I have plesk 12.5.30 on my server which is often blacklisted on Symantec Mail Security reputation.
The ip is new (I have purchased the server on 13.02.2017).
Also my ip is blacklisted on BACKSCATTERER.
Seeing the log of postfix I have a lot of entries like
Mar 22 14:51:43 server postfix/smtpd[14204]: connect from 75-143-80-240.dhcp.aubn.al.charter.com[75.143.80.240]
Mar 22 14:51:45 server postfix/smtpd[14204]: lost connection after EHLO from 75-143-80-240.dhcp.aubn.al.charter.com[75.143.80.240]
Mar 22 14:51:45 server postfix/smtpd[14204]: disconnect from 75-143-80-240.dhcp.aubn.al.charter.com[75.143.80.240]
Mar 22 14:51:50 server postfix/smtpd[14204]: connect from 128.128.72.76.cable.dhcp.goeaston.net[76.72.128.128]
Mar 22 14:51:51 server postfix/smtpd[14204]: lost connection after EHLO from 128.128.72.76.cable.dhcp.goeaston.net[76.72.128.128]
Mar 22 14:51:51 server postfix/smtpd[14204]: disconnect from 128.128.72.76.cable.dhcp.goeaston.net[76.72.128.128]
Mar 22 14:52:19 server postfix/smtpd[14204]: connect from mail.dedeckeraccountants.be[91.183.46.186]
Mar 22 14:52:19 server postfix/smtpd[14204]: disconnect from mail.dedeckeraccountants.be[91.183.46.186]
I have
Changed the smtp port to a non standard one (9456)
Installed firewall and fail2ban on plesk and setted as in image
Setted mail settings of plesk as in image
Installed a spamassasin
I have noticed also that some days ago i have lines in log like these
Mar 19 06:47:00 server postfix/smtp[13517]: CCC1C510023D: to=<229e7dc3183452c7d3290d1ba28f073e#www.lablue.de>, relay=none, delay=235637, delays=235636/0.05/0.09/0, dsn=4.4.1, status=deferred (connect to www.lablue.de[217.22.195.26]:25: Connection refused)
Mar 19 06:47:00 server postfix/smtp[13503]: 7EDD55100138: to=<Weber226#brockel.kirche-rotenburg.de>, relay=kirche-rotenburg-verden.de[136.243.213.122]:25, delay=239980, delays=239979/0.01/0.35/0.1, dsn=4.0.0, status=deferred (host kirche-rotenburg-verden.de[136.243.213.122] said: 451 Temporary local problem - please try later (in reply to RCPT TO command))
Mar 19 06:47:00 server postfix/smtp[13504]: 97B055100233: to=<office#angerlehner.at>, relay=none, delay=222922, delays=222922/0.01/0.64/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=angerlehner.at type=MX: Host not found, try again)
Mar 19 06:47:00 server postfix/smtp[13509]: 1E15F510019B: host mx1.leventboru.com.tr[89.19.1.69] said: 450 4.7.1 Recipient address rejected: Requested action not taken: mailbox unavailable or not local (in reply to RCPT TO command)
And i noticed a very long mail queue in plesk settings (i have deleted all mail in queue)
Any advice to block this attack??
Thanks in advance
Edit: I want to share my plesk-postfix settings
[plesk-postfix]
enabled = true
filter = postfix-sasl
action = iptables-multiport[name="plesk-postfix", port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
logpath = /var/log/maillog
maxretry = 2
There is somenthing can i improve here?
You might consider to use a Fail2Ban - filter with the following regex - expressions:
failregex = ^%(__prefix_line)slost connection after (AUTH|UNKNOWN|EHLO) from [^\[]*\[<HOST>\]\s*$
If you need further Fail2Ban regex - expressions, pls. consider to ADD the corresponding log - file entries, because some general standart ones may not suit your needs or/and your qmail/postfix/imap-courier/dovecot version, installed on your server. ;-)
Edit:
In order to be more precise, I now add the full suggestion, incl. the regex, that #MattiaDiGiuseppe already used in his comments - it's just a bit better formatted this way.
