Hello... I got this suspect message from logcheck. Can anybody tell me what has been going on on my server?
Code:
Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
Aug 26 00:10:52 www postfix/smtp[28270]: C2E9623E0B4A: to=<[email protected]>, relay=smtp.secureserver.net[64.202.166.12], delay=5, status=bounced (host smtp.secureserver.net[64.202.166.12] said: 553 Attack detected. <http://unblock.secureserver.net/?ip=85.222.100.138> (in reply to RCPT TO command))
Aug 26 00:27:49 www postfix/smtp[28487]: E7DB623E0CC3: to=<[email protected]>, relay=mail.aaron-wright.com[67.19.105.202], delay=5, status=bounced (host mail.aaron-wright.com[67.19.105.202] said: 550 Appears to be a dictionary attack (in reply to RCPT TO command))
Aug 26 00:40:45 www postfix/smtp[28978]: AD22E23E0CD3: to=<[email protected]>, relay=smtp.secureserver.net[64.202.166.12], delay=3, status=bounced (host smtp.secureserver.net[64.202.166.12] said: 553 Attack detected. <http://unblock.secureserver.net/?ip=85.222.100.138> (in reply to RCPT TO command))
Aug 26 01:10:34 www postfix/smtp[30031]: 8B0B823E0CFF: to=<[email protected]>, relay=smtp.secureserver.net[64.202.166.12], delay=3, status=bounced (host smtp.secureserver.net[64.202.166.12] said: 553 Attack detected. <http://unblock.secureserver.net/?ip=85.222.100.138> (in reply to RCPT TO command))
Aug 26 01:10:44 www postfix/smtp[30019]: 08B6523E0CED: to=<[email protected]>, relay=smtp.secureserver.net[64.202.166.12], delay=2, status=bounced (host smtp.secureserver.net[64.202.166.12] said: 553 Attack detected. <http://unblock.secureserver.net/?ip=85.222.100.138> (in reply to RCPT TO command))
Aug 26 01:23:57 www postfix/smtp[30547]: warning: TLS library problem: 30547:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:174:Type=ASN1_PRINTABLE:
Aug 26 01:23:57 www postfix/smtp[30547]: warning: TLS library problem: 30547:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:566:Field=value, Type=X509_NAME_ENTRY:
Aug 26 01:23:57 www postfix/smtp[30547]: warning: TLS library problem: 30547:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:542:
Aug 26 01:23:57 www postfix/smtp[30547]: warning: TLS library problem: 30547:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:542:
Aug 26 01:23:57 www postfix/smtp[30547]: warning: TLS library problem: 30547:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:566:Field=issuer, Type=X509_CINF:
Aug 26 01:23:57 www postfix/smtp[30547]: warning: TLS library problem: 30547:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:566:Field=cert_info, Type=X509:
Aug 26 01:28:51 www postfix/smtp[30607]: B686923E0BAD: to=<[email protected]>, relay=smtp.secureserver.net[64.202.166.12], delay=3, status=bounced (host smtp.secureserver.net[64.202.166.12] said: 553 Attack detected. <http://unblock.secureserver.net/?ip=85.222.100.138> (in reply to RCPT TO command))
Aug 26 01:32:39 www postfix/smtp[30566]: 8105223E0C58: to=<[email protected]>, relay=smtp.secureserver.net[64.202.166.12], delay=2, status=bounced (host smtp.secureserver.net[64.202.166.12] said: 553 Attack detected. <http://unblock.secureserver.net/?ip=85.222.100.138> (in reply to RCPT TO command))
Aug 26 01:52:42 www postfix/smtp[31498]: 564D623E0A13: to=<[email protected]>, relay=smtp.secureserver.net[64.202.166.12], delay=4, status=bounced (host smtp.secureserver.net[64.202.166.12] said: 553 Attack detected. <http://unblock.secureserver.net/?ip=85.222.100.138> (in reply to RCPT TO command))
Aug 26 02:17:03 www postfix/smtp[32197]: 33A3123E02E1: to=<[email protected]>, relay=smtp.secureserver.net[64.202.166.12], delay=26, status=bounced (host smtp.secureserver.net[64.202.166.12] said: 553 Attack detected. <http://unblock.secureserver.net/?ip=85.222.100.138> (in reply to RCPT TO command))
Aug 26 02:37:46 www postfix/smtp[413]: 0CB9123E074D: to=<[email protected]>, relay=smtp.secureserver.net[64.202.166.12], delay=13, status=bounced (host smtp.secureserver.net[64.202.166.12] said: 553 Attack detected. <http://unblock.secureserver.net/?ip=85.222.100.138> (in reply to RCPT TO command))
Aug 26 02:46:55 www postfix/smtp[872]: warning: TLS library problem: 872:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:174:Type=ASN1_PRINTABLE:
Aug 26 02:46:55 www postfix/smtp[872]: warning: TLS library problem: 872:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:566:Field=value, Type=X509_NAME_ENTRY:
Aug 26 02:46:55 www postfix/smtp[872]: warning: TLS library problem: 872:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:542:
Aug 26 02:46:55 www postfix/smtp[872]: warning: TLS library problem: 872:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:542:
Aug 26 02:46:55 www postfix/smtp[872]: warning: TLS library problem: 872:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:566:Field=issuer, Type=X509_CINF:
Aug 26 02:46:55 www postfix/smtp[872]: warning: TLS library problem: 872:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:566:Field=cert_info, Type=X509:

My server is 85.222.100.138 (well, it isn't; I've changed it for this post). Thank you for any information on what happened here.
Your server seems to be blacklisted. Please make sure it isn't an open relay. Do you see lots of activity in your mail log?
Hi Falco, thank you for replying. My server is not open for relay; you have to give a user name and password to send e-mail. Could it be that someone has broken a user password? How do I check if my server is used for spam, or has been compromised?
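One way to answer the question above from the mail log, as an added example that is not part of the original thread: tie each outbound delivery back to whoever submitted it (SASL user, client host, or a local uid via pickup) and list the submitters whose mail mostly bounces. The sample log is constructed, and the thresholds in `suspicious` are illustrative assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in Postfix syslog format; hosts, users and queue IDs are made up.
SAMPLE_LOG = """\
Aug 26 00:10:40 www postfix/smtpd[100]: C0FFEE0001: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=info
Aug 26 00:10:52 www postfix/smtp[101]: C0FFEE0001: to=<a@example.net>, relay=mx.example.net[198.51.100.12], delay=5, status=bounced (host mx.example.net[198.51.100.12] said: 553 Attack detected (in reply to RCPT TO command))
Aug 26 00:11:40 www postfix/smtpd[100]: C0FFEE0002: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=info
Aug 26 00:11:52 www postfix/smtp[101]: C0FFEE0002: to=<b@example.com>, relay=mx.example.com[198.51.100.25], delay=5, status=bounced (host mx.example.com[198.51.100.25] said: 550 Appears to be a dictionary attack (in reply to RCPT TO command))
Aug 26 00:12:40 www postfix/smtpd[100]: C0FFEE0003: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=info
Aug 26 00:12:52 www postfix/smtp[101]: C0FFEE0003: to=<c@example.com>, relay=mx.example.com[198.51.100.25], delay=2, status=sent (250 ok)
Aug 26 00:13:01 www postfix/pickup[102]: C0FFEE0004: uid=33 from=<www-data>
Aug 26 00:13:05 www postfix/smtp[101]: C0FFEE0004: to=<d@example.net>, relay=mx.example.net[198.51.100.12], delay=4, status=bounced (host mx.example.net[198.51.100.12] said: 553 Attack detected (in reply to RCPT TO command))
"""

SMTPD = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-F]+): client=([^,\s]+)")
SASL = re.compile(r"sasl_username=([^,\s]+)")
PICKUP = re.compile(r"postfix/pickup\[\d+\]: ([0-9A-F]+): uid=(\d+)")
DELIVERY = re.compile(r"postfix/smtp\[\d+\]: ([0-9A-F]+): to=<[^>]*>.*?status=(\w+)")

def by_submitter(log_text):
    """Count delivery results per submitter (SASL user, client host or local uid)."""
    origin, stats = {}, defaultdict(Counter)
    for line in log_text.splitlines():
        if m := SMTPD.search(line):
            sasl = SASL.search(line)
            origin[m.group(1)] = f"sasl:{sasl.group(1)}" if sasl else f"client:{m.group(2)}"
        elif m := PICKUP.search(line):
            origin[m.group(1)] = f"local-uid:{m.group(2)}"  # mail injected on the box itself
        elif m := DELIVERY.search(line):
            stats[origin.get(m.group(1), "unknown")][m.group(2)] += 1
    return stats

def suspicious(stats, min_deliveries=2, bounce_ratio=0.5):
    """Submitters with enough traffic whose deliveries mostly bounce (illustrative thresholds)."""
    flagged = []
    for who, counts in stats.items():
        total = sum(counts.values())
        if total and total >= min_deliveries and counts["bounced"] / total >= bounce_ratio:
            flagged.append(who)
    return sorted(flagged)

if __name__ == "__main__":
    for who, counts in by_submitter(SAMPLE_LOG).items():
        print(who, dict(counts))
    print("review first:", suspicious(by_submitter(SAMPLE_LOG)))
```

A `sasl:` entry at the top points at a mailbox whose password should be reset; a `local-uid:` entry points at a process on the server itself, such as a web script running under that uid.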
Please check the known blacklists, like sorbs.net. What's the output of
Code:
postconf -n | grep mynetworks
and
Code:
postconf -d | grep mynetworks
?
Output of "postconf -n | grep mynetworks"
Code:
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination

Output of "postconf -d | grep mynetworks"
Code:
mynetworks = 127.0.0.0/8 85.222.100.0/24
mynetworks_style = subnet
parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
smtpd_client_event_limit_exceptions = ${smtpd_client_connection_limit_exceptions:$mynetworks}
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
Are you authorized to use securenet for SMTP? I'd check their FAQ for what they mean by the error. Is "85.222.100.0/24" representing your internal net and *not* your public IP?
You could be over quota for outbound SMTP at securenet.
If you are doing SASL/TLS to the outbound you might have problems with the postfix setup.
Can you send via another outbound server or directly?
Please run
Code:
postconf -e 'mynetworks = 127.0.0.0/8'
and restart Postfix, otherwise anybody from the 85.222.100.0 subnet can abuse your server for spamming.
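Why the default matters, as an added example that is not part of the original thread: a simplified first-match walk over the `smtpd_recipient_restrictions` from the postconf output, run with the default `mynetworks` and with the corrected value. Only the three restrictions shown in the thread are modelled; the neighbour address and `LOCAL_DOMAINS` are constructed, and `mynetworks` is assumed to hold plain CIDR blocks.

```python
import ipaddress

def parse_mynetworks(value):
    """Parse a mynetworks value made of plain IPs / CIDR blocks.
    Assumption: no table lookups, file paths or '!' exclusions, which Postfix also accepts."""
    return [ipaddress.ip_network(tok, strict=False)
            for tok in value.replace(",", " ").split()]

def relay_decision(client_ip, rcpt_domain, sasl_ok, restrictions, mynetworks, local_domains):
    """Simplified first-match walk over smtpd_recipient_restrictions.
    Only the three restrictions shown in the thread are modelled."""
    ip = ipaddress.ip_address(client_ip)
    for name in (r.strip() for r in restrictions.split(",")):
        if name == "permit_sasl_authenticated" and sasl_ok:
            return ("permit", name)
        if name == "permit_mynetworks" and any(ip in net for net in mynetworks):
            return ("permit", name)
        if name == "reject_unauth_destination" and rcpt_domain not in local_domains:
            return ("reject", name)
    return ("permit", "end of list")

# Values taken from the postconf output in the thread.
RESTRICTIONS = "permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination"
DEFAULT_NETS = parse_mynetworks("127.0.0.0/8 85.222.100.0/24")  # from mynetworks_style = subnet
FIXED_NETS = parse_mynetworks("127.0.0.0/8")                    # after the postconf -e change

# Constructed inputs: a neighbour in the same /24 and the domains this server hosts.
NEIGHBOUR = "85.222.100.77"
LOCAL_DOMAINS = {"example.org"}

def check(nets, sasl_ok=False, rcpt="example.net", client=NEIGHBOUR):
    """Decision for one RCPT TO from `client` to a recipient at `rcpt`."""
    return relay_decision(client, rcpt, sasl_ok, RESTRICTIONS, nets, LOCAL_DOMAINS)

if __name__ == "__main__":
    print("default mynetworks  :", check(DEFAULT_NETS))
    print("mynetworks = 127/8  :", check(FIXED_NETS))
    print("same, authenticated :", check(FIXED_NETS, sasl_ok=True))
    print("mail for own domain :", check(FIXED_NETS, rcpt="example.org"))
```

With the default, an unauthenticated neighbour in the /24 is permitted by `permit_mynetworks` before `reject_unauth_destination` is ever reached; after the change only localhost and authenticated users can relay.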