How to prevent emails being sent with fake accounts in domain

Short version: What can be done to prevent emails being sent from our SMTP mail server using fake accounts that do not really exist in the domain?
Longer version: We use Plesk to manage our site hosted on a Windows VPS. By enabling SMTP logging on MailEnable, I noticed that a lot of emails are being sent with accounts that do not exist in the domain. I reproduce below a small portion of the log. Here stolav-gw4@ourDomain.com and tango@ourDomain.com are accounts that do not exist in our domain. What can be done to prevent such emails from being sent?
Things I have already tried that haven't stopped these:
I already have set the SPF record entry. The entry is: v=spf1 a mx -all
I have changed all the passwords. That hasn't helped.
I have enabled DKIM.
I ran the following virus/malware detectors and they found nothing: VirusTotal Website Check, MSERT.exe from Microsoft, MSRT.exe from Microsoft
2021-02-17 06:00:02 212.70.149.71 SMTP-IN - our.ip.address.here 1228 AUTH {blank} 334+UGFzc3dvcmQ6 WIN-DFQOE4PNR36 18 38 stolav-gw4@ourDomain.com
2021-02-17 06:00:03 212.70.149.71 SMTP-IN - 104.128.234.235 1296 RSET RSET 250+Requested+mail+action+okay,+completed WIN-DFQOE4PNR36 43 6 -
2021-02-17 06:00:03 212.70.149.85 SMTP-IN - 104.128.234.235 1448 QUIT QUIT 221+Service+closing+transmission+channel WIN-DFQOE4PNR36 42 6 tango@ourDomain.com
2021-02-17 06:00:04 87.246.7.242 SMTP-IN - our.ip.address.here 1876 EHLO EHLO+User 250-ourDomain.com+[87.246.7.242],+this+server+offers+5+extensions WIN-DFQOE4PNR36 242 11 -
2021-02-17 06:00:04 212.70.149.85 SMTP-IN - our.ip.address.here 1848 AUTH {blank} 334+UGFzc3dvcmQ6 WIN-DFQOE4PNR36 18 34 tango@ourDomain.com
2021-02-17 06:00:04 212.70.149.71 SMTP-IN - our.ip.address.here 1228 AUTH c3RvbGF2LWd3NEAxMjM= 535+Invalid+Username+or+Password WIN-DFQOE4PNR36 34 22 stolav-gw4@ourDomain.com
2021-02-17 06:00:04 212.70.149.71 SMTP-IN - 104.128.234.235 1296 AUTH AUTH+LOGIN 334+VXNlcm5hbWU6 WIN-DFQOE4PNR36 18 12 -
2021-02-17 06:00:05 87.246.7.242 SMTP-IN - our.ip.address.here 1876 RSET RSET 250+Requested+mail+action+okay,+completed WIN-DFQOE4PNR36 43 6 -
2021-02-17 06:00:05 212.70.149.71 SMTP-IN - our.ip.address.here 1228 QUIT QUIT 221+Service+closing+transmission+channel WIN-DFQOE4PNR36 42 6 stolav-gw4@ourDomain.com
2021-02-17 06:00:05 212.70.149.85 SMTP-IN - our.ip.address.here 1848 AUTH Y3Zibm0xMjM= 535+Invalid+Username+or+Password WIN-DFQOE4PNR36 34
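As an added example (not from the question or from MailEnable), the script below parses SMTP-IN activity lines of the format shown above and reports, per remote IP, how many AUTH commands got a 535 reply and which accounts were tried, recovering the account for the truncated last line from its session. The field positions are inferred from the excerpt, and the list of real mailboxes is an assumed placeholder.

```python
"""Summarise failed SMTP AUTH attempts in a MailEnable SMTP-IN activity log.

Field positions are inferred from the excerpt in the question:
date time remote_ip SMTP-IN - local_ip session cmd argument response host bytes bytes account
MailEnable writes '+' in place of spaces inside the argument and response fields.
"""
from collections import defaultdict

# Constructed sample: lines taken from the question, '#' restored to '@'.
# The last line is truncated exactly as it is in the question.
SAMPLE_LOG = """\
2021-02-17 06:00:02 212.70.149.71 SMTP-IN - our.ip.address.here 1228 AUTH {blank} 334+UGFzc3dvcmQ6 WIN-DFQOE4PNR36 18 38 stolav-gw4@ourDomain.com
2021-02-17 06:00:04 87.246.7.242 SMTP-IN - our.ip.address.here 1876 EHLO EHLO+User 250-ourDomain.com+[87.246.7.242],+this+server+offers+5+extensions WIN-DFQOE4PNR36 242 11 -
2021-02-17 06:00:04 212.70.149.85 SMTP-IN - our.ip.address.here 1848 AUTH {blank} 334+UGFzc3dvcmQ6 WIN-DFQOE4PNR36 18 34 tango@ourDomain.com
2021-02-17 06:00:04 212.70.149.71 SMTP-IN - our.ip.address.here 1228 AUTH c3RvbGF2LWd3NEAxMjM= 535+Invalid+Username+or+Password WIN-DFQOE4PNR36 34 22 stolav-gw4@ourDomain.com
2021-02-17 06:00:05 212.70.149.85 SMTP-IN - our.ip.address.here 1848 AUTH Y3Zibm0xMjM= 535+Invalid+Username+or+Password WIN-DFQOE4PNR36 34
"""

# Assumed placeholder for the mailboxes that really exist in the domain.
KNOWN_ACCOUNTS = {"info@ourdomain.com", "sales@ourdomain.com"}


def parse_line(line):
    """Return a dict for one SMTP-IN line, or None if it is not one.

    A line cut off before the account column (as the last sample line is)
    is still accepted; its account is reported as '-'.
    """
    f = line.split()
    if len(f) < 10 or f[3] != "SMTP-IN":
        return None
    return {
        "time": f[0] + " " + f[1],
        "remote_ip": f[2],
        "session": f[6],
        "command": f[7],
        "argument": f[8].replace("+", " "),
        "response": f[9].replace("+", " "),
        "status": f[9][:3],
        "account": f[13] if len(f) > 13 else "-",
    }


def summarise(log_text, known_accounts=KNOWN_ACCOUNTS):
    """Per remote IP: count of 535 AUTH replies and the accounts attempted.

    The account column is missing on the final AUTH line of a truncated
    record, so it is recovered from an earlier line of the same session
    (same remote IP and session id), where MailEnable logged it on the
    334 prompt.
    """
    session_account = {}
    stats = defaultdict(lambda: {"failed_auth": 0, "accounts": set(),
                                 "unknown_accounts": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["remote_ip"], rec["session"])
        if rec["account"] != "-":
            session_account[key] = rec["account"]
        account = session_account.get(key, "-")
        if rec["command"] == "AUTH" and rec["status"] == "535":
            s = stats[rec["remote_ip"]]
            s["failed_auth"] += 1
            if account != "-":
                s["accounts"].add(account)
                if account.lower() not in known_accounts:
                    s["unknown_accounts"].add(account)
    return dict(stats)


def suspicious_sources(log_text, threshold=1):
    """IPs with at least `threshold` failed AUTH attempts, most failures first."""
    stats = summarise(log_text)
    hits = [(ip, s["failed_auth"]) for ip, s in stats.items()
            if s["failed_auth"] >= threshold]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for ip, s in summarise(SAMPLE_LOG).items():
        print(ip, s["failed_auth"], sorted(s["unknown_accounts"]))
```

Feeding a full day's log through `suspicious_sources` with a higher threshold gives the list of sources worth blocking at the firewall; the EHLO-only client in the sample never appears because it sent no AUTH.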

Start using a proper DMARC record in your DNS: https://www.linuxbabe.com/mail-server/create-dmarc-record
You would probably want the reject policy: "reject: tells receiving email servers to reject the email if DMARC check fails".
Might want to read all the parts on that site. I used it once to set up my mail server and it's very informative.
That IP that abuses your mail is known for doing that. My logs:
Mar 25 04:34:12 main postfix/smtps/smtpd[35405]: warning: unknown[212.70.149.71]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 25 04:34:18 main postfix/smtps/smtpd[35405]: lost connection after AUTH from unknown[212.70.149.71]
Mar 25 04:34:18 main postfix/smtps/smtpd[35405]: disconnect from unknown[212.70.149.71] ehlo=1 auth=0/1 rset=1 commands=2/3
Mar 25 04:35:27 main postfix/smtps/smtpd[35405]: connect from unknown[212.70.149.71]
Mar 25 04:35:37 main postfix/smtps/smtpd[35405]: Anonymous TLS connection established from unknown[212.70.149.71]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 25 04:36:05 main postfix/smtps/smtpd[35405]: warning: unknown[212.70.149.71]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 25 04:36:10 main postfix/smtps/smtpd[35405]: lost connection after AUTH from unknown[212.70.149.71]
Mar 25 04:36:10 main postfix/smtps/smtpd[35405]: disconnect from unknown[212.70.149.71] ehlo=1 auth=0/1 rset=1 commands=2/3
Mar 25 04:37:20 main postfix/smtps/smtpd[35405]: connect from unknown[212.70.149.71]
Mar 25 04:37:30 main postfix/smtps/smtpd[35405]: Anonymous TLS connection established from unknown[212.70.149.71]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 25 04:37:58 main postfix/smtps/smtpd[35405]: warning: unknown[212.70.149.71]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Which is repeated many, many times. No e-mails are sent from that IP, though.
Tried blocking that IP in the firewall, but that didn't seem to work :? Would like to know why, though, so if anyone knows, I'd like to hear it!
Information about it may be on one of those pages. Not sure, because it's been a while, and I don't have the time myself at this precise moment to check it out.

You can use 3rd party programs:
RdpGuard detects and blocks invalid connection attempts (RDP, SMTP, POP ...) using Windows firewall
gykkSPAM (antispam filter) filters incoming and outgoing emails using local postoffices and authentication types

Handshake Failed test connectivity for OpenVPN

I am trying to set up OpenVPN on Ubuntu 20.04. I'm not experienced in this area. After I set up OpenVPN, I performed a connectivity test and received a handshake error message:
Sun Jul 26 05:53:17 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]68.228.217.219:1194
Sun Jul 26 05:53:17 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Jul 26 05:53:17 2020 UDP link local: (not bound)
Sun Jul 26 05:53:17 2020 UDP link remote: [AF_INET]My_Public_ISP_IP:1194
Sun Jul 26 05:54:17 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Jul 26 05:54:17 2020 TLS Error: TLS handshake failed
Sun Jul 26 05:54:17 2020 SIGUSR1[soft,tls-error] received, process restarting
Sun Jul 26 05:54:17 2020 Restart pause, 5 second(s)
Then I checked the log:
journalctl --identifier openvpn
I found two error messages which I believe are why my OpenVPN cannot connect.
This is one of the error messages:
Could not determine IPv4/IPv6 protocol. Using AF_INET
I noticed it's using my old client .conf file:
Error Message
My new .conf file is local.ovpn/
I tried removing the client conf (sudo rm -vf BigK) and replacing it with local.ovpn, but it didn't work.
I need help figuring this issue out. I tried researching on my own but I came up short.
UPDATE
After several hours of researching online, the closest post I found to help me is this post https://unix.stackexchange.com/questions/385966/openvpn-error-status-2-and-cant-connect-to-internet-while-using which didn't help.
I checked my client.conf
client
dev tun
proto udp
remote Public_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
block-outside-dns
verb 3
<ca>
Here is my server.conf
local IP
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
explicit-exit-notify
Here is localvpn.ovpn
client
dev tun
proto udp
remote Public_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
block-outside-dns
verb 3
I faced the same problem and didn't find any solution. I was looking for another way to connect to the OpenVPN server and it helped me.
Ubuntu 20.04 has a default tool for using OpenVPN:
Settings -> Network
Click + icon on one line with the VPN title
Choose Import from file... option and select your .ovpn config file in the popup window
Click Add button and that's it
PS: I hope it will help somebody save some hours.

Facing connection reset and timeout error while sending email through sendmail via smtp. How to fix this?

I've got a problem configuring sendmail to send email through SMTP.
My goal is to have the ability to send mail from a PHP application using SMTP.
I have to migrate to a new server some old legacy PHP applications which use the standard "mail()" PHP function, and I can't modify the code, so I can't just use something like "phpMailer" or the "pear mail package" instead.
I've followed this guide (venice answer) sendmail: how to configure sendmail on ubuntu? , and watched many others that say the same thing...
I've already installed and configured sendmail, and it works fine for sending local mail (if I send an email to root@localhost, I receive it correctly) but not for sending "normal" email.
Every time I send an email I get these errors in the mail.log file:
Nov 26 15:38:17 compute-prod-main-2-vm sm-mta[22434]: xAQFcH3g022434: from=<Mattia@compute-prod-main-2-vm.europe-west1-b.c.fine-command-242712.in>, size=418, class=0, nrcpts=1, msgid=<201911261538.xAQFcHXA022433@compute-prod-main-2-vm.europe-west1-b.c.fine-command-242712.in>, proto=ESMTP, daemon=MTA-v4, relay=localhost [127.0.0.1]
Nov 26 15:38:17 compute-prod-main-2-vm sendmail[22433]: xAQFcHXA022433: to=mattiabonzi@libero.it, ctladdr=Mattia (1002/1005), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30105, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (xAQFcH3g022434 Message accepted for delivery)
Nov 26 15:38:33 compute-prod-main-2-vm sendmail[22444]: xAQFcXYx022444: from=Mattia, size=80, class=0, nrcpts=1, msgid=<201911261538.xAQFcXYx022444@compute-prod-main-2-vm.europe-west1-b.c.fine-command-242712.in>, relay=root@localhost
Nov 26 15:38:33 compute-prod-main-2-vm sm-mta[22445]: xAQFcXOb022445: from=<Mattia@compute-prod-main-2-vm.europe-west1-b.c.fine-command-242712.in>, size=469, class=0, nrcpts=1, msgid=<201911261538.xAQFcXYx022444@compute-prod-main-2-vm.europe-west1-b.c.fine-command-242712.in>, proto=ESMTP, daemon=MTA-v4, relay=localhost [127.0.0.1]
Nov 26 15:38:33 compute-prod-main-2-vm sendmail[22444]: xAQFcXYx022444: to=mattiabonzi@openworks.it, ctladdr=Mattia (1002/1005), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30080, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (xAQFcXOb022445 Message accepted for delivery)
Nov 26 15:38:37 compute-prod-main-2-vm sm-mta[21588]: xAQFXbC8021586: timeout waiting for input from authsmtp.securemail.pro during client greeting
Nov 26 15:38:37 compute-prod-main-2-vm sm-mta[21588]: xAQFXbC8021586: to=<mattiabonzi@libero.it>, delay=00:05:00, xdelay=00:05:00, mailer=relay, pri=120418, relay=authsmtp.securemail.pro [81.88.48.66], dsn=4.0.0, stat=Deferred: Connection timed out with authsmtp.securemail.pro
Nov 26 15:41:00 compute-prod-main-2-vm sm-mta[21743]: xAQFa0cV021741: timeout waiting for input from authsmtp.securemail.pro during client greeting
Nov 26 15:41:00 compute-prod-main-2-vm sm-mta[21743]: xAQFa0cV021741: to=<mattiabonzi@libero.it>, delay=00:05:00, xdelay=00:05:00, mailer=relay, pri=120418, relay=authsmtp.securemail.pro [81.88.48.66], dsn=4.0.0, stat=Deferred: Connection timed out with authsmtp.securemail.pro
Nov 26 15:42:02 compute-prod-main-2-vm sm-mta[21765]: xAQFb1PN021763: timeout waiting for input from authsmtp.securemail.pro during client greeting
Nov 26 15:42:02 compute-prod-main-2-vm sm-mta[21765]: xAQFb1PN021763: to=<mattiabonzi@libero.it>, delay=00:05:01, xdelay=00:05:01, mailer=relay, pri=120418, relay=authsmtp.securemail.pro [81.88.48.66], dsn=4.0.0, stat=Deferred: Connection timed out with authsmtp.securemail.pro
Nov 26 15:43:06 compute-prod-main-2-vm sm-mta[22415]: xAQFNe4X021461: to=<mattiabonzi@libero.it>, delay=00:19:26, xdelay=00:05:00, mailer=relay, pri=210466, relay=authsmtp.securemail.pro [81.88.48.66], dsn=4.0.0, stat=Deferred: Connection reset by authsmtp.securemail.pro
Nov 26 15:43:06 compute-prod-main-2-vm sm-mta[22415]: xAQFH7gj020614: to=<mattiabonzi@libero.it>, delay=00:25:59, xdelay=00:00:00, mailer=relay, pri=300466, relay=authsmtp.securemail.pro, dsn=4.0.0, stat=Deferred: Connection reset by authsmtp.securemail.pro
Nov 26 15:43:06 compute-prod-main-2-vm sm-mta[22415]: xAQFBfZq020461: to=<mattiabonzi@openworks.it>, delay=00:31:25, xdelay=00:00:00, mailer=relay, pri=300469, relay=authsmtp.securemail.pro, dsn=4.0.0, stat=Deferred: Connection reset by authsmtp.securemail.pro
Nov 26 15:43:06 compute-prod-main-2-vm sm-mta[22415]: xAQEkePb016232: to=<mattiabonzi@openworks.it>, delay=00:56:26, xdelay=00:00:00, mailer=relay, pri=390469, relay=authsmtp.securemail.pro, dsn=4.0.0, stat=Deferred: Connection reset by authsmtp.securemail.pro
Nov 26 15:43:06 compute-prod-main-2-vm sm-mta[22415]: xAQEkfdA016262: to=<mattiabonzi@openworks.it>, delay=00:56:25, xdelay=00:00:00, mailer=relay, pri=390469, relay=authsmtp.securemail.pro, dsn=4.0.0, stat=Deferred: Connection reset by authsmtp.securemail.pro
Nov 26 15:43:06 compute-prod-main-2-vm sm-mta[22415]: xAQEkgiG016272: to=<mattiabonzi@openworks.it>, delay=00:56:24, xdelay=00:00:00, mailer=relay, pri=390469, relay=authsmtp.securemail.pro, dsn=4.0.0, stat=Deferred: Connection reset by authsmtp.securemail.pro
Nov 26 15:43:06 compute-prod-main-2-vm sm-mta[22415]: xAQEkfEJ016252: to=<mattiabonzi@openworks.it>, delay=00:56:25, xdelay=00:00:00, mailer=relay, pri=390469, relay=authsmtp.securemail.pro, dsn=4.0.0, stat=Deferred: Connection reset by authsmtp.securemail.pro
This is what I've initially added to the sendmail.mc file:
define(`SMART_HOST',`authsmtp.securemail.pro')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
FEATURE(`authinfo',`hash /etc/mail/auth/client-info')dnl
I've done some research and understood that the problem may be the port that sendmail is using for the SMTP connection.
I've tried to telnet my ISP and I'm able to contact it only on port 465, but I cannot find a way to change the port that sendmail is using.
I've tried to add these lines, but with no luck:
define(`ESMTP_MAILER_ARGS', `TCP $h 465')dnl
define(`RELAY_MAILER_ARGS', `TCP $h 465')dnl
I've also noticed that another server that I have with sendmail installed and properly configured is using the mailer esmtp, while this installation uses relay instead; is that normal?
What am I doing wrong?
Thank you in advance, I hope that I've listed all the relevant details.
First, find more info. Force a delivery retry in verbose mode with SMTP session tracking.
It provides useful hints in most cases (well above 50% based on my experience).
To push the email with queue id xAQEkfEJ016252, as root execute the following command:
sendmail -v -qIxAQEkfEJ016252

Postfix possible SMTP attack and blacklist

I have Plesk 12.5.30 on my server, which is often blacklisted on Symantec Mail Security reputation.
The IP is new (I purchased the server on 13.02.2017).
Also my IP is blacklisted on BACKSCATTERER.
Looking at the postfix log I have a lot of entries like:
Mar 22 14:51:43 server postfix/smtpd[14204]: connect from 75-143-80-240.dhcp.aubn.al.charter.com[75.143.80.240]
Mar 22 14:51:45 server postfix/smtpd[14204]: lost connection after EHLO from 75-143-80-240.dhcp.aubn.al.charter.com[75.143.80.240]
Mar 22 14:51:45 server postfix/smtpd[14204]: disconnect from 75-143-80-240.dhcp.aubn.al.charter.com[75.143.80.240]
Mar 22 14:51:50 server postfix/smtpd[14204]: connect from 128.128.72.76.cable.dhcp.goeaston.net[76.72.128.128]
Mar 22 14:51:51 server postfix/smtpd[14204]: lost connection after EHLO from 128.128.72.76.cable.dhcp.goeaston.net[76.72.128.128]
Mar 22 14:51:51 server postfix/smtpd[14204]: disconnect from 128.128.72.76.cable.dhcp.goeaston.net[76.72.128.128]
Mar 22 14:52:19 server postfix/smtpd[14204]: connect from mail.dedeckeraccountants.be[91.183.46.186]
Mar 22 14:52:19 server postfix/smtpd[14204]: disconnect from mail.dedeckeraccountants.be[91.183.46.186]
I have:
Changed the smtp port to a non standard one (9456)
Installed firewall and fail2ban on plesk and set them as in the image
Set the mail settings of plesk as in the image
Installed SpamAssassin
I have also noticed that some days ago I had lines in the log like these:
Mar 19 06:47:00 server postfix/smtp[13517]: CCC1C510023D: to=<229e7dc3183452c7d3290d1ba28f073e@www.lablue.de>, relay=none, delay=235637, delays=235636/0.05/0.09/0, dsn=4.4.1, status=deferred (connect to www.lablue.de[217.22.195.26]:25: Connection refused)
Mar 19 06:47:00 server postfix/smtp[13503]: 7EDD55100138: to=<Weber226@brockel.kirche-rotenburg.de>, relay=kirche-rotenburg-verden.de[136.243.213.122]:25, delay=239980, delays=239979/0.01/0.35/0.1, dsn=4.0.0, status=deferred (host kirche-rotenburg-verden.de[136.243.213.122] said: 451 Temporary local problem - please try later (in reply to RCPT TO command))
Mar 19 06:47:00 server postfix/smtp[13504]: 97B055100233: to=<office@angerlehner.at>, relay=none, delay=222922, delays=222922/0.01/0.64/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=angerlehner.at type=MX: Host not found, try again)
Mar 19 06:47:00 server postfix/smtp[13509]: 1E15F510019B: host mx1.leventboru.com.tr[89.19.1.69] said: 450 4.7.1 Recipient address rejected: Requested action not taken: mailbox unavailable or not local (in reply to RCPT TO command)
And I noticed a very long mail queue in the plesk settings (I have deleted all mail in the queue).
Any advice to block this attack??
Thanks in advance
Edit: I want to share my plesk-postfix settings:
[plesk-postfix]
enabled = true
filter = postfix-sasl
action = iptables-multiport[name="plesk-postfix", port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
logpath = /var/log/maillog
maxretry = 2
Is there something I can improve here?
You might consider using a Fail2Ban filter with the following regex expressions:
failregex = ^%(__prefix_line)slost connection after (AUTH|UNKNOWN|EHLO) from [^\[]*\[<HOST>\]\s*$
If you need further Fail2Ban regex expressions, pls. consider adding the corresponding log file entries, because some general standard ones may not suit your needs and/or your qmail/postfix/imap-courier/dovecot version installed on your server. ;-)
Edit:
In order to be more precise, I now add the full suggestion, incl. the regex, that @MattiaDiGiuseppe already used in his comments - it's just a bit better formatted this way.
[Definition]
_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]
failregex = ^%(__prefix_line)swarning: (.*?)does not resolve to address <HOST>: Name or service not known$
^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$
^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .* Relay access denied.*$
^%(__prefix_line)sSSL_accept error from \S+\s*\[<HOST>\]: lost connection$
^%(__prefix_line)sSSL_accept error from \S+\s*\[<HOST>\]: -1$
^%(__prefix_line)slost connection after (AUTH|UNKNOWN|EHLO) from [^\[]*\[<HOST>\]\s*$
ignoreregex = authentication failed: Connection lost to authentication server$
Pls. consider having a look at all standard filters (for Fail2Ban 0.10 AND older versions) by visiting:
=> https://github.com/fail2ban/fail2ban/tree/0.10/config/filter.d
If you desire to view the standards for older versions, just click on the "Branch: 0.10" dropdown button, pls.
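As an added example (not part of the answer or of Fail2Ban), the script below replays the filter from the answer above in plain Python against Postfix log lines quoted in these threads, so the match of each failregex, the effect of ignoreregex, and the jail's maxretry = 2 can be checked before the filter is deployed. The `__prefix_line` definition is a simplified stand-in for Fail2Ban's built-in one, and the `<HOST>` expansion is Fail2Ban's default.

```python
"""Replay the Fail2Ban filter from the answer above against Postfix log lines."""
import re
from collections import Counter

# Stand-in for Fail2Ban's built-in __prefix_line (syslog timestamp, host,
# daemon[pid]:). The real definition in common.conf is more general; this
# simplified one covers the syslog layout of the lines quoted on this page.
_DAEMON = r"postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]"
_PREFIX_LINE = r"\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d \S+ (?:%s)\[\d+\]: " % _DAEMON

# Fail2Ban's default expansion of the <HOST> tag.
_HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex list from the answer. Fail2Ban writes the SASL mechanism
# group as ((?i)LOGIN|...); Python 3.11+ rejects a global flag that late in a
# pattern, so the equivalent scoped form (?i:LOGIN|...) is used here.
FAILREGEX = [
    r"^%(__prefix_line)swarning: (.*?)does not resolve to address <HOST>: Name or service not known$",
    r"^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$",
    r"^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .* Relay access denied.*$",
    r"^%(__prefix_line)sSSL_accept error from \S+\s*\[<HOST>\]: lost connection$",
    r"^%(__prefix_line)sSSL_accept error from \S+\s*\[<HOST>\]: -1$",
    r"^%(__prefix_line)slost connection after (AUTH|UNKNOWN|EHLO) from [^\[]*\[<HOST>\]\s*$",
]
IGNOREREGEX = [r"authentication failed: Connection lost to authentication server$"]


def compile_filter():
    """Expand %(__prefix_line)s and <HOST> the way Fail2Ban does, then compile."""
    subs = {"__prefix_line": _PREFIX_LINE}
    fail = [re.compile((p % subs).replace("<HOST>", _HOST)) for p in FAILREGEX]
    ignore = [re.compile(p) for p in IGNOREREGEX]
    return fail, ignore


def count_failures(lines):
    """Failures per host: a line counts once if any failregex matches it and
    no ignoreregex matches it (Fail2Ban's ignoreregex semantics)."""
    fail, ignore = compile_filter()
    hits = Counter()
    for line in lines:
        for rx in fail:
            m = rx.search(line)
            if m is None:
                continue
            if not any(ig.search(line) for ig in ignore):
                hits[m.group("host")] += 1
            break
    return hits


def banned_hosts(lines, maxretry=2):
    """Hosts that would be banned with the jail's maxretry (2 in the question)."""
    return sorted(h for h, n in count_failures(lines).items() if n >= maxretry)


# Constructed sample: the first five lines are quoted in the threads above;
# the last one is made up to exercise ignoreregex.
SAMPLE_LINES = [
    "Mar 25 04:34:12 main postfix/smtps/smtpd[35405]: warning: unknown[212.70.149.71]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Mar 25 04:34:18 main postfix/smtps/smtpd[35405]: lost connection after AUTH from unknown[212.70.149.71]",
    "Mar 22 14:51:43 server postfix/smtpd[14204]: connect from 75-143-80-240.dhcp.aubn.al.charter.com[75.143.80.240]",
    "Mar 22 14:51:45 server postfix/smtpd[14204]: lost connection after EHLO from 75-143-80-240.dhcp.aubn.al.charter.com[75.143.80.240]",
    "Mar 22 14:52:19 server postfix/smtpd[14204]: connect from mail.dedeckeraccountants.be[91.183.46.186]",
    "Mar 22 14:53:00 server postfix/smtpd[14204]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: Connection lost to authentication server",
]

if __name__ == "__main__":
    print(dict(count_failures(SAMPLE_LINES)))
    print(banned_hosts(SAMPLE_LINES))
```

Plain `connect from` lines never count, which is why the last regex (lost connection after EHLO) matters for the scanners in the question; with the real filter installed, `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/<filter>.conf` gives the same per-line verdicts.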

Ubuntu server sends spam (postfix)

I found out my server is sending spam. The spam is sent by the postfix server. It has a large queue of emails that are going to be sent without my help. I can't understand which script is adding these emails to the postfix queue.
Now I have these questions:
How to determine what script is adding mails to the postfix queue?
How to clear the postfix queue of spam? (all emails are spam, there are no emails sent by me)
Why are reports received by user123? (user123 is an ubuntu user, not the original name, changed for security reasons)
Report from /var/mail/user123:
From MAILER-DAEMON Tue Nov 11 04:01:47 2014
Return-Path: <>
X-Original-To: user123@ubuntu
Delivered-To: user123@ubuntu
Received: by ubuntu (Postfix)
id 8F0D227364; Mon, 10 Nov 2014 15:15:52 -0500 (EST)
Date: Mon, 10 Nov 2014 15:15:52 -0500 (EST)
From: MAILER-DAEMON@ubuntu (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: user123@ubuntu
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="C0BE92ECAB.1415650552/ubuntu"
Message-Id: <20141110201552.8F0D227364@ubuntu>
This is a MIME-encapsulated message.
--C0BE92ECAB.1415650552/ubuntu
Content-Description: Notification
Content-Type: text/plain; charset=us-ascii
This is the mail system at host ubuntu.
I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to postmaster.
If you do so, please include this problem report. You can
delete your own text from the attached returned message.
The mail system
<quirin.cyrille@orange.fr>: delivery temporarily suspended: host
smtp-in.orange.fr[80.12.242.9] refused to talk to me: 550 mwinf5c20 ME
Adresse IP source bloquee pour incident de spam. Client host blocked for
spamming issues. OFR006_102 Ref
http://csi.cloudmark.com/reset-request/?ip=74.218.214.24 [102]
--C0BE92ECAB.1415650552/ubuntu
Content-Description: Delivery report
Content-Type: message/delivery-status
Reporting-MTA: dns; ubuntu
X-Postfix-Queue-ID: C0BE92ECAB
X-Postfix-Sender: rfc822; user123@ubuntu
Arrival-Date: Wed, 5 Nov 2014 13:50:50 -0500 (EST)
Final-Recipient: rfc822; quirin.cyrille@orange.fr
Action: failed
Status: 4.0.0
Diagnostic-Code: X-Postfix; delivery temporarily suspended: host
smtp-in.orange.fr[80.12.242.9] refused to talk to me: 550 mwinf5c20 ME
Adresse IP source bloquee pour incident de spam. Client host blocked for
spamming issues. OFR006_102 Ref
http://csi.cloudmark.com/reset-request/?ip=74.218.214.24 [102]
--C0BE92ECAB.1415650552/ubuntu
Content-Description: Undelivered Message Headers
Content-Type: text/rfc822-headers
Return-Path: <user123@ubuntu>
Received: by ubuntu (Postfix, from userid 1006)
id C0BE92ECAB; Wed, 5 Nov 2014 13:50:50 -0500 (EST)
From: =?UTF-8?B?T25seSBDYXNpbm8=?= <only_casino@bingo-chips.us>
To: "MOIDU88480" <quirin.cyrille@orange.fr>
Subject: =?UTF-8?B?Qm9uam91ciBNT0lEVTg4NDgwLiBWZWdhcyBEYXlzIENhc2lubyAtIExhcyBWZWdhcyBzJ2ludml0ZSBjaGV6IHZvdXMgc3VyIFZlZ2FzIERheSBDYXNpbm8h?=
Content-Type: multipart/mixed; boundary="PHP-mixed-3b3472b0874837cf2218d941eec5b6d8"
Message-Id: <20141105185050.C0BE92ECAB@ubuntu>
Date: Wed, 5 Nov 2014 13:50:50 -0500 (EST)
--C0BE92ECAB.1415650552/ubuntu--
Googling gives no result.
My google search queries could be wrong, but I really need to fix this problem.
So any help is appreciated.
If I can provide more useful information please ask it in comments.
P.S. The server is hosting magento and wordpress sites.
P.P.S. 74.218.214.24 is the IP of my dedicated server, not the original. It was changed in this post for security reasons.
UPDATE
Some lines from /var/log/mail.log:
Nov 9 06:40:05 u17135818 postfix/smtp[10428]: 65EDE3C718: to=<mywookie@ymail.com>, relay=mta6.am0.yahoodns.net[98.136.216.25]:25, delay=7.7, delays=7.4/0/0.19/0.06, dsn=5.7.1, status=bounced (host mta6.am0.yahoodns.net[98.136.216.25] said: 553 5.7.1 [BL21] Connections will not be accepted from 74.218.214.24, because the ip is in Spamhaus's list; see http://postmaster.yahoo.com/550-bl23.html (in reply to MAIL FROM command))
Nov 9 06:40:05 u17135818 postfix/smtp[10428]: 65EDE3C718: lost connection with mta6.am0.yahoodns.net[98.136.216.25] while sending RCPT TO
Nov 9 06:40:05 u17135818 postfix/pickup[10080]: 1338B3ED4A: uid=1006 from=<user123>
Nov 9 06:40:05 u17135818 postfix/cleanup[12998]: 1338B3ED4A: message-id=<20141109114005.1338B3ED4A@ubuntu>
Nov 9 06:40:05 u17135818 postfix/cleanup[13261]: 133D53ED54: message-id=<20141109114005.133D53ED54@ubuntu>
Nov 9 06:40:05 u17135818 postfix/smtp[10424]: DECBB27368: to=<toshiki_6@hotmail.com>, relay=mx2.hotmail.com[207.46.8.199]:25, delay=9.6, delays=9.3/0.02/0.19/0.06, dsn=5.0.0, status=bounced (host mx2.hotmail.com[207.46.8.199] said: 550 OU-002 (BAY004-MC6F11) Unfortunately, messages from 74.218.214.24 weren't sent. Please contact your Internet service provider since part of their network is on our block list. You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors. (in reply to MAIL FROM command))
Nov 9 06:40:05 u17135818 postfix/smtp[12030]: EFA783D645: to=<festefaen@gmail.com>, relay=gmail-smtp-in.l.google.com[2607:f8b0:4001:c08::1b]:25, delay=7.3, delays=6.6/0/0.09/0.64, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[2607:f8b0:4001:c08::1b] said: 550-5.7.1 [2607:f1c0:841:fe00::66:d8fd 12] Our system has detected that 550-5.7.1 this message is likely unsolicited mail. To reduce the amount of spam 550-5.7.1 sent to Gmail, this message has been blocked. Please visit 550-5.7.1 http://support.google.com/mail/bin/answer.py?hl=en&answer=188131 for 550 5.7.1 more information. sd5si10854734igb.33 - gsmtp (in reply to end of DATA command))
...
Nov 11 04:01:54 u17135818 postfix/smtp[17765]: E01792762C: host mx1.free.fr[212.27.48.6] said: 451 too many errors detected from your IP (74.218.214.24), please visit http://postmaster.free.fr/ (in reply to DATA command)
Nov 11 04:01:54 u17135818 postfix/smtp[17797]: 953592B312: host cluster1.eu.messagelabs.com[85.158.143.99] refused to talk to me: 450 Requested action aborted [7.2] 21614, please visit www.messagelabs.com/support for more details about this error message.
Nov 11 04:01:54 u17135818 postfix/qmgr[17712]: C7D883257C: from=<user123@ubuntu>, status=expired, returned to sender
Nov 11 04:01:54 u17135818 postfix/qmgr[17712]: 0799A259AD: removed
Nov 11 04:01:54 u17135818 postfix/qmgr[17712]: 90F4332280: removed
Nov 11 04:01:54 u17135818 postfix/qmgr[17712]: 67B8B2E7C7: from=<user123@ubuntu>, status=expired, returned to sender
Nov 11 04:01:54 u17135818 postfix/qmgr[17712]: 9063532F5D: removed
Nov 11 04:01:54 u17135818 postfix/qmgr[17712]: EE4222A874: removed
Nov 11 04:01:54 u17135818 postfix/smtp[17724]: 61C22360A0: to=<lgennuso@princetonhcs.org>, relay=smtp4.princetonhcs.org[209.123.81.114]:25, delay=381492, delays=381485/5.6/0.59/0, dsn=4.5.0, status=deferred (host smtp4.princetonhcs.org[209.123.81.114] refused to talk to me: 550 5.5.0 74.218.214.24 is blacklisted by FortiGuard. This email from IP has been rejected. The email message was detected as spam.)
Nov 11 04:01:54 u17135818 postfix/smtp[17800]: 61B3A3AD2C: to=<bigboy@starbucks.org>, relay=none, delay=259892, delays=259884/2.2/5.5/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=starbucks.org type=MX: Host not found, try again)
Nov 11 04:01:54 u17135818 postfix/smtp[17787]: CD3312175D: host mx1.free.fr[212.27.48.7] said: 451 too many errors detected from your IP (74.218.214.24), please visit http://postmaster.free.fr/ (in reply to DATA command)
Nov 11 04:01:54 u17135818 postfix/smtp[17819]: 780C624266: to=<max.charlene@aliceadsl.fr>, relay=mx1.free.fr[212.27.48.7]:25, conn_use=5, delay=227385, delays=227377/6.5/0.66/0.34, dsn=4.0.0, status=deferred (host mx1.free.fr[212.27.48.7] said: 451 too many errors detected from your IP (74.218.214.24), please visit http://postmaster.free.fr/ (in reply to DATA command))
Nov 11 04:01:54 u17135818 postfix/smtp[17778]: CE12E26756: to=<rcataldo@laposte.net>, relay=smtpz4.laposte.net[194.117.213.1]:25, delay=133031, delays=133023/6.5/0.79/0.27, dsn=5.0.1, status=bounced (host smtpz4.laposte.net[194.117.213.1] said: 501 5.0.1 Emetteur invalide. Invalid Sender. LPN007_405 (in reply to MAIL FROM command))
It looks like one service or piece of software is triggering these mails. You can block all outgoing mails from postfix by using the mail relaying options for external domains; this is possible if you don't want to send any mails from your machine.
You can check the maillog file inside /var/log - that will give more details; also check the command mailq to see how many mails are pending.
Update:
Do you allow any other people in your network to send mail through your machine? Then you can suspect that case. A few things I can notice from the log are that:
The mail is being rejected by the receiver end saying your public IP is flooding mails.
If these mails are coming periodically and not from any of the other machines in your network, then you have to find out which process or application is doing this. For that you have to use tcpdump and monitor the TCP packets. From that you can see that the mail client first pushes the mail to your local postfix server, and then that's being forwarded to the target mail server.
This is the way I can see to find out which application is sending mails from your computer.
Hope this will help you to figure out the culprit.

Plesk/MailEnable SMTP Relay Error

I am having issues relaying SMTP emails to remote domains in MailEnable, and need some assistance identifying what exactly I am missing in the server setup.
My setup was actually working fine until yesterday when I added an SPF record to the DNS setup of the server. Then starting last night (the next time the system tried to send automated emails), the emails to remote addresses began failing. From what I can tell, I am authenticating on the inbound portion of the SMTP call, but when it tries to connect outbound to send the message to the other server it acts like I have not authenticated.
Background: This is my own server, leased from a hosting company. I have access to all settings for the site in IIS/Plesk/MailEnable. Every time my custom-written VB.NET application tries to send an email to another address on my own domain, it works fine. Every time my app tries to send the same email to an address on a remote domain, I receive an email back from POSTMASTER@mydomain.com with the following:
MailEnable: Message could not be delivered to some recipients.
The following recipient(s) could not be reached:
Recipient: [SMTP:user@otherdomain.com]
Reason: 551 This mail server requires authentication before sending mail from a locally hosted domain. Please reconfigure your mail client to authenticate before sending mail.
I have a simple VB.NET test program I have written to try to debug this:
Dim replyTo As New System.Net.Mail.MailAddress("no-reply@mydomain.com", "MyUser")
Dim subject As String = "Test subject"
Dim SendTo As String = "user@otherdomain.com"
Dim body As String = "This is the email."
Dim message As New System.Net.Mail.MailMessage
message.From = New System.Net.Mail.MailAddress("no-reply@mydomain.com", "MyUser")
message.ReplyToList.Add(replyTo)
' The remote recipient; without this line SendTo is never used and only the Bcc copy is sent
message.To.Add(SendTo)
message.BodyEncoding = System.Text.Encoding.ASCII
message.IsBodyHtml = True
message.Subject = subject
message.Bcc.Add("mydomainBCC@mydomain.com")
message.Body = body
' Submit on port 587 with explicit credentials; UseDefaultCredentials must be set
' before Credentials, because assigning it afterwards discards the credentials
Dim smtp As New System.Net.Mail.SmtpClient("mydomain.com")
Dim smtpCredential As System.Net.NetworkCredential = New System.Net.NetworkCredential("no-reply@mydomain.com", "password")
smtp.UseDefaultCredentials = False
smtp.Credentials = smtpCredential
smtp.Port = 587
smtp.Send(message)
In MailEnable, I have:
Activated port 587 and checked the box requiring authentication
before allowing the submission through the port. Again, the above
program works (through port 587) when I send to an address
@mydomain.com, but still fails for anything sent to @otherdomain.com.
Under the Relay tab, added entries in the "Allow relay for privileged
IP ranges" option for each of 127.0.0.1, the internal network IP
address of the server, and the external IP address of the server. (Option to allow relay for Authenticated Users was already checked and is still checked)
For completeness, here is the SPF record that was set up in the DNS yesterday:
v=spf1 a mx ipv4:75.XX.XX.XX include:_spf.google.com -all
MailEnable also created a file on the root drive of the server called SMTP-IN-TOP.TXT that logs the top count of authentications that come in, and I see all of my attempts counted in this file:
Recent Top Users Authentications During Previous Hour
no-reply@mydomain.com 4
And finally, here are the activity and debug logs from MailEnable showing one of the transaction attempts:
Activity:
09/01/13 15:07:26 SMTP-IN 5300BA9154CC413AAD202DE4FBA6CB71.MAI 596 75.XX.XX.XX 220 mydomain.com ESMTP MailEnable Service, Version: 7.0-- ready at 09/01/13 15:07:26 0 0
09/01/13 15:07:26 SMTP-IN 5300BA9154CC413AAD202DE4FBA6CB71.MAI 596 75.XX.XX.XX EHLO EHLO mydomain-web-01 250-mydomain.com [75.XX.XX.XX], this server offers 4 extensions 127 21
09/01/13 15:07:26 SMTP-IN 5300BA9154CC413AAD202DE4FBA6CB71.MAI 596 75.XX.XX.XX AUTH {blank} 334 UGFzc3dvcmQ6 18 41 no-reply#mydomain.com
09/01/13 15:07:26 SMTP-IN 5300BA9154CC413AAD202DE4FBA6CB71.MAI 596 75.XX.XX.XX AUTH d29iVFY= 235 Authenticated 19 10 no-reply#mydomain.com
09/01/13 15:07:26 SMTP-IN 5300BA9154CC413AAD202DE4FBA6CB71.MAI 596 75.XX.XX.XX MAIL MAIL FROM:<no-reply#mydomain.com> 250 Requested mail action okay, completed 43 34 no-reply#mydomain.com
09/01/13 15:07:26 SMTP-IN 5300BA9154CC413AAD202DE4FBA6CB71.MAI 596 75.XX.XX.XX RCPT RCPT TO:<adam.taylor#otherdomain.com> 250 Requested mail action okay, completed 43 36 no-reply#mydomain.com
09/01/13 15:07:26 SMTP-IN 5300BA9154CC413AAD202DE4FBA6CB71.MAI 596 75.XX.XX.XX RCPT RCPT TO:<mydomainBCC#mydomain.com> 250 Requested mail action okay, completed 43 34 no-reply#mydomain.com
09/01/13 15:07:26 SMTP-IN 5300BA9154CC413AAD202DE4FBA6CB71.MAI 596 75.XX.XX.XX DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 46 6 no-reply#mydomain.com
09/01/13 15:07:27 SMTP-OU D65C7059FE274FBCBA296953ABA4221F.MAI 780 50.XX.XX.XX CONN 220 recipientserver.com ESMTP MailEnable Service, Version: 6.53-- ready at 09/01/13 15:07:26 0 86
09/01/13 15:07:27 SMTP-OU D65C7059FE274FBCBA296953ABA4221F.MAI 780 50.XX.XX.XX EHLO EHLO mydomain.com 250-recipientserver.com [75.XX.XX.XX], this server offers 4 extensions 18 127
09/01/13 15:07:27 SMTP-OU D65C7059FE274FBCBA296953ABA4221F.MAI 780 50.XX.XX.XX MAIL MAIL FROM:<no-reply#mydomain.com> SIZE=423 551 This mail server requires authentication before sending mail from a locally hosted domain. Please reconfigure your mail client to authenticate before sending mail. 43 169
09/01/13 15:07:27 SMTP-OU D65C7059FE274FBCBA296953ABA4221F.MAI 780 50.XX.XX.XX QUIT QUIT 221 Service closing transmission channel 6 42
09/01/13 15:07:28 SMTP-IN 8E182A43292745538949A1160E407982.MAI 780 127.0.0.1 220 mydomain.com ESMTP MailEnable Service, Version: 7.0-- ready at 09/01/13 15:07:28 0 0
09/01/13 15:07:28 SMTP-OU D65C7059FE274FBCBA296953ABA4221F.MAI 576 127.0.0.1 CONN 220 mydomain.com ESMTP MailEnable Service, Version: 7.0-- ready at 09/01/13 15:07:28 0 85
09/01/13 15:07:28 SMTP-IN 8E182A43292745538949A1160E407982.MAI 780 127.0.0.1 EHLO EHLO mydomain.com 250-mydomain.com [127.0.0.1], this server offers 4 extensions 123 18
09/01/13 15:07:28 SMTP-OU D65C7059FE274FBCBA296953ABA4221F.MAI 576 127.0.0.1 EHLO EHLO mydomain.com 250-mydomain.com [127.0.0.1], this server offers 4 extensions 18 123
09/01/13 15:07:28 SMTP-IN 8E182A43292745538949A1160E407982.MAI 780 127.0.0.1 MAIL MAIL FROM:<> SIZE=1052 250 Requested mail action okay, completed 43 24
09/01/13 15:07:28 SMTP-OU D65C7059FE274FBCBA296953ABA4221F.MAI 576 127.0.0.1 MAIL MAIL FROM:<> SIZE=1052 250 Requested mail action okay, completed 24 43
09/01/13 15:07:28 SMTP-IN 8E182A43292745538949A1160E407982.MAI 780 127.0.0.1 RCPT RCPT TO:<no-reply#mydomain.com> 250 Requested mail action okay, completed 43 32
09/01/13 15:07:28 SMTP-OU D65C7059FE274FBCBA296953ABA4221F.MAI 576 127.0.0.1 RCPT RCPT TO:<no-reply#mydomain.com> 250 Requested mail action okay, completed 32 43
09/01/13 15:07:28 SMTP-IN 8E182A43292745538949A1160E407982.MAI 780 127.0.0.1 DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 46 6
09/01/13 15:07:28 SMTP-OU D65C7059FE274FBCBA296953ABA4221F.MAI 576 127.0.0.1 DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 6 46
09/01/13 15:07:28 SMTP-OU D65C7059FE274FBCBA296953ABA4221F.MAI 576 127.0.0.1 DATE 250 Requested mail action okay, completed 1063 43
09/01/13 15:07:28 SMTP-IN 05D1026706304C7F941CD6348057CC71.MAI 780 127.0.0.1 QUIT QUIT 221 Service closing transmission channel 42 6
09/01/13 15:07:28 SMTP-OU D65C7059FE274FBCBA296953ABA4221F.MAI 576 127.0.0.1 QUIT QUIT 221 Service closing transmission channel 6 42
Debug:
09/01/13 15:07:26 ME-I0135: Authenticating User:no-reply#mydomain.com using Authentication Provider Credentials
09/01/13 15:07:26 ME-I0107: [596] Relay Granted: Sender IP (75.xx.xx.xx) is within an authorized IP range.
09/01/13 15:07:26 ME-I0101: [596] Local Delivery: Address ([SMTP:mydomainBCC#mydomain.com]) is local.
09/01/13 15:07:26 ME-I0149: [596] 5300BA9154CC413AAD202DE4FBA6CB71.MAI was received successfully and delivery thread was initiated
09/01/13 15:07:26 ME-E0070: (recv) socket [596] error during [DATA] command from host 75.xx.xx.xx. Socket was disconnected - Error: (10054)
09/01/13 15:07:26 ME-I0074: [596] (Debug) End of conversation
09/01/13 15:07:27 ME-I0018: [2B8847ABCC1242EDBF3417D32DA6DB59.MAI] Outbound message from ([SMTP:no-reply#mydomain.com]) requeued as [D65C7059FE274FBCBA296953ABA4221F.MAI] to the target domain [otherdomain.com]
09/01/13 15:07:27 ME-I0123: Domain [otherdomain.com] has MX list [mail.otherdomain.com]
09/01/13 15:07:27 ME-I0026: [D65C7059FE274FBCBA296953ABA4221F.MAI] Sending message
09/01/13 15:07:27 ME-IXXXX: [D65C7059FE274FBCBA296953ABA4221F.MAI] DNS resolved to the following record: IP Address=50.XX.XX.XX, Family=2, Type=1, Protocol=6
09/01/13 15:07:27 ME-IXXXX: [D65C7059FE274FBCBA296953ABA4221F.MAI] Remote server returned a response indicating a permanent error. Server Response: (551 This mail server requires authentication before sending mail from a locally hosted domain. Please reconfigure your mail client to authenticate before sending mail.)
09/01/13 15:07:27 ME-E0036: [D65C7059FE274FBCBA296953ABA4221F.MAI] MAIL FROM command Failed.
09/01/13 15:07:27 ME-E0008: [D65C7059FE274FBCBA296953ABA4221F.MAI] Outbound, could not send the command to the server (error 10038).
09/01/13 15:07:27 ME-E0060: [D65C7059FE274FBCBA296953ABA4221F.MAI] - Message could not be delivered to target domain (otherdomain.com). Message returned to Sender.
09/01/13 15:07:28 ME-I0119: Domain [mydomain.com] has used local loopback address [127.0.0.1] because it is hosted locally.
09/01/13 15:07:28 ME-I0026: [D65C7059FE274FBCBA296953ABA4221F.MAI] Sending message
09/01/13 15:07:28 ME-IXXXX: [D65C7059FE274FBCBA296953ABA4221F.MAI] DNS resolved to the following record: IP Address=127.0.0.1, Family=2, Type=1, Protocol=0
09/01/13 15:07:28 ME-I0101: [780] Local Delivery: Address ([SMTP:no-reply#mydomain.com]) is local.
09/01/13 15:07:28 ME-I0149: [780] 8E182A43292745538949A1160E407982.MAI was received successfully and delivery thread was initiated
09/01/13 15:07:28 ME-I0049: [D65C7059FE274FBCBA296953ABA4221F.MAI] Send Completed Successfully
09/01/13 15:07:28 ME-I0074: [780] (Debug) End of conversation
OK, found the problem. The "external" address I was using to test the problem is actually on the old server that our website was on prior to moving to this dedicated server. Apparently the site/mail setup on that server for our site was never removed once we moved off of it. So when sending from our new server to an address still hosted on that old server, the old server interpreted the email as coming from an internal address that was not authenticated.
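The activity log pasted above records each step of the AUTH LOGIN exchange: the server's 334 VXNlcm5hbWU6 ("Username:") and 334 UGFzc3dvcmQ6 ("Password:") prompts, the client's base64 replies, and the final 235 or 535. The reply that follows the Password: prompt is the base64-encoded password itself, and it appears on the AUTH line in the log, which matters both for spotting repeated 535 rejections from one source IP and for redacting the log before it is pasted anywhere. The script below is an added example, not code from either poster or from MailEnable; it assumes the column layout of the lines above (date, time, direction, message file, socket, IP, command, client text, server reply, byte counts, account), and the sample lines, message ids and 198.51.100.x addresses are constructed for the example.

```python
"""Rebuild AUTH LOGIN exchanges from MailEnable SMTP-IN activity-log lines,
count rejections per source IP, and redact credential tokens before sharing.
Added example; the column layout is assumed from the log pasted above."""
import base64
import re
from collections import Counter
from dataclasses import dataclass

# Assumed layout: date time direction msgfile socket ip command <client text> <server reply> ... account
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<dir>SMTP-IN|SMTP-OU) (?P<msg>\S+) "
    r"(?P<sock>\d+) (?P<ip>\S+) (?P<cmd>\S+) ?(?P<rest>.*)$"
)
# First SMTP reply code after the client text; also matches the "334+UGFz..." form
# where MailEnable writes spaces as '+'.
CODE_RE = re.compile(r"(?<![\w.])(?P<code>[2-5]\d{2})(?=[ +-]|$)")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{2,}={0,2}$")
# AUTH LOGIN server prompts: base64 of "Username:" and "Password:".
USERNAME_PROMPT = base64.b64encode(b"Username:").decode()  # VXNlcm5hbWU6
PASSWORD_PROMPT = base64.b64encode(b"Password:").decode()  # UGFzc3dvcmQ6


@dataclass
class AuthEvent:
    ip: str
    user: str              # account the client tried to authenticate as
    code: str              # final reply: 235 authenticated, 535 rejected
    password_logged: bool  # the base64 answer to the Password: prompt is in the log


def _split_auth(rest):
    """Split the remainder of an AUTH line into (client payload, server reply)."""
    m = CODE_RE.search(rest)
    if not m:
        return rest.strip(), ""
    return rest[:m.start()].strip(), rest[m.start():].strip()


def _decode_b64(token):
    """Decode a base64 token, or return None when it is not valid base64."""
    if not B64_RE.match(token):
        return None
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:
        return None


def parse_auth_events(lines):
    """Walk inbound lines in order and rebuild each AUTH LOGIN exchange per socket."""
    pending = {}  # (ip, socket) -> username, while the Password: prompt is outstanding
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["dir"] != "SMTP-IN" or m["cmd"] != "AUTH":
            continue
        key = (m["ip"], m["sock"])
        payload, reply = _split_auth(m["rest"])
        code = reply[:3]
        last = line.split()[-1]
        account = last if ("#" in last or "@" in last) else None
        if code == "334" and USERNAME_PROMPT in reply:
            pending.pop(key, None)  # a new exchange starts on this socket
        elif code == "334" and PASSWORD_PROMPT in reply:
            # The client has just sent its username; MailEnable shows it as {blank}
            # and echoes the account in the last column instead.
            pending[key] = account or _decode_b64(payload) or "unknown"
        elif code in ("235", "535"):
            # This payload is the client's answer to the Password: prompt.
            user = pending.pop(key, None) or account or "unknown"
            events.append(AuthEvent(m["ip"], user, code, _decode_b64(payload) is not None))
    return events


def failures_by_ip(events):
    """Count rejected (535) authentication attempts per source IP."""
    return Counter(e.ip for e in events if e.code == "535")


def redact(line):
    """Replace a client-supplied base64 token on an AUTH line with a placeholder."""
    m = LINE_RE.match(line.strip())
    if not m or m["cmd"] != "AUTH":
        return line
    payload, _ = _split_auth(m["rest"])
    if payload not in (USERNAME_PROMPT, PASSWORD_PROMPT) and _decode_b64(payload) is not None:
        return line.replace(payload, "[REDACTED]", 1)
    return line


# Constructed sample lines in the layout of the log above (placeholder message ids,
# documentation-range IPs): two guessing attempts from one IP, one genuine login.
SAMPLE_LOG = [
    "01/02/21 06:00:02 SMTP-IN 00000000000000000000000000000001.MAI 1228 198.51.100.7 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12 -",
    "01/02/21 06:00:02 SMTP-IN 00000000000000000000000000000001.MAI 1228 198.51.100.7 AUTH {blank} 334 UGFzc3dvcmQ6 18 38 guest#example.com",
    "01/02/21 06:00:04 SMTP-IN 00000000000000000000000000000001.MAI 1228 198.51.100.7 AUTH Z3Vlc3RAMTIz 535 Invalid Username or Password 34 22 guest#example.com",
    "01/02/21 06:00:05 SMTP-IN 00000000000000000000000000000002.MAI 596 198.51.100.20 AUTH {blank} 334 UGFzc3dvcmQ6 18 41 no-reply#example.com",
    "01/02/21 06:00:05 SMTP-IN 00000000000000000000000000000002.MAI 596 198.51.100.20 AUTH cGFzc3dvcmQ= 235 Authenticated 19 10 no-reply#example.com",
    "01/02/21 06:00:05 SMTP-IN 00000000000000000000000000000002.MAI 596 198.51.100.20 MAIL MAIL FROM:<no-reply#example.com> 250 Requested mail action okay, completed 43 34 no-reply#example.com",
    "01/02/21 06:00:09 SMTP-IN 00000000000000000000000000000003.MAI 1300 198.51.100.7 AUTH {blank} 334 UGFzc3dvcmQ6 18 38 admin#example.com",
    "01/02/21 06:00:09 SMTP-IN 00000000000000000000000000000003.MAI 1300 198.51.100.7 AUTH UGFzc3dvcmQx 535 Invalid Username or Password 34 22 admin#example.com",
]

if __name__ == "__main__":
    found = parse_auth_events(SAMPLE_LOG)
    for ev in found:
        print(f"{ev.ip:14} {ev.code} {ev.user} (password in log: {ev.password_logged})")
    print("535 rejections per IP:", dict(failures_by_ip(found)))
    print("\n".join(redact(l) for l in SAMPLE_LOG))
```

The parser keys the exchange on (IP, socket) because MailEnable interleaves concurrent sessions in one file, as the head log shows; only the username is ever decoded, and the password token is reported as present rather than recovered. Running `redact` over a file before pasting it removes those tokens while leaving the reply codes, timestamps and account column intact, which is all that a relay or brute-force investigation needs.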