[Definition]
_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]
failregex = ^%(__prefix_line)swarning: (.*?)does not resolve to address <HOST>: Name or service not known$
^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$
^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .* Relay access denied.*$
^%(__prefix_line)sSSL_accept error from \S+\s*\[<HOST>\]: lost connection$
^%(__prefix_line)sSSL_accept error from \S+\s*\[<HOST>\]: -1$
^%(__prefix_line)slost connection after (AUTH|UNKNOWN|EHLO) from [^\[]*\[<HOST>\]\s*$
ignoreregex = authentication failed: Connection lost to authentication server$
Pls. consider to have a look at all standart filters ( for Fail2Ban 0.10 AND older versions), by visiting:
=> https://github.com/fail2ban/fail2ban/tree/0.10/config/filter.d
If you desire to view the standarts for older versions, just click on the "Branch: 0.10" dropdpwn - button, pls.
Related
I have a site running on my computer using Apache 2.4 which I can easily access by using my local ipv4 address and respective port 80. The port 80 is bound to port 22*** using portmap.io and is configured with OpenVpn/tcp on my computer.I have allowed access to Apache HTTP server and Apache Server Monitor through the firewall.I have also increased keepAlive timeout in apche server to 600s, max connections.i have Listen 80 and LISTEN 22*** and ServerName as http://awm-22***.portmap.host:22*** in my httpd.conf file.You can look into for more options here.Apache handler configuration
I am using PHP as backend language.
Since the port 80 is bound to port 22470, whenever I try access my site from another device(which also uses the same wifi network as the computer running the server) using the local ipv4 address of my computer(which is running the server) and port 80 i.e
192.168..:80, it automatically redirects the browser to 192.168..:22*** and I can access my site with no difficuty. Access log in apcache server:
192.168.**.** - - [15/Dec/2022:10:08:02 +0530] "GET /abc%20xyz%20klm/ HTTP/1.1" 200 12049
192.168.**.** - - [15/Dec/2022:10:08:02 +0530] "GET /SPR/b/get_captcha.php?rand=29842778 HTTP/1.1" 200 4057
But when I try access the same site from another device(which also uses the same wifi network as the computer running the server) using the ipv4 address provided by OpenVpn to my computer(which is running the server):10.9..* and port 80 i.e 10.9..*:80, it shows TOOK TOO LONG TO RESPPOND error on the browser.But the browser's header has the following:
http://10.9.**.**4:22470/abc%20xyz%20klm/
Then why is it not loading the page. No log in apache access log file.
When I try access the same site from another device(which also uses the same wifi network as the computer running the server) using the url provided to me by portmap.io i.e: http://awm-22***.portmap.host:22***/,
The server takes too long to respond error is shown in the browser.
Access log in apcache server:
10.9.0.1 - - [15/Dec/2022:10:21:33 +0530] "GET / HTTP/1.0" 302 -
10.9.0.1 - - [15/Dec/2022:10:21:34 +0530] "GET /abc%20xyz%20klm HTTP/1.0" 301 256
OpenVpn Log:
Thu Dec 15 10:32:30 2022 SIGHUP[hard,] received, process restarting
Thu Dec 15 10:32:30 2022 --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Thu Dec 15 10:32:30 2022 OpenVPN 2.5.7 [git:release/2.5/3d792ae9557b959e] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 28 2022
Thu Dec 15 10:32:30 2022 Windows version 10.0 (Windows 10 or greater) 64bit
Thu Dec 15 10:32:30 2022 library versions: OpenSSL 1.1.1o 3 May 2022, LZO 2.10
Thu Dec 15 10:32:35 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]193.161.193.99:1194
Thu Dec 15 10:32:35 2022 Attempting to establish TCP connection with [AF_INET]193.161.193.99:1194 [nonblock]
Thu Dec 15 10:32:35 2022 TCP connection established with [AF_INET]193.161.193.99:1194
Thu Dec 15 10:32:35 2022 TCP_CLIENT link local: (not bound)
Thu Dec 15 10:32:35 2022 TCP_CLIENT link remote: [AF_INET]193.161.193.99:1194
Thu Dec 15 10:32:41 2022 [193.161.193.99] Peer Connection Initiated with [AF_INET]193.161.193.99:1194
Thu Dec 15 10:32:42 2022 WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.7.
