HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

Forum: ISPConfig 3 Priority Support. Thread: mail stopped working (http://www.howtoforge.com/forums/showthread.php?t=61883)

JESUSSAVES 18th May 2013 22:40

mail stopped working
 
Hi,

I've a Squeeze Perfect Server installation with Bind Dovecot and Apache2.
After the above installation I installed Roundcube and everything was working fine.

I installed a secure certificate recently with StartSSL using that how-to.

It seems my own mail is no longer working, nor is anyone else's.

I've noticed that under Monitor I do have several requests in the mail queue for the last several days only.

There is nothing in mail.err log.

Every hour root gets mail from cron saying ispconfig/server/server.sh with a warning: "There is no public key available for the following key id: xxxxx"

I actually have a directory that's gone missing, where I keep my individual daily database backups. Not sure how that happened. I'm the only one with the root password, but I haven't changed the password for a while.

I would like to get mail working again but not sure where to look.

Any help would be greatly appreciated.

Thank you.

till 20th May 2013 16:24

Please take a look into the mail.log file in /var/log/ folder and post the errors that you get there. Most likely a wrong or no key file is installed for the ssl cert in postfix and /or dovecot.

JESUSSAVES 20th May 2013 18:27

mail.log errors
 
Till, thank you for your help.

I created a mail account for a site that had none. Then I sent an email to it from my Outlook account. I also signed into the new account in Roundcube and saw my welcome message. I sent an email to my Outlook account from Roundcube. That was at 10:55 and 10:56 respectively.

Since then the mail.log has been ablaze with activity about my email attempts.
So far the mail has not been delivered in either direction.

Also under /var/mail/ the expected new user record was not created, webnn.

Also I did a netstat -tapn and dovecot is listed but not postfix.

Here is the output from mail.log, but I don't see "errors".
Code:

May 20 11:00:01 ns01 dovecot: pop3-login: Disconnected (no auth attempts): rip=127.0.0.1, lip=127.0.0.1, secured
May 20 11:00:01 ns01 dovecot: imap-login: Disconnected (no auth attempts): rip=127.0.0.1, lip=127.0.0.1, secured
May 20 11:00:01 ns01 postfix/smtpd[21174]: connect from localhost.localdomain[127.0.0.1]
May 20 11:00:01 ns01 postfix/smtpd[21174]: lost connection after CONNECT from localhost.localdomain[127.0.0.1]
May 20 11:00:01 ns01 postfix/smtpd[21174]: disconnect from localhost.localdomain[127.0.0.1]
May 20 11:00:03 ns01 postfix/pickup[19522]: 3597B140086: uid=0 from=<root>
May 20 11:00:03 ns01 postfix/cleanup[21209]: 3597B140086: message-id=<20130520150003.3597B140086@ns01.delcowebhosting.com>
May 20 11:00:03 ns01 postfix/qmgr[2270]: 3597B140086: from=<root@ns01.delcowebhosting.com>, size=668, nrcpt=1 (queue active)
May 20 11:00:03 ns01 postfix/smtpd[21214]: connect from localhost.localdomain[127.0.0.1]
May 20 11:00:03 ns01 postfix/smtpd[21214]: AAE95140084: client=localhost.localdomain[127.0.0.1]
May 20 11:00:03 ns01 postfix/cleanup[21209]: AAE95140084: message-id=<20130520150003.3597B140086@ns01.delcowebhosting.com>
May 20 11:00:03 ns01 postfix/qmgr[2270]: AAE95140084: from=<root@ns01.delcowebhosting.com>, size=1179, nrcpt=1 (queue active)
May 20 11:00:03 ns01 postfix/smtpd[21214]: disconnect from localhost.localdomain[127.0.0.1]
May 20 11:00:03 ns01 amavis[30509]: (30509-07) Passed CLEAN, <root@ns01.delcowebhosting.com> -> <root@ns01.delcowebhosting.com>, Message-ID: <20130520150003.3597B140086@ns01.delcowebhosting.com>, mail_id: sw82TKn3JRmX, Hits: -0.001, size: 668, queued_as: AAE95140084, 485 ms
May 20 11:00:03 ns01 postfix/smtp[21211]: 3597B140086: to=<root@ns01.delcowebhosting.com>, orig_to=<root>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.57, delays=0.08/0/0/0.49, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=30509-07, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as AAE95140084)
May 20 11:00:03 ns01 postfix/qmgr[2270]: 3597B140086: removed
May 20 11:00:03 ns01 postfix/local[21215]: AAE95140084: to=<administrator@ns01.delcowebhosting.com>, orig_to=<root@ns01.delcowebhosting.com>, relay=local, delay=0.08, delays=0.04/0.01/0/0.04, dsn=2.0.0, status=sent (delivered to command: procmail -a "$EXTENSION")
May 20 11:00:03 ns01 postfix/qmgr[2270]: AAE95140084: removed
May 20 11:00:12 ns01 dovecot: imap-login: Login: user=<info@lightningflatscreenmounting.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
May 20 11:00:12 ns01 dovecot: IMAP(info@lightningflatscreenmounting.com): Disconnected: Logged out bytes=166/1251
May 20 11:01:12 ns01 dovecot: imap-login: Login: user=<info@lightningflatscreenmounting.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
May 20 11:01:12 ns01 dovecot: IMAP(info@lightningflatscreenmounting.com): Disconnected: Logged out bytes=166/1251
May 20 11:02:12 ns01 dovecot: imap-login: Login: user=<info@lightningflatscreenmounting.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
May 20 11:02:12 ns01 dovecot: IMAP(info@lightningflatscreenmounting.com): Disconnected: Logged out bytes=166/1251
May 20 11:03:12 ns01 dovecot: imap-login: Login: user=<info@lightningflatscreenmounting.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
May 20 11:03:12 ns01 dovecot: IMAP(info@lightningflatscreenmounting.com): Disconnected: Logged out bytes=166/1251
May 20 11:04:12 ns01 dovecot: imap-login: Login: user=<info@lightningflatscreenmounting.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
May 20 11:04:12 ns01 dovecot: IMAP(info@lightningflatscreenmounting.com): Disconnected: Logged out bytes=166/1251
May 20 11:05:01 ns01 dovecot: pop3-login: Disconnected (no auth attempts): rip=127.0.0.1, lip=127.0.0.1, secured
May 20 11:05:01 ns01 dovecot: imap-login: Disconnected (no auth attempts): rip=127.0.0.1, lip=127.0.0.1, secured
May 20 11:05:01 ns01 postfix/smtpd[21287]: connect from localhost.localdomain[127.0.0.1]
May 20 11:05:01 ns01 postfix/smtpd[21287]: lost connection after CONNECT from localhost.localdomain[127.0.0.1]
May 20 11:05:01 ns01 postfix/smtpd[21287]: disconnect from localhost.localdomain[127.0.0.1]
May 20 11:05:12 ns01 dovecot: imap-login: Login: user=<info@lightningflatscreenmounting.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
May 20 11:05:12 ns01 dovecot: IMAP(info@lightningflatscreenmounting.com): Disconnected: Logged out bytes=166/1251
May 20 11:06:12 ns01 dovecot: imap-login: Login: user=<info@lightningflatscreenmounting.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
May 20 11:06:12 ns01 dovecot: IMAP(info@lightningflatscreenmounting.com): Disconnected: Logged out bytes=166/1251
May 20 11:07:12 ns01 dovecot: imap-login: Login: user=<info@lightningflatscreenmounting.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
May 20 11:07:12 ns01 dovecot: IMAP(info@lightningflatscreenmounting.com): Disconnected: Logged out bytes=166/1251
May 20 11:08:12 ns01 dovecot: imap-login: Login: user=<info@lightningflatscreenmounting.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
May 20 11:08:12 ns01 dovecot: IMAP(info@lightningflatscreenmounting.com): Disconnected: Logged out bytes=166/1251
May 20 11:09:13 ns01 dovecot: imap-login: Login: user=<info@lightningflatscreenmounting.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
May 20 11:09:13 ns01 dovecot: IMAP(info@lightningflatscreenmounting.com): Disconnected: Logged out bytes=166/1251
May 20 11:10:01 ns01 dovecot: pop3-login: Disconnected (no auth attempts): rip=127.0.0.1, lip=127.0.0.1, secured
May 20 11:10:01 ns01 dovecot: imap-login: Disconnected (no auth attempts): rip=127.0.0.1, lip=127.0.0.1, secured
May 20 11:10:01 ns01 postfix/smtpd[21387]: connect from localhost.localdomain[127.0.0.1]
May 20 11:10:01 ns01 postfix/smtpd[21387]: lost connection after CONNECT from localhost.localdomain[127.0.0.1]
May 20 11:10:01 ns01 postfix/smtpd[21387]: disconnect from localhost.localdomain[127.0.0.1]
May 20 11:10:07 ns01 postfix/master[2263]: terminating on signal 15
May 20 11:10:08 ns01 postfix/master[21509]: daemon started -- version 2.7.1, configuration /etc/postfix
May 20 11:10:12 ns01 dovecot: imap-login: Login: user=<info@lightningflatscreenmounting.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
May 20 11:10:12 ns01 dovecot: IMAP(info@lightningflatscreenmounting.com): Disconnected: Logged out bytes=166/1251


till 21st May 2013 11:06

The welcome message indicates that the local mail system is working correctly. To test if it's a local issue or a remote issue, please log in to Roundcube, then send an email to the same address that you used for the Roundcube login. It should be visible in the inbox within 1-2 minutes.

JESUSSAVES 21st May 2013 14:59

local test results
 
Till, thank you again for your response and help.

Yes, you are right the mail was delivered to the same account that sent it in less than 1 minute.

I'm quite sure that my system has been hacked and I'm wondering if fail2ban is working properly. I remember, it may have been when I was running Fedora, not sure, but I used to get messages in root's mail all day long about IP addresses being banned. I don't get them anymore. I'm wondering if fail2ban is working properly. I've copied the log from Monitor and pasted it below.

Code:

Data from: 2013-05-21 11:45
2013-05-19 06:25:06,756 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4-SVN
2013-05-19 06:25:06,941 fail2ban.filter : INFO Log rotation detected for /var/log/syslog
2013-05-19 06:25:07,780 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2013-05-19 06:25:07,942 fail2ban.filter : INFO Log rotation detected for /var/log/syslog
2013-05-19 06:25:08,075 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log
2013-05-19 06:26:02,126 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log
2013-05-19 06:26:05,837 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2013-05-19 06:51:52,500 fail2ban.actions: WARNING [ssh] Ban 61.156.238.56
2013-05-19 07:01:53,164 fail2ban.actions: WARNING [ssh] Unban 61.156.238.56
2013-05-19 19:35:48,397 fail2ban.actions: WARNING [ssh] Ban 114.80.202.30
2013-05-19 19:45:49,062 fail2ban.actions: WARNING [ssh] Unban 114.80.202.30
2013-05-19 21:53:11,384 fail2ban.actions: WARNING [ssh] Ban 210.6.26.45
2013-05-19 22:03:12,050 fail2ban.actions: WARNING [ssh] Unban 210.6.26.45
2013-05-20 06:25:06,061 fail2ban.filter : INFO Log rotation detected for /var/log/syslog
2013-05-20 08:46:45,089 fail2ban.actions: WARNING [ssh] Ban 31.3.245.178
2013-05-20 08:56:45,751 fail2ban.actions: WARNING [ssh] Unban 31.3.245.178
2013-05-20 10:52:42,341 fail2ban.actions: WARNING [ssh] Ban 61.35.191.245
2013-05-20 11:02:43,002 fail2ban.actions: WARNING [ssh] Unban 61.35.191.245
2013-05-20 17:04:08,649 fail2ban.actions: WARNING [ssh] Ban 61.35.191.245
2013-05-20 17:14:09,314 fail2ban.actions: WARNING [ssh] Unban 61.35.191.245
2013-05-21 01:58:28,699 fail2ban.actions: WARNING [ssh] Ban 103.3.79.83
2013-05-21 02:08:29,362 fail2ban.actions: WARNING [ssh] Unban 103.3.79.83
2013-05-21 06:25:05,813 fail2ban.filter : INFO Log rotation detected for /var/log/syslog


till 21st May 2013 15:07

Quote:

Yes, you are right the mail was delivered to the same account that sent it in less than 1 minute.
Ok, that's good.

So the error might be one of the following problems:

- Your server blocks external mail connections:

Please post the output of:

iptables -L

and

netstat -tap

- Your internet access provider which provides the internet connection to your server blocks port 25, or there is a router between the server and the internet which blocks port 25.
- There is a dns problem, e.g. the MX record does not point to the server. Test the dns record(s) of the domain with e.g. intodns:

http://www.intodns.com/

Quote:

I'm quite sure that my system has been hacked and I'm wondering if fail2ban is working properly.
The Ban / Unban messages indicate that fail2ban is working correctly, at least for SSH.

If you want to test it for other services you will have to use e.g. a mail client (not webmail) or an external FTP client and enter a wrong password more than 5 times.

If you think that the system has been hacked, then you should check it with rkhunter:

rkhunter --update

and then

rkhunter -c

The most important part is if there are any rootkits found. In the first part which checks the binaries you will most likely see some false positives.
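The decision tree in the reply above (local delivery works, so look at whether any non-loopback client ever reaches smtpd; Ban/Unban lines prove fail2ban only for the jails that appear in them) can be checked mechanically against the logs. The script below is an added example, not code from the thread or from ISPConfig; its log lines and iptables output are constructed to mirror the formats posted here, with invented hostnames and documentation-range addresses.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input modelled on the thread's mail.log, fail2ban log
# and iptables -L output (hostnames and addresses are invented).
MAIL_LOG = """\
May 20 11:00:01 ns01 postfix/smtpd[21174]: connect from localhost.localdomain[127.0.0.1]
May 20 11:00:01 ns01 postfix/smtpd[21174]: lost connection after CONNECT from localhost.localdomain[127.0.0.1]
May 20 11:00:03 ns01 postfix/smtpd[21214]: connect from localhost.localdomain[127.0.0.1]
May 20 11:00:03 ns01 postfix/smtpd[21214]: AAE95140084: client=localhost.localdomain[127.0.0.1]
May 20 11:00:03 ns01 postfix/local[21215]: AAE95140084: to=<administrator@ns01.example.test>, orig_to=<root@ns01.example.test>, relay=local, dsn=2.0.0, status=sent (delivered to command: procmail -a "$EXTENSION")
May 20 11:05:01 ns01 postfix/smtpd[21287]: connect from localhost.localdomain[127.0.0.1]
May 20 11:05:01 ns01 postfix/smtpd[21287]: lost connection after CONNECT from localhost.localdomain[127.0.0.1]
"""
# Constructed line showing an inbound attempt from another mail server
# (203.0.113.5 is a documentation address); absent from the thread's log.
REMOTE_CONNECT = "May 20 11:07:30 ns01 postfix/smtpd[21300]: connect from mx.example.test[203.0.113.5]\n"

FAIL2BAN_LOG = """\
2013-05-19 06:25:06,756 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4-SVN
2013-05-19 06:51:52,500 fail2ban.actions: WARNING [ssh] Ban 198.51.100.10
2013-05-19 07:01:53,164 fail2ban.actions: WARNING [ssh] Unban 198.51.100.10
2013-05-20 10:52:42,341 fail2ban.actions: WARNING [ssh] Ban 198.51.100.23
2013-05-20 11:02:43,002 fail2ban.actions: WARNING [ssh] Unban 198.51.100.23
2013-05-20 17:04:08,649 fail2ban.actions: WARNING [ssh] Ban 198.51.100.23
"""
# Only the chain headers matter here; fail2ban names its chain fail2ban-<jail>.
IPTABLES_L = """\
Chain INPUT (policy ACCEPT)
fail2ban-ssh  tcp  --  anywhere            anywhere            multiport dports ssh
Chain fail2ban-dovecot-pop3imap (1 references)
Chain fail2ban-pureftpd (1 references)
Chain fail2ban-ssh (1 references)
"""

SMTPD_CONNECT = re.compile(r"postfix/smtpd\[\d+\]: connect from [^\s\[]+\[(?P<ip>[^\]]+)\]")
SMTPD_LOST = re.compile(r"postfix/smtpd\[\d+\]: lost connection after \w+ from [^\s\[]+\[(?P<ip>[^\]]+)\]")
LOCAL_SENT = re.compile(r"postfix/local\[\d+\]: \w+: to=<[^>]+>.*status=sent")
F2B_ACTION = re.compile(r"fail2ban\.actions: WARNING \[(?P<jail>[^\]]+)\] (?P<action>Ban|Unban) (?P<ip>\S+)")
F2B_CHAIN = re.compile(r"^Chain fail2ban-(?P<jail>\S+)")


def is_loopback(ip):
    return ip.startswith("127.") or ip == "::1"


def smtpd_summary(log_text):
    """Count smtpd connections per client IP, sessions dropped right after CONNECT, and local deliveries."""
    connects, lost, local_sent = Counter(), Counter(), 0
    for line in log_text.splitlines():
        if m := SMTPD_CONNECT.search(line):
            connects[m["ip"]] += 1
        elif m := SMTPD_LOST.search(line):
            lost[m["ip"]] += 1
        elif LOCAL_SENT.search(line):
            local_sent += 1
    return {
        "connects": dict(connects),
        "remote_connects": {ip: n for ip, n in connects.items() if not is_loopback(ip)},
        "lost_after_connect": dict(lost),
        "local_deliveries": local_sent,
    }


def diagnose(summary):
    """Map the summary onto the branch of the thread's decision tree it supports."""
    if summary["remote_connects"]:
        return "remote-reached"  # port 25 is reachable from outside; the problem is past connectivity
    if summary["local_deliveries"]:
        return "local-only"      # MTA delivers locally but no outside client ever arrives: firewall, upstream port 25 block or MX
    return "no-delivery"         # not even local mail flows; fix the MTA first


def fail2ban_state(log_text):
    """Replay Ban/Unban events per jail: which jails have ever acted, and who is banned at the end of the log."""
    active, events = defaultdict(set), Counter()
    for line in log_text.splitlines():
        m = F2B_ACTION.search(line)
        if not m:
            continue
        events[(m["jail"], m["action"])] += 1
        if m["action"] == "Ban":
            active[m["jail"]].add(m["ip"])
        else:
            active[m["jail"]].discard(m["ip"])
    return {
        "jails_with_events": sorted({jail for jail, _ in events}),
        "events": dict(events),
        "currently_banned": {jail: sorted(ips) for jail, ips in active.items() if ips},
    }


def fail2ban_jails_from_iptables(iptables_text):
    """Jail names implied by the fail2ban-<jail> chains in iptables -L output."""
    return sorted(m["jail"] for line in iptables_text.splitlines() if (m := F2B_CHAIN.match(line)))


def unproven_jails(iptables_text, f2b_log_text):
    """Jails wired into iptables that never banned anyone, so the log cannot show they work."""
    seen = set(fail2ban_state(f2b_log_text)["jails_with_events"])
    return [j for j in fail2ban_jails_from_iptables(iptables_text) if j not in seen]


if __name__ == "__main__":
    print(diagnose(smtpd_summary(MAIL_LOG)), smtpd_summary(MAIL_LOG))
    print(diagnose(smtpd_summary(MAIL_LOG + REMOTE_CONNECT)))
    print(fail2ban_state(FAIL2BAN_LOG))
    print("jails without ban evidence:", unproven_jails(IPTABLES_L, FAIL2BAN_LOG))
```

On the thread's own excerpt every smtpd client is 127.0.0.1 while a local delivery succeeds, which is exactly the "local-only" branch; the jail list shows that the pureftpd and dovecot-pop3imap chains exist but have no ban evidence yet.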

JESUSSAVES 21st May 2013 15:58

table results
 
Till, thanks again for your response and help with this.

Here are the results:

iptables -L

Code:


Chain INPUT (policy ACCEPT)
target    prot opt source              destination
fail2ban-ssh  tcp  --  anywhere            anywhere            multiport dports ssh
fail2ban-pureftpd  tcp  --  anywhere            anywhere            multiport dports ftp
fail2ban-dovecot-pop3imap  tcp  --  anywhere            anywhere            multiport dports pop3,pop3s,imap2,imaps

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination

Chain fail2ban-dovecot-pop3imap (1 references)
target    prot opt source              destination
RETURN    all  --  anywhere            anywhere

Chain fail2ban-pureftpd (1 references)
target    prot opt source              destination
RETURN    all  --  anywhere            anywhere

Chain fail2ban-ssh (1 references)
target    prot opt source              destination
RETURN    all  --  anywhere            anywhere

netstat -tap

Code:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address          Foreign Address        State      PID/Program name
tcp        0      0 *:mysql                *:*                    LISTEN      1748/mysqld
tcp        0      0 *:submission            *:*                    LISTEN      24159/master
tcp        0      0 *:pop3                  *:*                    LISTEN      2276/dovecot
tcp        0      0 *:imap2                *:*                    LISTEN      2276/dovecot
tcp        0      0 *:sunrpc                *:*                    LISTEN      1059/portmap
tcp        0      0 *:ssmtp                *:*                    LISTEN      24159/master
tcp        0      0 *:ftp                  *:*                    LISTEN      2235/pure-ftpd (SER
tcp        0      0 ns01.delcowebhos:domain *:*                    LISTEN      1331/named
tcp        0      0 localhost.locald:domain *:*                    LISTEN      1331/named
tcp        0      0 *:ssh                  *:*                    LISTEN      1614/sshd
tcp        0      0 *:smtp                  *:*                    LISTEN      12427/smtpd
tcp        0      0 localhost.localdoma:953 *:*                    LISTEN      1331/named
tcp        0      0 *:imaps                *:*                    LISTEN      2276/dovecot
tcp        0      0 *:pop3s                *:*                    LISTEN      2276/dovecot
tcp        0      0 *:56707                *:*                    LISTEN      1071/rpc.statd
tcp        0      0 localhost.localdo:10024 *:*                    LISTEN      1863/amavisd (maste
tcp        0      0 localhost.localdo:10025 *:*                    LISTEN      24159/master
tcp        0      0 localhost.localdo:41798 localhost.localdo:mysql ESTABLISHED 30509/amavisd (ch10
tcp        0      0 localhost.localdo:41895 localhost.localdo:mysql ESTABLISHED 31544/amavisd (ch8-
tcp        0      0 localhost.localdo:mysql localhost.localdo:41895 ESTABLISHED 1748/mysqld
tcp        0      0 localhost.localdo:51627 localhost.localdoma:www TIME_WAIT  -
tcp        0      0 localhost.localdo:56649 localhost.localdoma:ftp TIME_WAIT  -
tcp        0    52 ns01.delcowebhostin:ssh 192.168.1.1:1643        ESTABLISHED 12365/0
tcp        0      0 localhost.localdo:mysql localhost.localdo:41798 ESTABLISHED 1748/mysqld
tcp6      0      0 [::]:http-alt          [::]:*                  LISTEN      2023/apache2
tcp6      0      0 [::]:www                [::]:*                  LISTEN      2023/apache2
tcp6      0      0 [::]:tproxy            [::]:*                  LISTEN      2023/apache2
tcp6      0      0 [::]:ftp                [::]:*                  LISTEN      2235/pure-ftpd (SER
tcp6      0      0 [::]:domain            [::]:*                  LISTEN      1331/named
tcp6      0      0 [::]:ssh                [::]:*                  LISTEN      1614/sshd
tcp6      0      0 ip6-localhost:953      [::]:*                  LISTEN      1331/named
tcp6      0      0 [::]:https              [::]:*                  LISTEN      2023/apache2

intodns (which looks OK. a few informational messages, but mail had been working on the server but no longer works and dns hasn't changed)

Code:


Category        Status        Test name        Information send feedback
Parent        Info        Domain NS records        Nameserver records returned by the parent servers are:

ns01.delcowebhosting.com.  ['71.225.4.213']  [TTL=172800]
ns02.delcowebhosting.com.  ['71.225.4.213']  [TTL=172800]

g.gtld-servers.net was kind enough to give us that information.
Pass        TLD Parent Check        Good. g.gtld-servers.net, the parent server I interrogated, has information for your TLD. This is a good thing as there are some other domain extensions like "co.us" for example that are missing a direct check.
Pass        Your nameservers are listed        Good. The parent server g.gtld-servers.net has your nameservers listed. This is a must if you want to be found as anyone that does not know your DNS servers will first ask the parent nameservers.
Pass        DNS Parent sent Glue        Good. The parent nameserver sent GLUE, meaning he sent your nameservers as well as the IPs of your nameservers. Glue records are A records that are associated with NS records to provide "bootstrapping" information to the nameserver.(see RFC 1912 section 2.3)
Pass        Nameservers A records        Good. Every nameserver listed has A records. This is a must if you want to be found.
NS        Info        NS records from your nameservers        NS records got from your nameservers listed at the parent NS are:

ns02.delcowebhosting.com  ['71.225.4.213']  [TTL=86400]
ns01.delcowebhosting.com  ['71.225.4.213']  [TTL=86400]

Pass        Recursive Queries        Good. Your nameservers (the ones reported by the parent server) do not report that they allow recursive queries for anyone.
Pass        Same Glue        The A records (the GLUE) got from the parent zone check are the same as the ones got from your nameservers. You have to make sure your parent server has the same NS records for your zone as you do according to the RFC. This tests only nameservers that are common at the parent and at your nameservers. If there are any missing or stealth nameservers you should see them below!
Pass        Glue for NS records        OK. When I asked your nameservers for your NS records they also returned the A records for the NS records. This is a good thing as it will spare an extra A lookup needed to find those A records.
Pass        Mismatched NS records        OK. The NS records at all your nameservers are identical.
Pass        DNS servers responded        Good. All nameservers listed at the parent server responded.
Pass        Name of nameservers are valid        OK. All of the NS records that your nameservers report seem valid.
Pass        Multiple Nameservers        Good. You have multiple nameservers. According to RFC2182 section 5 you must have at least 3 nameservers, and no more than 7. Having 2 nameservers is also ok by me.
Pass        Nameservers are lame        OK. All the nameservers listed at the parent servers answer authoritatively for your domain.
Pass        Missing nameservers reported by parent        OK. All NS records are the same at the parent and at your nameservers.
Pass        Missing nameservers reported by your nameservers        OK. All nameservers returned by the parent server g.gtld-servers.net are the same as the ones reported by your nameservers.
Pass        Domain CNAMEs        OK. RFC1912 2.4 and RFC2181 10.3 state that there should be no CNAMEs if an NS (or any other) record is present.
Pass        NSs CNAME check        OK. RFC1912 2.4 and RFC2181 10.3 state that there should be no CNAMEs if an NS (or any other) record is present.
Warn        Different subnets        WARNING: Not all of your nameservers are in different subnets
Pass        IPs of nameservers are public        Ok. Looks like the IP addresses of your nameservers are public. This is a good thing because it will prevent DNS delays and other problems like
Pass        DNS servers allow TCP connection        OK. Seems all your DNS servers allow TCP connections. This is a good thing and useful even if UDP connections are used by default.
Warn        Different autonomous systems        WARNING: Single point of failure
Pass        Stealth NS records sent        Ok. No stealth ns records are sent
SOA        Info        SOA record        The SOA record is:
Primary nameserver: ns01.delcowebhosting.com
Hostmaster E-mail address: webmaster.delcowebhosting.com
Serial #: 2013021901
Refresh: 28800
Retry: 7200
Expire: 604800  1 weeks
Default TTL: 86400
Pass        NSs have same SOA serial        OK. All your nameservers agree that your SOA serial number is 2013021901.
Pass        SOA MNAME entry        OK. ns01.delcowebhosting.com That server is listed at the parent servers.
Pass        SOA Serial        Your SOA serial number is: 2013021901. This appears to be in the recommended format of YYYYMMDDnn.
Pass        SOA REFRESH        OK. Your SOA REFRESH interval is: 28800. That is OK
Pass        SOA RETRY        Your SOA RETRY value is: 7200. Looks ok
Pass        SOA EXPIRE        Your SOA EXPIRE number is: 604800.Looks ok
Pass        SOA MINIMUM TTL        Your SOA MINIMUM TTL is: 86400. This value was used to serve as a default TTL for records without a given TTL value and now is used for negative caching (indicates how long a resolver may cache the negative answer). RFC2308 recommends a value of 1-3 hours. Your value of 86400 is OK.
MX        Info        MX Records        Your MX records that were reported by your nameservers are:

10  mail.lightningflatscreenmounting.com  71.225.4.213

[These are all the MX records that I found. If there are some non common MX records at your nameservers you should see them below. ]
Pass        Different MX records at nameservers        Good. Looks like all your nameservers have the same set of MX records. This tests to see if there are any MX records not reported by all your nameservers and also MX records that have the same hostname but different IPs
Pass        MX name validity        Good. I did not detect any invalid hostnames for your MX records.
Pass        MX IPs are public        OK. All of your MX records appear to use public IPs.
Pass        MX CNAME Check        OK. No problems here.
Pass        MX A request returns CNAME        OK. No CNAMEs returned for A records lookups.
Pass        MX is not IP        OK. All of your MX records are host names.
Info        Number of MX records        OK. Looks like you only have one MX record at your nameservers. You should be careful about what you are doing since you have a single point of failure that can lead to mail being lost if the server is down for a long time.
Pass        Mismatched MX A        OK. I did not detect differing IPs for your MX records.
Pass        Duplicate MX A records        OK. I have not found duplicate IP(s) for your MX records. This is a good thing.
Pass        Reverse MX A records (PTR)        Your reverse (PTR) record:
213.4.225.71.in-addr.arpa ->  c-71-225-4-213.hsd1.nj.comcast.net
You have reverse (PTR) records for all your IPs, that is a good thing.
WWW        Info        WWW A Record        Your www.lightningflatscreenmounting.com A record is:
www.lightningflatscreenmounting.com  [71.225.4.213]
Pass        IPs are public        OK. All of your WWW IPs appear to be public IPs.
Pass        WWW CNAME        OK. No CNAME

rkhunter

Code:

rkhunter --update
[ Rootkit Hunter version 1.3.6 ]

Checking rkhunter data files...
  Checking file mirrors.dat                                  [ No update ]
  Checking file programs_bad.dat                            [ No update ]
  Checking file backdoorports.dat                            [ No update ]
  Checking file suspscan.dat                                [ No update ]
  Checking file i18n/cn                                      [ No update ]
  Checking file i18n/de                                      [ No update ]
  Checking file i18n/en                                      [ No update ]
  Checking file i18n/zh                                      [ No update ]
  Checking file i18n/zh.utf8                                [ No update ]

rkhunter -c
[ Rootkit Hunter version 1.3.6 ]

Checking system commands...

  Performing 'strings' command checks
    Checking 'strings' command                              [ OK ]

  Performing 'shared libraries' checks
    Checking for preloading variables                        [ None found ]
    Checking for preloaded libraries                        [ None found ]
    Checking LD_LIBRARY_PATH variable                        [ Not found ]

  Performing file properties checks
    Checking for prerequisites                              [ OK ]
    /bin/bash                                                [ OK ]
    /bin/cat                                                [ OK ]
    /bin/chmod                                              [ OK ]
    /bin/chown                                              [ OK ]
    /bin/cp                                                  [ OK ]
    /bin/date                                                [ OK ]
    /bin/df                                                  [ OK ]
    /bin/dmesg                                              [ OK ]
    /bin/echo                                                [ OK ]
    /bin/egrep                                              [ OK ]
    /bin/fgrep                                              [ OK ]
    /bin/fuser                                              [ OK ]
    /bin/grep                                                [ OK ]
    /bin/ip                                                  [ OK ]
    /bin/kill                                                [ OK ]
    /bin/less                                                [ OK ]
    /bin/login                                              [ OK ]
    /bin/ls                                                  [ OK ]
    /bin/lsmod                                              [ OK ]
    /bin/mktemp                                              [ OK ]
    /bin/more                                                [ OK ]
    /bin/mount                                              [ OK ]
    /bin/mv                                                  [ OK ]
    /bin/netstat                                            [ OK ]
    /bin/ps                                                  [ OK ]
    /bin/pwd                                                [ OK ]
    /bin/readlink                                            [ OK ]
    /bin/sed                                                [ OK ]
    /bin/sh                                                  [ OK ]
    /bin/su                                                  [ OK ]
    /bin/touch                                              [ OK ]
    /bin/uname                                              [ OK ]
    /bin/which                                              [ OK ]
    /usr/bin/awk                                            [ OK ]
    /usr/bin/basename                                        [ OK ]
    /usr/bin/chattr                                          [ OK ]
    /usr/bin/cut                                            [ OK ]
    /usr/bin/diff                                            [ OK ]
    /usr/bin/dirname                                        [ OK ]
    /usr/bin/dpkg                                            [ OK ]
    /usr/bin/dpkg-query                                      [ OK ]
    /usr/bin/du                                              [ OK ]
    /usr/bin/env                                            [ OK ]
    /usr/bin/file                                            [ OK ]
    /usr/bin/find                                            [ OK ]
    /usr/bin/GET                                            [ Warning ]
    /usr/bin/groups                                          [ OK ]
    /usr/bin/head                                            [ OK ]
    /usr/bin/id                                              [ OK ]
    /usr/bin/killall                                        [ OK ]
    /usr/bin/last                                            [ OK ]
    /usr/bin/lastlog                                        [ OK ]
    /usr/bin/ldd                                            [ OK ]
    /usr/bin/less                                            [ OK ]
    /usr/bin/locate                                          [ OK ]
    /usr/bin/logger                                          [ OK ]
    /usr/bin/lsattr                                          [ OK ]
    /usr/bin/lsof                                            [ OK ]
    /usr/bin/mail                                            [ OK ]
    /usr/bin/md5sum                                          [ OK ]
    /usr/bin/mlocate                                        [ OK ]
    /usr/bin/newgrp                                          [ OK ]
    /usr/bin/passwd                                          [ OK ]
    /usr/bin/perl                                            [ Warning ]
    /usr/bin/pgrep                                          [ OK ]
    /usr/bin/pstree                                          [ OK ]
    /usr/bin/rkhunter                                        [ OK ]
    /usr/bin/runcon                                          [ OK ]
    /usr/bin/sha1sum                                        [ OK ]
    /usr/bin/sha224sum                                      [ OK ]
    /usr/bin/sha256sum                                      [ OK ]
    /usr/bin/sha384sum                                      [ OK ]
    /usr/bin/sha512sum                                      [ OK ]
    /usr/bin/size                                            [ OK ]
    /usr/bin/sort                                            [ OK ]
    /usr/bin/stat                                            [ OK ]
    /usr/bin/strings                                        [ OK ]
    /usr/bin/tail                                            [ OK ]
    /usr/bin/test                                            [ OK ]
    /usr/bin/top                                            [ OK ]
    /usr/bin/touch                                          [ OK ]
    /usr/bin/tr                                              [ OK ]
    /usr/bin/uniq                                            [ OK ]
    /usr/bin/users                                          [ OK ]
    /usr/bin/vmstat                                          [ OK ]
    /usr/bin/w                                              [ OK ]
    /usr/bin/watch                                          [ OK ]
    /usr/bin/wc                                              [ OK ]
    /usr/bin/wget                                            [ OK ]
    /usr/bin/whatis                                          [ OK ]
    /usr/bin/whereis                                        [ OK ]
    /usr/bin/which                                          [ OK ]
    /usr/bin/who                                            [ OK ]
    /usr/bin/whoami                                          [ OK ]
    /usr/bin/mawk                                            [ OK ]
    /usr/bin/lwp-request                                    [ Warning ]
    /usr/bin/bsd-mailx                                      [ OK ]
    /usr/bin/w.procps                                        [ OK ]
    /sbin/depmod                                            [ OK ]
    /sbin/ifconfig                                          [ OK ]
    /sbin/ifdown                                            [ OK ]
    /sbin/ifup                                              [ OK ]
    /sbin/init                                              [ OK ]
    /sbin/insmod                                            [ OK ]
    /sbin/ip                                                [ OK ]
    /sbin/lsmod                                              [ OK ]
    /sbin/modinfo                                            [ OK ]
    /sbin/modprobe                                          [ OK ]
    /sbin/rmmod                                              [ OK ]
    /sbin/runlevel                                          [ OK ]
    /sbin/sulogin                                            [ OK ]
    /sbin/sysctl                                            [ OK ]
    /usr/sbin/adduser                                        [ OK ]
    /usr/sbin/chroot                                        [ OK ]
    /usr/sbin/cron                                          [ OK ]
    /usr/sbin/groupadd                                      [ OK ]
    /usr/sbin/groupdel                                      [ OK ]
    /usr/sbin/groupmod                                      [ OK ]
    /usr/sbin/grpck                                          [ OK ]
    /usr/sbin/inetd                                          [ Warning ]
    /usr/sbin/nologin                                        [ OK ]
    /usr/sbin/pwck                                          [ OK ]
    /usr/sbin/rsyslogd                                      [ OK ]
    /usr/sbin/tcpd                                          [ OK ]
    /usr/sbin/useradd                                        [ OK ]
    /usr/sbin/userdel                                        [ OK ]
    /usr/sbin/usermod                                        [ OK ]
    /usr/sbin/vipw                                          [ OK ]
    /usr/sbin/unhide-linux26                                [ OK ]


JESUSSAVES 21st May 2013 16:32

router
 
Linksys wireless router:

Block Anonymous Internet Requests: ON
Filter Multicast: ON
Filter IDENT(Port 113): ON

Access Restrictions:
No blocked services
No website blocking

Applications:
Along with everything Apache and DNS, SMTP, and POP3 all are sent to the local address of my server.

till 21st May 2013 17:25

iptables and netstat output are fine, postfix is listening on all network interfaces on ports 25 and 587 and it is not blocked by a local firewall.

The dns record seems to be fine as well.

I then tested if I am able to connect to your server on port 25 or 587 from outside, but that is not possible. I then tested the same for port 80 (apache) and this works.

So it seems that somehow the email ports are blocked between the internet and the server.

As you mentioned that this setup worked before, do you remember anything that happened right before the problems started that might be related to the issue, e.g. did you configure something in the router or did your access provider announce any changes in their service?
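
The reasoning in the post above (daemon bound locally, mail ports unreachable from outside while port 80 is reachable, therefore something in the path is blocking) can be turned into a small check. The script below is an added example written for this thread, not code from the thread or from ISPConfig. It parses the server-side `netstat -tln` listing (a constructed sample is embedded) to learn which ports are bound, probes the same ports from a client with a TCP connect, and classifies each one. The hostname `mail.example.invalid` and the sample netstat lines are assumptions.

```python
import socket

# Ports the thread is about: the two mail ports plus HTTP as the control port
# that is known to be reachable from outside.
PORTS = {"smtp": 25, "submission": 587, "http": 80}

# Constructed sample of `netstat -tln` output as run on the server itself.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp6       0      0 :::25                   :::*                    LISTEN
"""


def listening_ports_from_netstat(text):
    """Return the set of TCP ports in LISTEN state from `netstat -tln` output."""
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[-1] == "LISTEN":
            # Local address is "addr:port"; rsplit handles IPv6 ":::25" as well.
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


def tcp_connect(host, port, timeout=3.0):
    """Probe one port from the client side.

    'open'     : TCP handshake completed (a daemon answered)
    'refused'  : host actively rejected (nothing bound, no filter in between)
    'filtered' : no answer at all, the usual sign of a firewall or ISP block
    'error'    : resolution or other socket failure
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "error"


def classify(local_listening, external_result):
    """Combine the server's view (is the port bound?) with the outside view."""
    if not local_listening:
        return "not-listening"          # fix the daemon first
    if external_result == "open":
        return "reachable"
    return "blocked-in-path"            # bound locally, unreachable from outside


def diagnose(host, netstat_text, probe=tcp_connect):
    """Classify every port in PORTS for `host`; `probe` is injectable so the
    external view can be supplied without network access."""
    bound = listening_ports_from_netstat(netstat_text)
    return {name: classify(port in bound, probe(host, port))
            for name, port in PORTS.items()}


def loopback_selfcheck():
    """Open a throwaway listener on 127.0.0.1, probe it, close it, probe again.
    Returns (result_while_listening, result_after_close)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = tcp_connect("127.0.0.1", port, timeout=2.0)
    srv.close()
    after_close = tcp_connect("127.0.0.1", port, timeout=2.0)
    return while_open, after_close


if __name__ == "__main__":
    # Real run against the (assumed) host; the thread's symptom would show as
    # smtp/submission 'blocked-in-path' with http 'reachable'.
    for name, verdict in diagnose("mail.example.invalid", SAMPLE_NETSTAT).items():
        print(f"{name:>10}: {verdict}")
```

To reproduce the thread's situation offline, pass a `probe` that returns `"filtered"` for 25 and 587 and `"open"` for 80; the verdict separates "postfix is not listening" from "something between the internet and the server drops the port", which is exactly the distinction the post draws.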

JESUSSAVES 22nd May 2013 04:11

previous activity
 
Till, thanks again for your response and help.
Two months ago, I installed a StartSSL class2 certificate. Following that I set up 2 sites in Joomla. Before that I know mail was working because I did a site for a guy and tested that his mail was working.

When I got a complaint about mail not working, first I checked root mail, which I should check more frequently. That's when I noticed that my daily MySQL backups had stopped working. Reason: the backup directory was missing. That's why I thought I was hacked.

I don't remember any notice from my ISP about changes. Perhaps the next step is to contact them and ask what's going on.

