knightdogs (United States of America) asked:
Postfix trying to send email for unknown users of my domains

I am looking in my /var/log/maillog and I have:

1 - a lot of these entries:
Feb 15 07:29:28 myhostname postfix/qmgr[2587]: 1545F1B090E: to=<tarahansabzworld@yahoo.com>, relay=none, delay=70215, delays=70215/0.01/0/0, dsn=4.7.0, status=deferred (delivery temporarily suspended: host c.mx.mail.yahoo.com[216.39.53.2] refused to talk to me: 421 4.7.0 [TS01] Messages from xxx.xxx.xxx.xxx temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Feb 15 07:29:28 myhostname postfix/qmgr[2587]: 1D9972220A4: from=<ads@domain1.com>, size=7638, nrcpt=1 (queue active)
Feb 15 07:29:28 myhostname postfix/qmgr[2587]: 1D9972220A4: to=<AGh.Rab_2227@yahoo.com>, relay=none, delay=44946, delays=44946/0.01/0/0, dsn=4.7.0, status=deferred (delivery temporarily suspended: host c.mx.mail.yahoo.com[216.39.53.2] refused to talk to me: 421 4.7.0 [TS01] Messages from xxx.xxx.xxx.xxx temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Feb 15 07:29:28 myhostname postfix/qmgr[2587]: 1D8C61AF95D: from=<ads@domain1.com>, size=7634, nrcpt=1 (queue active)
Feb 15 07:29:28 myhostname postfix/qmgr[2587]: 1D8C61AF95D: to=<yashar_58t@yahoo.com>, relay=none, delay=72517, delays=72517/0.01/0/0, dsn=4.7.0, status=deferred (delivery temporarily suspended: host c.mx.mail.yahoo.com[216.39.53.2] refused to talk to me: 421 4.7.0 [TS01] Messages from xxx.xxx.xxx.xxx temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Feb 15 07:29:28 myhostname postfix/qmgr[2587]: 1970F1AFEA8: from=<ads@domain1.com>, size=7645, nrcpt=1 (queue active)

2 - 75000+ email messages queued up for delivery

I do not do mailing lists; this is for just 5 domains with about 3 email users per domain.

The user ads@domain1.com does not even exist in my user list. My question is in 5 parts:
1 - what likely happened?
2 - how do I clear it up?
3 - how do I stop it from happening (changes to the postfix main.cf?)
4 - is there a good program to prevent it happening again (SpamAssassin)?
5 - damage control: how do I find out if I'm now blacklisted and how do I fix that?

Here is part of my main.cf:

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
disable_vrfy_command = yes
smtpd_helo_required = yes
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
smtpd_recipient_restrictions = 
   permit_sasl_authenticated, 
   permit_mynetworks,
   reject_unauth_destination,
   reject_invalid_hostname,
   reject_non_fqdn_hostname,
   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
   reject_unknown_sender_domain,
   reject_unknown_recipient_domain,
   reject_unauth_pipelining,
   # reject_unknown_reverse_client_hostname,
   reject_rbl_client zen.spamhaus.org,
   reject_rbl_client opm.blitzed.org,
   reject_rbl_client list.dsbl.org,
   reject_rbl_client sbl.spamhaus.org,
   permit


ASKER CERTIFIED SOLUTION by Maciej S (Poland); the solution text is members-only and is not shown on this page.
knightdogs (ASKER):

oklit,

Thanks for the quick response. Here are the results of postconf -n:

alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailbox_command = /usr/bin/procmail
mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mime_header_checks = regexp:/etc/postfix/mime_header_checks
mydestination = $myhostname, $mydomain, localhost.$mydomain, mail.$mydomain, localhost, localhost.localdomain
mydomain = mail.xxxxx.com
myhostname = xxxxx.com
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
notify_classes = resource, software
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
relay_domains = $mydestination
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_error_sleep_time = 1s
smtpd_hard_error_limit = 20
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_rbl_client zen.spamhaus.org, reject_rbl_client opm.blitzed.org, reject_rbl_client list.dsbl.org, reject_rbl_client sbl.spamhaus.org, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_soft_error_limit = 10
smtpd_tls_CAfile = /etc/httpd/certs/xxxxxx.ca-bundle
smtpd_tls_cert_file = /etc/httpd/certs/xxxxxx.crt
smtpd_tls_key_file = /etc/httpd/certs/myserver.key
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 450
virtual_alias_maps = hash:/etc/postfix/virtual
oklit,

On 1: is there a way to look at a log or a queued email to see what form might be doing this?

Also, I have 75918 queued emails. Where can I look to delete them (instead of in Webmin; at 22 a screen that is a lot of screens to go through to delete!)?

Your config file looks OK, so I assume that it's caused by some HTML form used to send emails, or you are using webmail which allows users to change the From header in their emails.

To check your queue: "mailq" or "postqueue -p".
To examine your queued emails you may use the postcat command:
postcat /var/spool/postfix/deferred/1/1545F1B090E (this is of course an example based on your first post, with 1545F1B090E being the deferred email).
You should then be able to find the real sender of this email (still, I'm guessing that it will be 127.0.0.1 or another IP which belongs to your server).
Check also your Apache access log files - maybe you have some buggy website which allows sending emails.

To delete all your queued emails you may use the "postdrop -d ALL" command - this will delete every email in your queue (even those which are being processed at the moment).
To delete only deferred emails you may use a simple one-liner:
for id in `mailq | grep "^[0-9A-Z]" | awk '{print $1}' | grep -v "\*$"`; do postdrop -d $id; done

As you have nearly 76k emails, deleting them can take a while.
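A queue triage helper for the step above, added here as an example and not part of Maciej S's answer or of Postfix itself. It reads the listing from `mailq` / `postqueue -p`, counts messages per envelope sender (so a sender like ads@domain1.com that does not exist as a user stands out immediately), and prints the queue IDs of non-active entries for one sender so they can be piped into `postsuper -d -` in a single run instead of one postsuper process per ID. The queue listing embedded below is constructed to mirror the deferred messages quoted in the question; the sender bob@domain2.com, the IDs other than 1545F1B090E and 1D9972220A4, the sizes and the recipient alice@example.net are made up.

```shell
#!/bin/sh
# Added example (not from the original thread): triage and selective cleanup
# of a Postfix queue flooded by one bogus sender.
#
# Real usage on the mail server:
#   postqueue -p | queue_sender_counts | head
#   postqueue -p | deferred_ids_for_sender ads@domain1.com | postsuper -d -
#
# Queue listing format (mailq / postqueue -p): an entry header line starts with
# the queue ID (suffixed "*" if the message is active, "!" if on hold), then
# size, arrival time and envelope sender; indented lines list recipients and
# parenthesised lines carry the last delivery error.

# Print "count sender" for every envelope sender in the listing on stdin,
# most frequent first.
queue_sender_counts() {
    awk '$1 ~ /^[0-9A-Za-z]+[*!]?$/ && $2 ~ /^[0-9]+$/ { n[$NF]++ }
         END { for (s in n) printf "%d %s\n", n[s], s }' | sort -rn
}

# Print the queue IDs of entries that are not currently active (no "*"),
# restricted to one envelope sender when an argument is given. Held messages
# ("!") are included, with the marker stripped, because postsuper -d takes
# the bare ID. Output is one ID per line, ready for: postsuper -d -
deferred_ids_for_sender() {
    awk -v want="${1:-}" '
        $1 ~ /^[0-9A-Za-z]+!?$/ && $2 ~ /^[0-9]+$/ && (want == "" || $NF == want) {
            id = $1; sub(/!$/, "", id); print id
        }'
}

# Constructed sample listing (hypothetical IDs, sizes and recipients, modelled
# on the deferred messages shown in the question).
SAMPLE_MAILQ=$(cat <<'EOF'
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
1545F1B090E     7638 Wed Feb 18 12:00:00  ads@domain1.com
(delivery temporarily suspended: host c.mx.mail.yahoo.com[216.39.53.2] refused to talk to me: 421 4.7.0 [TS01])
                                         tarahansabzworld@yahoo.com

1D9972220A4     7638 Wed Feb 18 19:00:00  ads@domain1.com
(delivery temporarily suspended: host c.mx.mail.yahoo.com[216.39.53.2] refused to talk to me: 421 4.7.0 [TS01])
                                         AGh.Rab_2227@yahoo.com

2A3B4C5D6E7*    1200 Thu Feb 19 06:08:32  ads@domain1.com
                                         sarab_m25@yahoo.com

3B4C5D6E7F8      900 Thu Feb 19 07:00:00  bob@domain2.com
(connect to mx.example.net[192.0.2.10]: Connection timed out)
                                         alice@example.net

-- 17 Kbytes in 4 Requests.
EOF
)

# Demo on the sample: who dominates the queue, and which IDs would be deleted.
printf '%s\n' "$SAMPLE_MAILQ" | queue_sender_counts
printf '%s\n' "$SAMPLE_MAILQ" | deferred_ids_for_sender ads@domain1.com
```

Filtering by sender matters here: the asker's legitimate users' mail is in the same queue, and `postsuper -d ALL` throws that away too. Run the counts first, confirm that one sender accounts for nearly all of the 76k entries, then delete only that sender's messages.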
oklit,

Here is the output of postcat /var/spool/postfix/deferred/1/100142A05C7:

*** ENVELOPE RECORDS /var/spool/postfix/deferred/1/100142A05C7 ***
message_size:             779             159               1               0
message_arrival_time: Thu Feb 19 06:08:32 2009
create_time: Thu Feb 19 06:08:32 2009
named_attribute: rewrite_context=local
sender_fullname: Apache
sender: ads@xxxxxx.com
*** MESSAGE CONTENTS /var/spool/postfix/deferred/1/100142A05C7 ***
Received: by xxxxxx.com (Postfix, from userid 48)
        id 100142A05C7; Thu, 19 Feb 2009 06:08:32 -0500 (EST)
Date: Thu, 19 Feb 2009 06:08:32 -0500
To: sarab_m25@yahoo.com
From: "ads@xxxxxx.com" <ads@xxxxxx.com>
Subject: =?UTF-8?B?2LPYp9mE2YbYp9mF2Ycg2LPYp9mEIDEzODg=?=
Message-ID: <a884b5f55f5e62fe2e59ca3c88c9babb@www.domain1.com>
X-Priority: 3
X-Mailer: PHPMailer [version 1.72]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/html; charset="UTF-8"

<h1 style="text-align: center; ">&nbsp;سالنامه سال 1388 مخصوص اینترنت</h1>
<h2 style="text-align: center; "><a href="http://www.iran.bz/detail.php?vendors=51080199&id=26&AdsID=1639&ads_type=6">توضیحات بیشتر و خرید پستی</a></h2>
[The body is Persian; in English it reads roughly "Yearbook of 1388, for the Internet" and "More details and mail order".]
*** HEADER EXTRACTED /var/spool/postfix/deferred/1/100142A05C7 ***
named_attribute: encoding=8bit
original_recipient: sarab_m25@yahoo.com
recipient: sarab_m25@yahoo.com
*** MESSAGE FILE END /var/spool/postfix/deferred/1/100142A05C7 ***


It mentions domain1.com in it. Is that where I should look? I will also look at the Apache log next.
oklit,

Should/can I run this in PuTTY?

for id in `mailq | grep "^[0-9A-Z]" | awk '{print $1}' | grep -v "\*$"`; do postdrop -d $id; done


oklit,

When I run the command in PuTTY I get:

postdrop: invalid option -- d
postdrop: fatal: usage: postdrop [-c config_dir] [-v]

Sir, you are the man. Thank you for your help.
Sorry for the delay - I was with my family at the swimming pool :)

My mistake - I was trying to be too fast probably. It's not postdrop, but postsuper.

So, command should be:
for id in `mailq | grep "^[0-9A-Z]" | awk '{print $1}' | grep -v "\*$"`; do postsuper -d $id; done

(or, to delete everything as it is, including emails being processed at the time of running this command: postsuper -d ALL).

And yes - you should run this from your terminal (but I see that you already know this :)).

The provided email was sent from your local host by the user Apache (so it is some website, a buggy one or some webmail), with the PHPMailer software.
Now you have to find out which webpage is sending this (examine the Apache access logs for some additional information).
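The postcat output above identifies only the sending user (Apache, uid 48) and the mailer (PHPMailer); it does not name the script. The remaining lead is time: `message_arrival_time` (also the `Received:` header) is the moment PHP handed the message to sendmail, so the request that triggered it is in the Apache access log within a second or two. The helper below is an added example, not part of Maciej S's answer: it filters access-log lines to a window around that timestamp and then counts POST requests per path, so an abused form shows up as one path with an outsized count. The access-log lines embedded in it are constructed; the client IPs, the paths /contact/send.php, /index.php and /login.php, and the log path /var/log/httpd/access_log are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): correlate a queued message's
# arrival time, as printed by postcat (message_arrival_time / the Received:
# header), with the Apache access log to find the script that handed it to
# sendmail.
#
# Real usage on the server (assumed log path; adjust to your vhost layout):
#   apache_requests_near "Thu Feb 19 06:08:32 2009" 30 < /var/log/httpd/access_log
#   apache_requests_near "Thu Feb 19 06:08:32 2009" 30 < /var/log/httpd/access_log | post_targets

# Print access-log lines (common or combined format, read on stdin) whose
# timestamp is within WINDOW seconds (default 60) of the postcat time given
# as the first argument. Only the same calendar day is compared, which is
# enough for a window of minutes; widen the window if the form is hit slowly.
apache_requests_near() {
    awk -v when="$1" -v window="${2:-60}" '
        function secs(t,  p) { split(t, p, ":"); return p[1] * 3600 + p[2] * 60 + p[3] }
        BEGIN {
            split(when, w, " ")                            # w[2]=Feb w[3]=19 w[4]=06:08:32 w[5]=2009
            day = sprintf("%02d/%s/%s", w[3], w[2], w[5])  # Apache date part: 19/Feb/2009
            t0 = secs(w[4])
        }
        {
            ts = $4; sub(/^\[/, "", ts)                    # 19/Feb/2009:06:08:32
            if (substr(ts, 1, 11) != day) next
            dt = secs(substr(ts, 13)) - t0
            if (dt < 0) dt = -dt
            if (dt <= window) print
        }'
}

# From access-log lines on stdin, count POST requests per path, most frequent
# first. $6 is the opening quote plus method, $7 the request path; a form that
# is being driven by a script shows up as one path with an outsized count.
post_targets() {
    awk '$6 == "\"POST" { n[$7]++ }
         END { for (p in n) printf "%d %s\n", n[p], p }' | sort -rn
}

# Constructed sample log: the IPs, paths and most times are hypothetical; the
# 06:08:32 timestamp matches the postcat output quoted in the thread.
SAMPLE_ACCESS_LOG=$(cat <<'EOF'
192.0.2.10 - - [19/Feb/2009:06:08:31 -0500] "POST /contact/send.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.10 - - [19/Feb/2009:06:08:32 -0500] "POST /contact/send.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [19/Feb/2009:06:08:33 -0500] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.10 - - [19/Feb/2009:06:08:34 -0500] "POST /contact/send.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [19/Feb/2009:06:20:00 -0500] "POST /contact/send.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [18/Feb/2009:06:08:32 -0500] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
)

# Demo: requests around the arrival time, then the POST paths among them.
printf '%s\n' "$SAMPLE_ACCESS_LOG" | apache_requests_near "Thu Feb 19 06:08:32 2009" 60
printf '%s\n' "$SAMPLE_ACCESS_LOG" | apache_requests_near "Thu Feb 19 06:08:32 2009" 60 | post_targets
```

Repeat this for a handful of queued IDs; the same path recurring at every arrival time is the script to take offline or fix. On PHP 5.3 and later, setting `mail.add_x_header = On` in php.ini makes PHP stamp each mail() message with an X-PHP-Originating-Script header carrying the uid and script file name, which removes the guesswork for any future incident.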