Thu Dec 15 10:32:42 2022 WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.7.
Thu Dec 15 10:32:42 2022 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
Thu Dec 15 10:32:42 2022 open_tun
Thu Dec 15 10:32:42 2022 tap-windows6 device [OpenVPN TAP-Windows6] opened
Thu Dec 15 10:32:42 2022 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.9.**.234/255.255.255.252 on interface {798F492A-574C-4BC6-87C5-A62C6D058EC1} [DHCP-serv: 10.9.**.233, lease-time: 31536000]
Thu Dec 15 10:32:42 2022 Successful ARP Flush on interface [12] {798F492A-574C-4BC6-87C5-A62C6D058EC1}
Thu Dec 15 10:32:42 2022 IPv4 MTU set to 1500 on interface 12 using service
These are my firewall rules:
Inbound rules
Inbound rule for Port 80 Outbound rules
Firewall monitoring Domain and Private Profiles
Firewall monitoring Public Profile
What is causing the problem? Any solution will be of great help. Thanks in advance.
I am trying to set up OpenVPN on Ubuntu 20.04. I'm not experienced in this area. After I set up OpenVPN, I perform test connectivity. I received handshake error message:
Sun Jul 26 05:53:17 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]68.228.217.219:1194
Sun Jul 26 05:53:17 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Jul 26 05:53:17 2020 UDP link local: (not bound)
Sun Jul 26 05:53:17 2020 UDP link remote: [AF_INET]My_Public_ISP_IP:1194
Sun Jul 26 05:54:17 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Jul 26 05:54:17 2020 TLS Error: TLS handshake failed
Sun Jul 26 05:54:17 2020 SIGUSR1[soft,tls-error] received, process restarting
Sun Jul 26 05:54:17 2020 Restart pause, 5 second(s)
Then I check to log
journalctl --identifier openvpn
I found two error message I believe why my OpenVPN cannot connect:
This is one of the error messages:
Could not determine IPv4/IPv6 protocol. Using AF_INET
I notice it's using my old client .conf file:
Error Message
My new .conf file is local.ovpn/
I tried removing client conf. sudo rm -vf BigK and replace it with local.ovpn. but it didnt work.
I need help figuring this issue out. i tried researching on my own but i came up short.
UPDATE
After several hours of researching online. the closet post I see helping me is this post https://unix.stackexchange.com/questions/385966/openvpn-error-status-2-and-cant-connect-to-internet-while-usingwhich didn't help.
I checked my client.conf
client
dev tun
proto udp
remote Public_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
block-outside-dns
verb 3
<ca>
Here is my server.conf
local IP
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
explicit-exit-notify
Here is localvpn.ovpn
client
dev tun
proto udp
remote Public_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
block-outside-dns
verb 3
I faced the same problem and didn't find any solution. I was looking for another way to connect to OpenVPN server and it helped me.
Ubuntu 20.04 has a default tool for using OpenVPN:
Settings -> Network
Click + icon on one line with the VPN title
Choose Import from file... option and select your .ovpn config file in the popup window
Click Add button and that's it
PS: I hope it will help somebody to save any hours
Good day!
