Errors, errors everywhere

Discussion in 'Installation/Configuration' started by Nebhead, Oct 20, 2015.

  1. Nebhead

    Nebhead New Member

    Hi all,
    I am having a whole tonne of email related problems and my google-fu is letting me down - thus I turn to you all for help.
    I am seeing the following in various logfiles:

    Mail Log
    Code:
    Oct 20 13:14:51 hades postfix/smtp[18321]: 2BFEA596698: to=<[email protected]>, relay=none, delay=331542, delays=331538/0.58/4/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=gmail.gr type=MX: Host not found, try again)
    Oct 20 13:14:51 hades postfix/smtp[18325]: 28FEC5966B5: host mail.saint-gobain.com[192.109.148.16] refused to talk to me: 554-mail.saint-gobain.com 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.
    Oct 20 13:14:51 hades postfix/smtp[18216]: 8B5B5256A1: host smtp-in.orange.fr[193.252.22.65] refused to talk to me: 550 mwinf5c10 ME Adresse IP source bloquee pour incident de spam. Client host blocked for spamming issues. OFR006_102 Ref http://csi.cloudmark.com/reset-request/?ip=178.79.181.243 [102]
    Oct 20 13:14:52 hades postfix/smtp[18257]: 5B78F59693B: host smtp-in.orange.fr[193.252.22.65] refused to talk to me: 550 mwinf5c10 ME Adresse IP source bloquee pour incident de spam. Client host blocked for spamming issues. OFR006_102 Ref http://csi.cloudmark.com/reset-request/?ip=178.79.181.243 [102]
    Oct 20 13:14:52 hades postfix/smtp[18325]: 28FEC5966B5: to=<[email protected]>, relay=mail9.saint-gobain.com[192.109.148.15]:25, delay=331457, delays=331452/0.58/4.7/0, dsn=4.0.0, status=deferred (host mail9.saint-gobain.com[192.109.148.15] refused to talk to me: 554-mail9.saint-gobain.com 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.)
    Oct 20 13:14:52 hades postfix/smtp[18200]: E463025096: host smtp-in.orange.fr[80.12.242.9] refused to talk to me: 550 mwinf5c10 ME Adresse IP source bloquee pour incident de spam. Client host blocked for spamming issues. OFR006_102 Ref http://csi.cloudmark.com/reset-request/?ip=178.79.181.243 [102]
    Oct 20 13:14:52 hades postfix/smtp[18320]: E370D5968FE: host smtp-in.orange.fr[80.12.242.9] refused to talk to me: 550 mwinf5c10 ME Adresse IP source bloquee pour incident de spam. Client host blocked for spamming issues. OFR006_102 Ref http://csi.cloudmark.com/reset-request/?ip=178.79.181.243 [102]
    Oct 20 13:14:56 hades postfix/smtp[18287]: certificate verification failed for smtp-in.sfr.fr[93.17.128.165]:25: untrusted issuer /C=FR/O=Certplus/CN=Class 2 Primary CA
    Oct 20 13:14:56 hades postfix/smtp[18216]: 8B5B5256A1: to=<[email protected]>, relay=smtp-in.orange.fr[80.12.242.9]:25, delay=323774, delays=323764/0.15/10/0, dsn=4.0.0, status=deferred (host smtp-in.orange.fr[80.12.242.9] refused to talk to me: 550 mwinf5c10 ME Adresse IP source bloquee pour incident de spam. Client host blocked for spamming issues. OFR006_102 Ref http://csi.cloudmark.com/reset-request/?ip=178.79.181.243 [102])
    Oct 20 13:14:57 hades postfix/smtp[18257]: 5B78F59693B: to=<[email protected]>, relay=smtp-in.orange.fr[80.12.242.9]:25, delay=327867, delays=327856/0.38/10/0, dsn=4.0.0, status=deferred (host smtp-in.orange.fr[80.12.242.9] refused to talk to me: 550 mwinf5c10 ME Adresse IP source bloquee pour incident de spam. Client host blocked for spamming issues. OFR006_102 Ref http://csi.cloudmark.com/reset-request/?ip=178.79.181.243 [102])
    Oct 20 13:14:57 hades postfix/smtp[18320]: E370D5968FE: to=<[email protected]>, relay=smtp-in.orange.fr[193.252.22.65]:25, delay=327991, delays=327980/0.58/10/0, dsn=4.0.0, status=deferred (host smtp-in.orange.fr[193.252.22.65] refused to talk to me: 550 mwinf5c10 ME Adresse IP source bloquee pour incident de spam. Client host blocked for spamming issues. OFR006_102 Ref http://csi.cloudmark.com/reset-request/?ip=178.79.181.243 [102])
    Oct 20 13:14:57 hades postfix/smtp[18200]: E463025096: to=<[email protected]>, relay=smtp-in.orange.fr[193.252.22.65]:25, delay=432889, delays=432878/0.58/10/0, dsn=4.0.0, status=deferred (host smtp-in.orange.fr[193.252.22.65] refused to talk to me: 550 mwinf5c10 ME Adresse IP source bloquee pour incident de spam. Client host blocked for spamming issues. OFR006_102 Ref http://csi.cloudmark.com/reset-request/?ip=178.79.181.243 [102])
    Oct 20 13:14:57 hades postfix/qmgr[3545]: E463025096: from=<[email protected]>, status=expired, returned to sender
    Oct 20 13:14:57 hades postfix/cleanup[18128]: 8B884237D3: message-id=<[email protected]>
    Oct 20 13:14:57 hades postfix/bounce[18233]: E463025096: sender non-delivery notification: 8B884237D3
    Oct 20 13:14:57 hades postfix/qmgr[3545]: 8B884237D3: from=<>, size=3758, nrcpt=1 (queue active)
    Oct 20 13:14:57 hades postfix/qmgr[3545]: E463025096: removed
    Oct 20 13:14:57 hades postfix/smtp[18294]: 8B884237D3: to=<[email protected]>, relay=none, delay=0.01, delays=0/0/0/0, dsn=5.4.6, status=bounced (mail for emmacheyne.com loops back to myself)
    Oct 20 13:14:57 hades postfix/qmgr[3545]: 8B884237D3: removed
    Oct 20 13:14:58 hades postfix/smtp[18274]: certificate verification failed for cluster1a.uk.messagelabs.com[85.158.139.103]:25: untrusted issuer /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
    Oct 20 13:14:58 hades postfix/smtp[18274]: C6244595F8D: to=<[email protected]>, relay=cluster1a.uk.messagelabs.com[85.158.139.103]:25, delay=353679, delays=353667/0.49/12/0.03, dsn=4.0.0, status=deferred (host cluster1a.uk.messagelabs.com[85.158.139.103] said: 421 Service Temporarily Unavailable (in reply to RCPT TO command))
    Oct 20 13:15:01 hades postfix/smtp[18231]: 0BB605961BC: host etb-1.mail.tiscali.it[213.205.33.63] refused to talk to me: 554 imp-1.mail.tiscali.it XQF11r01i5FVNl601 IP: 178.79.181.243, You are not allowed to send mail. Please see http://www.spamhaus.org/query/ip/178.79.181.243 You are listed in Spamhaus ZEN
    Oct 20 13:15:01 hades postfix/smtpd[18108]: connect from localhost.localdomain[127.0.0.1]
    Oct 20 13:15:01 hades postfix/smtpd[18108]: lost connection after CONNECT from localhost.localdomain[127.0.0.1]
    Oct 20 13:15:01 hades postfix/smtpd[18108]: disconnect from localhost.localdomain[127.0.0.1]
    Oct 20 13:15:01 hades pop3d: Connection, ip=[::ffff:127.0.0.1]
    Oct 20 13:15:01 hades pop3d: Disconnected, ip=[::ffff:127.0.0.1]
    
