Hi Guys, I need some help. I am being spammed with crap and I don't know how to deal with this; I have never had it before. I think I have disabled the offender's account from sending, but it's bringing my server to a halt.

Code:
2 postfix/smtp[10970]: connect to dnvrco-pub-iedge-vip.email.rr.com[107.14.73.70]:25: Connection timed out
May 8 12:27:58 ns312472 postfix/smtp[11037]: 1B271706237D: to=<[email protected]>, relay=none, delay=2976, delays=2609/276/90/0, dsn=4.4.1, status=deferred (connect to mx.adista.fr[212.51.161.49]:25: Connection timed out)
May 8 12:27:58 ns312472 postfix/smtp[10939]: connect to exdir-com.mail.eo.outlook.com[207.46.163.215]:25: Connection timed out
May 8 12:27:58 ns312472 postfix/smtp[10952]: connect to mta7.am0.yahoodns.net[66.196.118.36]:25: Connection timed out
May 8 12:27:58 ns312472 postfix/smtp[10978]: connect to mx2.free.fr[212.27.42.58]:25: Connection timed out
May 8 12:27:58 ns312472 postfix/smtp[11008]: connect to antespam.com[206.166.194.225]:25: Connection timed out
May 8 12:27:58 ns312472 postfix/smtp[11008]: 0A4697060C41: to=<[email protected]>, relay=none, delay=23017, delays=22950/37/30/0, dsn=4.4.1, status=deferred (connect to antespam.com[206.166.194.225]:25: Connection timed out)
May 8 12:27:58 ns312472 postfix/smtp[11002]: connect to plato.mx25.net[207.200.28.36]:25: Connection timed out
May 8 12:27:58 ns312472 postfix/smtp[10967]: connect to mx-eu.mail.am0.yahoodns.net[188.125.69.79]:25: Connection timed out
May 8 12:27:58 ns312472 postfix/smtp[11012]: connect to mail.eceti.com[74.50.117.244]:25: Connection timed out
May 8 12:27:58 ns312472 postfix/smtp[11015]: connect to mx4.mail.icloud.com[17.172.34.66]:25: Connection timed out
May 8 12:27:58 ns312472 postfix/smtp[10974]: connect to mx4.hotmail.com[65.55.92.152]:25: Connection timed out
May 8 12:27:58 ns312472 postfix/smtp[10963]: connect to olatheschools-com.mail.eo.outlook.com[207.46.163.215]:25: Connection timed out
May 8 12:27:58 ns312472 postfix/smtp[10967]: 033067062138: to=<[email protected]>, relay=none, delay=6287, delays=6219/37/30/0, dsn=4.4.1, status=deferred (connect to mx-eu.mail.am0.yahoodns.net[188.125.69.79]:25: Connection timed out)
May 8 12:27:58 ns312472 postfix/smtp[10966]: connect to mail.b-io.co[50.16.235.100]:25: Connection timed out
May 8 12:27:58 ns312472 postfix/smtp[10974]: 9E2FA70622B5: to=<[email protected]>, relay=none, delay=2331, delays=1964/217/150/0, dsn=4.4.1, status=deferred (connect to mx4.hotmail.com[65.55.92.152]:25: Connection timed out)
May 8 12:27:58 ns312472 postfix/smtp[11012]: 0A4697060C41: to=<[email protected]>, relay=none, delay=23018, delays=22950/37/30/0, dsn=4.4.1, status=deferred (connect to mail.eceti.com[74.50.117.244]:25: Connection timed out)
May 8 12:27:58 ns312472 postfix/smtp[10963]: 13A507062459: to=<[email protected]>, relay=none, delay=2849, delays=2481/277/91/0, dsn=4.4.1, status=deferred (connect to olatheschools-com.mail.eo.outlook.com[207.46.163.215]:25: Connection timed out)
May 8 12:27:58 ns312472 postfix/smtp[10966]: 95BA6706146B: to=<[email protected]>, relay=none, delay=18118, delays=17751/217/151/0, dsn=4.4.1, status=deferred (connect to mail.b-io.co[50.16.235.100]:25: Connection timed out)
May 8 12:27:58 ns312472 postfix/smtp[11016]: connect to avbspam2.avalonprop.com[206.16.201.117]:25: Connection timed out
