HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

Thread: Lots of deferred mails - backscatter? (http://www.howtoforge.com/forums/showthread.php?t=61290)

arraken 4th April 2013 14:46

Lots of deferred mails - backscatter?
 
Hi,

I recently had an SMTP AUTH relay attack on my mail server, which I solved as described in this thread: http://www.howtoforge.com/forums/sho...331#post295331

I am however still getting a high amount of deferred e-mails, but it's not a spam flood anymore. They are rather just "trickling" in - a few mails per minute. The reason seems to be different from before, maybe it's backscatter? (someone sends spam mail with a faked sender with a domain that is hosted on my server -> my server gets the deferred messages).

When I type "qshape deferred" I get the following output:

Code:

T  5 10 20 40 80 160 320 640 1280 1280+
TOTAL 2443  0  0 36 18 38 136 287 460 1468    0
DomainOnMyServer 2424  0  0 36 17 38 136 284 455 1458    0
usamail.com  15  0  0  0  1  0  0  3  4    7    0
example.com    2  0  0  0  0  0  0  0  1    1    0
aol.com    1  0  0  0  0  0  0  0  0    1    0
duck-calls.net    1  0  0  0  0  0  0  0  0    1    0

When I grep my mail.log for "deferred" I get lots of lines like this:

Code:

Apr  4 12:07:02 server1 postfix/pipe[30294]: 181E12134114: to=<homesteadspeered@DomainOnMyServer.at>, orig_to=<homesteadspeered@OtherDomainOnMyServer.at>, relay=maildrop, delay=25686, delays=25684/1.5/0/1.1, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/DomainOnMyServer.at/homesteadspeered/31248.0.server1.  )
Apr  4 12:07:02 server1 postfix/pipe[30755]: D82401FBE607: to=<bernhard.tucek@DomainOnMyServer.at>, orig_to=<bernhard.tucek@OtherDomainOnMyServer.at>, relay=maildrop, delay=38377, delays=38374/0.54/0/2.2, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/DomainOnMyServer.at/bernhard.tucek/30995.0.server1.  )
Apr  4 12:07:03 server1 postfix/pipe[30308]: 2286A1FBE380: to=<muscovyjanna@DomainOnMyServer.at>, orig_to=<muscovyjanna@OtherDomainOnMyServer.at>, relay=maildrop, delay=50730, delays=50726/0.12/0/3.4, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/DomainOnMyServer.at/muscovyjanna/30578.0.server1.  )
Apr  4 12:07:03 server1 postfix/pipe[30478]: 02A421FBE362: to=<muscovyjanna@DomainOnMyServer.at>, orig_to=<muscovyjanna@OtherDomainOnMyServer.at>, relay=maildrop, delay=50921, delays=50918/3.4/0/0.01, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/DomainOnMyServer.at/muscovyjanna/31394.0.server1.  )
Apr  4 12:07:03 server1 postfix/pipe[30012]: 2286A1FBE380: to=<n.steixner@DomainOnMyServer.at>, orig_to=<n.steixner@OtherDomainOnMyServer.at>, relay=maildrop, delay=50730, delays=50726/1.1/0/2.8, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/DomainOnMyServer.at/n.steixner/31132.0.server1.  )
Apr  4 12:07:03 server1 postfix/pipe[30159]: 2286A1FBE380: to=<n.kurz@DomainOnMyServer.at>, orig_to=<n.kurz@OtherDomainOnMyServer.at>, relay=maildrop, delay=50731, delays=50726/0.13/0/4.2, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/DomainOnMyServer.at/n.kurz/30594.0.server1.  )

The mailboxes to which the deferred mails are addressed do not exist on my server - but the domains are hosted on it. I obviously have no problem with the mails being deferred, but I wanted to know if this is standard behaviour for Postfix, or should I be worried?

My deferred queue is getting filled up by this, so isn't there a possibility to just bounce those mails?

arraken 5th April 2013 12:17

OK, I have looked into the problem some more, and found out that it's not backscatter after all.

The problem is this: Regular spam mail is sent to my server to some random addresses. The domain of the recipient of the mail is hosted on my server, but the mailbox does not exist.

Example: randomblabla123@domainOnMyServer.com

Normally I think this mail should just be bounced, but instead it is placed in the deferred queue. Because the domain gets lots of spam, the deferred queue fills up over time.

So my question is: How can I bounce mail that has an invalid recipient, instead of putting it in the deferred queue?

Here is an example of a deferred mail, which should be bounced, taken from my mail.log with "cat /var/log/mail.log | grep 208401FBE28F"

Code:

Apr  5 11:33:36 server1 postfix/smtpd[3240]: 208401FBE28F: client=localhost[127.0.0.1]
Apr  5 11:33:36 server1 postfix/cleanup[9757]: 208401FBE28F: message-id=<8831100462.V72J0A8X259818@DomainOnMyServer.at>
Apr  5 11:33:36 server1 postfix/qmgr[3930]: 208401FBE28F: from=<actionedyg7@google.com>, size=2094, nrcpt=1 (queue active)
Apr  5 11:33:36 server1 amavis[10827]: (10827-11) Passed SPAMMY, [2.176.244.156] [2.176.244.156] <actionedyg7@google.com> -> <wintgen@DomainOnMyServer.at>, Message-ID: <8831100462.V72J0A8X259818@DomainOnMyServer.at>, mail_id: XJtN3LKSUg5z, Hits: 14.574, size: 1276, queued_as: 208401FBE28F, 405 ms
Apr  5 11:33:36 server1 postfix/smtp[9989]: 8F1C81FBE27F: to=<wintgen@DomainOnMyServer.at>, relay=127.0.0.1[127.0.0.1]:10024, delay=5.7, delays=5.3/0/0/0.41, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=10827-11, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 208401FBE28F)
Apr  5 11:33:36 server1 postfix/pipe[11414]: 208401FBE28F: to=<wintgen@anotherDomainOnMyServer.at>, orig_to=<wintgen@DomainOnMyServer.at>, relay=maildrop, delay=0.13, delays=0.12/0/0/0.01, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/anotherDomainOnMyServer.at/wintgen/11907.0.server1.  )

As you can see, the mail gets sent to "@domainOnMyServer.at", and then gets relayed to "@anotherDomainOnMyServer.at", where it finally gets deferred. The relay happens because I have a mail alias in ISPConfig from domainOnMyServer.at to anotherDomainOnMyServer.at.

As far as I found out, all mail that lands in the deferred queue follows this pattern. It gets sent to the first domain, then relayed to the second domain, and there it gets deferred with the message:

"status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/anotherDomainOnMyServer.at/wintgenwintgen/14080.0.server1."

I thought "local_recipient_maps" and "relay_recipient_maps" should handle that such mail gets bounced and not deferred, but may it be that the alias for the whole domain screws something up here?

I would be thankful for any help or insight into this.

cheers
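An added example, not part of this thread and not ISPConfig's or Postfix's own code: a small Python script that parses Postfix delivery-status lines in the format quoted above and groups deferred deliveries by the domain the mail was originally addressed to and by failure cause. It separates the maildrop/authdaemon "temporary failure" seen in the poster's log (a local delivery agent error that returns a 4.x.x DSN, so Postfix keeps the message in the deferred queue and retries it, rather than an unknown-recipient rejection or backscatter) from ordinary remote-delivery deferrals. The log lines inside it are constructed for the example with placeholder domains and queue IDs, modelled on the thread's log format; the classification rules are simple keyword matches chosen for this illustration.

```python
#!/usr/bin/env python3
"""Classify Postfix 'status=deferred' log lines by recipient domain and failure cause.

Added diagnostic script for this thread; not code from the thread, Postfix or ISPConfig.
The sample log lines are constructed in the thread's log format with placeholder domains
and queue IDs; they are not the poster's real data.
"""
import re
from collections import Counter

# Constructed sample: two maildrop failures behind a domain alias, one remote timeout, one success.
SAMPLE_LOG = """\
Apr  5 11:33:36 server1 postfix/qmgr[3930]: 208401FBE28F: from=<actionedyg7@example.net>, size=2094, nrcpt=1 (queue active)
Apr  5 11:33:36 server1 postfix/pipe[11414]: 208401FBE28F: to=<wintgen@second.example>, orig_to=<wintgen@first.example>, relay=maildrop, delay=0.13, delays=0.12/0/0/0.01, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/second.example/wintgen/11907.0.server1.  )
Apr  5 11:40:01 server1 postfix/pipe[11500]: 30A1B1FBE2A0: to=<nobody@second.example>, orig_to=<nobody@first.example>, relay=maildrop, delay=3.1, delays=3/0/0/0.1, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/second.example/nobody/12001.0.server1.  )
Apr  5 11:41:15 server1 postfix/smtp[12010]: 41B2C1FBE2B1: to=<user@remote.example>, relay=mx.remote.example[192.0.2.10]:25, delay=300, delays=0.1/0/299/0.5, dsn=4.4.1, status=deferred (connect to mx.remote.example[192.0.2.10]:25: Connection timed out)
Apr  5 11:42:00 server1 postfix/pipe[12020]: 52C3D1FBE2C2: to=<real@second.example>, orig_to=<real@first.example>, relay=maildrop, delay=0.2, delays=0.1/0/0/0.1, dsn=2.0.0, status=sent (delivered via maildrop service)
"""

# One Postfix delivery-status line:
#   "<qid>: to=<...>, [orig_to=<...>,] relay=..., ..., dsn=x.y.z, status=<word> (<reason>)"
DELIVERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postfix/(?P<agent>\w+)\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): to=<(?P<to>[^>]+)>,(?: orig_to=<(?P<orig_to>[^>]+)>,)? "
    r"relay=(?P<relay>\S+), .*?dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) \((?P<reason>.*)\)\s*$"
)


def classify(reason: str) -> str:
    """Map the free-text reason to a coarse cause (keyword rules chosen for this example).
    The thread's lines fall into the first case: the delivery agent itself failed (cannot
    reach authdaemon / cannot create a dot-lock). That is a local configuration problem,
    not an unknown-recipient rejection and not backscatter."""
    r = reason.lower()
    if "authdaemon" in r or "dot-lock" in r:
        return "local delivery agent failure"
    if r.startswith("connect to") or "timed out" in r:
        return "remote MTA unreachable"
    return "other"


def parse_deliveries(log_text: str) -> list:
    """Return one dict per delivery-status line; lines without to=/status= are skipped."""
    records = []
    for line in log_text.splitlines():
        m = DELIVERY_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["reason"] = rec["reason"].strip()
            records.append(rec)
    return records


def summarize_deferred(records: list) -> Counter:
    """Count deferred deliveries by (domain the mail was originally addressed to, cause).
    orig_to is preferred over to, so that with a domain-wide alias (as in the thread)
    the count is attributed to the domain that actually received the spam."""
    counts = Counter()
    for rec in records:
        if rec["status"] != "deferred":
            continue
        addr = rec["orig_to"] or rec["to"]
        domain = addr.rsplit("@", 1)[-1].lower()
        counts[(domain, classify(rec["reason"]))] += 1
    return counts


def transient_share(records: list) -> float:
    """Fraction of delivery-status lines carrying a 4.x.x DSN (temporary failure).
    A high share together with 'local delivery agent failure' means mail that should
    have been rejected at SMTP time or bounced is instead being retried from the queue."""
    if not records:
        return 0.0
    transient = sum(1 for rec in records if rec["dsn"].startswith("4."))
    return transient / len(records)


if __name__ == "__main__":
    recs = parse_deliveries(SAMPLE_LOG)
    for (domain, cause), n in sorted(summarize_deferred(recs).items()):
        print(f"{n:4d}  {domain:20s}  {cause}")
    print(f"share of transient (4.x.x) results: {transient_share(recs):.2f}")
```

Run it against a real log with `python3 deferred_summary.py < /dev/null` after replacing SAMPLE_LOG with the contents of /var/log/mail.log (or feed the file into parse_deliveries). A summary dominated by "local delivery agent failure" for one domain points at the delivery side (here the maildrop/authdaemon permission problem and the domain alias), not at the senders, which is exactly the distinction the poster needed to make before deciding whether to worry about backscatter.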

falko 5th April 2013 20:24

You can try this: http://www.faqforge.com/linux/enhanc...n-ispconfig-3/

arraken 6th April 2013 13:50

Thanks, falko!

There is still some mail landing in the deferred queue that I think should just bounce instead, but after following the instructions from your link the number of them has decreased a lot (around 100 deferred mails in queue), so I think I can just leave it at that.

cheers
