
11th November 2006, 20:06
Senior Member
TPS FC4, mail server abused to send spam?
Hello.
I used the excellent how-to guide on your pages to set up a web/mail server.
The server is set up with an official IP address, so no NAT or firewall protects it.
Just the firewall in ISPConfig (everything is set up as in the tutorial).
I'm worried that my server is used as a "spam server".
I've been looking at the logs, but I'm not sure what to look for, etc.
Is there any way to see what messages are being sent out from my server, from which address, subject, receiver, IP address, etc.?
I would really like some help with this.

12th November 2006, 16:12
Super Moderator
Quote:
|
Originally Posted by Hagforce
Is there any way to see what messages are being sent out from my server, from which address, subject, receiver, IP address, etc.?
|
It's all in your mail log. If you have lots of activity there that could be a sign of spam (unless your mail server is usually busy anyway). You can also check the mail queue:
If you see lots of mails there, this could also be a sign of spam abuse.
Then you can check if your server is blacklisted:
http://www.mxtoolbox.com/blacklists.aspx
Also make sure that your mynetworks setting allows unauthenticated sending only from localhost. What's the output of
Code:
postconf -d | grep mynetworks
and
Code:
postconf -n | grep mynetworks
?
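Added example (not part of the original posts): one way to read "who is sending what" out of the mail log, by joining Postfix records on their queue ID and counting outbound delivery attempts per origin, sender and status. The log lines are constructed samples, and the default Postfix syslog format with short hexadecimal queue IDs is assumed.

```python
import re
from collections import Counter

# Constructed sample in Postfix syslog format (example.* names, documentation IPs).
SAMPLE_LOG = """\
Nov 12 20:01:02 www postfix/smtpd[2101]: 3F2A11C0B5: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=bob@example.com
Nov 12 20:01:02 www postfix/qmgr[1201]: 3F2A11C0B5: from=<bob@example.com>, size=2210, nrcpt=2 (queue active)
Nov 12 20:01:04 www postfix/smtp[2110]: 3F2A11C0B5: to=<a@example.net>, relay=mx.example.net[198.51.100.5]:25, delay=2, status=sent (250 OK)
Nov 12 20:01:05 www postfix/smtp[2111]: 3F2A11C0B5: to=<b@example.org>, relay=mx.example.org[198.51.100.7]:25, delay=3, status=sent (250 OK)
Nov 12 20:02:10 www postfix/pickup[1200]: 9B1C21C0B7: uid=48 from=<apache>
Nov 12 20:02:10 www postfix/qmgr[1201]: 9B1C21C0B7: from=<apache@www.example.com>, size=901, nrcpt=1 (queue active)
Nov 12 20:02:12 www postfix/smtp[2112]: 9B1C21C0B7: to=<c@example.net>, relay=mx.example.net[198.51.100.5]:25, delay=2, status=deferred (connect timed out)
Nov 12 20:03:00 www postfix/smtpd[2120]: 7D0E41C0B9: client=mx.example.org[198.51.100.7]
Nov 12 20:03:00 www postfix/qmgr[1201]: 7D0E41C0B9: from=<x@example.org>, size=1500, nrcpt=1 (queue active)
Nov 12 20:03:01 www postfix/local[2125]: 7D0E41C0B9: to=<alice@example.com>, relay=local, delay=1, status=sent (delivered to mailbox)
"""

# daemon name, queue ID (short hex form assumed), rest of the record
RECORD = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]+): (.*)")

def outbound_by_origin(lines):
    """Count remote (postfix/smtp) delivery attempts per (origin, sender, status)."""
    origin, sender, counts = {}, {}, Counter()
    for line in lines:
        m = RECORD.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        if daemon == "smtpd" and rest.startswith("client="):
            # Mail accepted over SMTP: note the client IP and the SASL login, if any.
            ip = re.search(r"\[([^\]]+)\]", rest)
            user = re.search(r"sasl_username=(\S+)", rest)
            origin[qid] = (f"sasl_username={user.group(1)} " if user else "") + \
                f"client={ip.group(1) if ip else '?'}"
        elif daemon == "pickup":
            # Mail submitted locally through sendmail(1), e.g. by a web script.
            uid = re.search(r"uid=(\d+)", rest)
            origin[qid] = f"local uid={uid.group(1) if uid else '?'}"
        elif daemon == "qmgr" and rest.startswith("from="):
            sender[qid] = re.match(r"from=<([^>]*)>", rest).group(1)
        elif daemon == "smtp" and rest.startswith("to="):
            # postfix/smtp is the outbound client; local deliveries are skipped.
            status = re.search(r"status=(\w+)", rest)
            key = (origin.get(qid, "unknown"), sender.get(qid, "?"),
                   status.group(1) if status else "?")
            counts[key] += 1
    return counts

if __name__ == "__main__":
    for (src, frm, status), n in outbound_by_origin(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:5d}  {status:9s} from=<{frm}>  {src}")
```

With `mynetworks` limited to localhost, outbound mail can only originate from a SASL login or a local process, so an origin with unexpected volume in this summary is the account or script to examine.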

12th November 2006, 21:13
Senior Member
Code:
[root@www ~]# postconf -n | grep mynetworks
mynetworks = 127.0.0.0/8
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
Code:
[root@www ~]# postconf -d | grep mynetworks
mynetworks = 127.0.0.0/8 85.118.78.0/24
mynetworks_style = subnet
parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
smtpd_client_event_limit_exceptions = ${smtpd_client_connection_limit_exceptions:$mynetworks}
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
My mail log is very large, but I got over 400 mail users on my server....
The postqueue -p also contains a lot of mails, and with addresses I do not use, such as vbhnuz@static47.bane-cust.com. static47.bane-cust.com is a DNS for the IP on the server, I think???
Are all the mails in the log actually sent?
I'm not blacklisted, but this does not look good.
Last edited by Hagforce; 12th November 2006 at 21:16.

13th November 2006, 16:23
Super Moderator
Quote:
|
Originally Posted by Hagforce
Code:
[root@www ~]# postconf -n | grep mynetworks
mynetworks = 127.0.0.0/8
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
|
This looks good.
Quote:
|
Originally Posted by Hagforce
My mail log is very large, but I got over 400 mail users on my server....
The postqueue -p also contains a lot of mails, and with addresses I do not use, such as vbhnuz@static47.bane-cust.com. static47.bane-cust.com is a DNS for the IP on the server, I think???
|
What's your server's IP address? What's the output of
Code:
dig -x your_ip_address
?
Quote:
|
Originally Posted by Hagforce
Are all the mails in the log actually sent?
|
This is recorded also in the mail log.

13th November 2006, 18:10
Senior Member
output of "dig -x your_ip_address"
Code:
;; ANSWER SECTION:
47.78.118.85.in-addr.arpa. 86400 IN PTR static47.bane-cust.com.

14th November 2006, 15:10
Super Moderator
So static47.bane-cust.com is your server, and Postfix translates local domains to static47.bane-cust.com. That's why you see this domain in your mail log. That's the usual behaviour, there's nothing wrong with it.