After installing and running kolab letters delivered instantly. But after a few days letters to local destinations have become delivered with a delay. Over time, they are delivered, but the delay may be several hours. An example of the path of the letter:
root#myhost:~# cat /var/log/mail.log | grep 7AA7935B1FC
Jan 12 11:31:03 myhost postfix/smtpd[19494]: 7AA7935B1FC:
client=localhost[127.0.0.1]
Jan 12 11:31:05 myhost postfix/cleanup[19492]: 7AA7935B1FC:
message-id=<20160112093103.7AA7935B1FC#mail.myhost.com>
Jan 12 11:31:05 myhost postfix/qmgr[7021]: 7AA7935B1FC:
from=<noreply#myhost.com>, size=1279, nrcpt=3 (queue active)
Jan 12 11:31:05 myhost lmtpunix[19631]: Delivered:
<20160112093103.7AA7935B1FC#mail.myhost.com> to mailbox:
myhost.com!user.user1
Jan 12 11:31:06 myhost postfix/lmtp[19617]: 7AA7935B1FC: to=<user1#myhost.com>, relay=mail.myhost.com[/var/lib/imap/socket/lmtp], delay=2.6, delays=2/0.01/0/0.59, dsn=4.3.0, status=deferred (host
mail.myhost.com[/var/lib/imap/socket/lmtp] said: 421 4.3.0 lmtpd:
failed to mmap /var/lib/imap/deliver.db.NEW file (in reply to end of
DATA command))
Jan 12 11:31:06 myhost postfix/lmtp[19617]: 7AA7935B1FC: to=<user2#myhost.com>, relay=mail.myhost.com[/var/lib/imap/socket/lmtp], delay=2.7, delays=2/0.01/0/0.68, dsn=4.4.2, status=deferred (lost connection with mail.myhost.com[/var/lib/imap/socket/lmtp] while sending end of data
-- message may be sent more than once
Jan 12 11:31:07 myhost postfix/lmtp[19617]: 7AA7935B1FC: to=<user3#myhost.com>, relay=mail.myhost.com[/var/lib/imap/socket/lmtp], delay=2.7, delays=2/0.01/0/0.68, dsn=4.4.2, status=deferred (lost connection with mail.myhost.com[/var/lib/imap/socket/lmtp] while sending end of data
-- message may be sent more than once)
Currently mailq features a variety of messages in queue. An example of one of these:
7BBDF35B123 6162 Tue Jan 12 13:19:24 user#rambler.ru (delivery temporarily suspended: lost connection with mail.myhost.com[/var/lib/imap/socket/lmtp] while sending end of data -- message may be sent more than once) user4#myhost.com
-- 11667 Kbytes in 327 Requests.
I think that the main reason is described here:
lmtp: failed to mmap /var/lib/imap/deliver.db.NEW file
But, unfortunately, not been able to find a solution.
The problem was solved according to this recommendation: http://lists.kolab.org/pipermail/users-de/2015-May/001998.html
Stop Services cyrus-imap and postfix
Delete files deliver.db.NEW and deliver.db in the directory /var/lib/imap/
Start the services and the file deliver.db is automatically created
Restart the queue: postsuper -r ALL
Some of the letters delivered from the queue again.
Proposed cause: after installing and start services on the new server users download messages en masse in the format *.eml, downloaded from the last post. Perhaps these actions somehow overflowed index files.
P.S.: Unfortunately, the solution was temporary: the situation described above is repeated periodically :(
I find out my server is sending a spam. Spam is sent by postfix server. It has large queue of emails, that are going to be sent without my help. I cant understand which script is added these emails to postfix queue.
Now I have these questions:
How to determine what script is adding mails to postfix queue?
How to clear postfix queue from spam? (all emails are spam, there are no emails sent by me)
Why reports are recieved by user123? (user123 - is ubuntu user, not original, changed by security reason)
Report from /var/mail/user123:
From MAILER-DAEMON Tue Nov 11 04:01:47 2014
Return-Path: <>
X-Original-To: user123#ubuntu
Delivered-To: user123#ubuntu
Received: by ubuntu (Postfix)
id 8F0D227364; Mon, 10 Nov 2014 15:15:52 -0500 (EST)
Date: Mon, 10 Nov 2014 15:15:52 -0500 (EST)
From: MAILER-DAEMON#ubuntu (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: user123#ubuntu
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="C0BE92ECAB.1415650552/ubuntu"
Message-Id: <20141110201552.8F0D227364#ubuntu>
This is a MIME-encapsulated message.