    Mail Warn-Log:
    Code:
    Oct 20 13:11:55 hades postfix/smtpd[16973]: warning: unknown[109.98.160.227]: SASL PLAIN authentication failed: authentication failure
    Oct 20 13:11:57 hades postfix/smtpd[16973]: warning: unknown[109.98.160.227]: SASL LOGIN authentication failed: authentication failure
    Oct 20 13:12:03 hades postfix/smtpd[16973]: warning: SASL authentication failure: Password verification failed
    Oct 20 13:12:03 hades postfix/smtpd[16973]: warning: unknown[109.98.160.227]: SASL PLAIN authentication failed: authentication failure
    Oct 20 13:12:03 hades postfix/smtpd[18108]: warning: SASL authentication failure: Password verification failed
    Oct 20 13:12:03 hades postfix/smtpd[18108]: warning: unknown[109.98.160.227]: SASL PLAIN authentication failed: authentication failure
    Oct 20 13:12:03 hades postfix/smtpd[16973]: warning: unknown[109.98.160.227]: SASL LOGIN authentication failed: authentication failure
    Oct 20 13:12:03 hades postfix/smtpd[18108]: warning: unknown[109.98.160.227]: SASL LOGIN authentication failed: authentication failure
    Oct 20 13:12:09 hades postfix/smtpd[16973]: warning: SASL authentication failure: Password verification failed
    Oct 20 13:12:09 hades postfix/smtpd[16973]: warning: unknown[109.98.160.227]: SASL PLAIN authentication failed: authentication failure
    Oct 20 13:12:09 hades postfix/smtpd[16973]: warning: unknown[109.98.160.227]: SASL LOGIN authentication failed: authentication failure
    Oct 20 13:12:29 hades postfix/smtpd[18108]: warning: unknown[222.236.44.34]: SASL LOGIN authentication failed: authentication failure
    Oct 20 13:24:19 hades postfix/smtpd[18960]: warning: 69.12.86.131: address not listed for hostname 69.12.86.131.static.quadranet.com
    
