Why did Squirrelmail, Dovecot/IMAP & Outbound mail break?
Help! I need some seasoned advice please.
We're running the OldStable version of Debian Etch from August 2008. We've been using SquirrelMail connecting through Dovecot's IMAP and POP3 servers since then to provide either SSH or TLS/SSL connections to Postfix mail via SquirrelMail on our server. Although the SSL capability is installed, we're really not using it -- choosing to use SSH with strong passwords instead.
This configuration has given us NO problems since we started... until today. For unexplained reasons this morning the IMAP interface suddenly began refusing or failing connections to everyone trying to connect through SquirrelMail (or that's the way it looks from the outside). It also fails to send out any emails. I've tried rebooting the server but that made almost no difference.
The problem was first reported by a user. I then verified it. What I was seeing BEFORE the reboot when I tried to login was an error from SquirrelMail that said:
Error connecting to IMAP server: myserver.com.
but what I'm seeing since the server reboot is:
Error connecting to IMAP server: myserver.com.
The IMAP server connect problem seems to be isolated to SquirrelMail. At least I ran 2 tests and found I CAN connect to the IMAP server using both Microsoft Outlook 2003 and Outlook Express and can see the contents of all folders on the server. So the IMAP problem only shows up in SquirrelMail. But it DOES prevent ANY users from logging in through SquirrelMail.
However, the inability to send mail OUT from the server shows up everywhere. Mail sent internally between accounts on the server -- either within a single domain or between domains -- and even from remote users connected to the server through Outlook or Outlook Express gets delivered fine. But email addressed to anyone outside the server to any domain -- whether Yahoo or MSN or Google or wherever -- is all bouncing back with a "relay request denied" error.
For instance, I sent an email from one of my server accounts to my yahoo inbox and it bounced back.
Other things I've tried are:
checked port status with
both port 443 and 993 are reported as open -- one with imap and the other with imaps.
I restarted inetd. It had no effect.
I restarted postfix. It had no effect.
I restarted the whole server. The IMAP login error code when attempting to login via SquirrelMail changed from 11074 to 11087. That's all. All other behaviors remain the same.
I also confirmed the SquirrelMail login failure problem occurs in IE 7, IE 8 and Firefox from 3 different machines in multiple geo-locations and networks AND both with and without the user's local firewall running. So the issue is definitely ON the server and seems to be isolated to squirrelmail even though no changes have been made to squirrelmail or any of its components in months.
When I checked the mail.err log, I found the following series of seemingly useless error messages:
Are you using Maildir or mbox? What's the output of
Are there any errors in your mail log?
Can you check if your server has been blacklisted? http://mxtoolbox.com/blacklists.aspx
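As an added illustration of the blacklist check suggested above (not code from the thread): a DNSBL lookup reverses the IPv4 octets and queries them under the list's zone; a listed address resolves (usually to 127.0.0.x), an unlisted one gets NXDOMAIN. The zone names are assumptions for illustration, and 127.0.0.2 is the conventional "always listed" test address.

```python
import socket
import ipaddress

# Assumed zones for illustration; check each list's usage policy before querying it.
DNSBL_ZONES = ["zen.spamhaus.org", "bl.spamcop.net"]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet query name, e.g. 4.3.2.1.zen.spamhaus.org for 1.2.3.4."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on anything that is not an IPv4 address
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def check_dnsbl(ip: str, zones=DNSBL_ZONES, resolve=socket.gethostbyname) -> dict:
    """Return {zone: listing_address or None}.

    A listed IP resolves (typically to 127.0.0.x); an unlisted IP yields NXDOMAIN,
    which gethostbyname raises as socket.gaierror (a subclass of OSError).
    The resolver is injectable so the function can be exercised without network access.
    """
    results = {}
    for zone in zones:
        name = dnsbl_query_name(ip, zone)
        try:
            results[zone] = resolve(name)
        except OSError:
            results[zone] = None
    return results


if __name__ == "__main__":
    import sys
    ip = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.2"
    for zone, code in check_dnsbl(ip).items():
        print(f"{zone}: {'LISTED (' + code + ')' if code else 'not listed'}")
```

Run it with the server's public IP as the argument; a non-empty listing address for any zone explains remote servers rejecting the mail.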
Second, here's the result of that ls -la /var/mail/ command
How's that again? How is it possible for the server's IP address to be listed as a spam source if all domains on the server are innocent? As is common these days, all domains on the server do share the same IP address.
As you saw, I checked the mail error log and did find some issues there - although I couldn't make heads nor tails out of what they were telling me. I have not checked the mail log yet. I'll do that and see what I find. I admit though that I'm not sure exactly what to look for there.
For the record, I watch emails and email bounces on this server pretty closely and I DO see some email bounces I can't explain which purport to be bouncing emails from sites I KNOW aren't sending those emails. I control all domains on the server. I KNOW what emails are sent out by those domains and the email loads aren't heavy. Frankly, the number of weird bounces I've seen hasn't been large enough to be a big concern to me or produce a full scale investigation into how those emails are happening to begin with. I'm very aggressive about trying to keep spammers and click-phishers out of the two sets of forums hosted on our server... manually reviewing and approving all join requests, and running queries every day that are designed to identify and remove the dozens of bots that try to register in those forums daily.
In short, I'm using every standard technique I know of to prevent server hacking -- ssh-secured logins, hard-to-guess usernames, strong and hard to guess 12 - 25 character passwords, limited telnet/putty access, limited email accounts, etc. But I'll admit I'm NOT using IPTables. I couldn't see the benefit to that. What the heck can an outsider do with a port that's not being used by the server? Or conversely, if the port is being used for outgoing SMTP mail, why is it a security concern? I don't mean to seem stupid or ignorant here. But I don't get it. What am I missing?
Still, I want to STOP the blasted spam as much as anyone else does. So, I'll gladly listen to suggestions on how to further tighten security on my server... and how to chase down, isolate and kill the source of those unexplained outbound emails. I'm NOT averse to fighting the spam wars. I'm just not sure how to isolate and kill the mysterious sources of "how-the-heck-did-that-happen?" spam that seems to occur on many servers despite the best efforts of the admins to stop it. Like most server admins, I do have my limits. I can't spend my whole life fighting spam either.
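One way to chase down where unexplained outbound mail is entering the queue, added here as an example and not taken from the thread: Postfix logs every submission either through smtpd (remote client, optionally SASL-authenticated) or through pickup (local submission, with the submitting uid), and qmgr logs the recipient count per queue id. Joining those records by queue id gives recipients per origin, so a local uid (for instance the web server's) or one SASL user injecting far more mail than everyone else stands out. The log lines below are constructed samples in Postfix's syslog format, not from the poster's server.

```python
import re
from collections import Counter

# Constructed sample of Postfix syslog lines (hostnames, uids and queue ids are made up).
SAMPLE_LOG = """\
Jun  5 09:58:01 myserver postfix/smtpd[2001]: A1B2C3D4E5: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=alice
Jun  5 09:58:02 myserver postfix/qmgr[1500]: A1B2C3D4E5: from=<alice@example.org>, size=2048, nrcpt=1 (queue active)
Jun  5 09:59:10 myserver postfix/pickup[1400]: F6E7D8C9B0: uid=33 from=<www-data>
Jun  5 09:59:11 myserver postfix/qmgr[1500]: F6E7D8C9B0: from=<www-data@myserver>, size=1500, nrcpt=120 (queue active)
Jun  5 10:00:30 myserver postfix/pickup[1400]: 0A1B2C3D4E: uid=33 from=<www-data>
Jun  5 10:00:31 myserver postfix/qmgr[1500]: 0A1B2C3D4E: from=<www-data@myserver>, size=1490, nrcpt=95 (queue active)
Jun  5 10:02:00 myserver postfix/smtpd[2002]: 5F6E7D8C9B: client=mail.example.net[198.51.100.7]
Jun  5 10:02:01 myserver postfix/qmgr[1500]: 5F6E7D8C9B: from=<bob@example.net>, size=900, nrcpt=1 (queue active)
"""

PICKUP_RE = re.compile(r"postfix/pickup\[\d+\]: (\w+): uid=(\d+) from=<([^>]*)>")
SMTPD_RE = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=(\S+?)(?:,.*sasl_username=(\S+))?$")
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>, size=\d+, nrcpt=(\d+)")


def summarize_origins(log_text: str) -> Counter:
    """Map each queue id to its submission origin, then total recipients per origin."""
    origin = {}
    for line in log_text.splitlines():
        m = PICKUP_RE.search(line)
        if m:  # locally submitted via sendmail(1)/pickup: origin is the submitting uid
            origin[m.group(1)] = f"local uid={m.group(2)}"
            continue
        m = SMTPD_RE.search(line)
        if m:  # network submission: SASL user if authenticated, else the client
            qid, client, user = m.groups()
            origin[qid] = f"sasl user={user}" if user else f"remote client={client}"
    totals = Counter()
    for line in log_text.splitlines():
        m = QMGR_RE.search(line)
        if m:
            qid, _sender, nrcpt = m.groups()
            totals[origin.get(qid, "unknown")] += int(nrcpt)
    return totals


def flag_origins(totals: Counter, threshold: int) -> list:
    """Origins whose recipient total reaches the threshold, busiest first."""
    return [o for o, n in totals.most_common() if n >= threshold]


if __name__ == "__main__":
    totals = summarize_origins(SAMPLE_LOG)
    for origin_name, n in totals.most_common():
        print(f"{n:6d} recipients  {origin_name}")
```

Against a real /var/log/mail.log, read the file instead of SAMPLE_LOG; the threshold is a judgement call for the server's normal volume.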
One more piece to the puzzle...
I just realized there is another possibly-relevant piece to this puzzle.
There is a single domain on this server for which I host a mailman mailing list. When I first moved that site and its list to my server a couple of years ago it was receiving a huge load of junk mail every hour of every day. Worse yet, the inbound email address most of the spam was being sent to was the same one the mailman list had long been hooked to.
So, when I installed mailman, I configured it to only accept mail from known list members and configured things so the server would bounce all mail that wasn't accepted by mailman back to the sender. Later I realized that this so-called junk mail "back-scatter" was an issue that caused some blacklists to rate the server poorly. So, I changed that bounce solution to accept all such mail and deliver it to >null instead.
As far as I know, it's still operating that way on that mailman domain. That approach shouldn't cause a black-list problem, should it?