--C0BE92ECAB.1415650552/ubuntu
Content-Description: Notification
Content-Type: text/plain; charset=us-ascii
This is the mail system at host ubuntu.
I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to postmaster.
If you do so, please include this problem report. You can
delete your own text from the attached returned message.
The mail system
<quirin.cyrille#orange.fr>: delivery temporarily suspended: host
smtp-in.orange.fr[80.12.242.9] refused to talk to me: 550 mwinf5c20 ME
Adresse IP source bloquee pour incident de spam. Client host blocked for
spamming issues. OFR006_102 Ref
http://csi.cloudmark.com/reset-request/?ip=74.218.214.24 [102]
--C0BE92ECAB.1415650552/ubuntu
Content-Description: Delivery report
Content-Type: message/delivery-status
Reporting-MTA: dns; ubuntu
X-Postfix-Queue-ID: C0BE92ECAB
X-Postfix-Sender: rfc822; user123#ubuntu
Arrival-Date: Wed, 5 Nov 2014 13:50:50 -0500 (EST)
Final-Recipient: rfc822; quirin.cyrille#orange.fr
Action: failed
Status: 4.0.0
Diagnostic-Code: X-Postfix; delivery temporarily suspended: host
smtp-in.orange.fr[80.12.242.9] refused to talk to me: 550 mwinf5c20 ME
Adresse IP source bloquee pour incident de spam. Client host blocked for
spamming issues. OFR006_102 Ref
http://csi.cloudmark.com/reset-request/?ip=74.218.214.24 [102]
--C0BE92ECAB.1415650552/ubuntu
Content-Description: Undelivered Message Headers
Content-Type: text/rfc822-headers
Return-Path: <user123#ubuntu>
Received: by ubuntu (Postfix, from userid 1006)
id C0BE92ECAB; Wed, 5 Nov 2014 13:50:50 -0500 (EST)
From: =?UTF-8?B?T25seSBDYXNpbm8=?= <only_casino#bingo-chips.us>
To: "MOIDU88480" <quirin.cyrille#orange.fr>
Subject: =?UTF-8?B?Qm9uam91ciBNT0lEVTg4NDgwLiBWZWdhcyBEYXlzIENhc2lubyAtIExhcyBWZWdhcyBzJ2ludml0ZSBjaGV6IHZvdXMgc3VyIFZlZ2FzIERheSBDYXNpbm8h?=
Content-Type: multipart/mixed; boundary="PHP-mixed-3b3472b0874837cf2218d941eec5b6d8"
Message-Id: <20141105185050.C0BE92ECAB#ubuntu>
Date: Wed, 5 Nov 2014 13:50:50 -0500 (EST)
--C0BE92ECAB.1415650552/ubuntu--
Googling gives no result.
My google search queries could be wrong, but I really need to fix this problem.
So any help is appreciated.
If I can provide more useful information please ask it in comments.
P.S. Server is hosting magento and wordpress sites.
P.S.S. 74.218.214.24 - is IP of my dedicated server, not original. It was changed in this post due to security reason.
