                  > >May 29 03:26:27 bocacentral postfix[32672]: fatal: parameter
                  > >inet_interfaces: no local interface found for 69.50.160.213
                  > >May 29 03:31:01 bocacentral postfix[6140]: fatal: parameter
                  > >inet_interfaces: no local interface found for 69.50.160.213
                  > ></snip>
                  >
                  > That IP address is extremely suspicious. I would not be surprised if
                  > you were to discover that your system has been compromised and
                  > someone has been ineptly trying to take it over for spamming purposes.
                  >
                  > [big snip]
                  >
                  > >Please let me know if there is anything further I can provide so
                  > >that someone may help me fix this problem.
                  >
                  >
                  > The active lines in master.cf might help, but I think you should also
                  > start looking for what happened ahead of the break and what's been
                  > happening since. This is Not Normal.
                  >
                  >
                  > --
                  > Bill Cole
                  > bill@...
                  >

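The log excerpt in the message above is exactly the pattern a defender wants to pick out of a maillog automatically: smtpd dying with the inet_interfaces error, master(8) throttling the command, and the inbound connection that preceded it. The following Python script is an added example, not code from this thread or from Postfix. It parses lines in the syslog format posted above (the sample lines are copied from the excerpts in this thread) and reports when the failures began, which address could not be bound, and the last inbound connection before the first failure, which is a correlation to verify, not proof of compromise.

```python
"""Triage Postfix startup failures from a maillog excerpt.

Added example, not code from the original thread or from Postfix.  It
recognises two symptoms: smtpd's "fatal: parameter inet_interfaces: no local
interface found for <ip>" and master(8)'s "bad command startup -- throttling"
warning, and records the last inbound connect seen before the first failure.
"""
import re
from collections import Counter

# Syslog-style Postfix line: "May 25 09:30:08 host postfix/smtpd[23892]: msg".
# The process name after "postfix/" is optional: "postfix[28179]: fatal: ...".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"postfix(?:/(?P<proc>[\w-]+))?\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
NO_IFACE_RE = re.compile(
    r"fatal: parameter inet_interfaces: no local interface found for (?P<ip>\S+)"
)
THROTTLE_RE = re.compile(r"warning: (?P<cmd>\S+): bad command startup -- throttling")
CONNECT_RE = re.compile(r"^connect from (?P<name>\S+?)\[(?P<ip>[^\]]+)\]")


def parse_line(line):
    """Split one syslog line into fields; None if it is not a Postfix line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(lines):
    """Summarise bind failures and master(8) throttling in maillog lines."""
    summary = {
        "first_failure": None,        # timestamp of the first fatal bind error
        "failures": 0,                # number of fatal bind errors
        "bad_addresses": Counter(),   # address(es) Postfix could not bind
        "throttled": Counter(),       # commands master(8) throttled
        "last_connect_before": None,  # (ts, ip) of last inbound connect before failure
    }
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        m = NO_IFACE_RE.search(msg)
        if m:
            summary["failures"] += 1
            summary["bad_addresses"][m.group("ip")] += 1
            if summary["first_failure"] is None:
                summary["first_failure"] = rec["ts"]
            continue
        m = THROTTLE_RE.search(msg)
        if m:
            summary["throttled"][m.group("cmd")] += 1
            continue
        m = CONNECT_RE.match(msg)
        if m and summary["first_failure"] is None:
            summary["last_connect_before"] = (rec["ts"], m.group("ip"))
    return summary


# Sample input: lines copied from the excerpts posted in this thread.
SAMPLE_LOG = """\
May 25 08:12:23 bocacentral postfix/smtpd[1919]: connect from unknown[219.84.219.155]
May 25 08:12:23 bocacentral postfix/smtpd[1919]: lost connection after CONNECT from unknown[219.84.219.155]
May 25 08:12:23 bocacentral postfix/smtpd[1919]: disconnect from unknown[219.84.219.155]
May 25 08:15:43 bocacentral postfix/anvil[1958]: statistics: max connection rate 1/60s for (smtp:219.84.219.155) at May 25 08:12:23
May 25 09:30:08 bocacentral postfix/smtpd[23892]: fatal: parameter inet_interfaces: no local interface found for 69.50.160.213
May 25 09:30:09 bocacentral postfix/master[22144]: warning: process /usr/lib/postfix/smtpd pid 23892 exit status 1
May 25 09:30:09 bocacentral postfix/master[22144]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling
May 25 09:31:09 bocacentral postfix/smtpd[24402]: fatal: parameter inet_interfaces: no local interface found for 69.50.160.213
May 25 09:31:10 bocacentral postfix/master[22144]: warning: process /usr/lib/postfix/smtpd pid 24402 exit status 1
May 25 09:31:10 bocacentral postfix/master[22144]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling
May 29 03:03:51 bocacentral postfix[28179]: fatal: parameter inet_interfaces: no local interface found for 69.50.160.213
""".splitlines()

if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print(f"first fatal bind error: {s['first_failure']}")
    print(f"fatal bind errors: {s['failures']}, addresses: {dict(s['bad_addresses'])}")
    print(f"throttled by master(8): {dict(s['throttled'])}")
    print(f"last inbound connect before failure: {s['last_connect_before']}")
```

Run against a real /var/log/mail.log by replacing SAMPLE_LOG with the file's lines; a non-empty bad_addresses that is not one of the host's own addresses is the signal that the inet_interfaces value is being resolved to something unexpected, which is the check the rest of this thread performs by hand.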
                • Victor Duchovni
                  Message 8 of 20, May 30, 2008
                    On Fri, May 30, 2008 at 11:02:37AM -0400, Dov Oxenberg wrote:

                    > I think you are right on the money as I suspected the same thing.

                    Occam's razor. First eliminate the simple explanations. What does
                    the hostname "ALL" resolve to on your system?

                    host ALL
                    or
                    getent hosts ALL
                    or
                    telnet ALL 25
                    ... note the IP telnet is trying to connect to ...

                    > In looking through my log files, there was a connection from the Sony Network in Taiwan and then 90 minutes later my Postfix no longer works.

                    Spammers connect from all over the world all the time; it is way too early
                    to call this a break-in.

                    --
                    Viktor.

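Viktor's three lookups check what the live resolver does with the word ALL. The following Python script is an added example, not code from this thread or from Postfix; it does the complementary offline check. postconf(5) documents the keywords all and loopback-only, address literals, and host names that must resolve to a local interface, and as Wietse states above ALL is not the keyword, so it is a host name; a bare label is completed with the resolver's search domains, which is how ALL became ALL.com here. The linter classifies each inet_interfaces token and says what the resolver would be asked, so the mistake is caught before a restart. read_param() is a hypothetical minimal main.cf reader, and the main.cf fragment is constructed.

```python
"""Lint a Postfix inet_interfaces value without touching DNS.

Added example, not Postfix code.  Tokens are classified as an exact keyword
("all", "loopback-only"), an address literal, or a host name; host names are
what Postfix hands to the resolver, and a bare label gets the search domains
appended.  read_param() is a hypothetical minimal main.cf reader.
"""
import ipaddress

KEYWORDS = ("all", "loopback-only")   # exact, lower-case, per postconf(5)


def read_param(main_cf_text, name):
    """Return the value of `name` from main.cf text, or None if unset.

    Assumes postconf(5) line rules: "name = value"; a line starting with
    whitespace continues the previous logical line; "#" lines are comments;
    the last assignment wins.  Continuation text is joined with spaces.
    """
    value, current = None, None
    for raw in main_cf_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():                  # continuation of previous logical line
            if current == name and value is not None:
                value = value + " " + raw.strip()
            continue
        key, sep, val = raw.partition("=")
        if not sep:
            current = None
            continue
        current = key.strip()
        if current == name:
            value = val.strip()
    return value


def classify_token(tok):
    """Return (kind, note): kind is 'keyword', 'address' or 'hostname'."""
    if tok in KEYWORDS:
        return "keyword", None
    if tok.lower() in KEYWORDS:
        return ("hostname",
                f'"{tok}" is not the keyword "{tok.lower()}"; '
                f"Postfix will resolve it as a host name")
    try:
        ipaddress.ip_address(tok.strip("[]"))   # main.cf writes IPv6 as [addr]
        return "address", None
    except ValueError:
        pass
    if "." not in tok:
        return ("hostname",
                f'"{tok}" is a bare label; the resolver will append search domains '
                f"(e.g. {tok}.<search-domain>) and the result must be a local address")
    return "hostname", f'"{tok}" must resolve to an address on a local interface'


def lint_inet_interfaces(value):
    """Classify every token of an inet_interfaces value (comma/space separated)."""
    results = []
    for tok in value.replace(",", " ").split():
        kind, note = classify_token(tok)
        results.append({"token": tok, "kind": kind, "note": note})
    return results


def warnings_for(value):
    """Only the tokens that would be handed to DNS, with their explanations."""
    return [r["note"] for r in lint_inet_interfaces(value) if r["note"]]


# Constructed main.cf fragment reproducing the setting from this thread.
SAMPLE_MAIN_CF = """\
# constructed fragment, not the poster's full main.cf
myhostname = bocacentral.example.com
inet_interfaces = ALL
mydestination = $myhostname,
    localhost
"""

if __name__ == "__main__":
    val = read_param(SAMPLE_MAIN_CF, "inet_interfaces")
    for w in warnings_for(val):
        print("warning:", w)
    print("corrected value passes:", warnings_for("all") == [])
```

Point read_param() at the real /etc/postfix/main.cf and run warnings_for() on the result before restarting Postfix; an empty list means every token is a keyword or an address literal and nothing depends on what an outside DNS server returns.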
                  • Dov Oxenberg
                    Message 9 of 20, May 30, 2008
                      Hi Viktor,
                      Well, I seem to have resolved the issue by replacing the value of parameter "inet_interfaces = ALL" with "inet_interfaces = all"
                      Apparently it was indeed an issue of case sensitivity, but I still don't understand why it happened all of a sudden.  As I mentioned previously the VPS has been running fine for about three months with the values I originally posted.
                      In any event, thanks everyone for your help, I sincerely appreciate it.
                      Dov






                      > Date: Fri, 30 May 2008 11:29:14 -0400
                      > From: Victor.Duchovni@...
                      > To: postfix-users@...
                      > Subject: Re: Postfix trying to use invalid IP address...
                      >
                      > On Fri, May 30, 2008 at 11:02:37AM -0400, Dov Oxenberg wrote:
                      >
                      > > I think you are right on the money as I suspected the same thing.
                      >
                      > Occam's razor. First eliminate the simple explanations. What does
                      > the hostname "ALL" resolve to on your system?
                      >
                      > host ALL
                      > or
                      > getent hosts ALL
                      > or
                      > telnet ALL 25
                      > ... note the IP telnet is trying to connect to ...
                      >
                      > > In looking through my log files, there was a connection from the Sony Network in Taiwan and then 90 minutes later my Postfix no longer works.
                      >
                      > Spammers connect from all over the world all the time; it is way too early
                      > to call this a break-in.
                      >
                      > --
                      > Viktor.

                    • Victor Duchovni
                      Message 10 of 20, May 30, 2008
                        On Fri, May 30, 2008 at 11:36:03AM -0400, Dov Oxenberg wrote:

                        > Hi Viktor,
                        > Well, I seem to have resolved the issue by replacing the value of parameter "inet_interfaces = ALL" with "inet_interfaces = all"
                        > Apparently it was indeed an issue of case sensitivity, but I still don't understand why it happened all of a sudden. As I mentioned previously the VPS has been running fine for about three months with the values I originally posted.
                        > In any event, thanks everyone for your help, I sincerely appreciate it.

                        Because your DNS servers are returning a different result when you resolve
                        "ALL". Do try host name lookup experiments I suggested. Did you happen
                        to change anything in main.cf around the time you started having problems?

                        --
                        Viktor.

                      • Dov Oxenberg
                        Message 11 of 20, May 30, 2008
                          Hi Viktor,
                          host ALL returns "ALL.com A 69.50.160.213"
                          getent hosts ALL returns "69.50.160.213 ALL.com"
                          When I try "telnet ALL 25" I receive "trying 69.50.160.213" and "Unable to connect to remote host: Connection refused". What a surprise.
                          I have not changed a thing on the VPS since I got Mailman running in mid to late February.
                          At the moment I am inclined to agree with Bill Cole's suggestion that my system was compromised, but due to my lack of experience in Linux I am unclear as to what steps I can take (beyond inspecting my mail log files) to determine exactly the cause of the problem, or what I can do to prevent this from happening again in the future.
                          Thanks again for your time and effort!
                          Dov






                          > Date: Fri, 30 May 2008 11:53:28 -0400
                          > From: Victor.Duchovni@...
                          > To: boxenberg@...
                          > CC: postfix-users@...
                          > Subject: Re: Postfix trying to use invalid IP address...
                          >
                          > On Fri, May 30, 2008 at 11:36:03AM -0400, Dov Oxenberg wrote:
                          >
                          > > Hi Viktor,
                          > > Well, I seem to have resolved the issue by replacing the value of parameter "inet_interfaces = ALL" with "inet_interfaces = all"
                          > > Apparently it was indeed an issue of case sensitivity, but I still don't understand why it happened all of a sudden. As I mentioned previously the VPS has been running fine for about three months with the values I originally posted.
                          > > In any event, thanks everyone for your help, I sincerely appreciate it.
                          >
                          > Because your DNS servers are returning a different result when you resolve
                          > "ALL". Do try host name lookup experiments I suggested. Did you happen
                          > to change anything in main.cf around the time you started having problems?
                          >
                          > --
                          > Viktor.

                        • Victor Duchovni
                          Message 12 of 20, May 30, 2008
                            On Fri, May 30, 2008 at 12:31:02PM -0400, Dov Oxenberg wrote:

                            > host ALL returns "ALL.com A 69.50.160.213"

                            Well, this is not entirely surprising. The domain all.com got an IP
                            address on 25-May 2008 some time after 07:39:57 GMT.

                            all.com. 86400 IN A 69.50.160.213
                            all.com. 172800 IN NS ns2.tdxwjm-edu.org.
                            all.com. 172800 IN NS ns.tdxwjm-edu.org.
                            ns.tdxwjm-edu.org. 86400 IN A 69.50.160.211
                            ns2.tdxwjm-edu.org. 86400 IN A 69.50.160.211

                            Registrant Contact:
                            ALL LTD
                            Selena Kovalski selenaotorvan@...
                            +4402070715741 fax: +4402070715741
                            306 Victoria House
                            Mahe Victoria 10000
                            sc

                            DNS:
                            ns.tdxwjm-edu.org
                            ns2.tdxwjm-edu.org

                            Created: 2008-01-21
                            Expires: 2014-12-28

                            ---

                            Domain ID:D146854267-LROR
                            Domain Name:TDXWJM-EDU.ORG
                            Created On:24-May-2007 06:06:15 UTC
                            Last Updated On:25-May-2008 07:39:57 UTC
                            Expiration Date:24-May-2009 06:06:15 UTC
                            Sponsoring Registrar:EstDomains, Inc. (R1345-LROR)
                            Status:OK
                            Status:AUTORENEWPERIOD
                            Registrant ID:DI_6546896
                            Registrant Name:Doctor Papper
                            Registrant Organization:Virtual Dob Aven SRL
                            Registrant Street1:Mlsw 19, 1p
                            Registrant Street2:
                            Registrant Street3:
                            Registrant City:Miraje
                            Registrant State/Province:Adrar
                            Registrant Postal Code:213998
                            Registrant Country:DZ
                            Registrant Phone:+003.82293849
                            Registrant Phone Ext.:
                            Registrant FAX:
                            Registrant FAX Ext.:
                            Registrant Email:xs3@...
                            Admin ID:DI_6546896
                            Admin Name:Doctor Papper
                            Admin Organization:Virtual Dob Aven SRL
                            Admin Street1:Mlsw 19, 1p
                            Admin Street2:
                            Admin Street3:
                            Admin City:Miraje
                            Admin State/Province:Adrar
                            Admin Postal Code:213998
                            Admin Country:DZ
                            Admin Phone:+003.82293849
                            Admin Phone Ext.:
                            Admin FAX:
                            Admin FAX Ext.:
                            Admin Email:xs3@...


                            > At the moment I am inclined to agree with Bill Cole's suggestion that
                            > my system was compromised but due to my lack of experience in Linux
                            > am unclear as to what steps I can take (beyond inspecting my mail log
                            > files) to determine exactly the cause of the problem, or what I can do
                            > to prevent this from happening again in the future.

                            There is no reason to think so.

                            --
                            Viktor.

                            Disclaimer: off-list followups get on-list replies or get ignored.
                            Please do not ignore the "Reply-To" header.
                          • Wietse Venema
                            Message 13 of 20 , May 30, 2008
                              Victor Duchovni:
                              > On Fri, May 30, 2008 at 12:31:02PM -0400, Dov Oxenberg wrote:
                              >
                              > > host ALL returns "ALL.com A 69.50.160.213"
                              >
                              > Well, this is not entirely surprising. The domain all.com got an IP
                              > address on 25-May 2008 some time after 07:39:57 GMT.
                              ..
                              > Registrant Contact:
                              > ALL LTD
                              > Selena Kovalski selenaotorvan@...
                              > +4402070715741 fax: +4402070715741
                              > 306 Victoria House
                              > Mahe Victoria 10000
                              > sc

                              It is possible that he had "inet_interfaces = ALL" in main.cf.

                              When I adopted the third-party IPv6 patch, I noticed that it would
                              silently ignore inet_interfaces settings that did not resolve. Such
                              code would silently treat "inet_interfaces = ALL" as a null address
                              list. I did not like this and fixed the code.

                              The third-party IPv6 patch was bundled with Postfix 2.1 and may
                              still be running on some boxes.

                              If this was the problem, then he was having a time bomb in main.cf
                              that was waiting to go off when "ALL" became a valid domain name.

                              Wietse
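Wietse's point is that a value such as "ALL" is not the Postfix keyword "all" and is therefore handed to the resolver as a host name, so the listening address list silently depends on DNS. As an added example (my code, not Postfix's and not from anyone in this thread), the following script audits the inet_interfaces entries in a main.cf fragment and flags bare host names, with a specific warning when the name is merely a wrong-case keyword. The main.cf text is constructed for the example; the keyword set and the case-sensitive match follow the behaviour described in the thread.

```python
import ipaddress
import re

# Keywords Postfix recognises in inet_interfaces. The match is case-sensitive,
# so "ALL" is not a keyword and is treated as a host name to be resolved.
KEYWORDS = {"all", "loopback-only"}

# Constructed main.cf fragment reproducing the configuration from the thread.
SAMPLE_MAIN_CF = """\
# constructed sample, not a real server's main.cf
myhostname = mail.example.invalid
inet_interfaces = ALL
"""


def parse_main_cf(text):
    """Return a dict of parameter -> value from main.cf-style text.

    Lines starting with '#' are comments; a line that begins with whitespace
    continues the previous parameter's value."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        if "=" in raw:
            name, _, value = raw.partition("=")
            current = name.strip()
            params[current] = value.strip()
    return params


def classify_interface(token):
    """Classify one inet_interfaces entry as 'keyword', 'address' or 'hostname'."""
    if token in KEYWORDS:
        return "keyword"
    try:
        ipaddress.ip_address(token.strip("[]"))  # Postfix writes IPv6 in [ ]
        return "address"
    except ValueError:
        return "hostname"


def audit_inet_interfaces(main_cf_text):
    """Return a list of (token, kind, warning) for every inet_interfaces entry.

    Missing parameter means the Postfix default ("all"). Host names get a
    warning because the address Postfix binds to then depends on DNS, which
    can change without any edit to the configuration."""
    params = parse_main_cf(main_cf_text)
    value = params.get("inet_interfaces", "all")
    tokens = [t for t in re.split(r"[\s,]+", value) if t]
    report = []
    for tok in tokens:
        kind = classify_interface(tok)
        warning = None
        if kind == "hostname":
            if tok.lower() in KEYWORDS:
                warning = (f'"{tok}" is not the keyword "{tok.lower()}" '
                           "(keywords are lowercase); it will be resolved as a host name")
            else:
                warning = f'"{tok}" is a host name; the listening address depends on DNS and may change'
        report.append((tok, kind, warning))
    return report


if __name__ == "__main__":
    for tok, kind, warning in audit_inet_interfaces(SAMPLE_MAIN_CF):
        print(f"{tok}: {kind}" + (f" - {warning}" if warning else ""))
```

Run against the constructed fragment it reports "ALL: hostname" with the wrong-case warning; the same check on "inet_interfaces = all" or on a file without the parameter reports a keyword and no warning.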
                            • Randy Ramsdell
                              Message 14 of 20 , May 30, 2008
                                Dov Oxenberg wrote:
                                > Hi Viktor,
                                > host ALL returns "ALL.com A 69.50.160.213"
                                > getent hosts ALL returns "69.50.160.213 ALL.com"
                                > When I try "telnet ALL 25" I receive "trying 69.50.160.213" and
                                > "Unable to connect to remote host: Connection refused" What a surprise.
                                > I have not changed a thing on the VPS since I got Mailman running in
                                > mid to late February.
                                > At the moment I am inclined to agree with Bill Cole's suggestion that
                                > my system was compromised but due to my lack of experience in Linux am
                                > unclear as to what steps I can take (beyond inspecting my mail log
                                > files) to determine exactly the cause of the problem, or what I can do
                                > to prevent this from happening again in the future.
                                > Thanks again for your time and effort!
                                > Dov
                                >
                                >

                                If your system was compromised, why would they change all to ALL? I
                                wouldn't be too convinced this is the case. To test, simply transfer
                                these known good apps to the mailserver: {ps, tcpdump, netstat, lsof}. Run
                                these to see if they match the current ones installed. If you use an rpm
                                based system, run "rpm -Vva" and pay attention to known trojaned
                                binaries such as the ones from the list. This will help you determine if
                                you have a root kit installed. Also run nmap on this system and look for
                                open ports that do not make sense.
                                Make sure to use the -p1-65000 switch to scan all ports.
                                >
                                >
                                > ------------------------------------------------------------------------
                                >
                                > > Date: Fri, 30 May 2008 11:53:28 -0400
                                > > From: Victor.Duchovni@...
                                > > To: boxenberg@...
                                > > CC: postfix-users@...
                                > > Subject: Re: Postfix trying to use invalid IP address...
                                > >
                                > > On Fri, May 30, 2008 at 11:36:03AM -0400, Dov Oxenberg wrote:
                                > >
                                > > > Hi Viktor,
                                > > > Well, I seem to have resolved the issue by replacing the value of
                                > parameter "inet_interfaces = ALL" with "inet_interfaces = all"
                                > > > Apparently it was indeed an issue of case sensitivity, but I still
                                > don't understand why it happened all of a sudden. As I mentioned
                                > previously the VPS has been running fine for about three months with
                                > the values I originally posted.
                                > > > In any event, thanks everyone for your help, I sincerely
                                > appreciate it.
                                > >
                                > > Because your DNS servers are returning a different result when you
                                > resolve
                                > > "ALL". Do try host name lookup experiments I suggested. Did you happen
                                > > to change anything in main.cf around the time you started having
                                > problems.
                                > >
                                > > --
                                > > Viktor.
                                > >
                                > > Disclaimer: off-list followups get on-list replies or get ignored.
                                > > Please do not ignore the "Reply-To" header.
                                >
                              • /dev/rob0
                                Message 15 of 20 , May 30, 2008
                                  On Fri May 30 2008 11:31:02 Dov Oxenberg wrote:
                                  > host ALL returns "ALL.com A 69.50.160.213"
                                  > getent hosts ALL returns "69.50.160.213 ALL.com"

                                  Interesting. Previously this poster had said:

                                  > The only thing in my /etc/resolv.conf is "nameserver 209.51.143.76"

                                  No "search" line. Thus it seems that: 1. either the Debian (? referring
                                  to the original post) C libraries are appending ".com" to unqualified
                                  names (can Debian people test this, please?), or 2. the nameserver at
                                  209.51.143.76 is doing it.

                                  209.51.143.76 is NOT doing that for me. I get NXDOMAIN for "all." Do we
                                  have yet another ill-considered Debian patch in play?


                                  Some notes to the OP:
                                  1. It worked fine until "all.com." (DNS RR names are case-
                                  insensitive) started to resolve to an IP address.
                                  2. REMOVE inet_interfaces, since you want the default setting.
                                  3. There is nothing in this thread to suggest any compromise or
                                  intrusion. Stop being so alarmist, you will drive yourself mad.
                                  *Do* however keep up with your distributor's security patches!
                                  You're using the "snakeoil[1]" SSL certificate which:
                                  A. Was generated with a known-insecure openssl library
                                  B. Is not appropriate for use in the real world.
                                  4. Your Hotmail Webmail client is horribly mangling the mail we see
                                  on the list. Try setting it to send plain-text mail only. Also
                                  consider using a more responsible mail provider.

                                  [1] The name "snakeoil" refers to PRZ's famous PGP readme, and means
                                  that you are not gaining any security from the misuse of encryption
                                  technology.
                                  --
                                  Offlist mail to this address is discarded unless
                                  "/dev/rob0" or "not-spam" is in Subject: header
                                • Bill Cole
                                  Message 16 of 20 , May 30, 2008
                                    At 11:02 AM -0400 5/30/08, Dov Oxenberg wrote:
                                    >Hi Bill,
                                    >I think you are right on the money as I suspected the same thing.
                                    >In looking through my log files, there was a connection from the
                                    >Sony Network in Taiwan and then 90 minutes later my Postfix no
                                    >longer works.

                                    As Victor noted, spammers from all over the place connect to anything
                                    with a port 25 listener, and it is mostly harmless.

                                    When you suspect (but are not certain of) a system compromise, you
                                    have to cast a wider net than looking at connections to Postfix, but
                                    probably a narrower timeframe. You'd particularly want to know about
                                    logins, other processes logging oddities, files changing that should
                                    be static, etc.

                                    However, it seems like Victor identified the proximal cause of the
                                    problem, although you are still left with the oddity of why something
                                    on your system is taking a DNS query for 'all' and turning it into a
                                    query for 'all.com' instead. The only reason I immediately suggested
                                    the possibility of a compromise was the IP address 69.50.160.213.
                                    That address is in a block that has a rather poor reputation, with
                                    the whole /19 network currently being listed on the SBL and
                                    generating this: http://isc.sans.org/diary.html?storyid=997

                                    I agree with Victor that given everything you've found, this *does
                                    not* look like an attack. The nature of the problem with Postfix is
                                    quite clear now without postulating an attack.

                                    --
                                    Bill Cole
                                    bill@...
                                  • Victor Duchovni
                                    Message 17 of 20 , May 30, 2008
                                      On Fri, May 30, 2008 at 12:10:29PM -0500, /dev/rob0 wrote:

                                      > > The only thing in my /etc/resolv.conf is "nameserver 209.51.143.76"
                                      >
                                      > No "search" line. Thus it seems that: 1. either the Debian (? referring
                                      > to the original post) C libraries are appending ".com" to unqualified
                                      > names (can Debian people test this, please?), or 2. the nameserver at
                                      > 209.51.143.76 is doing it.

                                      Without an explicit "search" line, there may be an implicit search list
                                      based on the FQDN of the machine or other system configuration files.

                                      > 209.51.143.76 is NOT doing that for me. I get NXDOMAIN for "all." Do we
                                      > have yet another ill-considered Debian patch in play?

                                      Nothing too dramatic I imagine, just a default search list. If you want
                                      to disable search use:

                                      search .

                                      --
                                      Viktor.

                                      Disclaimer: off-list followups get on-list replies or get ignored.
                                      Please do not ignore the "Reply-To" header.
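To make concrete what rob0 asks about (who appends ".com" to the bare name "ALL") and what Viktor answers (an implicit search list, disabled with "search ."), here is an added example that is mine and not from anyone in this thread. It emulates the glibc stub resolver's search-list rules as documented in resolv.conf(5): the last "search" or "domain" line wins, "options ndots:N" decides whether the name is tried as-is first, and with no such line the default domain is everything after the first label of the local host name. The resolv.conf contents and the host name "vps.com" are constructed to reproduce the thread's symptom; the emulation covers only the client-side search logic, not what the nameserver at 209.51.143.76 returns.

```python
def parse_resolv_conf(text):
    """Extract (search_list, ndots) from resolv.conf text.

    Only 'search', 'domain' and 'options ndots:N' are interpreted; nameserver
    lines are irrelevant to the search logic. Returns search_list=None when
    no search/domain line is present."""
    search = None
    ndots = 1  # glibc default
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] in ("search", "domain") and len(parts) > 1:
            search = parts[1:]  # the last search/domain line wins
        elif parts[0] == "options":
            for opt in parts[1:]:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return search, ndots


def default_search_list(hostname):
    """Default domain used when resolv.conf has no search/domain line:
    everything after the first '.' of the local host name, or nothing if
    the host name has no dot (resolv.conf(5), 'domain' keyword)."""
    _, dot, domain = hostname.partition(".")
    return [domain] if dot and domain else []


def candidate_names(name, resolv_conf_text, hostname):
    """Return, in order, the names the stub resolver would actually query.

    A trailing dot makes the name absolute and bypasses the search list.
    'search .' yields an empty search list, so only the literal name is tried."""
    if name.endswith("."):
        return [name]
    search, ndots = parse_resolv_conf(resolv_conf_text)
    if search is None:
        search = default_search_list(hostname)
    search = [d for d in (s.rstrip(".") for s in search) if d]
    suffixed = [f"{name}.{d}" for d in search]
    if name.count(".") >= ndots:
        return [name] + suffixed   # enough dots: try the name as given first
    return suffixed + [name]       # otherwise walk the search list first


# Constructed inputs: the resolv.conf from the thread and a hypothetical host name
# whose domain part is bare "com", which is what turns "ALL" into "ALL.com".
SAMPLE_RESOLV_CONF = "nameserver 209.51.143.76\n"
SAMPLE_HOSTNAME = "vps.com"


def demo():
    """Show the lookup order with and without Viktor's 'search .' fix."""
    implicit = candidate_names("ALL", SAMPLE_RESOLV_CONF, SAMPLE_HOSTNAME)
    disabled = candidate_names("ALL", "search .\n" + SAMPLE_RESOLV_CONF, SAMPLE_HOSTNAME)
    return implicit, disabled


if __name__ == "__main__":
    implicit, disabled = demo()
    print("implicit search list:", implicit)
    print("with 'search .':     ", disabled)
```

With the constructed host name the implicit search list makes the resolver try "ALL.com" before "ALL", which is exactly the symptom in the thread; adding "search ." removes the suffixing and only "ALL" is queried. The same function generalises to explicit search lists and ndots settings, so it can be used to predict what any unqualified name in a Postfix or other configuration will actually resolve to.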