    I *think* I have two problems:
    * First, something somewhere is compromised, and sending out loads of spam emails. I've disabled the clients/mailboxes/etc associated with the domain popping up in the logs (emmacheyne.com), but that doesn't seem to be stopping them.
    * Second, I think there may be an SSL/email configuration issue, as I'm getting authentication failures from accounts which should be able to log in.

    EDIT: I'm using ISP Config 3 on Ubuntu 10.04.4 LTS


    Any help and suggestions for resolutions would be greatly appreciated!

    Thanks,
    Ben
     
    Last edited: Oct 20, 2015
  2. Nebhead

    Nebhead New Member

    (Logs are much-shortened to fit within the forum's max character limit)
     
  3. Nebhead

    Nebhead New Member

    The test script gives me the following:

    Code:
    ##### SERVER #####
    IP-address (as per hostname): ***.***.***.***
    IP-address(es) (as per ifconfig): ***.***.***.***
    [INFO] ISPConfig is installed.
    [WARN] /usr/local/ispconfig/server/lib/config.inc.php is missing.
    
    ##### VERSION CHECK #####
    
    [INFO] php (cli) version is 5.3.2-1ubuntu4.30
    
    ##### PORT CHECK #####
    
    
    ##### MAIL SERVER CHECK #####
    
    [WARN] I found no "submission" entry in your postfix master.cf
    [INFO] this is not critical, but if you want to offer port 587 for smtp connections you have to enable this.
    
    ##### RUNNING SERVER PROCESSES #####
    
    [WARN] I could not determine which web server is running.
    [WARN] I could not determine which mail server is running.
    [WARN] I could not determine which pop3 server is running.
    [WARN] I could not determine which imap server is running.
    [WARN] I could not determine which ftp server is running.
    
    ##### LISTENING PORTS #####
    (only  ()
    Local  (Address)
    [localhost]:10024  (-)
    [localhost]:10025  (-)
    [anywhere]:3306  (-)
    [localhost]:783  (-)
    [anywhere]:8080  (-)
    [anywhere]:80  (-)
    [anywhere]:8081  (-)
    [anywhere]:465  (-)
    [anywhere]:21  (-)
    ***.***.***.***:53  (-)
    [localhost]:53  (-)
    [anywhere]:22  (-)
    [anywhere]:25  (-)
    [localhost]:953  (-)
    [anywhere]:443  (-)
    *:*:*:*::*:993  (-)
    *:*:*:*::*:995  (-)
    [localhost]10  (-)
    [localhost]43  (-)
    *:*:*:*::*:465  (-)
    *:*:*:*::*:21  (-)
    *:*:*:*::*:53  (-)
    *:*:*:*::*:22  (-)
    *:*:*:*::*:25  (-)
    *:*:*:*::*:953  (-)
    
    
     
  4. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Sounds like a broken/incomplete ispconfig install; fixing that might help both your mail issues. Does ISPconfig work at all? (Maybe the web gui works, but nothing in the backend seems to change/work ?)
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    And check the number of emails in the mail queue with "postqueue -p". For me it looks as if your server is sending spam e.g. through a hacked website or hacked email account.
     