UPDATE
Some lines from /var/log/mail.log:
Nov 9 06:40:05 u17135818 postfix/smtp[10428]: 65EDE3C718: to=<mywookie#ymail.com>, relay=mta6.am0.yahoodns.net[98.136.216.25]:25, delay=7.7, delays=7.4/0/0.19/0.06, dsn=5.7.1, status=bounced (host mta6.am0.yahoodns.net[98.136.216.25] said: 553 5.7.1 [BL21] Connections will not be accepted from 74.218.214.24, because the ip is in Spamhaus's list; see http://postmaster.yahoo.com/550-bl23.html (in reply to MAIL FROM command))
Nov 9 06:40:05 u17135818 postfix/smtp[10428]: 65EDE3C718: lost connection with mta6.am0.yahoodns.net[98.136.216.25] while sending RCPT TO
Nov 9 06:40:05 u17135818 postfix/pickup[10080]: 1338B3ED4A: uid=1006 from=<user123>
Nov 9 06:40:05 u17135818 postfix/cleanup[12998]: 1338B3ED4A: message-id=<20141109114005.1338B3ED4A#ubuntu>
Nov 9 06:40:05 u17135818 postfix/cleanup[13261]: 133D53ED54: message-id=<20141109114005.133D53ED54#ubuntu>
Nov 9 06:40:05 u17135818 postfix/smtp[10424]: DECBB27368: to=<toshiki_6#hotmail.com>, relay=mx2.hotmail.com[207.46.8.199]:25, delay=9.6, delays=9.3/0.02/0.19/0.06, dsn=5.0.0, status=bounced (host mx2.hotmail.com[207.46.8.199] said: 550 OU-002 (BAY004-MC6F11) Unfortunately, messages from 74.218.214.24 weren't sent. Please contact your Internet service provider since part of their network is on our block list. You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors. (in reply to MAIL FROM command))
Nov 9 06:40:05 u17135818 postfix/smtp[12030]: EFA783D645: to=<festefaen#gmail.com>, relay=gmail-smtp-in.l.google.com[2607:f8b0:4001:c08::1b]:25, delay=7.3, delays=6.6/0/0.09/0.64, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[2607:f8b0:4001:c08::1b] said: 550-5.7.1 [2607:f1c0:841:fe00::66:d8fd 12] Our system has detected that 550-5.7.1 this message is likely unsolicited mail. To reduce the amount of spam 550-5.7.1 sent to Gmail, this message has been blocked. Please visit 550-5.7.1 http://support.google.com/mail/bin/answer.py?hl=en&answer=188131 for 550 5.7.1 more information. sd5si10854734igb.33 - gsmtp (in reply to end of DATA command))
...
Nov 11 04:01:54 u17135818 postfix/smtp[17765]: E01792762C: host mx1.free.fr[212.27.48.6] said: 451 too many errors detected from your IP (74.218.214.24), please visit http://postmaster.free.fr/ (in reply to DATA command)
Nov 11 04:01:54 u17135818 postfix/smtp[17797]: 953592B312: host cluster1.eu.messagelabs.com[85.158.143.99] refused to talk to me: 450 Requested action aborted [7.2] 21614, please visit www.messagelabs.com/support for more details about this error message.
Nov 11 04:01:54 u17135818 postfix/qmgr[17712]: C7D883257C: from=<user123#ubuntu>, status=expired, returned to sender
Nov 11 04:01:54 u17135818 postfix/qmgr[17712]: 0799A259AD: removed
Nov 11 04:01:54 u17135818 postfix/qmgr[17712]: 90F4332280: removed
Nov 11 04:01:54 u17135818 postfix/qmgr[17712]: 67B8B2E7C7: from=<user123#ubuntu>, status=expired, returned to sender
Nov 11 04:01:54 u17135818 postfix/qmgr[17712]: 9063532F5D: removed
Nov 11 04:01:54 u17135818 postfix/qmgr[17712]: EE4222A874: removed
Nov 11 04:01:54 u17135818 postfix/smtp[17724]: 61C22360A0: to=<lgennuso#princetonhcs.org>, relay=smtp4.princetonhcs.org[209.123.81.114]:25, delay=381492, delays=381485/5.6/0.59/0, dsn=4.5.0, status=deferred (host smtp4.princetonhcs.org[209.123.81.114] refused to talk to me: 550 5.5.0 74.218.214.24 is blacklisted by FortiGuard. This email from IP has been rejected. The email message was detected as spam.)
