Need Help troubleshooting email...Open Relay?

Discussion in 'Installation/Configuration' started by conductive, Nov 26, 2014.

  1. conductive

    conductive Member

    I have had a perfect Debian Nginx server up for a few months. Reciently I stopped receiving emails but can still send to a gmail account. When I looked at /var/log/mail.err .info or .log they were huge, take a long time to cat, are loaded with tons of unknown email addresses and are being rejected by other servers.

    mail.log
    HTML:
    Nov 23 23:07:02 server1 postfix/smtp[12947]: 8E6EAE81C89: to=<[email protected]>, relay=mta7.am0.yahoodns.net[63.250.192.45]:25, delay=0.97, delays=0.11/0.01/0.79/0.07, dsn=4.7.0, status=deferred (host mta7.am0.yahoodns.net[63.250.192.45] said: 421 4.7.0 [TS01] Messages from (MY IP) temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html (in reply to MAIL FROM command))
    
    mail.info
    HTML:
    Nov 23 21:32:04 server1 postfix/smtp[14845]: 6D293E80F9B: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=2, delay=12, delays=2.6/0/0/9.3, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 031F5E81A22)
    
    mail.err
    HTML:
    Nov 24 06:32:06 mr1 amavis[25978]: (25978-01) (!!)TROUBLE in process_request: connect_to_sql: unable to connect to any dataset at (eval 111) line 247.
    Nov 24 06:42:24 mr1 dovecot: auth-worker(27303): Error: mysql(localhost): Connect failed to database (dbispconfig): Too many connections - waiting for 1 seconds before retry
    
    deleted this mailbox for troubleshooting
    HTML:
    Nov 24 07:22:57 mr1 dovecot: auth-worker(32186): Error: sql([email protected],24.197.30.166): Password query failed: Not connected to database
    

    How do I fix and prevent this problem?

    thanks.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    It is unlikely that the server is a open relay, at least if you havent altered the postfix config written by ispconfig, but you can test it e.g. here:

    http://www.mailradar.com/openrelay/

    The more likely reason is that the spam is either send from a hacked website on your server or one of your mail accounts has been hacked, this happens quite frequently at the moment as there are windows trojans that steal smtp passwords and hand them over to botnets, so thats a client side issue and not server side problem.

    Check the headers of the mails in the mailqueue with postcat command, you should be able to see there if they were send by a authenticated account (then change password of that account and scan the desktop pc for viruses) or by a website (php) script.
     
  3. conductive

    conductive Member

    All tested completed! No relays accepted by remote host!

    I found hacked email account when I removed [email protected] I ended up with lots of returned mail in my catch all. I am the only user at the moment so any trojans would have to be of the Debain Kmail variety.

    I still am not receiving mail and have huge logs.

    Where do I find the mailqueue?

    thanks
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    It might also bet that you used a unencrypted connection somewher, e.g. in a internet cafe or that you use the same password somewhere else or the password was too easy to guess.

    postqueue -p
     
  5. conductive

    conductive Member

    I had thousands of mails in the queue and flushed them before I could postcat the headers. I also flushed the defered mail too. Now I am receiving mail.

    I typically do not use wireless and have not been connecting from any internet cafes. I typically use hard passwords but maybe not on [email protected].

    I wish I had a better look at the headers. I did not know the proper postcat parameters.

    All seems good for now.

    Thanks
     
  6. conductive

    conductive Member

    What is the best way to figure out which email address and/or domain is hijacked?

    I also seem to have many Login attempts in my mail.warn. I am guessing that failtoban does not monitor postfix so is my best option to black list the IP addresses as senders?
     
  7. conductive

    conductive Member

    What is the best way to stop the spoofing?

    HTML:
    Nov 27 17:18:01 mr1 postfix/smtpd[7450]: warning: non-SMTP command from unknown[177.11.51.73]: From: [email protected]
    Nov 27 17:18:01 mr1 postfix/smtpd[7504]: warning: non-SMTP command from unknown[177.11.51.73]: From: [email protected]
    
     

Share This Page