Hi all, I am having a whole tonne of email related problems and my google-fu is letting me down - thus I turn to you all for help. I am seeing the following in various logfiles:

Mail Log
Code:
Oct 20 13:14:51 hades postfix/smtp[18321]: 2BFEA596698: to=<[email protected]>, relay=none, delay=331542, delays=331538/0.58/4/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=gmail.gr type=MX: Host not found, try again)
Oct 20 13:14:51 hades postfix/smtp[18325]: 28FEC5966B5: host mail.saint-gobain.com[192.109.148.16] refused to talk to me: 554-mail.saint-gobain.com 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.
Oct 20 13:14:51 hades postfix/smtp[18216]: 8B5B5256A1: host smtp-in.orange.fr[193.252.22.65] refused to talk to me: 550 mwinf5c10 ME Adresse IP source bloquee pour incident de spam. Client host blocked for spamming issues. OFR006_102 Ref http://csi.cloudmark.com/reset-request/?ip=178.79.181.243 [102]
Oct 20 13:14:52 hades postfix/smtp[18257]: 5B78F59693B: host smtp-in.orange.fr[193.252.22.65] refused to talk to me: 550 mwinf5c10 ME Adresse IP source bloquee pour incident de spam. Client host blocked for spamming issues. OFR006_102 Ref http://csi.cloudmark.com/reset-request/?ip=178.79.181.243 [102]
Oct 20 13:14:52 hades postfix/smtp[18325]: 28FEC5966B5: to=<[email protected]>, relay=mail9.saint-gobain.com[192.109.148.15]:25, delay=331457, delays=331452/0.58/4.7/0, dsn=4.0.0, status=deferred (host mail9.saint-gobain.com[192.109.148.15] refused to talk to me: 554-mail9.saint-gobain.com 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.)
Oct 20 13:14:52 hades postfix/smtp[18200]: E463025096: host smtp-in.orange.fr[80.12.242.9] refused to talk to me: 550 mwinf5c10 ME Adresse IP source bloquee pour incident de spam. Client host blocked for spamming issues. OFR006_102 Ref http://csi.cloudmark.com/reset-request/?ip=178.79.181.243 [102]
Oct 20 13:14:52 hades postfix/smtp[18320]: E370D5968FE: host smtp-in.orange.fr[80.12.242.9] refused to talk to me: 550 mwinf5c10 ME Adresse IP source bloquee pour incident de spam. Client host blocked for spamming issues. OFR006_102 Ref http://csi.cloudmark.com/reset-request/?ip=178.79.181.243 [102]
Oct 20 13:14:56 hades postfix/smtp[18287]: certificate verification failed for smtp-in.sfr.fr[93.17.128.165]:25: untrusted issuer /C=FR/O=Certplus/CN=Class 2 Primary CA
Oct 20 13:14:56 hades postfix/smtp[18216]: 8B5B5256A1: to=<[email protected]>, relay=smtp-in.orange.fr[80.12.242.9]:25, delay=323774, delays=323764/0.15/10/0, dsn=4.0.0, status=deferred (host smtp-in.orange.fr[80.12.242.9] refused to talk to me: 550 mwinf5c10 ME Adresse IP source bloquee pour incident de spam. Client host blocked for spamming issues. OFR006_102 Ref http://csi.cloudmark.com/reset-request/?ip=178.79.181.243 [102])
Oct 20 13:14:57 hades postfix/smtp[18257]: 5B78F59693B: to=<[email protected]>, relay=smtp-in.orange.fr[80.12.242.9]:25, delay=327867, delays=327856/0.38/10/0, dsn=4.0.0, status=deferred (host smtp-in.orange.fr[80.12.242.9] refused to talk to me: 550 mwinf5c10 ME Adresse IP source bloquee pour incident de spam. Client host blocked for spamming issues. OFR006_102 Ref http://csi.cloudmark.com/reset-request/?ip=178.79.181.243 [102])
Oct 20 13:14:57 hades postfix/smtp[18320]: E370D5968FE: to=<[email protected]>, relay=smtp-in.orange.fr[193.252.22.65]:25, delay=327991, delays=327980/0.58/10/0, dsn=4.0.0, status=deferred (host smtp-in.orange.fr[193.252.22.65] refused to talk to me: 550 mwinf5c10 ME Adresse IP source bloquee pour incident de spam. Client host blocked for spamming issues. OFR006_102 Ref http://csi.cloudmark.com/reset-request/?ip=178.79.181.243 [102])
Oct 20 13:14:57 hades postfix/smtp[18200]: E463025096: to=<[email protected]>, relay=smtp-in.orange.fr[193.252.22.65]:25, delay=432889, delays=432878/0.58/10/0, dsn=4.0.0, status=deferred (host smtp-in.orange.fr[193.252.22.65] refused to talk to me: 550 mwinf5c10 ME Adresse IP source bloquee pour incident de spam. Client host blocked for spamming issues. OFR006_102 Ref http://csi.cloudmark.com/reset-request/?ip=178.79.181.243 [102])
Oct 20 13:14:57 hades postfix/qmgr[3545]: E463025096: from=<[email protected]>, status=expired, returned to sender
Oct 20 13:14:57 hades postfix/cleanup[18128]: 8B884237D3: message-id=<[email protected]>
Oct 20 13:14:57 hades postfix/bounce[18233]: E463025096: sender non-delivery notification: 8B884237D3
Oct 20 13:14:57 hades postfix/qmgr[3545]: 8B884237D3: from=<>, size=3758, nrcpt=1 (queue active)
Oct 20 13:14:57 hades postfix/qmgr[3545]: E463025096: removed
Oct 20 13:14:57 hades postfix/smtp[18294]: 8B884237D3: to=<[email protected]>, relay=none, delay=0.01, delays=0/0/0/0, dsn=5.4.6, status=bounced (mail for emmacheyne.com loops back to myself)
Oct 20 13:14:57 hades postfix/qmgr[3545]: 8B884237D3: removed
Oct 20 13:14:58 hades postfix/smtp[18274]: certificate verification failed for cluster1a.uk.messagelabs.com[85.158.139.103]:25: untrusted issuer /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
Oct 20 13:14:58 hades postfix/smtp[18274]: C6244595F8D: to=<[email protected]>, relay=cluster1a.uk.messagelabs.com[85.158.139.103]:25, delay=353679, delays=353667/0.49/12/0.03, dsn=4.0.0, status=deferred (host cluster1a.uk.messagelabs.com[85.158.139.103] said: 421 Service Temporarily Unavailable (in reply to RCPT TO command))
Oct 20 13:15:01 hades postfix/smtp[18231]: 0BB605961BC: host etb-1.mail.tiscali.it[213.205.33.63] refused to talk to me: 554 imp-1.mail.tiscali.it XQF11r01i5FVNl601 IP: 178.79.181.243, You are not allowed to send mail. Please see http://www.spamhaus.org/query/ip/178.79.181.243 You are listed in Spamhaus ZEN
Oct 20 13:15:01 hades postfix/smtpd[18108]: connect from localhost.localdomain[127.0.0.1]
Oct 20 13:15:01 hades postfix/smtpd[18108]: lost connection after CONNECT from localhost.localdomain[127.0.0.1]
Oct 20 13:15:01 hades postfix/smtpd[18108]: disconnect from localhost.localdomain[127.0.0.1]
Oct 20 13:15:01 hades pop3d: Connection, ip=[::ffff:127.0.0.1]
Oct 20 13:15:01 hades pop3d: Disconnected, ip=[::ffff:127.0.0.1]

Mail Warn-Log:
Code:
Oct 20 13:11:55 hades postfix/smtpd[16973]: warning: unknown[109.98.160.227]: SASL PLAIN authentication failed: authentication failure
Oct 20 13:11:57 hades postfix/smtpd[16973]: warning: unknown[109.98.160.227]: SASL LOGIN authentication failed: authentication failure
Oct 20 13:12:03 hades postfix/smtpd[16973]: warning: SASL authentication failure: Password verification failed
Oct 20 13:12:03 hades postfix/smtpd[16973]: warning: unknown[109.98.160.227]: SASL PLAIN authentication failed: authentication failure
Oct 20 13:12:03 hades postfix/smtpd[18108]: warning: SASL authentication failure: Password verification failed
Oct 20 13:12:03 hades postfix/smtpd[18108]: warning: unknown[109.98.160.227]: SASL PLAIN authentication failed: authentication failure
Oct 20 13:12:03 hades postfix/smtpd[16973]: warning: unknown[109.98.160.227]: SASL LOGIN authentication failed: authentication failure
Oct 20 13:12:03 hades postfix/smtpd[18108]: warning: unknown[109.98.160.227]: SASL LOGIN authentication failed: authentication failure
Oct 20 13:12:09 hades postfix/smtpd[16973]: warning: SASL authentication failure: Password verification failed
Oct 20 13:12:09 hades postfix/smtpd[16973]: warning: unknown[109.98.160.227]: SASL PLAIN authentication failed: authentication failure
Oct 20 13:12:09 hades postfix/smtpd[16973]: warning: unknown[109.98.160.227]: SASL LOGIN authentication failed: authentication failure
Oct 20 13:12:29 hades postfix/smtpd[18108]: warning: unknown[222.236.44.34]: SASL LOGIN authentication failed: authentication failure
Oct 20 13:24:19 hades postfix/smtpd[18960]: warning: 69.12.86.131: address not listed for hostname 69.12.86.131.static.quadranet.com

I *think* I have two problems:
* First, something somewhere is compromised, and sending out loads of spam emails. I've disabled the clients/mailboxes/etc associated with the domain popping up in the logs (emmacheyne.com), but that doesn't seem to be stopping them.
* Second, I think there may be an SSL/email configuration issue, as I'm getting authentication failures from accounts which should be able to log in.

EDIT: I'm using ISP Config 3 on Ubuntu 10.04.4 LTS

Any help and suggestions for resolutions would be greatly appreciated!

Thanks, Ben
The test script gives me the following:
Code:
##### SERVER #####
IP-address (as per hostname): ***.***.***.***
IP-address(es) (as per ifconfig): ***.***.***.***
[INFO] ISPConfig is installed.
[WARN] /usr/local/ispconfig/server/lib/config.inc.php is missing.
##### VERSION CHECK #####
[INFO] php (cli) version is 5.3.2-1ubuntu4.30
##### PORT CHECK #####
##### MAIL SERVER CHECK #####
[WARN] I found no "submission" entry in your postfix master.cf
[INFO] this is not critical, but if you want to offer port 587 for smtp connections you have to enable this.
##### RUNNING SERVER PROCESSES #####
[WARN] I could not determine which web server is running.
[WARN] I could not determine which mail server is running.
[WARN] I could not determine which pop3 server is running.
[WARN] I could not determine which imap server is running.
[WARN] I could not determine which ftp server is running.
##### LISTENING PORTS #####
(only ()
Local (Address)
[localhost]:10024 (-)
[localhost]:10025 (-)
[anywhere]:3306 (-)
[localhost]:783 (-)
[anywhere]:8080 (-)
[anywhere]:80 (-)
[anywhere]:8081 (-)
[anywhere]:465 (-)
[anywhere]:21 (-)
***.***.***.***:53 (-)
[localhost]:53 (-)
[anywhere]:22 (-)
[anywhere]:25 (-)
[localhost]:953 (-)
[anywhere]:443 (-)
*:*:*:*::*:993 (-)
*:*:*:*::*:995 (-)
[localhost]10 (-)
[localhost]43 (-)
*:*:*:*::*:465 (-)
*:*:*:*::*:21 (-)
*:*:*:*::*:53 (-)
*:*:*:*::*:22 (-)
*:*:*:*::*:25 (-)
*:*:*:*::*:953 (-)
Sounds like a broken/incomplete ISPConfig install; fixing that might help both your mail issues. Does ISPConfig work at all? (Maybe the web GUI works, but nothing in the backend seems to change/work?)
And check the number of emails in the mail queue with "postqueue -p". For me it looks as if your server is sending spam e.g. through a hacked website or hacked email account.
ISPConfig itself seems to be working fine, it's just that mail clients can't authenticate. I saw that error, but can't seem to force a reconfiguration as I'm already on the latest version, and have no idea how to go about manually resolving that missing file. I think so too, but I'm not sure how to identify which account is compromised. I have disabled all accounts associated with the domain email is being sent from, but it doesn't appear to have stopped it.
Download the ISPConfig tar.gz file, unpack it and run the update.php script inside the install folder.

Run: postqueue -p to see what's in the mail queue. Then use: postcat -q QUEUEID to inspect one of the emails. In the headers of the mail you should be able to see if it is sent by an authenticated account or by a PHP script.
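As an added example (not code from this thread or from ISPConfig), a small POSIX shell triage for the postqueue -p / postcat -q QUEUEID procedure above and the queue count suggested earlier: it tallies queued messages per envelope sender and classifies a message's headers as SASL-authenticated, PHP-originated or local sendmail submission. The function names, the constructed sample data and the uid 5004 are assumptions; the X-PHP-Originating-Script header only exists when PHP's mail.add_x_header is on, and the "Authenticated sender" marker only when Postfix's smtpd_sasl_authenticated_header is set to yes.

```shell
# Added example, not code from this thread or from ISPConfig. Assumes Postfix's
# postqueue(1)/postcat(1) plus POSIX awk/sed/grep; sample data is constructed.

# Count queued messages per envelope sender from a `postqueue -p` listing on
# stdin, most queued first: the abused account or domain floats to the top.
senders_by_count() {
    awk '/^[0-9A-Za-z]+[*!]? +[0-9]+ +/ { n[$NF]++ }   # queue-ID lines only
         END { for (s in n) print n[s], s }' | sort -rn
}

# Classify one message (`postcat -q QUEUEID` on stdin) by how it was submitted:
#   authenticated    Received: carries "(Authenticated sender: X)", which
#                    Postfix adds when smtpd_sasl_authenticated_header = yes
#   php-script       X-PHP-Originating-Script header (PHP mail.add_x_header)
#   local-submission "(Postfix, from userid N)": piped to sendmail by uid N,
#                    i.e. the web user whose script ran
classify_headers() {
    hdr=$(sed '/^$/q')                    # headers stop at the first blank line
    if printf '%s\n' "$hdr" | grep -qi 'Authenticated sender:'; then
        echo authenticated
    elif printf '%s\n' "$hdr" | grep -qi '^X-PHP-Originating-Script:'; then
        echo php-script
    elif printf '%s\n' "$hdr" | grep -q 'Postfix, from userid [0-9]'; then
        echo local-submission
    else
        echo unknown
    fi
}

# Live run (root or postdrop group): one "QUEUEID class" line per message.
triage_queue() {
    postqueue -p | awk '/^[0-9A-Za-z]+[*!]? +[0-9]+ +/ { sub(/[*!]$/, "", $1); print $1 }' |
    while read -r qid; do
        printf '%s %s\n' "$qid" "$(postcat -q "$qid" | classify_headers)"
    done
}

# Constructed samples so the helpers can be exercised offline.
sample_queue() { cat <<'EOF'
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
2BFEA596698     3758 Thu Oct 20 13:14:51  shop@example.com
                                         someone@gmail.gr
28FEC5966B5*    2901 Thu Oct 20 13:14:51  shop@example.com
                                         someone@example.net
C6244595F8D     4102 Thu Oct 20 13:14:58  ben@example.org
                                         contact@example.co.uk
EOF
}
sample_php_headers() { cat <<'EOF'
Received: by hades (Postfix, from userid 5004)
X-PHP-Originating-Script: 5004:mailer.php
EOF
}
```

In the local-submission case, map the userid to the ISPConfig web user (getent passwd N) to find which client's site the script lives in.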
Great, the test script now shows no errors:
Code:
##### SERVER #####
IP-address (as per hostname): ***.***.***.***
IP-address(es) (as per ifconfig): ***.***.***.***
[INFO] ISPConfig is installed.
##### ISPCONFIG #####
ISPConfig version is 3.0.5.4p8
##### VERSION CHECK #####
[INFO] php (cli) version is 5.3.2-1ubuntu4.30
##### PORT CHECK #####
##### MAIL SERVER CHECK #####
[WARN] I found no "submission" entry in your postfix master.cf
[INFO] this is not critical, but if you want to offer port 587 for smtp connections you have to enable this.
##### RUNNING SERVER PROCESSES #####
[INFO] I found the following web server(s): Apache 2 (PID 27107)
[INFO] I found the following mail server(s): Postfix (PID 25705)
[INFO] I found the following pop3 server(s): Courier Mailserver (PID 27048)
[INFO] I found the following imap server(s): Courier Mailserver (PID 27008)
[INFO] I found the following ftp server(s): PureFTP (PID 27132)
##### LISTENING PORTS #####
(only ()
Local (Address)
[localhost]:10024 (25941/amavisd)
[localhost]:10025 (25705/master)
[anywhere]:3306 (25549/mysqld)
[localhost]:783 (2766/spamd.pid)
[anywhere]:8080 (27107/apache2)
[anywhere]:80 (27107/apache2)
[anywhere]:8081 (27107/apache2)
[anywhere]:465 (25705/master)
[anywhere]:21 (27132/pure-ftpd)
***.***.***.***:53 (2603/named)
[localhost]:53 (2603/named)
[anywhere]:22 (2748/sshd)
[anywhere]:25 (25705/master)
[localhost]:953 (2603/named)
[anywhere]:443 (27107/apache2)
*:*:*:*::*:993 (27031/couriertcpd)
*:*:*:*::*:995 (27071/couriertcpd)
[localhost]10 (27048/couriertcpd)
[localhost]43 (27008/couriertcpd)
*:*:*:*::*:465 (25705/master)
*:*:*:*::*:21 (27132/pure-ftpd)
*:*:*:*::*:53 (2603/named)
*:*:*:*::*:22 (2748/sshd)
*:*:*:*::*:25 (25705/master)
*:*:*:*::*:953 (2603/named)
##### IPTABLES #####
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-ssh tcp -- [anywhere]/0 [anywhere]/0 multiport dports 22

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain fail2ban-ssh (1 references)
target prot opt source destination
RETURN all -- [anywhere]/0 [anywhere]/0

I've figured out that it's a PHP script sending the spam, within the web files of the client account I've already deactivated. Is there a simple way to disable that user account, to stop everything under that user running, until I can patch things up? Or should I just delete the user (and therefore everything associated with them) and set them up again from scratch?

Thanks, Ben