Disappearing emails ispconfig 2 / postfix

Discussion in 'General' started by DrJohn, May 12, 2010.

  1. DrJohn

    DrJohn New Member

    Strange problem: forwarding or replying to some (not all) email from an external ISP (via that ISP's SMTP) to my primary email on the ispconfig-hosted (virtual) server here, the email never makes it to my inbox. Looking at /var/log/mail.log, I see that the mail is relayed internally to admispconfig@localhost.localdomain, which doesn't correspond to any user on the system.

    Here's a snippet from mail.log:
    Code:
    May 12 08:44:53 mailserver postfix/smtpd[23041]: warning: 174.121.77.192: hostname c0.4d.79ae.static.theplanet.com verification failed: Name or service not known
    May 12 08:44:54 mailserver postfix/smtpd[23041]: connect from unknown[174.121.77.192]
    May 12 08:44:54 mailserver postfix/smtpd[23041]: setting up TLS connection from unknown[174.121.77.192]
    May 12 08:44:54 mailserver postfix/smtpd[23041]: Anonymous TLS connection established from unknown[174.121.77.192]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
    May 12 08:44:55 mailserver postgrey: action=pass, reason=triplet found, client_name=unknown, client_address=174.121.77.192, sender=john@sendingsite.com, recipient=john@hostedsite.com
    May 12 08:44:55 mailserver postfix/smtpd[23041]: CBE39F47F1: client=unknown[174.121.77.192]
    May 12 08:44:56 mailserver postfix/cleanup[23046]: CBE39F47F1: message-id=<4BEACCF3.9090900@sendingsite.com>
    May 12 08:44:56 mailserver postfix/qmgr[12971]: CBE39F47F1: from=<john@sendingsite.com>, size=42802, nrcpt=1 (queue active)
    May 12 08:44:56 mailserver postfix/smtpd[23041]: disconnect from unknown[174.121.77.192]
    May 12 08:44:56 mailserver postfix/pickup[21838]: 80719F481A: uid=10007 from=<site4_myloginid>
    May 12 08:44:56 mailserver postfix/cleanup[23046]: 80719F481A: message-id=<20100512154456.80719F481A@mailserver.mydomain.loc>
    May 12 08:44:56 mailserver postfix/qmgr[12971]: 80719F481A: from=<site4_myuserid@mailserver.mydomain.loc>, size=436, nrcpt=1 (queue active)
    May 12 08:44:56 mailserver postfix/local[23064]: 80719F481A: to=<admispconfig@localhost.localdomain>, relay=local, delay=0.3, delays=0.18/0.02/0/0.11, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail -f-)
    May 12 08:44:56 mailserver postfix/qmgr[12971]: 80719F481A: removed
    
    If I send a new message the same way, on the other hand, it is delivered. Mail.log:
    Code:
    May 12 09:02:38 mailserver postfix/smtpd[23041]: warning: 174.121.77.192: hostname c0.4d.79ae.static.theplanet.com verification failed: Name or service not known
    May 12 09:02:38 mailserver postfix/smtpd[23041]: connect from unknown[174.121.77.192]
    May 12 09:02:39 mailserver postfix/smtpd[23041]: setting up TLS connection from unknown[174.121.77.192]
    May 12 09:02:39 mailserver postfix/smtpd[23041]: Anonymous TLS connection established from unknown[174.121.77.192]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
    May 12 09:02:39 mailserver postgrey: action=pass, reason=triplet found, client_name=unknown, client_address=174.121.77.192, sender=john@sendingsite.com, recipient=john@hostedsite.com
    May 12 09:02:39 mailserver postfix/smtpd[23041]: 83EF6F47F1: client=unknown[174.121.77.192]
    May 12 09:02:39 mailserver postfix/cleanup[23453]: 83EF6F47F1: message-id=<4BEAD11D.3060809@sendingsite.com>
    May 12 09:02:39 mailserver postfix/qmgr[12971]: 83EF6F47F1: from=<john@sendingsite.com>, size=1353, nrcpt=1 (queue active)
    May 12 09:02:39 mailserver postfix/smtpd[23041]: disconnect from unknown[174.121.77.192]
    May 12 09:02:39 mailserver postfix/pickup[21838]: D5BD6F481A: uid=10007 from=<myuserid>
    May 12 09:02:39 mailserver postfix/cleanup[23453]: D5BD6F481A: message-id=<20100512160239.D5BD6F481A@mailserver.mydomain.loc>
    May 12 09:02:39 mailserver postfix/qmgr[12971]: D5BD6F481A: from=<myuserid@mailserver.loc>, size=435, nrcpt=1 (queue active)
    May 12 09:02:40 mailserver postfix/local[23472]: D5BD6F481A: to=<admispconfig@localhost.localdomain>, relay=local, delay=0.27, delays=0.14/0.03/0/0.1, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail -f-)
    May 12 09:02:40 mailserver postfix/qmgr[12971]: D5BD6F481A: removed
    
    May 12 09:02:48 mailserver postfix/local[23455]: 83EF6F47F1: to=<myuserid@mailserver.mydomain.loc>, orig_to=<john@hostedsite.com>, relay=local, delay=9.4, delays=0.14/0.03/0/9.3, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail -f-)
    May 12 09:02:48 mailserver postfix/qmgr[12971]: 83EF6F47F1: removed
    
    Does it have anything to do with admispconfig@localhost.localdomain?

    I can post main.cf, etc. if needed.

    Thanks
     
  2. falko

    falko Super Moderator

    The admispconfig@localhost.localdomain address is used only for traffic accounting, i.e., whenever a mail is sent, another mail with the size of the previously sent mail is sent to that account. That's why you see all those lines with admispconfig@localhost.localdomain in the logs. I don't think this has anything to do with the fact that emails are disappearing. Are there any other errors in your mail log?
     
  3. DrJohn

    DrJohn New Member

    OK, I understand about the admispconfig user. There are no other apparent errors in mail.log.

    An associate uses an external virus / spam scanning service for his company (same one I used to use until I made the postfix rules stronger and installed postgrey here), and he asked about a particular trojan in a zip attachment that kept getting into his employees' inboxes. After looking at the situation, it appears that the trojan was being sent directly to his hosted server, bypassing the external scans, and that the host company had weak incoming detection capabilities.

    Anyway, the subject issue arose when I tested the setup here by sending the trojan email with attachment in to my system from his. Sure enough, it never made it through to the inbox. But, when I sent the email in without the attachment (using 'reply' instead of 'forward') the same happened -- no receipt.

    Perhaps clam sees the message as a threat, even without the 'live' attachment, because the message body contains the original email?

    Thanks,

    JH
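
Added example, not part of the original thread: to check whether a message seen in mail.log was ever handed to a delivery agent, group the lines by Postfix queue ID and list the IDs that were queued but lack a `status=` line or a `removed` line. The sample lines are abridged from the two excerpts in the first post; the function names are this example's own, and short hexadecimal queue IDs are assumed.

```python
import re
from collections import defaultdict

# Postfix log lines abridged from the two excerpts posted in the thread.
SAMPLE_LOG = """\
May 12 08:44:55 mailserver postfix/smtpd[23041]: CBE39F47F1: client=unknown[174.121.77.192]
May 12 08:44:56 mailserver postfix/qmgr[12971]: CBE39F47F1: from=<john@sendingsite.com>, size=42802, nrcpt=1 (queue active)
May 12 08:44:56 mailserver postfix/qmgr[12971]: 80719F481A: from=<site4_myuserid@mailserver.mydomain.loc>, size=436, nrcpt=1 (queue active)
May 12 08:44:56 mailserver postfix/local[23064]: 80719F481A: to=<admispconfig@localhost.localdomain>, relay=local, delay=0.3, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail -f-)
May 12 08:44:56 mailserver postfix/qmgr[12971]: 80719F481A: removed
May 12 09:02:39 mailserver postfix/qmgr[12971]: 83EF6F47F1: from=<john@sendingsite.com>, size=1353, nrcpt=1 (queue active)
May 12 09:02:48 mailserver postfix/local[23455]: 83EF6F47F1: to=<myuserid@mailserver.mydomain.loc>, orig_to=<john@hostedsite.com>, relay=local, delay=9.4, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail -f-)
May 12 09:02:48 mailserver postfix/qmgr[12971]: 83EF6F47F1: removed
"""

# Assumption: short (uppercase hex) queue IDs, as in the posted log.
LINE_RE = re.compile(r"postfix/[\w-]+\[\d+\]: (?P<qid>[0-9A-F]{8,}): (?P<rest>.*)")
FROM_RE = re.compile(r"from=<([^>]*)>, size=(\d+)")
DELIV_RE = re.compile(r"to=<([^>]*)>.*?\bstatus=(\w+)")

def trace(log_text):
    """Group log lines by queue ID and summarise what happened to each message."""
    msgs = defaultdict(lambda: {"from": None, "size": None,
                                "deliveries": [], "removed": False})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # connect/disconnect, TLS, postgrey and warning lines
        msg, rest = msgs[m["qid"]], m["rest"]
        if (f := FROM_RE.match(rest)):
            msg["from"], msg["size"] = f[1], int(f[2])
        elif (d := DELIV_RE.match(rest)):
            msg["deliveries"].append((d[1], d[2]))  # (recipient, status)
        elif rest.strip() == "removed":
            msg["removed"] = True
    return dict(msgs)

def unaccounted(msgs):
    """Queue IDs that were queued but show no delivery status or no removal."""
    return sorted(q for q, m in msgs.items()
                  if m["from"] is not None
                  and not (m["deliveries"] and m["removed"]))

if __name__ == "__main__":
    traced = trace(SAMPLE_LOG)
    for qid in unaccounted(traced):
        m = traced[qid]
        print(f"{qid}: from={m['from']} size={m['size']} has no delivery record")
```

A queue ID listed here only means the delivery record is absent from the lines examined; in the second excerpt the `status=sent` line for 83EF6F47F1 is logged nine seconds after the message was queued, so the search window should extend well past the end of the SMTP session.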
     
