• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 668

Postfix trying to send email for unknown users of my domains

I am looking in my /var/log/maillog and I have:

1- a lot of these entries:
Feb 15 07:29:28 myhostname postfix/qmgr[2587]: 1545F1B090E: to=<tarahansabzworld@yahoo.com>, relay=none, delay=70215, delays=70215/0.01/0/0, dsn=4.7.0, status=deferred (delivery temporarily suspended: host c.mx.mail.yahoo.com[216.39.53.2] refused to talk to me: 421 4.7.0 [TS01] Messages from xxx.xxx.xxx.xxx temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Feb 15 07:29:28 myhostname postfix/qmgr[2587]: 1D9972220A4: from=<ads@domain1.com>, size=7638, nrcpt=1 (queue active)
Feb 15 07:29:28 myhostname postfix/qmgr[2587]: 1D9972220A4: to=<AGh.Rab_2227@yahoo.com>, relay=none, delay=44946, delays=44946/0.01/0/0, dsn=4.7.0, status=deferred (delivery temporarily suspended: host c.mx.mail.yahoo.com[216.39.53.2] refused to talk to me: 421 4.7.0 [TS01] Messages from xxx.xxx.xxx.xxx temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Feb 15 07:29:28 myhostname postfix/qmgr[2587]: 1D8C61AF95D: from=<ads@domain1.com>, size=7634, nrcpt=1 (queue active)
Feb 15 07:29:28 myhostname postfix/qmgr[2587]: 1D8C61AF95D: to=<yashar_58t@yahoo.com>, relay=none, delay=72517, delays=72517/0.01/0/0, dsn=4.7.0, status=deferred (delivery temporarily suspended: host c.mx.mail.yahoo.com[216.39.53.2] refused to talk to me: 421 4.7.0 [TS01] Messages from xxx.xxx.xxx.xxx temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Feb 15 07:29:28 myhostname postfix/qmgr[2587]: 1970F1AFEA8: from=<ads@domain1.com>, size=7645, nrcpt=1 (queue active)

2- 75000+ email messages queued up for delivery

I do not do mailing lists; this is just for 5 domains with about 3 email users per domain.

The user ads@domain1.com does not even exist in my user list. My question has 5 parts:
1- What likely happened?
2- How do I clear it up?
3- How do I stop it (changes to postfix conf main.cf?) from happening?
4- Is there a good program to prevent it happening again (SpamAssassin)?
5- Damage control: how do I find out if I'm now blacklisted and how do I fix that?

Here is part of my main.cf:

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
disable_vrfy_command = yes
smtpd_helo_required = yes
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
smtpd_recipient_restrictions = 
   permit_sasl_authenticated, 
   permit_mynetworks,
   reject_unauth_destination,
   reject_invalid_hostname,
   reject_non_fqdn_hostname,
   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
   reject_unknown_sender_domain,
   reject_unknown_recipient_domain,
   reject_unauth_pipelining,
   # reject_unknown_reverse_client_hostname,
   reject_rbl_client zen.spamhaus.org,
   reject_rbl_client opm.blitzed.org,
   reject_rbl_client list.dsbl.org,
   reject_rbl_client sbl.spamhaus.org,
   permit

Asked by: knightdogs

1 Solution
 
Maciej S (sysadmin) commented:
0. Please provide your entire main.cf (or better, the output of the "postconf -n" command).
1. You may have some webmail or HTML form which allows sending emails through your postfix without authentication (permit_mynetworks).
2. Look at 0. :) Secure your HTML forms (if you have them).
3. Look at 2.
4. Postfix configuration should be enough; look at 0.
5. http://www.robtex.com/rbl/  http://mxtoolbox.com/blacklists.aspx
 
knightdogs (Author) commented:
oklit,

Thanks for the quick response. Here are the results of postconf -n:

alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailbox_command = /usr/bin/procmail
mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mime_header_checks = regexp:/etc/postfix/mime_header_checks
mydestination = $myhostname, $mydomain, localhost.$mydomain, mail.$mydomain, localhost, localhost.localdomain
mydomain = mail.xxxxx.com
myhostname = xxxxx.com
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
notify_classes = resource, software
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
relay_domains = $mydestination
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_error_sleep_time = 1s
smtpd_hard_error_limit = 20
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_rbl_client zen.spamhaus.org, reject_rbl_client opm.blitzed.org, reject_rbl_client list.dsbl.org, reject_rbl_client sbl.spamhaus.org, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_soft_error_limit = 10
smtpd_tls_CAfile = /etc/httpd/certs/xxxxxx.ca-bundle
smtpd_tls_cert_file = /etc/httpd/certs/xxxxxx.crt
smtpd_tls_key_file = /etc/httpd/certs/myserver.key
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 450
virtual_alias_maps = hash:/etc/postfix/virtual
 
knightdogs (Author) commented:
oklit,
On 1.: is there a way to look at a log or a queued email to see what form might be doing this?

Also, I have 75918 queued emails; where can I look to delete them (instead of in Webmin, at 22 a screen that is a lot of screens to go through to delete!)?

 
Maciej S (sysadmin) commented:
Your config file looks OK, so I assume that it's caused by some HTML form used to send emails, or you are using webmail which allows users to change the From header in their emails.

To check your queue: "mailq" or "postqueue -p".
To examine your queued emails you may use the postcat command:
postcat /var/spool/postfix/deferred/1/1545F1B090E (this is of course an example based on your first post, with the 1545F1B090E email deferred).
You should then be able to find the real sender of this email (still, I'm guessing that it will be 127.0.0.1 or another IP which belongs to your server).
Check also your Apache access logfiles; maybe you have some buggy website which allows sending emails.

To delete all your queued emails you may use the "postdrop -d ALL" command; this will delete every email in your queue (even those which are being processed at the moment).
To delete only deferred emails you may use a simple one-liner:
for id in `mailq | grep "^[0-9A-Z]" | awk '{print $1}' | grep -v "\*$"`; do postdrop -d $id; done

As you have nearly 76k emails, deleting them can take a while.
 
knightdogs (Author) commented:
oklit,

Here is the output of postcat /var/spool/postfix/deferred/1/100142A05C7:

*** ENVELOPE RECORDS /var/spool/postfix/deferred/1/100142A05C7 ***
message_size:             779             159               1               0
message_arrival_time: Thu Feb 19 06:08:32 2009
create_time: Thu Feb 19 06:08:32 2009
named_attribute: rewrite_context=local
sender_fullname: Apache
sender: ads@xxxxxx.com
*** MESSAGE CONTENTS /var/spool/postfix/deferred/1/100142A05C7 ***
Received: by xxxxxx.com (Postfix, from userid 48)
        id 100142A05C7; Thu, 19 Feb 2009 06:08:32 -0500 (EST)
Date: Thu, 19 Feb 2009 06:08:32 -0500
To: sarab_m25@yahoo.com
From: "ads@xxxxxx.com" <ads@xxxxxx.com>
Subject: =?UTF-8?B?2LPYp9mE2YbYp9mF2Ycg2LPYp9mEIDEzODg=?=
Message-ID: <a884b5f55f5e62fe2e59ca3c88c9babb@www.domain1.com>
X-Priority: 3
X-Mailer: PHPMailer [version 1.72]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/html; charset="UTF-8"

<h1 style="text-align: center; ">&nbsp;سالنامه سال 1388 مخصوص اینترنت</h1>
<h2 style="text-align: center; "><a href="http://www.iran.bz/detail.php?vendors=51080199&id=26&AdsID=1639&ads_type=6">توضیحات بیشتر و خرید پستی</a></h2>
*** HEADER EXTRACTED /var/spool/postfix/deferred/1/100142A05C7 ***
named_attribute: encoding=8bit
original_recipient: sarab_m25@yahoo.com
recipient: sarab_m25@yahoo.com
*** MESSAGE FILE END /var/spool/postfix/deferred/1/100142A05C7 ***


It mentions domain1.com in it. Is that where I should look? I will also look at the Apache log next.
 
knightdogs (Author) commented:
oklit,

Should/can I run this in PuTTY?

for id in `mailq | grep "^[0-9A-Z]" | awk '{print $1}' | grep -v "\*$"`; do postdrop -d $id; done


 
knightdogs (Author) commented:
oklit,

When I run the command in PuTTY I get:

postdrop: invalid option -- d
postdrop: fatal: usage: postdrop [-c config_dir] [-v]
 
knightdogs (Author) commented:
Sir, you are the man.  Thank you for your help.
 
Maciej S (sysadmin) commented:
Sorry for the delay - I was with my family at the swimming pool :)

My mistake - I was probably trying to be too fast. It's not postdrop, but postsuper.

So, the command should be:
for id in `mailq | grep "^[0-9A-Z]" | awk '{print $1}' | grep -v "\*$"`; do postsuper -d $id; done

(or to delete everything as it is, including emails being processed at the time of running this command: postsuper -d ALL).

And yes, you should run this from your terminal (but I see that you already know this :)).

The provided email was sent from your local host by user Apache (so it is some website, either a buggy one or some webmail), with the PHPMailer software.
Now you have to find out which webpage is sending this (examine the Apache access logs for additional information).
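The two pieces of advice in this thread, examining queued messages with postcat to see who is injecting them and then deleting only the deferred ones with postsuper, as reusable shell functions. This is an added example, not code from the thread; it assumes standard Postfix tools (postcat -q, postqueue -p, postsuper -d -) and exercises itself on constructed sample data modelled on the records quoted above, with domain1.com as the thread's placeholder domain.

```shell
#!/bin/sh
# Queue triage for this thread's case: mail injected locally by the web server
# user and piling up as deferred. Sample data below is constructed from the
# records quoted in the thread (domain1.com is the thread's placeholder).

# summarise_postcat: read one message's "postcat -q <ID>" output on stdin and
# print "envelope sender|sender_fullname|originating userid|X-Mailer".
summarise_postcat() {
  awk '
    /^sender_fullname:/ { fn = substr($0, index($0, ": ") + 2) }
    /^sender:/          { sender = $2 }
    /^X-Mailer:/        { mailer = substr($0, index($0, ": ") + 2) }
    /^Received: by .*from userid [0-9]+/ {
      match($0, /userid [0-9]+/); uid = substr($0, RSTART + 7, RLENGTH - 7)
    }
    END { print sender "|" fn "|" uid "|" mailer }'
}

# deferred_ids_from_sender SENDER: read "mailq" / "postqueue -p" output on stdin
# and print the queue IDs sent by SENDER that are neither active (*) nor held (!).
deferred_ids_from_sender() {
  awk -v want="$1" '$1 ~ /^[0-9A-Za-z]+$/ && $NF == want { print $1 }'
}

SAMPLE_POSTCAT='*** ENVELOPE RECORDS deferred/1/100142A05C7 ***
sender_fullname: Apache
sender: ads@domain1.com
*** MESSAGE CONTENTS deferred/1/100142A05C7 ***
Received: by mail.domain1.com (Postfix, from userid 48)
X-Mailer: PHPMailer [version 1.72]'

SAMPLE_MAILQ='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
1545F1B090E      779 Thu Feb 19 06:08:32  ads@domain1.com
                                         tarahansabzworld@yahoo.com

1D9972220A4*    7638 Thu Feb 19 06:08:32  ads@domain1.com
                                         AGh.Rab_2227@yahoo.com
1D8C61AF95D     7634 Thu Feb 19 06:08:32  ads@domain1.com
                                         yashar_58t@yahoo.com
2A1B3C4D5E6     1200 Thu Feb 19 06:10:00  bob@domain1.com
                                         friend@example.net
-- 17 Kbytes in 4 Requests.'

# On the real server (not run here) the same functions plug into Postfix tools:
#   postqueue -p | awk '$1 ~ /^[0-9A-Za-z]+$/ {print $1}' | while read -r q; do
#     postcat -q "$q" | summarise_postcat; done | sort | uniq -c | sort -rn
#   mailq | deferred_ids_from_sender ads@domain1.com | postsuper -d -
printf '%s\n' "$SAMPLE_POSTCAT" | summarise_postcat
printf '%s\n' "$SAMPLE_MAILQ" | deferred_ids_from_sender ads@domain1.com
```

Sorting the summaries with uniq -c shows at a glance which local user, mailer and envelope sender account for the queue, and feeding IDs to postsuper -d - deletes only that sender's deferred mail while leaving legitimate queued messages alone.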