I am having issues relaying SMTP emails to remote domains in MailEnable, and need some assistance identifying what exactly I am missing in the server setup.
My setup was actually working fine until yesterday when I added an SPF record to the DNS setup of the server. Then starting last night (the next time the system tried to send automated emails), the emails to remote addresses began failing. From what I can tell, I am authenticating on the inbound portion of the SMTP call, but when it tries to connect outbound to send the message to the other server it acts like I have not authenticated.
Background: This is my own server, leased from a hosting company. I have access to all settings for the site in IIS/Plesk/MailEnable. Every time my custom-written VB.NET application tries to send an email to another address on my own domain, it works fine. Every time my app tries to send the same email to an address on a remote domain, I receive an email back from POSTMASTER@mydomain.com with the following:
MailEnable: Message could not be delivered to some recipients.
The following recipient(s) could not be reached:
Recipient: [SMTP:user#otherdomain.com]
Reason: 551 This mail server requires authentication before sending mail from a locally hosted domain. Please reconfigure your mail client to authenticate before sending mail.
I have a simple VB.NET test program I have written to try to debug this:
' Sender and reply-to use the same mailbox that is used for SMTP AUTH below
Dim replyTo As New System.Net.Mail.MailAddress("no-reply@mydomain.com", "MyUser")
Dim subject As String = "Test subject"
Dim SendTo As String = "user@otherdomain.com"
Dim body As String = "This is the email."
Dim message As New System.Net.Mail.MailMessage()
message.From = New System.Net.Mail.MailAddress("no-reply@mydomain.com", "MyUser")
message.To.Add(SendTo)   ' remote recipient (the one that bounces)
message.ReplyToList.Add(replyTo)
message.BodyEncoding = System.Text.Encoding.ASCII
message.IsBodyHtml = True
message.Subject = subject
message.Bcc.Add("mydomainBCC@mydomain.com")   ' local recipient (delivers fine)
message.Body = body
' Submit on port 587 with explicit credentials; UseDefaultCredentials must be
' set to False before Credentials is assigned, or the credentials are discarded
Dim smtp As New System.Net.Mail.SmtpClient("mydomain.com")
Dim smtpCredential As New System.Net.NetworkCredential("no-reply@mydomain.com", "password")
smtp.UseDefaultCredentials = False
smtp.Credentials = smtpCredential
smtp.Port = 587
smtp.Send(message)
In MailEnable, I have:
1. Activated port 587 and checked the box requiring authentication before allowing the submission through the port. Again, the above program works (through port 587) when I send to an address @mydomain.com, but still fails for anything sent to @otherdomain.com.
2. Under the Relay tab, added entries in the "Allow relay for privileged IP ranges" option for each of 127.0.0.1, the internal network IP address of the server, and the external IP address of the server. (The option to allow relay for Authenticated Users was already checked and is still checked.)
For completeness, here is the SPF record that was set up in the DNS yesterday:
v=spf1 a mx ipv4:75.XX.XX.XX include:_spf.google.com -all
MailEnable also created a file on the root drive of the server called SMTP-IN-TOP.TXT that logs the top count of authentications that come in, and I see all of my attempts counted in this file:
Recent Top Users Authentications During Previous Hour
no-reply#mydomain.com 4
And finally, here are the activity and debug logs from MailEnable showing one of the transaction attempts:
Activity:
09/01/13 15:07:26 SMTP-IN 5300BA9154CC413AAD202DE4FBA6CB71.MAI 596 75.XX.XX.XX 220 mydomain.com ESMTP MailEnable Service, Version: 7.0-- ready at 09/01/13 15:07:26 0 0
09/01/13 15:07:26 SMTP-IN 5300BA9154CC413AAD202DE4FBA6CB71.MAI 596 75.XX.XX.XX EHLO EHLO mydomain-web-01 250-mydomain.com [75.XX.XX.XX], this server offers 4 extensions 127 21
09/01/13 15:07:26 SMTP-IN 5300BA9154CC413AAD202DE4FBA6CB71.MAI 596 75.XX.XX.XX AUTH {blank} 334 UGFzc3dvcmQ6 18 41 no-reply#mydomain.com
09/01/13 15:07:26 SMTP-IN 5300BA9154CC413AAD202DE4FBA6CB71.MAI 596 75.XX.XX.XX AUTH d29iVFY= 235 Authenticated 19 10 no-reply#mydomain.com
09/01/13 15:07:26 SMTP-IN 5300BA9154CC413AAD202DE4FBA6CB71.MAI 596 75.XX.XX.XX MAIL MAIL FROM:<no-reply#mydomain.com> 250 Requested mail action okay, completed 43 34 no-reply#mydomain.com
09/01/13 15:07:26 SMTP-IN 5300BA9154CC413AAD202DE4FBA6CB71.MAI 596 75.XX.XX.XX RCPT RCPT TO:<adam.taylor#otherdomain.com> 250 Requested mail action okay, completed 43 36 no-reply#mydomain.com
09/01/13 15:07:26 SMTP-IN 5300BA9154CC413AAD202DE4FBA6CB71.MAI 596 75.XX.XX.XX RCPT RCPT TO:<mydomainBCC#mydomain.com> 250 Requested mail action okay, completed 43 34 no-reply#mydomain.com
09/01/13 15:07:26 SMTP-IN 5300BA9154CC413AAD202DE4FBA6CB71.MAI 596 75.XX.XX.XX DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 46 6 no-reply#mydomain.com
09/01/13 15:07:27 SMTP-OU D65C7059FE274FBCBA296953ABA4221F.MAI 780 50.XX.XX.XX CONN 220 recipientserver.com ESMTP MailEnable Service, Version: 6.53-- ready at 09/01/13 15:07:26 0 86
09/01/13 15:07:27 SMTP-OU D65C7059FE274FBCBA296953ABA4221F.MAI 780 50.XX.XX.XX EHLO EHLO mydomain.com 250-recipientserver.com [75.XX.XX.XX], this server offers 4 extensions 18 127
09/01/13 15:07:27 SMTP-OU D65C7059FE274FBCBA296953ABA4221F.MAI 780 50.XX.XX.XX MAIL MAIL FROM:<no-reply#mydomain.com> SIZE=423 551 This mail server requires authentication before sending mail from a locally hosted domain. Please reconfigure your mail client to authenticate before sending mail. 43 169
09/01/13 15:07:27 SMTP-OU D65C7059FE274FBCBA296953ABA4221F.MAI 780 50.XX.XX.XX QUIT QUIT 221 Service closing transmission channel 6 42
09/01/13 15:07:28 SMTP-IN 8E182A43292745538949A1160E407982.MAI 780 127.0.0.1 220 mydomain.com ESMTP MailEnable Service, Version: 7.0-- ready at 09/01/13 15:07:28 0 0
09/01/13 15:07:28 SMTP-OU D65C7059FE274FBCBA296953ABA4221F.MAI 576 127.0.0.1 CONN 220 mydomain.com ESMTP MailEnable Service, Version: 7.0-- ready at 09/01/13 15:07:28 0 85
09/01/13 15:07:28 SMTP-IN 8E182A43292745538949A1160E407982.MAI 780 127.0.0.1 EHLO EHLO mydomain.com 250-mydomain.com [127.0.0.1], this server offers 4 extensions 123 18
09/01/13 15:07:28 SMTP-OU D65C7059FE274FBCBA296953ABA4221F.MAI 576 127.0.0.1 EHLO EHLO mydomain.com 250-mydomain.com [127.0.0.1], this server offers 4 extensions 18 123
09/01/13 15:07:28 SMTP-IN 8E182A43292745538949A1160E407982.MAI 780 127.0.0.1 MAIL MAIL FROM:<> SIZE=1052 250 Requested mail action okay, completed 43 24
09/01/13 15:07:28 SMTP-OU D65C7059FE274FBCBA296953ABA4221F.MAI 576 127.0.0.1 MAIL MAIL FROM:<> SIZE=1052 250 Requested mail action okay, completed 24 43
09/01/13 15:07:28 SMTP-IN 8E182A43292745538949A1160E407982.MAI 780 127.0.0.1 RCPT RCPT TO:<no-reply#mydomain.com> 250 Requested mail action okay, completed 43 32
09/01/13 15:07:28 SMTP-OU D65C7059FE274FBCBA296953ABA4221F.MAI 576 127.0.0.1 RCPT RCPT TO:<no-reply#mydomain.com> 250 Requested mail action okay, completed 32 43
09/01/13 15:07:28 SMTP-IN 8E182A43292745538949A1160E407982.MAI 780 127.0.0.1 DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 46 6
09/01/13 15:07:28 SMTP-OU D65C7059FE274FBCBA296953ABA4221F.MAI 576 127.0.0.1 DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 6 46
09/01/13 15:07:28 SMTP-OU D65C7059FE274FBCBA296953ABA4221F.MAI 576 127.0.0.1 DATE 250 Requested mail action okay, completed 1063 43
09/01/13 15:07:28 SMTP-IN 05D1026706304C7F941CD6348057CC71.MAI 780 127.0.0.1 QUIT QUIT 221 Service closing transmission channel 42 6
09/01/13 15:07:28 SMTP-OU D65C7059FE274FBCBA296953ABA4221F.MAI 576 127.0.0.1 QUIT QUIT 221 Service closing transmission channel 6 42
Debug:
09/01/13 15:07:26 ME-I0135: Authenticating User:no-reply#mydomain.com using Authentication Provider Credentials
09/01/13 15:07:26 ME-I0107: [596] Relay Granted: Sender IP (75.xx.xx.xx) is within an authorized IP range.
09/01/13 15:07:26 ME-I0101: [596] Local Delivery: Address ([SMTP:mydomainBCC#mydomain.com]) is local.
09/01/13 15:07:26 ME-I0149: [596] 5300BA9154CC413AAD202DE4FBA6CB71.MAI was received successfully and delivery thread was initiated
09/01/13 15:07:26 ME-E0070: (recv) socket [596] error during [DATA] command from host 75.xx.xx.xx. Socket was disconnected - Error: (10054)
09/01/13 15:07:26 ME-I0074: [596] (Debug) End of conversation
09/01/13 15:07:27 ME-I0018: [2B8847ABCC1242EDBF3417D32DA6DB59.MAI] Outbound message from ([SMTP:no-reply#mydomain.com]) requeued as [D65C7059FE274FBCBA296953ABA4221F.MAI] to the target domain [otherdomain.com]
09/01/13 15:07:27 ME-I0123: Domain [otherdomain.com] has MX list [mail.otherdomain.com]
09/01/13 15:07:27 ME-I0026: [D65C7059FE274FBCBA296953ABA4221F.MAI] Sending message
09/01/13 15:07:27 ME-IXXXX: [D65C7059FE274FBCBA296953ABA4221F.MAI] DNS resolved to the following record: IP Address=50.XX.XX.XX, Family=2, Type=1, Protocol=6
09/01/13 15:07:27 ME-IXXXX: [D65C7059FE274FBCBA296953ABA4221F.MAI] Remote server returned a response indicating a permanent error. Server Response: (551 This mail server requires authentication before sending mail from a locally hosted domain. Please reconfigure your mail client to authenticate before sending mail.**)
09/01/13 15:07:27 ME-E0036: [D65C7059FE274FBCBA296953ABA4221F.MAI] MAIL FROM command Failed.
09/01/13 15:07:27 ME-E0008: [D65C7059FE274FBCBA296953ABA4221F.MAI] Outbound, could not send the command to the server (error 10038).
09/01/13 15:07:27 ME-E0060: [D65C7059FE274FBCBA296953ABA4221F.MAI] - Message could not be delivered to target domain (otherdomain.com). Message returned to Sender.
09/01/13 15:07:28 ME-I0119: Domain [mydomain.com] has used local loopback address [127.0.0.1] because it is hosted locally.
09/01/13 15:07:28 ME-I0026: [D65C7059FE274FBCBA296953ABA4221F.MAI] Sending message
09/01/13 15:07:28 ME-IXXXX: [D65C7059FE274FBCBA296953ABA4221F.MAI] DNS resolved to the following record: IP Address=127.0.0.1, Family=2, Type=1, Protocol=0
09/01/13 15:07:28 ME-I0101: [780] Local Delivery: Address ([SMTP:no-reply#mydomain.com]) is local.
09/01/13 15:07:28 ME-I0149: [780] 8E182A43292745538949A1160E407982.MAI was received successfully and delivery thread was initiated
09/01/13 15:07:28 ME-I0049: [D65C7059FE274FBCBA296953ABA4221F.MAI] Send Completed Successfully
09/01/13 15:07:28 ME-I0074: [780] (Debug) End of conversation
OK, found the problem. The "external" address I was using to test the problem is actually on the old server that our website was on prior to moving to this dedicated server. Apparently the site/mail setup on that server for our site was never removed once we moved off of it. So when sending from our new server to an address still hosted on that old server, the old server interpreted the email as coming from an internal address that was not authenticated.
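When reading a MailEnable activity log like the one above, the useful question is which session produced the 4xx/5xx reply: the inbound submission (SMTP-IN) or the outbound delivery to the remote MX (SMTP-OU). The following Python script is an added example, not part of the original question; it groups activity-log lines by message ID and reports, per message, whether AUTH succeeded and which peer rejected which command. The field layout and the sample lines are assumptions modeled on the log format shown above (placeholder hosts and RFC 5737 addresses).

```python
"""Correlate MailEnable SMTP activity-log lines by message ID so that an
inbound AUTH result and an outbound rejection can be told apart."""
import re
from collections import defaultdict

# A reply-code token: "235", or the multi-line form "250-mydomain.example".
CODE_RE = re.compile(r"^(\d{3})(?:-(.*))?$")
INT_RE = re.compile(r"^\d+$")

# Constructed sample, modeled on the activity log in the question above.
SAMPLE_LOG = """\
09/01/13 15:07:26 SMTP-IN AAAA1111.MAI 596 198.51.100.10 220 mydomain.example ESMTP MailEnable Service, Version: 7.0-- ready at 09/01/13 15:07:26 0 0
09/01/13 15:07:26 SMTP-IN AAAA1111.MAI 596 198.51.100.10 EHLO EHLO app-host 250-mydomain.example [198.51.100.10], this server offers 4 extensions 127 21
09/01/13 15:07:26 SMTP-IN AAAA1111.MAI 596 198.51.100.10 AUTH {blank} 334 UGFzc3dvcmQ6 18 41 no-reply@mydomain.example
09/01/13 15:07:26 SMTP-IN AAAA1111.MAI 596 198.51.100.10 AUTH xxxx 235 Authenticated 19 10 no-reply@mydomain.example
09/01/13 15:07:26 SMTP-IN AAAA1111.MAI 596 198.51.100.10 RCPT RCPT TO:<user@otherdomain.example> 250 Requested mail action okay, completed 43 36 no-reply@mydomain.example
09/01/13 15:07:27 SMTP-OU BBBB2222.MAI 780 203.0.113.25 CONN 220 mx.otherdomain.example ESMTP ready 0 86
09/01/13 15:07:27 SMTP-OU BBBB2222.MAI 780 203.0.113.25 MAIL MAIL FROM:<no-reply@mydomain.example> SIZE=423 551 This mail server requires authentication before sending mail from a locally hosted domain. 43 169
09/01/13 15:07:27 SMTP-OU BBBB2222.MAI 780 203.0.113.25 QUIT QUIT 221 Service closing transmission channel 6 42
"""


def parse_line(line):
    """Return (direction, msgid, peer, command, code, text) or None.

    Assumed field layout of a MailEnable activity-log line:
    date time direction msgid thread peer-ip [verb args...] code text... counters [user]
    """
    tok = line.split()
    if len(tok) < 7 or tok[2] not in ("SMTP-IN", "SMTP-OU"):
        return None
    direction, msgid, peer = tok[2], tok[3], tok[5]
    rest = tok[6:]
    code_idx = next((i for i, t in enumerate(rest) if CODE_RE.match(t)), None)
    if code_idx is None:
        return None
    m = CODE_RE.match(rest[code_idx])
    command = rest[0] if code_idx > 0 else ""  # greeting lines carry no verb
    tail = rest[code_idx + 1:]
    # Trailing fields: byte counters, then (SMTP-IN only) the authenticated user.
    if tail and ("@" in tail[-1] or "#" in tail[-1]):
        tail = tail[:-1]
    for _ in range(2):
        if tail and INT_RE.match(tail[-1]):
            tail = tail[:-1]
    text = " ".join(([m.group(2)] if m.group(2) else []) + tail)
    return direction, msgid, peer, command, int(m.group(1)), text


def diagnose(lines):
    """Per message ID: direction, peer, whether AUTH returned 235, and every
    command that drew a 4xx/5xx reply (with the peer that sent it)."""
    report = defaultdict(lambda: {"direction": None, "peer": None,
                                  "authenticated": False, "failures": []})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        direction, msgid, peer, command, code, text = ev
        entry = report[msgid]
        entry["direction"], entry["peer"] = direction, peer
        if command == "AUTH" and code == 235:
            entry["authenticated"] = True
        if code >= 400:
            entry["failures"].append((command, code, peer, text))
    return dict(report)


if __name__ == "__main__":
    for msgid, entry in diagnose(SAMPLE_LOG.splitlines()).items():
        print(msgid, entry["direction"], entry["peer"],
              "auth=%s" % entry["authenticated"])
        for command, code, peer, text in entry["failures"]:
            print("   %s -> %d from %s: %s" % (command, code, peer, text))
```

On the sample, the inbound session shows AUTH 235 and no failures, while the 551 is attached to the outbound session and its peer, i.e. the remote MX issued it, which is the distinction the author eventually found by hand.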
Related
Short version: What can be done to prevent emails being sent from our SMTP mail server using fake accounts that do not really exist in the domain?
Longer version: We use Plesk to manage our site hosted on a Windows VPS. By enabling SMTP logging on MailEnable, I notice that a lot of emails are being sent with accounts that do not exist in the domain. I reproduce below a small portion of the log. Here stolav-gw4@ourDomain.com, tango@ourDomain.com are accounts that do not exist in our domain. What can be done to prevent such emails from being sent?
Things I have already tried that haven't stopped these:
I already have set the SPF record entry. The entry is: v=spf1 a mx -all
I have changed all the passwords. That hasn't helped.
I have enabled DKIM
I ran the following virus/malware detectors and they found nothing: VirusTotal Website Check, MSERT.exe from Microsoft, MSRT.exe from Microsoft
2021-02-17 06:00:02 212.70.149.71 SMTP-IN - our.ip.address.here 1228 AUTH {blank} 334+UGFzc3dvcmQ6 WIN-DFQOE4PNR36 18 38 stolav-gw4#ourDomain.com
2021-02-17 06:00:03 212.70.149.71 SMTP-IN - 104.128.234.235 1296 RSET RSET 250+Requested+mail+action+okay,+completed WIN-DFQOE4PNR36 43 6 -
2021-02-17 06:00:03 212.70.149.85 SMTP-IN - 104.128.234.235 1448 QUIT QUIT 221+Service+closing+transmission+channel WIN-DFQOE4PNR36 42 6 tango#ourDomain.com
2021-02-17 06:00:04 87.246.7.242 SMTP-IN - our.ip.address.here 1876 EHLO EHLO+User 250-ourDomain.com+[87.246.7.242],+this+server+offers+5+extensions WIN-DFQOE4PNR36 242 11 -
2021-02-17 06:00:04 212.70.149.85 SMTP-IN - our.ip.address.here 1848 AUTH {blank} 334+UGFzc3dvcmQ6 WIN-DFQOE4PNR36 18 34 tango#ourDomain.com
2021-02-17 06:00:04 212.70.149.71 SMTP-IN - our.ip.address.here 1228 AUTH c3RvbGF2LWd3NEAxMjM= 535+Invalid+Username+or+Password WIN-DFQOE4PNR36 34 22 stolav-gw4#ourDomain.com
2021-02-17 06:00:04 212.70.149.71 SMTP-IN - 104.128.234.235 1296 AUTH AUTH+LOGIN 334+VXNlcm5hbWU6 WIN-DFQOE4PNR36 18 12 -
2021-02-17 06:00:05 87.246.7.242 SMTP-IN - our.ip.address.here 1876 RSET RSET 250+Requested+mail+action+okay,+completed WIN-DFQOE4PNR36 43 6 -
2021-02-17 06:00:05 212.70.149.71 SMTP-IN - our.ip.address.here 1228 QUIT QUIT 221+Service+closing+transmission+channel WIN-DFQOE4PNR36 42 6 stolav-gw4#ourDomain.com
2021-02-17 06:00:05 212.70.149.85 SMTP-IN - our.ip.address.here 1848 AUTH Y3Zibm0xMjM= 535+Invalid+Username+or+Password WIN-DFQOE4PNR36 34
Start using a proper DMARC record in your DNS: https://www.linuxbabe.com/mail-server/create-dmarc-record
You would probably want the reject policy: "reject: tells receiving email servers to reject the email if the DMARC check fails".
Might want to read all the parts on that site. I used it once to set up my mail server and it's very informative.
That IP that abuses your mail is known for doing that. My logs:
Mar 25 04:34:12 main postfix/smtps/smtpd[35405]: warning: unknown[212.70.149.71]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 25 04:34:18 main postfix/smtps/smtpd[35405]: lost connection after AUTH from unknown[212.70.149.71]
Mar 25 04:34:18 main postfix/smtps/smtpd[35405]: disconnect from unknown[212.70.149.71] ehlo=1 auth=0/1 rset=1 commands=2/3
Mar 25 04:35:27 main postfix/smtps/smtpd[35405]: connect from unknown[212.70.149.71]
Mar 25 04:35:37 main postfix/smtps/smtpd[35405]: Anonymous TLS connection established from unknown[212.70.149.71]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 25 04:36:05 main postfix/smtps/smtpd[35405]: warning: unknown[212.70.149.71]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 25 04:36:10 main postfix/smtps/smtpd[35405]: lost connection after AUTH from unknown[212.70.149.71]
Mar 25 04:36:10 main postfix/smtps/smtpd[35405]: disconnect from unknown[212.70.149.71] ehlo=1 auth=0/1 rset=1 commands=2/3
Mar 25 04:37:20 main postfix/smtps/smtpd[35405]: connect from unknown[212.70.149.71]
Mar 25 04:37:30 main postfix/smtps/smtpd[35405]: Anonymous TLS connection established from unknown[212.70.149.71]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 25 04:37:58 main postfix/smtps/smtpd[35405]: warning: unknown[212.70.149.71]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Which is repeated many, many times. No e-mails are sent from that IP, though.
Tried blocking that IP in the firewall, but that didn't seem to work :? I would like to know why, though, so if anyone knows, please let me know!
Information about it may be on one of those pages. Not sure because it's been a while, and don't have the time myself at this precise moment to check it out.
You can use 3rd party programs:
RdpGuard detects and blocks invalid connection attempts (RDP, SMTP, POP ...) using Windows firewall
gykkSPAM (antispam filter) filters incoming and outgoing emails using local postoffices and authentication types
I have a small texting service that is not blacklisted by Cloudmark, Barracuda, nor 100+ other respected anti-spam entities, yet after roughly 1000 deliveries to the vzwpix.com domain, possible grey listing is happening? Also have exim.pl and exim.conf randomize 3 IPs for outgoing delivery only. SPF and DKIM are correct through all IPs for reputation status. I searched for 2 weeks and found little; the last resort is to contact cloudfilter aka Cloudmark. Thanks for your input; not a huge deal at the moment.
PS: IP reputation status clear since May '17
Connecting to smtpin01-mms.vzw.a.cloudfilter.net [52.205.80.105]:25 from my.mailserver.ip.address ... connected
SMTP<< 220 vzw-ibgw-5003a.stratus.cloudmark.com cmsmtp ESMTP server ready
SMTP>> EHLO mail.mydomain.com
SMTP<< 250-vzw-ibgw-5003a.stratus.cloudmark.com hello [my.mailserver.ip.address], pleased to meet you
250-HELP
250-SIZE 30000000
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-STARTTLS
250 OK
SMTP>> STARTTLS
SMTP<< 220 2.0.0 Ready to start TLS
SMTP>> EHLO mail.mydomain.com
SMTP<< 250-vzw-ibgw-5003a.stratus.cloudmark.com hello [my.mailserver.ip.address], pleased to meet you
250-HELP
250-SIZE 30000000
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 OK
SMTP>> MAIL FROM:<customer#mydomain.com> SIZE=1946
SMTP<< 452 4.1.0 <customer#mydomain.com> requested action aborted: try again later
LOG: MAIN
SMTP error from remote mail server after MAIL FROM:<customer#mydomain.com> SIZE=1946: 452 4.1.0 <customer#mydomain.com> requested action aborted: try again later
SMTP>> QUIT
SMTP(close)>>
I have Plesk 12.5.30 on my server, which is often blacklisted on Symantec Mail Security reputation.
The IP is new (I purchased the server on 13.02.2017).
Also my IP is blacklisted on BACKSCATTERER.
Looking at the postfix log, I have a lot of entries like
Mar 22 14:51:43 server postfix/smtpd[14204]: connect from 75-143-80-240.dhcp.aubn.al.charter.com[75.143.80.240]
Mar 22 14:51:45 server postfix/smtpd[14204]: lost connection after EHLO from 75-143-80-240.dhcp.aubn.al.charter.com[75.143.80.240]
Mar 22 14:51:45 server postfix/smtpd[14204]: disconnect from 75-143-80-240.dhcp.aubn.al.charter.com[75.143.80.240]
Mar 22 14:51:50 server postfix/smtpd[14204]: connect from 128.128.72.76.cable.dhcp.goeaston.net[76.72.128.128]
Mar 22 14:51:51 server postfix/smtpd[14204]: lost connection after EHLO from 128.128.72.76.cable.dhcp.goeaston.net[76.72.128.128]
Mar 22 14:51:51 server postfix/smtpd[14204]: disconnect from 128.128.72.76.cable.dhcp.goeaston.net[76.72.128.128]
Mar 22 14:52:19 server postfix/smtpd[14204]: connect from mail.dedeckeraccountants.be[91.183.46.186]
Mar 22 14:52:19 server postfix/smtpd[14204]: disconnect from mail.dedeckeraccountants.be[91.183.46.186]
I have:
Changed the SMTP port to a non-standard one (9456)
Installed a firewall and fail2ban on Plesk and set them up as in the image
Set the mail settings of Plesk as in the image
Installed SpamAssassin
I have also noticed that some days ago I had lines in the log like these:
Mar 19 06:47:00 server postfix/smtp[13517]: CCC1C510023D: to=<229e7dc3183452c7d3290d1ba28f073e#www.lablue.de>, relay=none, delay=235637, delays=235636/0.05/0.09/0, dsn=4.4.1, status=deferred (connect to www.lablue.de[217.22.195.26]:25: Connection refused)
Mar 19 06:47:00 server postfix/smtp[13503]: 7EDD55100138: to=<Weber226#brockel.kirche-rotenburg.de>, relay=kirche-rotenburg-verden.de[136.243.213.122]:25, delay=239980, delays=239979/0.01/0.35/0.1, dsn=4.0.0, status=deferred (host kirche-rotenburg-verden.de[136.243.213.122] said: 451 Temporary local problem - please try later (in reply to RCPT TO command))
Mar 19 06:47:00 server postfix/smtp[13504]: 97B055100233: to=<office#angerlehner.at>, relay=none, delay=222922, delays=222922/0.01/0.64/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=angerlehner.at type=MX: Host not found, try again)
Mar 19 06:47:00 server postfix/smtp[13509]: 1E15F510019B: host mx1.leventboru.com.tr[89.19.1.69] said: 450 4.7.1 Recipient address rejected: Requested action not taken: mailbox unavailable or not local (in reply to RCPT TO command)
And I noticed a very long mail queue in the Plesk settings (I have deleted all mail in the queue).
Any advice to block this attack?
Thanks in advance
Edit: I want to share my plesk-postfix settings:
[plesk-postfix]
enabled = true
filter = postfix-sasl
action = iptables-multiport[name="plesk-postfix", port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
logpath = /var/log/maillog
maxretry = 2
Is there something I can improve here?
You might consider using a Fail2Ban filter with the following regex expression:
failregex = ^%(__prefix_line)slost connection after (AUTH|UNKNOWN|EHLO) from [^\[]*\[<HOST>\]\s*$
If you need further Fail2Ban regex expressions, please consider adding the corresponding log file entries, because some general standard ones may not suit your needs and/or the qmail/postfix/imap-courier/dovecot version installed on your server. ;-)
Edit:
In order to be more precise, I now add the full suggestion, including the regex that @MattiaDiGiuseppe already used in his comments - it's just a bit better formatted this way.
[Definition]
_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]
failregex = ^%(__prefix_line)swarning: (.*?)does not resolve to address <HOST>: Name or service not known$
            ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .* Relay access denied.*$
            ^%(__prefix_line)sSSL_accept error from \S+\s*\[<HOST>\]: lost connection$
            ^%(__prefix_line)sSSL_accept error from \S+\s*\[<HOST>\]: -1$
            ^%(__prefix_line)slost connection after (AUTH|UNKNOWN|EHLO) from [^\[]*\[<HOST>\]\s*$
ignoreregex = authentication failed: Connection lost to authentication server$
Please consider having a look at all standard filters (for Fail2Ban 0.10 AND older versions) by visiting:
=> https://github.com/fail2ban/fail2ban/tree/0.10/config/filter.d
If you want to view the standard filters for older versions, just click on the "Branch: 0.10" dropdown button.
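Before deploying a filter like the one above it pays to run its failregex lines over real log entries and confirm that the abusive host is captured and that ignoreregex still suppresses the benign "Connection lost to authentication server" case. The Python script below is an added example, not part of the answer or of Fail2Ban itself: it substitutes a simplified stand-in for %(__prefix_line)s and <HOST> (assumptions; Fail2Ban's own definitions are broader), rewrites the SASL pattern's mid-pattern (?i) as a scoped (?i:...) group because Python 3.11+ rejects global flags there, and counts matches per host over constructed postfix lines modeled on the ones posted in this thread.

```python
"""Exercise the posted Fail2Ban postfix failregex set against sample log lines."""
import re

# _daemon from the posted [Definition] section.
DAEMON = r"postfix(?:-\w+)?/(?:submission/|smtps/)?smtp[ds]"
# Assumed stand-in for %(__prefix_line)s on plain syslog lines:
# "Mon DD HH:MM:SS hostname daemon[pid]: ".
PREFIX = r"^\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\S+\s+" + DAEMON + r"\[\d+\]:\s+"
# Assumed stand-in for the <HOST> tag (IPv4/IPv6/hostname characters).
HOST = r"(?P<host>[\w.\-:]+)"

# The posted failregex lines, minus the %(__prefix_line)s prefix.
FAILREGEX = [
    r"warning: (.*?)does not resolve to address <HOST>: Name or service not known$",
    r"warning: [-._\w]+\[<HOST>\]: SASL (?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) "
    r"authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$",
    r"NOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .* Relay access denied.*$",
    r"SSL_accept error from \S+\s*\[<HOST>\]: lost connection$",
    r"SSL_accept error from \S+\s*\[<HOST>\]: -1$",
    r"lost connection after (AUTH|UNKNOWN|EHLO) from [^\[]*\[<HOST>\]\s*$",
]
IGNOREREGEX = [r"authentication failed: Connection lost to authentication server$"]

# Constructed sample lines modeled on the postfix excerpts in this thread
# (RFC 5737 addresses; the last line is the benign case ignoreregex must drop).
SAMPLE_LINES = [
    "Mar 25 04:34:12 main postfix/smtps/smtpd[35405]: warning: unknown[198.51.100.7]: "
    "SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Mar 25 04:34:18 main postfix/smtps/smtpd[35405]: lost connection after AUTH from unknown[198.51.100.7]",
    "Mar 25 04:34:18 main postfix/smtps/smtpd[35405]: disconnect from unknown[198.51.100.7] "
    "ehlo=1 auth=0/1 rset=1 commands=2/3",
    "Mar 22 14:51:45 server postfix/smtpd[14204]: lost connection after EHLO from "
    "host-1.dhcp.example.net[203.0.113.45]",
    "Mar 22 14:51:45 server postfix/smtpd[14204]: disconnect from host-1.dhcp.example.net[203.0.113.45]",
    "Mar 22 14:52:19 server postfix/smtpd[14204]: warning: unknown[203.0.113.9]: "
    "SASL PLAIN authentication failed: Connection lost to authentication server",
]


def compile_filter(failregex=FAILREGEX, ignoreregex=IGNOREREGEX):
    """Expand the Fail2Ban placeholders and compile both pattern sets."""
    fails = [re.compile(PREFIX + p.replace("<HOST>", HOST)) for p in failregex]
    ignores = [re.compile(p) for p in ignoreregex]
    return fails, ignores


def match_line(line, fails, ignores):
    """Return the offending host for a line, or None.
    Like Fail2Ban, a line matching ignoreregex is never counted."""
    if any(r.search(line) for r in ignores):
        return None
    for r in fails:
        m = r.match(line)
        if m:
            return m.group("host")
    return None


def count_failures(lines, fails, ignores):
    """Failure count per host, which is what a maxretry threshold is applied to."""
    counts = {}
    for line in lines:
        host = match_line(line, fails, ignores)
        if host:
            counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    fails, ignores = compile_filter()
    for host, n in sorted(count_failures(SAMPLE_LINES, fails, ignores).items()):
        print("%-16s %d" % (host, n))
```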
I found out my server is sending spam. The spam is sent by the postfix server. It has a large queue of emails that are going to be sent without my help. I can't understand which script has added these emails to the postfix queue.
Now I have these questions:
How do I determine what script is adding mails to the postfix queue?
How do I clear the postfix queue of spam? (all emails are spam; there are no emails sent by me)
Why are reports received by user123? (user123 is an Ubuntu user; not the original name, changed for security reasons)
Report from /var/mail/user123:
From MAILER-DAEMON Tue Nov 11 04:01:47 2014
Return-Path: <>
X-Original-To: user123#ubuntu
Delivered-To: user123#ubuntu
Received: by ubuntu (Postfix)
id 8F0D227364; Mon, 10 Nov 2014 15:15:52 -0500 (EST)
Date: Mon, 10 Nov 2014 15:15:52 -0500 (EST)
From: MAILER-DAEMON#ubuntu (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: user123#ubuntu
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="C0BE92ECAB.1415650552/ubuntu"
Message-Id: <20141110201552.8F0D227364#ubuntu>
This is a MIME-encapsulated message.
--C0BE92ECAB.1415650552/ubuntu
Content-Description: Notification
Content-Type: text/plain; charset=us-ascii
This is the mail system at host ubuntu.
I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to postmaster.
If you do so, please include this problem report. You can
delete your own text from the attached returned message.
The mail system
<quirin.cyrille#orange.fr>: delivery temporarily suspended: host
smtp-in.orange.fr[80.12.242.9] refused to talk to me: 550 mwinf5c20 ME
Adresse IP source bloquee pour incident de spam. Client host blocked for
spamming issues. OFR006_102 Ref
http://csi.cloudmark.com/reset-request/?ip=74.218.214.24 [102]
--C0BE92ECAB.1415650552/ubuntu
Content-Description: Delivery report
Content-Type: message/delivery-status
Reporting-MTA: dns; ubuntu
X-Postfix-Queue-ID: C0BE92ECAB
X-Postfix-Sender: rfc822; user123#ubuntu
Arrival-Date: Wed, 5 Nov 2014 13:50:50 -0500 (EST)
Final-Recipient: rfc822; quirin.cyrille#orange.fr
Action: failed
Status: 4.0.0
Diagnostic-Code: X-Postfix; delivery temporarily suspended: host
smtp-in.orange.fr[80.12.242.9] refused to talk to me: 550 mwinf5c20 ME
Adresse IP source bloquee pour incident de spam. Client host blocked for
spamming issues. OFR006_102 Ref
http://csi.cloudmark.com/reset-request/?ip=74.218.214.24 [102]
--C0BE92ECAB.1415650552/ubuntu
Content-Description: Undelivered Message Headers
Content-Type: text/rfc822-headers
Return-Path: <user123#ubuntu>
Received: by ubuntu (Postfix, from userid 1006)
id C0BE92ECAB; Wed, 5 Nov 2014 13:50:50 -0500 (EST)
From: =?UTF-8?B?T25seSBDYXNpbm8=?= <only_casino#bingo-chips.us>
To: "MOIDU88480" <quirin.cyrille#orange.fr>
Subject: =?UTF-8?B?Qm9uam91ciBNT0lEVTg4NDgwLiBWZWdhcyBEYXlzIENhc2lubyAtIExhcyBWZWdhcyBzJ2ludml0ZSBjaGV6IHZvdXMgc3VyIFZlZ2FzIERheSBDYXNpbm8h?=
Content-Type: multipart/mixed; boundary="PHP-mixed-3b3472b0874837cf2218d941eec5b6d8"
Message-Id: <20141105185050.C0BE92ECAB#ubuntu>
Date: Wed, 5 Nov 2014 13:50:50 -0500 (EST)
--C0BE92ECAB.1415650552/ubuntu--
Googling gives no results.
My Google search queries could be wrong, but I really need to fix this problem.
So any help is appreciated.
If I can provide more useful information, please ask for it in the comments.
P.S. The server is hosting Magento and WordPress sites.
P.P.S. 74.218.214.24 is the IP of my dedicated server; not the original, it was changed in this post for security reasons.
UPDATE
Some lines from /var/log/mail.log:
Nov 9 06:40:05 u17135818 postfix/smtp[10428]: 65EDE3C718: to=<mywookie#ymail.com>, relay=mta6.am0.yahoodns.net[98.136.216.25]:25, delay=7.7, delays=7.4/0/0.19/0.06, dsn=5.7.1, status=bounced (host mta6.am0.yahoodns.net[98.136.216.25] said: 553 5.7.1 [BL21] Connections will not be accepted from 74.218.214.24, because the ip is in Spamhaus's list; see http://postmaster.yahoo.com/550-bl23.html (in reply to MAIL FROM command))
Nov 9 06:40:05 u17135818 postfix/smtp[10428]: 65EDE3C718: lost connection with mta6.am0.yahoodns.net[98.136.216.25] while sending RCPT TO
Nov 9 06:40:05 u17135818 postfix/pickup[10080]: 1338B3ED4A: uid=1006 from=<user123>
Nov 9 06:40:05 u17135818 postfix/cleanup[12998]: 1338B3ED4A: message-id=<20141109114005.1338B3ED4A#ubuntu>
Nov 9 06:40:05 u17135818 postfix/cleanup[13261]: 133D53ED54: message-id=<20141109114005.133D53ED54#ubuntu>
Nov 9 06:40:05 u17135818 postfix/smtp[10424]: DECBB27368: to=<toshiki_6#hotmail.com>, relay=mx2.hotmail.com[207.46.8.199]:25, delay=9.6, delays=9.3/0.02/0.19/0.06, dsn=5.0.0, status=bounced (host mx2.hotmail.com[207.46.8.199] said: 550 OU-002 (BAY004-MC6F11) Unfortunately, messages from 74.218.214.24 weren't sent. Please contact your Internet service provider since part of their network is on our block list. You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors. (in reply to MAIL FROM command))
Nov 9 06:40:05 u17135818 postfix/smtp[12030]: EFA783D645: to=<festefaen#gmail.com>, relay=gmail-smtp-in.l.google.com[2607:f8b0:4001:c08::1b]:25, delay=7.3, delays=6.6/0/0.09/0.64, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[2607:f8b0:4001:c08::1b] said: 550-5.7.1 [2607:f1c0:841:fe00::66:d8fd 12] Our system has detected that 550-5.7.1 this message is likely unsolicited mail. To reduce the amount of spam 550-5.7.1 sent to Gmail, this message has been blocked. Please visit 550-5.7.1 http://support.google.com/mail/bin/answer.py?hl=en&answer=188131 for 550 5.7.1 more information. sd5si10854734igb.33 - gsmtp (in reply to end of DATA command))
...
Nov 11 04:01:54 u17135818 postfix/smtp[17765]: E01792762C: host mx1.free.fr[212.27.48.6] said: 451 too many errors detected from your IP (74.218.214.24), please visit http://postmaster.free.fr/ (in reply to DATA command)
Nov 11 04:01:54 u17135818 postfix/smtp[17797]: 953592B312: host cluster1.eu.messagelabs.com[85.158.143.99] refused to talk to me: 450 Requested action aborted [7.2] 21614, please visit www.messagelabs.com/support for more details about this error message.
Nov 11 04:01:54 u17135818 postfix/qmgr[17712]: C7D883257C: from=<user123#ubuntu>, status=expired, returned to sender
Nov 11 04:01:54 u17135818 postfix/qmgr[17712]: 0799A259AD: removed
Nov 11 04:01:54 u17135818 postfix/qmgr[17712]: 90F4332280: removed
Nov 11 04:01:54 u17135818 postfix/qmgr[17712]: 67B8B2E7C7: from=<user123#ubuntu>, status=expired, returned to sender
Nov 11 04:01:54 u17135818 postfix/qmgr[17712]: 9063532F5D: removed
Nov 11 04:01:54 u17135818 postfix/qmgr[17712]: EE4222A874: removed
Nov 11 04:01:54 u17135818 postfix/smtp[17724]: 61C22360A0: to=<lgennuso#princetonhcs.org>, relay=smtp4.princetonhcs.org[209.123.81.114]:25, delay=381492, delays=381485/5.6/0.59/0, dsn=4.5.0, status=deferred (host smtp4.princetonhcs.org[209.123.81.114] refused to talk to me: 550 5.5.0 74.218.214.24 is blacklisted by FortiGuard. This email from IP has been rejected. The email message was detected as spam.)
Nov 11 04:01:54 u17135818 postfix/smtp[17800]: 61B3A3AD2C: to=<bigboy#starbucks.org>, relay=none, delay=259892, delays=259884/2.2/5.5/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=starbucks.org type=MX: Host not found, try again)
Nov 11 04:01:54 u17135818 postfix/smtp[17787]: CD3312175D: host mx1.free.fr[212.27.48.7] said: 451 too many errors detected from your IP (74.218.214.24), please visit http://postmaster.free.fr/ (in reply to DATA command)
Nov 11 04:01:54 u17135818 postfix/smtp[17819]: 780C624266: to=<max.charlene#aliceadsl.fr>, relay=mx1.free.fr[212.27.48.7]:25, conn_use=5, delay=227385, delays=227377/6.5/0.66/0.34, dsn=4.0.0, status=deferred (host mx1.free.fr[212.27.48.7] said: 451 too many errors detected from your IP (74.218.214.24), please visit http://postmaster.free.fr/ (in reply to DATA command))
Nov 11 04:01:54 u17135818 postfix/smtp[17778]: CE12E26756: to=<rcataldo#laposte.net>, relay=smtpz4.laposte.net[194.117.213.1]:25, delay=133031, delays=133023/6.5/0.79/0.27, dsn=5.0.1, status=bounced (host smtpz4.laposte.net[194.117.213.1] said: 501 5.0.1 Emetteur invalide. Invalid Sender. LPN007_405 (in reply to MAIL FROM command))
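The log above already answers the first question in part: the postfix/pickup lines record the local uid that handed each message to the sendmail/pickup path (uid=1006 here, matching the "from userid 1006" Received header in the bounce), so the next step is to attribute queued and bounced messages to that uid and its account. The Python script below is an added example, not part of the question or of any answer: it aggregates pickup lines by uid, joins them to /etc/passwd-style entries for the user name and home directory, and tallies the delivery status of each queue ID. The sample log lines and passwd text are constructed, modeled on the excerpts in the question.

```python
"""Attribute locally injected postfix mail to the submitting uid and its
delivery outcome, from mail.log lines plus an /etc/passwd-style table."""
import re
from collections import Counter, defaultdict

# pickup logs the uid of the process that called sendmail(1) / postdrop.
PICKUP_RE = re.compile(
    r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>")
# Delivery agents and the queue manager log the final status per queue ID.
STATUS_RE = re.compile(
    r"postfix/(?:smtp|qmgr|local)\[\d+\]: (?P<qid>[0-9A-F]+): .*?status=(?P<status>\w+)")

# Constructed sample lines modeled on the question's /var/log/mail.log excerpt.
SAMPLE_LOG = [
    "Nov  9 06:40:05 host postfix/pickup[10080]: 1338B3ED4A: uid=1006 from=<user123>",
    "Nov  9 06:40:05 host postfix/cleanup[12998]: 1338B3ED4A: message-id=<20141109114005.1338B3ED4A@host>",
    "Nov  9 06:40:05 host postfix/qmgr[10081]: 1338B3ED4A: from=<user123@host>, size=1946, nrcpt=1 (queue active)",
    "Nov  9 06:40:06 host postfix/smtp[10428]: 1338B3ED4A: to=<someone@example.com>, "
    "relay=mx.example.com[203.0.113.5]:25, delay=7.7, delays=7.4/0/0.19/0.06, dsn=5.7.1, "
    "status=bounced (host mx.example.com[203.0.113.5] said: 553 5.7.1 blocked (in reply to MAIL FROM command))",
    "Nov  9 06:40:07 host postfix/pickup[10080]: 133D53ED54: uid=1006 from=<user123>",
    "Nov  9 06:40:08 host postfix/smtp[10424]: 133D53ED54: to=<other@example.net>, relay=none, "
    "delay=0.5, delays=0.1/0/0.4/0, dsn=4.4.3, status=deferred (Host or domain name not found)",
    "Nov  9 06:41:00 host postfix/pickup[10080]: 9063532F5D: uid=0 from=<root>",
    "Nov  9 06:41:01 host postfix/local[10500]: 9063532F5D: to=<root@host>, relay=local, "
    "delay=0.1, delays=0.05/0/0/0.02, dsn=2.0.0, status=sent (delivered to mailbox)",
]
# Constructed /etc/passwd excerpt: the web account is a typical place to look
# for the script when a site CMS is hosted under its home directory.
PASSWD = "root:x:0:0:root:/root:/bin/bash\nuser123:x:1006:1006::/var/www/vhosts/site:/bin/bash\n"


def parse_passwd(text):
    """uid -> (user name, home directory)."""
    table = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 7:
            table[int(parts[2])] = (parts[0], parts[5])
    return table


def attribute_submissions(log_lines, passwd):
    """Per submitting uid: account, home, number of pickup submissions, and a
    Counter of delivery statuses seen for those queue IDs."""
    qid_uid = {}
    report = defaultdict(lambda: {"user": None, "home": None,
                                  "submitted": 0, "statuses": Counter()})
    for line in log_lines:
        m = PICKUP_RE.search(line)
        if m:
            uid = int(m.group("uid"))
            qid_uid[m.group("qid")] = uid
            entry = report[uid]
            entry["user"], entry["home"] = passwd.get(uid, ("<unknown uid>", "?"))
            entry["submitted"] += 1
            continue
        m = STATUS_RE.search(line)
        if m and m.group("qid") in qid_uid:
            report[qid_uid[m.group("qid")]]["statuses"][m.group("status")] += 1
    return dict(report)


if __name__ == "__main__":
    for uid, entry in sorted(attribute_submissions(SAMPLE_LOG, parse_passwd(PASSWD)).items()):
        print("uid %d (%s, home %s): %d submitted, %s"
              % (uid, entry["user"], entry["home"], entry["submitted"], dict(entry["statuses"])))
```

A uid whose submissions are almost all bounced or deferred, as with uid 1006 in the sample, points at the account (and the web root under its home) where the injecting script runs.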
It looks like one service or piece of software is triggering these mails. You can block all outgoing mails from postfix by using the mail relaying options for external domains; this is possible if you don't want to send any mails from your machine.
You can check the maillog file inside /var/log - that will give more details; also check the command mailq to see how many mails are pending.
Update:
Have you allowed any other people in your network to send mail through your machine? Then you can suspect that case. A few things I can notice from the log are that:
The mail is being rejected by the receiving end, saying your public IP is flooding mails.
If these mails are coming periodically and not from any other machines in your network, then you have to find out which process or application is doing this. For that you have to use tcpdump and monitor the TCP packets. From that you can see that the mail client first pushes the mail to your local postfix server, and then that's forwarded to the target mail server.
This is the way I can see to find out which application is sending mails from your computer.
Hope this will help you to figure out the culprit.
I have set up the JAMES email server on my local Windows system. Now I am trying to send mail to my Yahoo account, but I am getting the following error:
13/11/10 12:39:56 INFO James.Mailet: RemoteAddrNotInNetwork: Authorized addresses: [127.0.0.1/255.255.255.255, 0.0.0.0/255.255.255.255, 192.168.2.0/255.255.255.0]
13/11/10 12:39:56 INFO James.Mailet: RemoteDelivery: maxRetries is larger than total number of attempts specified. Increasing last delayTime with 19 attempts
13/11/10 12:39:56 INFO James.Mailet: RemoteDelivery: Delay of 21600000 msecs is now attempted: 20 times
13/11/10 12:40:04 INFO James.Mailet: RemoteDelivery: Attempting delivery of Mail1289631302656-0-to-yahoo.co.in to host mx1.mail.in.yahoo.com. at 180.222.96.138 for addresses [abhilash#yahoo.co.in]
13/11/10 12:40:04 INFO James.Mailet: RemoteDelivery: Could not connect to SMTP host: 180.222.96.138, port: 25, response: 553
13/11/10 12:40:04 INFO James.Mailet: RemoteDelivery: Temporary exception delivering mail (Mail1289631302656-0-to-yahoo.co.in:
13/11/10 12:40:04 INFO James.Mailet: RemoteDelivery: Storing message Mail1289631302656-0-to-yahoo.co.in into outgoing after 0 retries
As per the FAQs, most probably I have some problem configuring my DNS server. So what should I set my DNS server to: my system's internal IP, my router's IP, or my public IP? I'm confused. Any suggestions, kindly share.
In the JAMES start guide it says:
Determine the DNS server to use. On Windows, type ipconfig /all and look for the DNS servers. On Unix, look at /etc/resolv.conf. You will need this information in step #9.
https://wiki.apache.org/james/JamesQuickstart