#1
4th April 2013, 14:46
arraken
Lots of deferred mails - backscatter?

Hi,

I recently had an SMTP AUTH relay attack on my mail server, which I solved as described in this thread: http://www.howtoforge.com/forums/sho...331#post295331

I am however still getting a high amount of deferred e-mails, but it's not a spam flood anymore. They are rather just "trickling" in - a few mails per minute. The reason seems to be different from before, maybe it's backscatter? (Someone sends spam mail with a faked sender with a domain that is hosted on my server -> my server gets the deferred messages.)

When I type "qshape deferred" I get the following output:



Code:
                        T     5  10  20  40  80 160 320 640 1280 1280+
                 TOTAL 2443   0   0  36  18  38 136 287 460 1468     0
      DomainOnMyServer 2424   0   0  36  17  38 136 284 455 1458     0
           usamail.com   15   0   0   0   1   0   0   3   4    7     0
           example.com    2   0   0   0   0   0   0   0   1    1     0
               aol.com    1   0   0   0   0   0   0   0   0    1     0
        duck-calls.net    1   0   0   0   0   0   0   0   0    1     0
When I grep my mail.log for "deferred" I get lots of lines like this:

Code:
Apr  4 12:07:02 server1 postfix/pipe[30294]: 181E12134114: to=<homesteadspeered@DomainOnMyServer.at>, orig_to=<homesteadspeered@OtherDomainOnMyServer.at>, relay=maildrop, delay=25686, delays=25684/1.5/0/1.1, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/DomainOnMyServer.at/homesteadspeered/31248.0.server1.  )
Apr  4 12:07:02 server1 postfix/pipe[30755]: D82401FBE607: to=<bernhard.tucek@DomainOnMyServer.at>, orig_to=<bernhard.tucek@OtherDomainOnMyServer.at>, relay=maildrop, delay=38377, delays=38374/0.54/0/2.2, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/DomainOnMyServer.at/bernhard.tucek/30995.0.server1.  )
Apr  4 12:07:03 server1 postfix/pipe[30308]: 2286A1FBE380: to=<muscovyjanna@DomainOnMyServer.at>, orig_to=<muscovyjanna@OtherDomainOnMyServer.at>, relay=maildrop, delay=50730, delays=50726/0.12/0/3.4, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/DomainOnMyServer.at/muscovyjanna/30578.0.server1.  )
Apr  4 12:07:03 server1 postfix/pipe[30478]: 02A421FBE362: to=<muscovyjanna@DomainOnMyServer.at>, orig_to=<muscovyjanna@OtherDomainOnMyServer.at>, relay=maildrop, delay=50921, delays=50918/3.4/0/0.01, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/DomainOnMyServer.at/muscovyjanna/31394.0.server1.  )
Apr  4 12:07:03 server1 postfix/pipe[30012]: 2286A1FBE380: to=<n.steixner@DomainOnMyServer.at>, orig_to=<n.steixner@OtherDomainOnMyServer.at>, relay=maildrop, delay=50730, delays=50726/1.1/0/2.8, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/DomainOnMyServer.at/n.steixner/31132.0.server1.  )
Apr  4 12:07:03 server1 postfix/pipe[30159]: 2286A1FBE380: to=<n.kurz@DomainOnMyServer.at>, orig_to=<n.kurz@OtherDomainOnMyServer.at>, relay=maildrop, delay=50731, delays=50726/0.13/0/4.2, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/DomainOnMyServer.at/n.kurz/30594.0.server1.  )
The mailboxes to which the deferred mails are addressed do not exist on my server - but the domains are hosted on it. I obviously have no problem with the mails being deferred, but I wanted to know if this is standard behaviour for Postfix, or should I be worried?

My deferred queue is getting filled up by this, so isn't there a possibility to just bounce those mails?
#2
5th April 2013, 12:17
arraken

OK, I have looked into the problem some more, and found out that it's not backscatter after all.

The problem is this: Regular spam mail is sent to my server to some random addresses. The domain of the recipient of the mail is hosted on my server, but the mailbox does not exist.

Example: randomblabla123@domainOnMyServer.com

Normally I think this mail should just be bounced, but instead it is placed in the deferred queue. Because the domain gets lots of spam, the deferred queue fills up over time.

So my question is: How can I bounce mail that has an invalid recipient, instead of putting it in the deferred queue?

Here is an example of a deferred mail, which should be bounced, taken from my mail.log with "cat /var/log/mail.log | grep 208401FBE28F":

Code:
Apr  5 11:33:36 server1 postfix/smtpd[3240]: 208401FBE28F: client=localhost[127.0.0.1]
Apr  5 11:33:36 server1 postfix/cleanup[9757]: 208401FBE28F: message-id=<8831100462.V72J0A8X259818@DomainOnMyServer.at>
Apr  5 11:33:36 server1 postfix/qmgr[3930]: 208401FBE28F: from=<actionedyg7@google.com>, size=2094, nrcpt=1 (queue active)
Apr  5 11:33:36 server1 amavis[10827]: (10827-11) Passed SPAMMY, [2.176.244.156] [2.176.244.156] <actionedyg7@google.com> -> <wintgen@DomainOnMyServer.at>, Message-ID: <8831100462.V72J0A8X259818@DomainOnMyServer.at>, mail_id: XJtN3LKSUg5z, Hits: 14.574, size: 1276, queued_as: 208401FBE28F, 405 ms
Apr  5 11:33:36 server1 postfix/smtp[9989]: 8F1C81FBE27F: to=<wintgen@DomainOnMyServer.at>, relay=127.0.0.1[127.0.0.1]:10024, delay=5.7, delays=5.3/0/0/0.41, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=10827-11, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 208401FBE28F)
Apr  5 11:33:36 server1 postfix/pipe[11414]: 208401FBE28F: to=<wintgen@anotherDomainOnMyServer.at>, orig_to=<wintgen@DomainOnMyServer.at>, relay=maildrop, delay=0.13, delays=0.12/0/0/0.01, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/anotherDomainOnMyServer.at/wintgen/11907.0.server1.  )
As you can see, the mail gets sent to "@domainOnMyServer.at", and then gets relayed to "@anotherDomainOnMyServer.at", where it finally gets deferred. The relay happens because I have a mail alias in ISPConfig from domainOnMyServer.at to anotherDomainOnMyServer.at.

As far as I found out, all mail that lands in the deferred queue follows this pattern. It gets sent to the first domain, then relayed to the second domain, and there it gets deferred with the message:

"status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/anotherDomainOnMyServer.at/wintgenwintgen/14080.0.server1."

I thought "local_recipient_maps" and "relay_recipient_maps" should ensure that such mail gets bounced, and not deferred, but may it be that the alias for the whole domain screws something up here?

I would be thankful for any help or insight into this.

cheers

Last edited by arraken; 5th April 2013 at 12:19.
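The pattern described in posts #1 and #2 (mail accepted for DomainOnMyServer.at, rewritten by the domain alias to anotherDomainOnMyServer.at, then deferred by maildrop with a dsn=4.3.0 temporary failure) can be pulled out of mail.log mechanically instead of by eye. The script below is an added example, not code from this thread or from ISPConfig: it parses Postfix delivery-agent log lines of the shape posted above and, for the deferred ones, counts which alias rewrite (orig_to domain -> to domain) they followed and what the delivery command complained about. The log lines embedded in it are constructed to match the posted format (made-up queue ids, local parts and timestamps), and the reason labels are this example's own wording, not Postfix or maildrop terminology.

```python
"""Summarise Postfix delivery-agent log lines (added example, not from the thread).

Constructed sample input modelled on the postfix/pipe and postfix/smtp lines
posted above; nothing here reads a real /var/log/mail.log unless you pass it in.
"""
import re
from collections import Counter

# Constructed sample: two deferred maildrop deliveries that followed the domain
# alias, one permanent bounce, and one successful hand-off to amavis.
SAMPLE_LOG = """\
Apr  5 11:33:36 server1 postfix/pipe[11414]: 208401FBE28F: to=<wintgen@anotherDomainOnMyServer.at>, orig_to=<wintgen@DomainOnMyServer.at>, relay=maildrop, delay=0.13, delays=0.12/0/0/0.01, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/anotherDomainOnMyServer.at/wintgen/11907.0.server1.  )
Apr  5 11:33:40 server1 postfix/pipe[11420]: 3A1B01FBE2A0: to=<n.kurz@anotherDomainOnMyServer.at>, orig_to=<n.kurz@DomainOnMyServer.at>, relay=maildrop, delay=0.10, delays=0.09/0/0/0.01, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/anotherDomainOnMyServer.at/n.kurz/11910.0.server1.  )
Apr  5 11:33:41 server1 postfix/pipe[11421]: 4B2C01FBE2B1: to=<nobody@example.com>, relay=maildrop, delay=0.11, delays=0.10/0/0/0.01, dsn=5.1.1, status=bounced (user unknown. Command output: Invalid user specified. )
Apr  5 11:33:42 server1 postfix/smtp[9989]: 5C3D01FBE2C2: to=<real.user@DomainOnMyServer.at>, relay=127.0.0.1[127.0.0.1]:10024, delay=5.7, delays=5.3/0/0/0.41, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 6D4E01FBE2D3)
"""

# One delivery-status line: "<qid>: to=<...>, [orig_to=<...>,] relay=..., ... dsn=..., status=... (reason)"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postfix/(?P<prog>\w+)\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): to=<(?P<to>[^>]*)>,(?: orig_to=<(?P<orig_to>[^>]*)>,)? "
    r"relay=(?P<relay>[^,]+), .*?dsn=(?P<dsn>\d\.\d+\.\d+), "
    r"status=(?P<status>\w+) \((?P<reason>.*)\)\s*$"
)


def parse_deliveries(log_text):
    """Return one dict per delivery-status line; other log lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())  # orig_to is None when absent
    return records


def classify_reason(reason):
    """Reduce the delivery command's free-text output to a stable label (example's own names)."""
    if "authdaemon" in reason and "Permission denied" in reason:
        return "maildrop: cannot reach courier authdaemon (permission denied)"
    if "Unable to create a dot-lock" in reason:
        return "maildrop: cannot lock/create mailbox path"
    if "user unknown" in reason.lower() or "Invalid user" in reason:
        return "no such mailbox"
    return "other"


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def summarise(records):
    """Counts answering the thread's questions:
    by_status  - deferred / bounced / sent
    temporary  - lines whose DSN class is 4 (Postfix keeps these for retry)
    rewrites   - (orig_to domain, to domain) pairs behind the deferred mail
    reasons    - what the delivery command reported for the deferred mail
    """
    by_status = Counter(r["status"] for r in records)
    temporary = sum(1 for r in records if r["dsn"].startswith("4."))
    rewrites, reasons = Counter(), Counter()
    for r in records:
        if r["status"] != "deferred":
            continue
        # If there is no orig_to, the address was never rewritten by an alias.
        src = domain_of(r["orig_to"] or r["to"])
        rewrites[(src, domain_of(r["to"]))] += 1
        reasons[classify_reason(r["reason"])] += 1
    return {"by_status": by_status, "temporary": temporary,
            "rewrites": rewrites, "reasons": reasons}


if __name__ == "__main__":
    summary = summarise(parse_deliveries(SAMPLE_LOG))
    print("by status :", dict(summary["by_status"]))
    print("4.x.x DSNs:", summary["temporary"])
    for (src, dst), n in summary["rewrites"].most_common():
        print(f"{n:5d}  deferred after rewrite {src} -> {dst}")
    for label, n in summary["reasons"].most_common():
        print(f"{n:5d}  {label}")
```

To run it over the real file, replace SAMPLE_LOG with open("/var/log/mail.log").read(). The split by DSN class is the part worth looking at: Postfix defers a message when the delivery command exits with a temporary-failure code and bounces only on a permanent one, so as long as maildrop reports the authdaemon connection error (a 4.x.x result) the queue grows whether or not the mailbox exists, and recipient validation at SMTP time is a separate question from what the delivery agent does afterwards.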
#3
5th April 2013, 20:24
falko (Super Moderator)

You can try this: http://www.faqforge.com/linux/enhanc...n-ispconfig-3/

#4
6th April 2013, 13:50
arraken

Thanks, falko!

There is still some mail landing in the deferred queue that I think should just bounce instead, but after following the instructions from your link the number of them has decreased a lot (around 100 deferred mails in the queue), so I think I can just leave it at that.

cheers