mail log

Discussion in 'Installation/Configuration' started by nvn, Oct 29, 2006.

  1. nvn

    nvn New Member

    Hi

    I have about 22 MB of logfile for my mailserver, for today...

    What is this:

    Code:
    Oct 29 15:06:11 web1 postfix/smtp[28274]: connect to orngca-02.mgw.rr.com[24.28.204.56]: server refused to talk to me: 550-hrndva-mx-20.mgw.rr.com  550 ERROR: Mail Refused - 85.82.7.54 - See http://www.spamhaus.org/query/bl?ip=85.82.7.54   (port 25)
    Oct 29 15:06:11 web1 postfix/smtp[28287]: connect to hrndva-01.mgw.rr.com[24.28.204.22]: server refused to talk to me: 550-hrndva-mx-03.mgw.rr.com  550 ERROR: Mail Refused - 85.82.7.54 - See http://www.spamhaus.org/query/bl?ip=85.82.7.54   (port 25)
    Oct 29 15:06:11 web1 postfix/smtp[28292]: connect to clmboh-02.mgw.rr.com[65.24.7.15]: server refused to talk to me: 550-clmboh-mx-14.mgw.rr.com  550 ERROR: Mail Refused - 85.82.7.54 - See http://www.spamhaus.org/query/bl?ip=85.82.7.54   (port 25)
    Oct 29 15:06:11 web1 postfix/smtp[28274]: connect to clmboh-01.mgw.rr.com[65.24.7.12]: server refused to talk to me: 550-clmboh-mx-03.mgw.rr.com  550 ERROR: Mail Refused - 85.82.7.54 - See http://www.spamhaus.org/query/bl?ip=85.82.7.54   (port 25)
    Oct 29 15:06:11 web1 postfix/smtp[28287]: connect to clmboh-01.mgw.rr.com[65.24.7.20]: server refused to talk to me: 550-clmboh-mx-06.mgw.rr.com  550 ERROR: Mail Refused - 85.82.7.54 - See http://www.spamhaus.org/query/bl?ip=85.82.7.54   (port 25)
    Oct 29 15:06:11 web1 postfix/smtp[28274]: connect to hrndva-01.mgw.rr.com[24.28.204.23]: server refused to talk to me: 550-hrndva-mx-04.mgw.rr.com  550 ERROR: Mail Refused - 85.82.7.54 - See http://www.spamhaus.org/query/bl?ip=85.82.7.54   (port 25)
    Oct 29 15:06:12 web1 postfix/smtp[28274]: connect to hrndva-02.mgw.rr.com[24.28.204.29]: server refused to talk to me: 550-hrndva-mx-10.mgw.rr.com  550 ERROR: Mail Refused - 85.82.7.54 - See http://www.spamhaus.org/query/bl?ip=85.82.7.54   (port 25)
    Oct 29 15:06:12 web1 postfix/smtp[28287]: connect to orngca-01.mgw.rr.com[66.75.160.128]: server refused to talk to me: 550-orngca-mx-01.mgw.rr.com  550 ERROR: Mail Refused - 85.82.7.54 - See http://www.spamhaus.org/query/bl?ip=85.82.7.54   (port 25)
    Oct 29 15:06:12 web1 postfix/smtp[28274]: connect to hrndva-01.mgw.rr.com[24.28.204.22]: server refused to talk to me: 550-hrndva-mx-03.mgw.rr.com  550 ERROR: Mail Refused - 85.82.7.54 - See http://www.spamhaus.org/query/bl?ip=85.82.7.54   (port 25)
    Oct 29 15:06:12 web1 postfix/smtp[28287]: connect to hrndva-02.mgw.rr.com[24.28.204.27]: server refused to talk to me: 550-hrndva-mx-08.mgw.rr.com  550 ERROR: Mail Refused - 85.82.7.54 - See http://www.spamhaus.org/query/bl?ip=85.82.7.54   (port 25)
    Oct 29 15:06:12 web1 postfix/smtp[28276]: connect to hrndva-01.mgw.rr.com[24.28.204.21]: server refused to talk to me: 550-hrndva-mx-02.mgw.rr.com  550 ERROR: Mail Refused - 85.82.7.54 - See http://www.spamhaus.org/query/bl?ip=85.82.7.54   (port 25)
    Oct 29 15:06:12 web1 postfix/smtp[28287]: connect to hrndva-02.mgw.rr.com[24.28.204.28]: server refused to talk to me: 550-hrndva-mx-09.mgw.rr.com  550 ERROR: Mail Refused - 85.82.7.54 - See http://www.spamhaus.org/query/bl?ip=85.82.7.54   (port 25)
    Oct 29 15:06:12 web1 postfix/smtp[28292]: connect to orngca-02.mgw.rr.com[66.75.160.144]: server refused to talk to me: 550-orngca-mx-10.mgw.rr.com  550 ERROR: Mail Refused - 85.82.7.54 - See http://www.spamhaus.org/query/bl?ip=85.82.7.54   (port 25)
    Oct 29 15:06:12 web1 postfix/smtp[28274]: connect to hrndva-02.mgw.rr.com[24.28.204.37]: server refused to talk to me: 550-hrndva-mx-14.mgw.rr.com  550 ERROR: Mail Refused - 85.82.7.54 - See http://www.spamhaus.org/query/bl?ip=85.82.7.54   (port 25)
    Oct 29 15:06:12 web1 postfix/smtp[28276]: connect to orngca-01.mgw.rr.com[24.28.204.55]: server refused to talk to me: 550-hrndva-mx-19.mgw.rr.com  550 ERROR: Mail Refused - 85.82.7.54 - See http://www.spamhaus.org/query/bl?ip=85.82.7.54   (port 25)
    Oct 29 15:06:12 web1 postfix/smtp[28276]: 9CA3C6F467C: to=<[email protected]>, relay=none, delay=27372, status=deferred (connect to orngca-01.mgw.rr.com[24.28.204.55]: server refused to talk to me: 550-hrndva-mx-19.mgw.rr.com  550 ERROR: Mail Refused - 85.82.7.54 - See http://www.spamhaus.org/query/bl?ip=85.82.7.54  )
    
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Your IP address is listed in the CBL as a spam sender:

    http://cbl.abuseat.org/lookup.cgi?ip=85.82.7.54

    That's why the server refuses your emails. Please check that your server is not an open relay, and check that you do not have PHP or Perl formmail scripts installed on your server that allow mail relaying.

    With the command postqueue -p you can check how many mails are stored in your mail queue.
     
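The reply above asks for two things: what the mail log says and how much is sitting in the queue. The following script is an added example, not code from the thread or from ISPConfig: it counts deliveries refused because of a DNSBL listing (grouped by the lookup URL the remote MTA returned) and groups a `postqueue -p` listing by envelope sender, which is the quickest way to see whether one local account, such as the web server user, is behind the queue. The sample inputs are constructed for the example: the log lines are copied from the first post (the recipient in the third one is made up), and the queue listing is invented.

```shell
#!/bin/sh
# Added example, not code from the thread: triage helpers for the two things
# the reply above points at, the mail log and the mail queue.  The sample
# inputs at the bottom are constructed: the log lines are copied from the
# first post, the `postqueue -p` listing is made up.

# dnsbl_rejects LOGFILE
# For every "server refused to talk to me" line, take the "See http://..."
# lookup URL the remote MTA returned and count how often each one occurs.
# Output: "<count> <url>", most frequent first.
dnsbl_rejects() {
    grep 'server refused to talk to me' "$1" \
        | grep -o 'See http[^ )]*' \
        | sed 's/^See //' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# queue_senders MAILQ_OUTPUT
# Group a `postqueue -p` / `mailq` listing by envelope sender.  A queue full
# of mail from one local sender (the web server user, say) points at a
# script on the box; many unrelated senders point at relaying.
# Queue-ID lines look like "9CA3C6F467C*    1523 Sun Oct 29 07:30:00  sender"
# (a trailing * or ! marks active or held mail); recipient lines are
# indented, deferral reasons are parenthesised, the footer starts with "--".
queue_senders() {
    awk '$1 ~ /^[0-9A-Za-z]+[*!]?$/ && $2 ~ /^[0-9]+$/ { print $NF }' "$1" \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# queue_count MAILQ_OUTPUT
# Number of queued messages, from the "-- N Kbytes in M Requests." footer;
# prints 0 when the listing only says "Mail queue is empty".
queue_count() {
    count=$(awk '/^-- [0-9]+ Kbytes in [0-9]+ Request/ { print $5 }' "$1")
    echo "${count:-0}"
}

# --- constructed sample input ------------------------------------------
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Oct 29 15:06:11 web1 postfix/smtp[28274]: connect to orngca-02.mgw.rr.com[24.28.204.56]: server refused to talk to me: 550-hrndva-mx-20.mgw.rr.com  550 ERROR: Mail Refused - 85.82.7.54 - See http://www.spamhaus.org/query/bl?ip=85.82.7.54   (port 25)
Oct 29 15:06:11 web1 postfix/smtp[28287]: connect to hrndva-01.mgw.rr.com[24.28.204.22]: server refused to talk to me: 550-hrndva-mx-03.mgw.rr.com  550 ERROR: Mail Refused - 85.82.7.54 - See http://www.spamhaus.org/query/bl?ip=85.82.7.54   (port 25)
Oct 29 15:06:12 web1 postfix/smtp[28276]: 9CA3C6F467C: to=<someone@rr.com>, relay=none, delay=27372, status=deferred (connect to orngca-01.mgw.rr.com[24.28.204.55]: server refused to talk to me: 550-hrndva-mx-19.mgw.rr.com  550 ERROR: Mail Refused - 85.82.7.54 - See http://www.spamhaus.org/query/bl?ip=85.82.7.54  )
EOF

SAMPLE_MAILQ=$(mktemp)
cat > "$SAMPLE_MAILQ" <<'EOF'
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
9CA3C6F467C     1523 Sun Oct 29 07:30:00  www-data@web1.example.org
(connect to orngca-01.mgw.rr.com[24.28.204.55]: server refused to talk to me: 550 ERROR: Mail Refused)
                                         victim1@rr.com

5D7846F4519*    1402 Sun Oct 29 07:31:10  www-data@web1.example.org
                                         victim2@rr.com

A1B2C3D4E5F     2210 Sun Oct 29 08:02:45  alice@example.org
                                         bob@example.net

-- 5 Kbytes in 3 Requests.
EOF

echo "DNSBL rejects by lookup URL:"; dnsbl_rejects "$SAMPLE_LOG"
echo "queued messages: $(queue_count "$SAMPLE_MAILQ")"
echo "queue by envelope sender:"; queue_senders "$SAMPLE_MAILQ"
```

On a live box run `dnsbl_rejects /var/log/mail.log` and `postqueue -p > /tmp/q; queue_senders /tmp/q` (path of the log is an assumption; it varies by distribution). The sender grouping is only a hint: a web form that sets the envelope sender to the form's "From" field will spread the queue over many senders, so the next step is still to read individual queue files.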
  3. nvn

    nvn New Member

    Shit...

    I have 816 in the queue... I have stopped my SMTP server...

    How can I make it possible to use SMTP only from localhost?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    You can set:

    inet_interfaces = 127.0.0.1

    in your Postfix main.cf. But if the origin of the spam is a formmail script, this solution won't help.
     
  5. nvn

    nvn New Member

    Hi..

    I have set that now.

    How do I delete the queue?

    And how can I see if there is a script they are using?

    This sucks :(


    I thought I had a safe system... But nothing is safe in this world :)
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    To empty the queue, run this command:

    postsuper -d ALL

    Before you empty the queue, you can try to find out which script has sent the mails by inspecting the mail content with the command:

    postcat -q /path/to/the/mailspool/file

    To find the path of the mailfile, you may run:

    updatedb

    and then search the file with:

    locate [MAILID]

    where [MAILID] is the ID of a spool item in the postqueue -p listing.
     
  7. nvn

    nvn New Member

    After updatedb

    locate 5D7846F4519

    5D7846F4519, is that the ID I should search for?

    It can't locate anything?
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    This looks like a correct mail ID. If you run:

    postqueue -p | grep 5D7846F4519

    Do you get the line with the mail? Maybe the email has been delivered already. You might have to stop Postfix for a while to analyse the mails.
     
  9. nvn

    nvn New Member

  10. nvn

    nvn New Member

    Hi..

    I found the files:
     

    Attached Files:

  11. nvn

    nvn New Member

    Hi...

    After I set
    inet_interfaces = 127.0.0.1

    in main.cf

    I get no mail at all... ???

    Now I have removed it... And I get mail again...

    How can I set it so my SMTP server only works from 127.0.0.1, but I can get mail from outside?

    P.S. At this moment my server is not spamming...
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    That's correct. It means you will be able to send email only from localhost.


    OK, that's a different question ;)
    If you followed the perfect setup, your server is already configured like that. You can check it here:

    http://www.abuse.net/relay.html
     
  13. nvn

    nvn New Member

    Hi Till

    I did use the perfect setup... How can I tell if there is a script through which it is possible to send mail?

    If i test
    http://www.abuse.net/relay.html

    I don't have any problems !!!

    And it is not being used for spam ? :)
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    You must review the file with the postcat command as I described above to get the content of the original email. Then you must try to figure out through which account or with which original email recipient it has been sent on your server. Finding the correct mail form is not trivial in most cases.
     
  15. nvn

    nvn New Member


    When I use the postcat command with the mail ID I get an error.

    It can't find the ID?
    But the ID is from "postqueue -p"?

    At this point I'm not spamming... I think... I can't find anything in the log...
    But I still have a few entries in blacklists :(
    www.dnsstuff.com/tools/ip4r.ch?ip=85.82.7.54
     
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    You must use the path to the file with postcat, not the ID. Please see the example that I had posted.
     
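The exchange from post 6 to post 16 is one procedure: find the spool file for a queue ID, dump it with postcat, and work out from the content which account or script handed the message to Postfix. The script below is an added example, not code from the thread or from ISPConfig, that carries the whole procedure through. Two details explain why the `locate` step in the thread found nothing: Postfix keeps the deferred queue in hashed subdirectories (`hash_queue_names = deferred, defer` by default), so the file for 9CA3C6F467C is `$queue_directory/deferred/9/9CA3C6F467C`, and updatedb is often configured to prune `/var/spool`. `postcat -q ID` (Postfix 2.0 and later) resolves the ID inside the queue itself, so no path is needed. The decisive clue in the dump is the first `Received:` header, the one our own Postfix added: `(Postfix, from userid N)` means a local process called sendmail(1), which on a web server usually means a script running as the web server user (uid 33 is www-data on Debian); `Received: from host (host [ip])` means the mail came in over SMTP, which points at relaying or a stolen account. The two postcat dumps are constructed for the example; `queue_file_path` and `inspect_queue_id` need a real Postfix install.

```shell
#!/bin/sh
# Added example, not code from the thread: locate a queued message by queue ID,
# dump it, and pull out the clues that say where it entered Postfix.  The two
# postcat dumps at the bottom are constructed; the other functions work
# against a real Postfix queue.

# queue_file_path QUEUE_ID
# Print the spool file(s) for a queue ID.  Postfix hashes the deferred queue
# into subdirectories (hash_queue_names = deferred, defer by default), so
# 9CA3C6F467C lives at $queue_directory/deferred/9/9CA3C6F467C.
queue_file_path() {
    qdir=$(postconf -h queue_directory)
    for q in incoming active deferred hold; do
        find "$qdir/$q" -type f -name "$1" 2>/dev/null
    done
}

# inspect_queue_id QUEUE_ID
# `postcat -q` takes the queue ID and finds the file itself (Postfix >= 2.0).
inspect_queue_id() {
    postcat -q "$1" | queue_origin
}

# queue_origin [DUMPFILE]
# Parse a postcat dump (file, or stdin when no argument) into key=value lines:
#   sender=            envelope sender ("" means a bounce)
#   via=local uid=N    handed in with sendmail(1) by uid N, i.e. a process on
#                      this host (uid 33 is www-data on Debian: a web script)
#   via=smtp client=   arrived over SMTP from that client
#   script=, mailer=   X-PHP-Originating-Script / X-Mailer, when present
# Only the first Received: header counts (the one our own Postfix added), and
# parsing stops at the blank line that ends the headers, so forged headers in
# the body are ignored.
queue_origin() {
    awk '
        /^sender: /                   { print "sender=" $2 }
        /^\*\*\* MESSAGE CONTENTS/    { in_msg = 1; next }
        in_msg && /^$/                { exit }
        /^Received: /                 { nrecv++ }
        nrecv == 1 && /\(Postfix, from userid [0-9]+\)/ {
            match($0, /from userid [0-9]+/)
            print "via=local"
            print "uid=" substr($0, RSTART + 12, RLENGTH - 12)
        }
        nrecv == 1 && /^Received: from / {
            h = $0; sub(/^Received: from /, "", h); sub(/ by .*$/, "", h)
            print "via=smtp"
            print "client=" h
        }
        /^X-PHP-Originating-Script: / { print "script=" $2 }
        /^X-Mailer: /                 { m = $0; sub(/^X-Mailer: /, "", m); print "mailer=" m }
    ' "${1:--}"
}

# --- constructed sample dumps -------------------------------------------
SAMPLE_LOCAL=$(mktemp)
cat > "$SAMPLE_LOCAL" <<'EOF'
*** ENVELOPE RECORDS deferred/9/9CA3C6F467C ***
message_arrival_time: Sun Oct 29 07:30:00 2006
named_attribute: rewrite_context=local
sender_fullname: www-data
sender: www-data@web1.example.org
recipient: victim@example.net
*** MESSAGE CONTENTS deferred/9/9CA3C6F467C ***
Received: by web1.example.org (Postfix, from userid 33)
        id 9CA3C6F467C; Sun, 29 Oct 2006 07:30:00 +0100 (CET)
To: victim@example.net
Subject: constructed sample
X-PHP-Originating-Script: 33:contact.php
X-Mailer: PHP/5.3.3
From: "Web Form" <noreply@web1.example.org>

Received: from nowhere (forged [192.0.2.1])
body text that must not be parsed
*** HEADER EXTRACTED deferred/9/9CA3C6F467C ***
*** MESSAGE FILE END deferred/9/9CA3C6F467C ***
EOF

SAMPLE_SMTP=$(mktemp)
cat > "$SAMPLE_SMTP" <<'EOF'
*** ENVELOPE RECORDS active/A1B2C3D4E5F ***
named_attribute: rewrite_context=remote
sender: bulk@example.com
recipient: victim@example.net
*** MESSAGE CONTENTS active/A1B2C3D4E5F ***
Received: from pc123.isp.example (pc123.isp.example [203.0.113.45])
        by web1.example.org (Postfix) with ESMTP id A1B2C3D4E5F
        for <victim@example.net>; Sun, 29 Oct 2006 07:41:12 +0100 (CET)
From: bulk@example.com
To: victim@example.net
Subject: constructed sample

body
*** HEADER EXTRACTED active/A1B2C3D4E5F ***
*** MESSAGE FILE END active/A1B2C3D4E5F ***
EOF

echo "-- local submission (script on this host):"; queue_origin "$SAMPLE_LOCAL"
echo "-- SMTP submission (relayed in):";          queue_origin "$SAMPLE_SMTP"
```

For a `via=local` result, `getent passwd "$uid"` names the account; if it is the web server user, the next question is which vhost, and the `X-PHP-Originating-Script` header (written by PHP 5.3 and later when `mail.add_x_header` is on) answers it directly. Without that header, correlate the message's arrival time with the web server access log for POST requests. For `via=smtp` from an address outside `mynetworks`, check the relay configuration and, if SASL is in use, which account authenticated.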
  17. nvn

    nvn New Member

    Hi...

    Now I have this in my log...

    Nov 8 20:04:02 web1 postfix/smtpd[11028]: connect from unknown[83.91.85.91]
    Nov 8 20:04:02 web1 postfix/smtpd[11028]: setting up TLS connection from unknown[83.91.85.91]
    Nov 8 20:04:02 web1 postfix/smtpd[11028]: TLS connection established from unknown[83.91.85.91]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
    Nov 8 20:04:02 web1 postfix/smtpd[11028]: NOQUEUE: reject: RCPT from unknown[83.91.85.91]: 450 Client host rejected: cannot find your hostname, [83.91.85.91]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<ns-1.danskespil.dk>
    Nov 8 20:04:03 web1 postfix/smtpd[11028]: disconnect from unknown[83.91.85.91]

    What parameter is causing this?

    It's not bad when someone is trying to connect from home, but this is a big company in DK...
     
  18. till

    till Super Moderator Staff Member ISPConfig Developer

    This message does not mean that your server cannot find the hostname for danskespil.dk; it cannot find the hostname for the IP 83.91.85.91, which means that this IP has no reverse record.
     
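Three main.cf settings are touched in this thread: `inet_interfaces = 127.0.0.1` (which, as posts 11 and 12 establish, also stops inbound mail and does nothing about a local script that calls sendmail(1) and never talks to smtpd), the open-relay question from posts 2, 12 and 13, and the "450 Client host rejected: cannot find your hostname" reject from post 17, which is what `reject_unknown_client_hostname` (called `reject_unknown_client` in older Postfix) produces for a client IP without a reverse record. The script below is an added example, not code from the thread or from ISPConfig: a small main.cf reader plus an audit that flags those settings, run over a constructed weak configuration and a constructed corrected one. It reads the file only; on Postfix 2.10 and later the compiled-in default of `smtpd_relay_restrictions` already contains `defer_unauth_destination`, so a main.cf that sets neither restriction list is not necessarily an open relay, and the way to audit the effective configuration is to feed it `postconf > effective.cf`, whose `key = value` output the same reader understands.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the main.cf settings this
# thread turns on, against two constructed main.cf files.  It reads the file
# only and does not query a running Postfix.

# cf_get FILE KEY
# Print the value of KEY from a main.cf-style file: "key = value", with
# continuation lines starting with whitespace, "#" comments, last definition
# wins (the rules Postfix applies).  `postconf` output has the same shape.
cf_get() {
    awk -v key="$2" '
        /^[ \t]/           { if (cur == key) val = val " " $0; next }
        /^#/ || /^[ \t]*$/ { next }
        {
            k = $0; sub(/[ \t]*=.*$/, "", k)
            v = $0; sub(/^[^=]*=[ \t]*/, "", v)
            cur = k
            if (k == key) val = v
        }
        END {
            gsub(/[ \t]+/, " ", val); sub(/^ /, "", val); sub(/ $/, "", val)
            print val
        }
    ' "$1"
}

# postfix_relay_audit FILE
# Print one finding per line; exit status 0 when there are none.
postfix_relay_audit() {
    cf=$1; findings=0
    iface=$(cf_get "$cf" inet_interfaces)
    nets=$(cf_get "$cf" mynetworks)
    rcpt=$(cf_get "$cf" smtpd_recipient_restrictions)
    relay=$(cf_get "$cf" smtpd_relay_restrictions)
    client=$(cf_get "$cf" smtpd_client_restrictions)

    # The thread's first fix: it silences inbound mail and does not stop a
    # local script that calls sendmail(1) and never touches smtpd.
    case "$iface" in
        loopback-only|localhost|127.0.0.1|::1)
            echo "WARN inet_interfaces=$iface: smtpd listens on loopback only, no mail is accepted from outside"
            findings=$((findings + 1)) ;;
    esac
    # permit_mynetworks trusts everything in mynetworks; a /0 trusts the world.
    case " $nets " in
        *"/0 "*)
            echo "CRIT mynetworks=$nets contains a /0 network: permit_mynetworks matches every client"
            findings=$((findings + 1)) ;;
    esac
    # Relay control: mail for domains we are not responsible for must be
    # rejected unless the client is trusted or authenticated.
    case "$rcpt $relay" in
        *reject_unauth_destination*|*defer_unauth_destination*) ;;
        *)
            echo "CRIT no reject_unauth_destination in smtpd_recipient_restrictions or smtpd_relay_restrictions: open relay unless the Postfix >= 2.10 default applies (check: postconf smtpd_relay_restrictions)"
            findings=$((findings + 1)) ;;
    esac
    # Post 17's 450: reject_unknown_client(_hostname) bounces clients whose IP
    # has no PTR record, big companies included.
    case "$client $rcpt $relay" in
        *reject_unknown_client*)
            echo "INFO reject_unknown_client(_hostname) in use: clients without a reverse record get '450 Client host rejected: cannot find your hostname'"
            findings=$((findings + 1)) ;;
    esac
    [ "$findings" -eq 0 ]
}

# --- constructed sample configurations ----------------------------------
WEAK_CF=$(mktemp)
cat > "$WEAK_CF" <<'EOF'
# constructed: roughly where the thread ends up, plus a too-wide mynetworks
inet_interfaces = 127.0.0.1
mynetworks = 0.0.0.0/0
smtpd_recipient_restrictions = permit_mynetworks,
    reject_unknown_client
EOF

GOOD_CF=$(mktemp)
cat > "$GOOD_CF" <<'EOF'
# constructed: accept from outside, relay only for local nets or SASL users
inet_interfaces = all
mynetworks = 127.0.0.0/8 [::1]/128
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unknown_reverse_client_hostname
EOF

for cf in "$WEAK_CF" "$GOOD_CF"; do
    echo "== $cf"
    if postfix_relay_audit "$cf"; then echo "   (no findings)"; fi
done
```

`reject_unknown_reverse_client_hostname` in the corrected file is the milder alternative to the setting behind post 17: it rejects only when the IP has no PTR record at all, not when the forward and reverse names disagree. The audit does not check ordering inside the restriction lists; a `permit` that precedes `reject_unauth_destination` and matches untrusted clients would still relay, so read the list order by hand, and test from the outside the way post 12 suggests.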