Nov 11 04:01:54 u17135818 postfix/smtp[17800]: 61B3A3AD2C: to=<bigboy#starbucks.org>, relay=none, delay=259892, delays=259884/2.2/5.5/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=starbucks.org type=MX: Host not found, try again)
Nov 11 04:01:54 u17135818 postfix/smtp[17787]: CD3312175D: host mx1.free.fr[212.27.48.7] said: 451 too many errors detected from your IP (74.218.214.24), please visit http://postmaster.free.fr/ (in reply to DATA command)
Nov 11 04:01:54 u17135818 postfix/smtp[17819]: 780C624266: to=<max.charlene#aliceadsl.fr>, relay=mx1.free.fr[212.27.48.7]:25, conn_use=5, delay=227385, delays=227377/6.5/0.66/0.34, dsn=4.0.0, status=deferred (host mx1.free.fr[212.27.48.7] said: 451 too many errors detected from your IP (74.218.214.24), please visit http://postmaster.free.fr/ (in reply to DATA command))
Nov 11 04:01:54 u17135818 postfix/smtp[17778]: CE12E26756: to=<rcataldo#laposte.net>, relay=smtpz4.laposte.net[194.117.213.1]:25, delay=133031, delays=133023/6.5/0.79/0.27, dsn=5.0.1, status=bounced (host smtpz4.laposte.net[194.117.213.1] said: 501 5.0.1 Emetteur invalide. Invalid Sender. LPN007_405 (in reply to MAIL FROM command))
It looks like one service or software triggering this mails. You can block all outgoing mails frompostfix by using the mail relaying options for external domains, this is possible if you don't want to send any mails from your machine.
You can check the maillog file inside /var/log - that will give the more details, also check the command mailq to see how many mails are pending.
Update:-
Do you allowed any of other people in your network to send mail through your machine ?, then you can suspect that case. Few things I can notice from the log is that -
The mail being rejected by the receiver end saying your public IP is flooding mails.
If these mails are coming periodically and not from any of other machines in your network, then you have to find out which process or application doing this. For that you have to use the tcpdump and monitor for the TCP packets. From that you can see that, the mail client first pushing the mail to your local postfix server, then that's being forwarded to the target mail server.
This is the way I can see to find out which application sending mails from your computer.
Hope this will help you to figure out the culprit.
In context with the title i have the following setup:
I own a hostname, lets say: my_hostname.com
The A record of my_hostname.com points to my home ip using dynamic dns, lets say: 50.50.50.50
My home router forwards ports to my homeserver: 80 & 22
the MX records of my_hostame.com point to: my_personal_hash.pamx1.hotmail.com
Within this outlook account i have a subaccount: my_name#my_hostname.com
and this all works great, i can use my_hostname.com to ssh to my homeserver, use my own webinterface and receive mail on my_name#my_hostname.com on the servers from microsoft which always has one online.
But now the following:
my homeserver generates local mail. This with the use of crontab and people trying to guess my sudo password (just people at my place so not such a big deal). This is all placed in var/mail/my_name and i'm trying to forward these mails to my_name#my_hostname.com with postfix. (i have also tried my_name#google.com) but it all fails to get my mail out.
I know that my mail is probably rejected because i use a home server to send mail but how do i get around this.
