Goutam Baul wrote:
> Dear List,
> 
> I am finding a large number of mails in the output of postqueue -p where
> neither the sender nor the recipient of the mail is my user. Apparently
> these mails are reaching postfix from the loopback address. I am giving the
> entries for one such message from the maillog:
> 
> Feb 14 04:08:32 mail postfix/smtpd[18165]: 2F97218A856:
> client=localhost[127.0.0.1]
> Feb 14 04:08:32 mail postfix/cleanup[18072]: 2F97218A856:
> message-id=<[email protected]>
> Feb 14 04:08:32 mail postfix/smtp[18164]: 1996118A851:
> to=<[email protected]>, relay=localhost[127.0.0.1], delay=0, status=sent
> (250 Ok: queued as 2F97218A856)
> Feb 14 04:08:32 mail postfix/qmgr[4249]: 2F97218A856:
> from=<[email protected]>, size=1203, nrcpt=1 (queue active)
> Feb 14 04:08:41 mail postfix/smtp[19212]: 2F97218A856:
> to=<[email protected]>, relay=none, delay=9, status=deferred (connect to
> f.mx.mail.yahoo.com[68.142.202.247]: server refused to talk to me: 421 4.7.0
> [TS01] Messages from 210.212.1.111 temporarily deferred due to user
> complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html  )
> Feb 14 04:30:11 mail postfix/qmgr[4249]: 2F97218A856:
> from=<[email protected]>, size=1203, nrcpt=1 (queue active)
> Feb 14 04:46:06 mail postfix/qmgr[4249]: 2F97218A856:
> to=<[email protected]>, relay=none, delay=2254, status=deferred
> (delivery temporarily suspended: connect to
> f.mx.mail.yahoo.com[68.142.202.247]: server refused to talk to me: 421 4.7.0
> [TS01] Messages from 210.212.1.111 temporarily deferred due to user
> complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html  )
> Feb 14 05:36:50 mail postfix/qmgr[4249]: 2F97218A856:
> from=<[email protected]>, size=1203, nrcpt=1 (queue active)
> Feb 14 05:42:07 mail postfix/qmgr[4249]: 2F97218A856:
> to=<[email protected]>, relay=none, delay=5615, status=deferred
> (delivery temporarily suspended: connect to
> d.mx.mail.yahoo.com[66.196.82.7]: server refused to talk to me: 421 4.7.0
> [TS01] Messages from 210.212.1.111 temporarily deferred due to user
> complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html  )
> Feb 14 07:00:15 mail postfix/qmgr[4249]: 2F97218A856:
> from=<[email protected]>, size=1203, nrcpt=1 (queue active)
> Feb 14 07:10:43 mail postfix/qmgr[4249]: 2F97218A856:
> to=<[email protected]>, relay=none, delay=10931, status=deferred
> (delivery temporarily suspended: connect to
> e.mx.mail.yahoo.com[216.39.53.1]: server refused to talk to me: 421 4.7.0
> [TS01] Messages from 210.212.1.111 temporarily deferred due to user
> complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html  )
> Feb 14 08:23:36 mail postfix/qmgr[4249]: 2F97218A856:
> from=<[email protected]>, size=1203, nrcpt=1 (queue active)
> 
> The server is also running apache and squirrel mail for providing web access
> to the users. The output of postconf -n is as follows:
> 
> alias_database = hash:/etc/postfix/aliases
> alias_maps = hash:/etc/postfix/aliases
> broken_sasl_auth_clients = yes
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> content_filter = imss:localhost:10025
> daemon_directory = /usr/libexec/postfix
> debug_peer_level = 2
> default_destination_recipient_limit = 200
> default_process_limit = 105
> disable_vrfy_command = yes
> fallback_transport = virtual
> home_mailbox = Maildir/
> inet_interfaces = all
> ipc_timeout = 5000s
> local_transport = maildrop
> mail_owner = postfix
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> message_size_limit = 25728640
> mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
> rpgnet.com
> mydomain = rpg.in
> myhostname = mail.rpg.in
> mynetworks = 127.0.0.0/8, 10.50.0.0/16
> mynetworks_style = subnet
> myorigin = $mydomain
> newaliases_path = /usr/bin/newaliases.postfix
> queue_directory = /var/spool/postfix
> rbl_reply_maps = hash:/etc/postfix/imss_rbl_reply
> relay_recipient_maps = ldap:/etc/postfix/virtual-mailbox.ldap
> sample_directory = /etc/postfix
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> smtpd_client_restrictions = check_sender_access
> hash:/etc/postfix/rbl_sender_exception,reject_rbl_client
> ASNQWAVAPX7S683TZDZFBFUVXP56QLC.r.mail-abuse.com,reject_rbl_client
> ASNQWAVAPX7S683TZDZFBFUVXP56QLC.q.mail-abuse.com
> smtpd_helo_required = yes
> smtpd_recipient_limit = 250
> smtpd_recipient_restrictions = permit_mynetworks,
> permit_auth_destination,         permit_sasl_authenticated,         reject
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain = $myhostname
> smtpd_sasl_security_options = noanonymous
> smtpd_sender_restrictions = permit_mynetworks,
> reject_unknown_sender_domain,        permit_sasl_authenticated
> smtpd_tls_auth_only = no
> soft_bounce = no
> transport_maps = hash:/etc/postfix/transport
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = ldap:forward
> virtual_gid_maps = ldap:/etc/postfix/virtual-gid.ldap
> virtual_mailbox_base = /home/vmail
> virtual_mailbox_maps = ldap:/etc/postfix/virtual-mailbox.ldap
> virtual_minimum_uid = 5000
> virtual_uid_maps = ldap:/etc/postfix/virtual-uid.ldap
> 
> We are using Trend Micro products for controlling spam and viruses. At the
> moment I am trying to stop these mails from entering the queue by adding the
> sender address in the check_sender_access map. But because the sender
> address is changing frequently, this is becoming ineffective. I think somehow I
> have configured the server in a wrong way and that is why these mails are
> getting access to the system. May I request you to kindly point me in the
> right direction?
> 
> With regards,
> 
> Goutam Baul
> 


The first thing I see is that the email appears to be coming through
webmail (squirrelmail). My guess is someone's account was "hacked" and
the spammer is using the webmail account to spam other addresses. Find
out whose account it is, change the password or disable it until you
can fix the issue.

-Matt
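One thing that makes the log above hard to read is the content_filter hop: the message arrives once under the real client's queue ID (here 1996118A851), is handed to imss on localhost:10025, and comes back through smtpd as a new queue ID (2F97218A856) with client=localhost[127.0.0.1]. The "from localhost" entries in postqueue -p are therefore the reinjected copies, and the account that submitted the mail is recorded on the first queue ID, not the one that is stuck in the queue. The script below is an added example written for this thread, not code from either poster or from Postfix. It links the two queue IDs through the "queued as" text, walks back to the originating smtpd record, and flags messages whose sender and recipient are both outside the domains listed in the poster's mydestination. The log lines it parses are constructed to mirror the post's format; the addresses, PIDs, the sasl_username field and the second (legitimate inbound) message are invented placeholders. When the originating record shows client=localhost without a sasl_username, the submission came from a local process such as the webmail front end and the next place to look is its own logs, as Matt suggests.

```python
"""Correlate Postfix maillog lines across a content_filter hop and flag
relayed mail whose sender and recipient are both foreign to this server.
Added example for this thread; log lines are constructed, not real."""
import re
from collections import defaultdict

# Domains this server treats as its own (taken from the poster's mydestination).
LOCAL_DOMAINS = {"rpg.in", "mail.rpg.in", "rpgnet.com", "localhost", "localhost.rpg.in"}

# Constructed sample: one abusive submission that goes through the filter and is
# deferred by the remote MX, plus one legitimate inbound message for contrast.
SAMPLE_LOG = """\
Feb 14 04:08:31 mail postfix/smtpd[18160]: 1996118A851: client=localhost[127.0.0.1], sasl_method=LOGIN, sasl_username=alice
Feb 14 04:08:31 mail postfix/qmgr[4249]: 1996118A851: from=<random123@freemail.example>, size=1203, nrcpt=1 (queue active)
Feb 14 04:08:32 mail postfix/smtpd[18165]: 2F97218A856: client=localhost[127.0.0.1]
Feb 14 04:08:32 mail postfix/smtp[18164]: 1996118A851: to=<victim@yahoo.example>, relay=localhost[127.0.0.1], delay=0, status=sent (250 Ok: queued as 2F97218A856)
Feb 14 04:08:32 mail postfix/qmgr[4249]: 2F97218A856: from=<random123@freemail.example>, size=1203, nrcpt=1 (queue active)
Feb 14 04:08:41 mail postfix/smtp[19212]: 2F97218A856: to=<victim@yahoo.example>, relay=none, delay=9, status=deferred (connect to mx.yahoo.example[192.0.2.25]: server refused to talk to me: 421 4.7.0 [TS01] Messages from 210.212.1.111 temporarily deferred due to user complaints)
Feb 14 04:09:00 mail postfix/smtpd[18165]: 3A11118A900: client=mail.partner.example[192.0.2.10]
Feb 14 04:09:00 mail postfix/qmgr[4249]: 3A11118A900: from=<bob@partner.example>, size=900, nrcpt=1 (queue active)
Feb 14 04:09:00 mail postfix/smtp[18164]: 3A11118A900: to=<carol@rpg.in>, relay=localhost[127.0.0.1], delay=0, status=sent (250 Ok: queued as 4B22218A901)
Feb 14 04:09:01 mail postfix/smtpd[18166]: 4B22218A901: client=localhost[127.0.0.1]
Feb 14 04:09:01 mail postfix/qmgr[4249]: 4B22218A901: from=<bob@partner.example>, size=900, nrcpt=1 (queue active)
Feb 14 04:09:01 mail postfix/virtual[18170]: 4B22218A901: to=<carol@rpg.in>, relay=virtual, delay=1, status=sent (delivered to maildir)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/(?P<prog>\w+)\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): (?P<rest>.*)$"
)


def field(rest, key):
    """Value of key=... in a Postfix log line, angle brackets stripped, else None."""
    m = re.search(r"\b" + re.escape(key) + r"=(<[^>]*>|[^,\s]+)", rest)
    return m.group(1).strip("<>") if m else None


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if addr and "@" in addr else ""


def parse_log(text):
    """One record per queue ID; a 'queued as' result behind relay=localhost links
    the pre-filter queue ID to the ID the content filter reinjected it under."""
    msgs = defaultdict(lambda: {"client": None, "sasl_username": None, "sender": None,
                                "recipients": [], "reinjected_as": None,
                                "reinjected_from": None})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        qid, prog, rest = m["qid"], m["prog"], m["rest"]
        rec = msgs[qid]
        if prog == "smtpd":
            rec["client"] = field(rest, "client")
            rec["sasl_username"] = field(rest, "sasl_username")
        elif prog == "qmgr" and field(rest, "from") is not None:
            rec["sender"] = field(rest, "from")
        elif field(rest, "to") is not None:  # smtp, virtual, local, qmgr deferrals
            relay = field(rest, "relay") or ""
            rec["recipients"].append((field(rest, "to"), relay, field(rest, "status"), rest))
            q = re.search(r"queued as ([0-9A-F]+)", rest)
            if q and relay.startswith("localhost"):
                rec["reinjected_as"] = q.group(1)
                msgs[q.group(1)]["reinjected_from"] = qid
    return dict(msgs)


def origin(msgs, qid):
    """Walk back across filter reinjections to the queue ID whose smtpd record
    shows the client that actually submitted the message."""
    seen = set()
    while msgs[qid]["reinjected_from"] and qid not in seen:
        seen.add(qid)
        qid = msgs[qid]["reinjected_from"]
    return qid


def suspicious_relays(msgs, local_domains=LOCAL_DOMAINS):
    """Queue IDs that tried a real outbound delivery (relay is a remote host or
    'none') where neither sender nor recipient belongs to a local domain: the
    pattern the poster is seeing in postqueue -p."""
    hits = []
    for qid, rec in msgs.items():
        for to, relay, status, _ in rec["recipients"]:
            if relay.startswith("localhost"):
                continue  # hop into the content filter, not a delivery attempt
            if domain(rec["sender"]) in local_domains or domain(to) in local_domains:
                continue
            o = origin(msgs, qid)
            hits.append({"qid": qid, "origin": o, "client": msgs[o]["client"],
                         "sasl_username": msgs[o]["sasl_username"],
                         "sender": rec["sender"], "to": to, "status": status})
    return hits


def deferred_421(msgs):
    """(queue ID, recipient) pairs deferred with a 421 policy response such as
    Yahoo's TS01; each is reputation damage already incurred by this IP."""
    return [(qid, to) for qid, rec in msgs.items()
            for to, _, status, rest in rec["recipients"]
            if status == "deferred" and " 421 " in rest]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for h in suspicious_relays(parsed):
        print(f"{h['qid']} (origin {h['origin']}, client {h['client']}, "
              f"sasl_username {h['sasl_username']}): {h['sender']} -> {h['to']} [{h['status']}]")
    print("421 deferrals:", deferred_421(parsed))
```

Run against a real maillog by replacing SAMPLE_LOG with the file contents and LOCAL_DOMAINS with the domains from your own mydestination and virtual mailbox maps; the origin's client and sasl_username fields (or their absence) tell you which account or local service to lock down.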