  6. Nebhead

    Nebhead New Member

    ISPConfig itself seems to be working fine, it's just that mail clients can't authenticate. I saw that error, but can't seem to force a reconfiguration as I'm already on the latest version, and have no idea how to go about manually resolving that missing file.

    I think so too, but I'm not sure how to identify which account is compromised. I have disabled all accounts associated with the domain email is being sent from, but it doesn't appear to have stopped it.
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    download the ispconfig tar.gz file, unpack it and run the update.php script inside the install folder.

    run:

    postqueue -p

    to see whats in the mailqueue. Then use:

    postcat -q QUEUEID

    to inspect one of the emails. In the headers of the mail you should be able to see if it is sent by an authenticated account or by a php script.
     
  8. Nebhead

    Nebhead New Member

    Great, the test script now shows no errors:

    Code:
    ##### SERVER #####
    IP-address (as per hostname): ***.***.***.***
    IP-address(es) (as per ifconfig): ***.***.***.***
    [INFO] ISPConfig is installed.
    
    ##### ISPCONFIG #####
    ISPConfig version is 3.0.5.4p8
    
    
    ##### VERSION CHECK #####
    
    [INFO] php (cli) version is 5.3.2-1ubuntu4.30
    
    ##### PORT CHECK #####
    
    
    ##### MAIL SERVER CHECK #####
    
    [WARN] I found no "submission" entry in your postfix master.cf
    [INFO] this is not critical, but if you want to offer port 587 for smtp connections you have to enable this.
    
    ##### RUNNING SERVER PROCESSES #####
    
    [INFO] I found the following web server(s):
      Apache 2 (PID 27107)
    [INFO] I found the following mail server(s):
      Postfix (PID 25705)
    [INFO] I found the following pop3 server(s):
      Courier Mailserver (PID 27048)
    [INFO] I found the following imap server(s):
      Courier Mailserver (PID 27008)
    [INFO] I found the following ftp server(s):
      PureFTP (PID 27132)
    
    ##### LISTENING PORTS #####
    (only  ()
    Local  (Address)
    [localhost]:10024  (25941/amavisd)
    [localhost]:10025  (25705/master)
    [anywhere]:3306  (25549/mysqld)
    [localhost]:783  (2766/spamd.pid)
    [anywhere]:8080  (27107/apache2)
    [anywhere]:80  (27107/apache2)
    [anywhere]:8081  (27107/apache2)
    [anywhere]:465  (25705/master)
    [anywhere]:21  (27132/pure-ftpd)
    ***.***.***.***:53  (2603/named)
    [localhost]:53  (2603/named)
    [anywhere]:22  (2748/sshd)
    [anywhere]:25  (25705/master)
    [localhost]:953  (2603/named)
    [anywhere]:443  (27107/apache2)
    *:*:*:*::*:993  (27031/couriertcpd)
    *:*:*:*::*:995  (27071/couriertcpd)
    [localhost]10  (27048/couriertcpd)
    [localhost]43  (27008/couriertcpd)
    *:*:*:*::*:465  (25705/master)
    *:*:*:*::*:21  (27132/pure-ftpd)
    *:*:*:*::*:53  (2603/named)
    *:*:*:*::*:22  (2748/sshd)
    *:*:*:*::*:25  (25705/master)
    *:*:*:*::*:953  (2603/named)
    
    
    
    
    ##### IPTABLES #####
    Chain INPUT (policy ACCEPT)
    target  prot opt source  destination
    fail2ban-ssh  tcp  --  [anywhere]/0  [anywhere]/0  multiport dports 22
    
    Chain FORWARD (policy ACCEPT)
    target  prot opt source  destination
    
    Chain OUTPUT (policy ACCEPT)
    target  prot opt source  destination
    
    Chain fail2ban-ssh (1 references)
    target  prot opt source  destination
    RETURN  all  --  [anywhere]/0  [anywhere]/0
    

    I've figured out that it's a PHP script sending the spam, within the web files of the client account I've already deactivated. Is there a simple way to disable that user account, to stop everything under that user running, until I can patch things up? Or should I just delete the user (and therefore everything associated with them) and set them up again from scratch?

    Thanks,
    Ben
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Open website settings of this site, uncheck the active checkbox and press save.
     

Share This Page