This is my /etc/postfix/main.cf file:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = my_hostname.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost
relayhost =
mynetworks = 127.0.0.0/8, 192.168.1.0/30
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = loopback-only
inet_protocols = all
default_transport = error
relay_transport = error
virtual_maps = hash:/etc/postfix/virtual, regexp:/etc/postfix/virtual-regexp
In virtual-regexp is a forward to one of both tried mail addresses. after sending a test mail with "mail send" to my_name#localhost, the /var/log/mail.info generates the folowing:
Jan 7 18:44:47 homeserver postfix/pickup[7729]: 707C111FDEA: uid=0 from=<root>
Jan 7 18:44:47 homeserver postfix/cleanup[7960]: 707C111FDEA: message-id= <20140107174447.707C111FDEA#my_hostname.com>
Jan 7 18:44:47 homeserver postfix/qmgr[3769]: 707C111FDEA: from= <root#homeserver.my_hostname.com>, size=329, nrcpt=2 (queue active)
Jan 7 18:44:47 homeserver postfix/error[7962]: 707C111FDEA: to= <my_name#my_hostname.com>, orig_to=<my_name#localhost>, relay=none, delay=0.06, delays=0.04/0/0/0.02, dsn=5.0.0, status=bounced (my_hostname.com)
Jan 7 18:44:47 homeserver postfix/error[7962]: 707C111FDEA: to= <my_name#my_hostname.com>, orig_to=<make>, relay=none, delay=0.07, delays=0.04/0/0/0.03, dsn=5.0.0, status=bounced (my_hostname.com)
Jan 7 18:44:47 homeserver postfix/cleanup[7960]: 805CB11FDF6: message-id=<20140107174447.805CB11FDF6#my_hostname.com>
Jan 7 18:44:47 homeserver postfix/bounce[7963]: 707C111FDEA: sender non-delivery notification: 805CB11FDF6
Jan 7 18:44:47 homeserver postfix/qmgr[3769]: 805CB11FDF6: from=<>, size=2359, nrcpt=1 (queue active)
Jan 7 18:44:47 homeserver postfix/qmgr[3769]: 707C111FDEA: removed
Jan 7 18:44:47 homeserver postfix/error[7962]: 805CB11FDF6: to=<my_name#my_hostname.com>, orig_to=<root#homeserver.my_hostname.com>, relay=none, delay=0.05, delays=0.03/0/0/0.02, dsn=5.0.0, status=bounced (my_hostname.com)
Jan 7 18:44:47 homeserver postfix/qmgr[3769]: 805CB11FDF6: removed
What major mistake am i making and how do i get my internal generated mail into my webmail?
Ok, so with some research I found my answer.
To start, I made two mistakes. The first one was actually pretty obvious after looking everything over a few times. Just by removing:
default_transport = error
relay_transport = error
The first problem was solved but then i was left with:
Jan 8 10:13:55 homeserver postfix/smtp[12914]: B62C311FE09: to=<my_name#gmail.com>, orig_to=<my_name#localhost>, relay=none, delay=1588, delays=1438/0.01/150/0, dsn=4.4.1, status=deferred (connect to alt4.gmail-smtp-in.l.google.com[174.193.63.25]:25: Connection timed out)
when i was forwarding to my gmail account. Also forwarding to my_name#my_domain.com generated the connection time out.
After googling around, I found in this topic that my ISP might be blocking outgoing port 25 traffic. This can be verified using:
telnet aspmx.l.google.com 25
if it does not generate Connected to aspmx.l.google.com but a timeout after half a minute or so than your ISP is blocking your outgoing traffic. {don't forget installing telnet before using it ;) }.
And this was my second problem. Luckily I broke my neck less hard by solving this one.
By redirecting through a secure connection using port 587 I was able to send mail. To do this I used this post and a new google account for my server. I am not going to retype the whole post so just click it and read it if it finds your interest. I also removed the virtual-regexp file and linker to be compatible.
Now I send mail from my home server through my_server_name#gmail.com to my_name#my_hostname.com through port 587 and it all works great!
Jan 8 12:09:28 homeserver postfix/smtp[14135]: 6402811FE19: to=<my_name#my_hostname.com>, orig_to=<my_name#localhost>, relay=smtp.gmail.com[173.194.65.109]:587, delay=7063, delays=7061/0.04/0.58/1.4, dsn=2.0.0, status=sent (250 2.0.0 OK 1389179378 v7sm188296448eel.2 - gsmtp)
I'm so happy :)
Please vote up if this helped you of any kind.