Just checking my daily logwatch file, I noticed an unknown IP address 184.22.56.206 and a Postfix stress warning / Anvil limit reached warning. Is someone sending spam messages from my server, or have they tried and failed due to the security settings?
Thanks, I had fail2ban monitoring Postfix and Dovecot but had SASL turned off. I've since enabled sasl, so hopefully that will stop this happening again:

Code:
[sasl]
enabled = true
port = smtp,ssmtp,smtpd,imap2,imap3,imaps,pop3,pop3s
filter = sasl
logpath = /var/log/mail.log
maxretry = 3
Hi, I also just analyzed my logwatch file from my mail server and I have a question regarding the "Sent via SMTP" section. It looks like this:

Code:
3717 Sent via SMTP
---------------------------------------------------------------------------
 647 gmail.com
 270 my.fqdn.tld
 158 domain_we_host.tdl
 154 domain_we_host.tdl
 142 domain_we_host.tdl
 126 gmx.at
  97 web.de
  91 googlemail.com
  84 yahoo.co.id
  82 freenet.de
  80 gawab.com
  80 yahoo.de
  79 hotmail.com
  77 yahoo.com
  76 aol.com
  75 t-online.de
  74 arcor.de
  66 bigstring.com
  65 inbox.com
  64 zoho.com
  60 gmx.net
etc.

My question is: Why is the top domain gmail.com? And why are there so many other domains we don't host on our server in the top SMTP senders? Does that suggest a spam problem?
From what I can see, 3717 emails were sent via SMTP. Is that in a 24 hour period? I believe the list of domains is how many emails were sent to each domain, e.g. 79 emails were sent to a hotmail.com email address.
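As an added illustration (not code from this thread), the following Python script reproduces both tallies discussed above over a constructed sample of Postfix log lines: the per-recipient-domain count behind logwatch's "Sent via SMTP" section (the domain is the recipient's, which is why gmail.com can top the list on a server that does not host it), and the per-client SASL authentication failures that the sasl fail2ban jail counts against maxretry. The hostnames, queue ids, addresses and IPs in the sample are made up.

```python
import re
from collections import Counter

# Constructed sample of Postfix log lines (made-up host, queue ids, addresses, IPs).
SAMPLE_LOG = """\
Jan 10 12:00:01 mx postfix/smtp[2101]: 1A2B3C4D5E: to=<alice@gmail.com>, relay=gmail-smtp-in.l.google.com[192.0.2.10]:25, delay=0.9, delays=0.1/0/0.3/0.5, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jan 10 12:00:03 mx postfix/smtp[2102]: 6F7A8B9C0D: to=<bob@GMAIL.com>, relay=gmail-smtp-in.l.google.com[192.0.2.10]:25, delay=1.1, delays=0.1/0/0.4/0.6, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jan 10 12:00:05 mx postfix/smtp[2103]: 1E2F3A4B5C: to=<carol@hotmail.com>, relay=mx1.hotmail.com[198.51.100.7]:25, delay=2.0, delays=0.1/0/0.9/1.0, dsn=2.0.0, status=sent (250 Queued)
Jan 10 12:00:07 mx postfix/smtp[2104]: 7D8E9F0A1B: to=<dave@example.net>, relay=none, delay=30, delays=30/0/0/0, dsn=4.4.1, status=deferred (connect to example.net[203.0.113.9]:25: Connection timed out)
Jan 10 12:00:09 mx postfix/smtpd[2105]: warning: unknown[203.0.113.50]: SASL LOGIN authentication failed: authentication failure
Jan 10 12:00:11 mx postfix/smtpd[2105]: warning: unknown[203.0.113.50]: SASL LOGIN authentication failed: authentication failure
Jan 10 12:00:12 mx postfix/smtpd[2105]: warning: unknown[203.0.113.50]: SASL PLAIN authentication failed: authentication failure
Jan 10 12:00:13 mx postfix/smtpd[2106]: warning: unknown[203.0.113.51]: SASL LOGIN authentication failed: authentication failure
"""

# Outbound delivery by the smtp client; the captured domain is the recipient's.
SENT_RE = re.compile(
    r"postfix/smtp\[\d+\]: \w+: to=<[^@>]+@([^>]+)>.*\bstatus=sent\b")
# Failed SASL logins against smtpd, capturing the client IP the sasl jail bans on.
SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: [^\[\s]+\[([\d.]+)\]: SASL \w+ authentication failed")


def sent_by_domain(log_text):
    """Per-recipient-domain count of messages with status=sent (deferred ones excluded)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SENT_RE.search(line)
        if m:
            counts[m.group(1).lower()] += 1
    return counts


def sasl_failures_by_client(log_text):
    """Per-client-IP count of SASL authentication failures."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SASL_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def clients_over_limit(log_text, maxretry=3):
    """Client IPs whose failure count reached the jail's maxretry (the ban threshold)."""
    return sorted(ip for ip, n in sasl_failures_by_client(log_text).items() if n >= maxretry)


if __name__ == "__main__":
    for domain, n in sent_by_domain(SAMPLE_LOG).most_common():
        print(f"{n:5d} {domain}")
    print("reached maxretry:", clients_over_limit(SAMPLE_LOG))
```

Run it against /var/log/mail.log instead of SAMPLE_LOG to compare the domain tally with your own logwatch section (it ignores findtime, so the SASL count is a daily total, not fail2ban's sliding window).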
Thanks! That makes a lot more sense. Don't know why I didn't think of that... I wish there was some more in-depth explanation of the logwatch output. There's a lot of guesswork involved, at least for me.
Most of the output assumes you understand how SMTP and mail services work. Try running postfix-logwatch in standalone mode and increase the detail for any given section. This will give you a better picture of what you're seeing.

MrC