May 8 12:27:58 ns312472 postfix/smtp[10991]: connect to melmail01.isn.infoplex.com.au[119.77.8.10]:25: Connection timed out
May 8 12:27:58 ns312472 postfix/smtp[10991]: 78673706246E: to=<[email protected]>, relay=none, delay=2268, delays=1901/307/61/0, dsn=4.4.1, status=deferred (connect to melmail01.isn.infoplex.com.au[119.77.8.10]:25: Connection timed out)
May 8 12:27:58 ns312472 postfix/smtp[10951]: connect to mail2.sitel.net[206.24.49.19]:25: Connection timed out
May 8 12:27:58 ns312472 postfix/smtp[10962]: connect to redred.com.mx1.arvig.rcimx.net[209.81.96.160]:25: Connection timed out
May 8 12:27:58 ns312472 postfix/smtp[10965]: connect to hudsonsalvage.com.mx1.megagate.rcimx.net[208.80.206.37]:25: Connection timed out
May 8 12:27:58 ns312472 postfix/smtp[10934]: connect to mx3.hotmail.com[65.55.37.120]:25: Connection timed out
May 8 12:27:58 ns312472 postfix/smtp[10965]: 9B5E7706141C: to=<[email protected]>, relay=none, delay=18184, delays=17817/217/151/0, dsn=4.4.1, status=deferred (connect to hudsonsalvage.com.mx1.megagate.rcimx.net[208.80.206.37]:25: Connection timed out)
May 8 12:27:59 ns312472 postfix/smtp[11010]: connect to gandycommunities-com01c.mail.protection.outlook.com[207.46.163.138]:25: Connection timed out
May 8 12:27:59 ns312472 postfix/smtp[11021]: connect to mail.apc.net[209.223.136.74]:25: Connection timed out
May 8 12:27:59 ns312472 postfix/smtp[11021]: 0854C70604AD: to=<[email protected]>, relay=none, delay=28710, delays=28642/37/30/0, dsn=4.4.1, status=deferred (connect to mail.apc.net[209.223.136.74]:25: Connection timed out)
May 8 12:27:59 ns312472 postfix/smtp[10986]: connect to xo-com.mail.protection.outlook.com[207.46.163.215]:25: Connection timed out
May 8 12:27:59 ns312472 postfix/smtp[10999]: connect to mx0a-000d4202.pphosted.com[67.231.145.47]:25: Connection timed out
May 8 12:27:59 ns312472 postfix/smtpd[12443]: connect from leasedline-static-080-228-094-034.ewe-ip-backbone.de[80.228.94.34]
May 8 12:27:59 ns312472 postfix/smtp[10971]: connect to mx5.mail.icloud.com[17.158.8.113]:25: Connection timed out
May 8 12:27:59 ns312472 postfix/smtp[10971]: 9EF607060D7C: to=<[email protected]>, relay=none, delay=22339, delays=21971/218/150/0, dsn=4.4.1, status=deferred (connect to mx5.mail.icloud.com[17.158.8.113]:25: Connection timed out)
May 8 12:27:59 ns312472 postfix/smtp[11011]: connect to mail.b-io.co[54.235.78.85]:25: Connection timed out
May 8 12:27:59 ns312472 postfix/error[14119]: 7D8E8706144A: to=<[email protected]>, relay=none, delay=17951, delays=17583/368/0/0.06, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx5.mail.icloud.com[17.158.8.113]:25: Connection timed out)
May 8 12:27:59 ns312472 postfix/error[14012]: 48E2E7061462: to=<[email protected]>, relay=none, delay=18130, delays=17762/368/0/0.06, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx5.mail.icloud.com[17.158.8.113]:25: Connection timed out)
May 8 12:27:59 ns312472 postfix/error[14012]: warning: connect to mysql server 127.0.0.1: Too many connections
May 8 12:27:59 ns312472 postfix/error[14012]: warning: mysql:/etc/postfix/mysql-virtual_relaydomains.cf: table lookup problem
May 8 12:27:59 ns312472 postfix/error[14012]: warning: 48E2E7061462: flush service failure
May 8 12:27:59 ns312472 postfix/error[14119]: warning: connect to mysql server 127.0.0.1: Too many connections
May 8 12:27:59 ns312472 postfix/error[14119]: warning: mysql:/etc/postfix/mysql-virtual_relaydomains.cf: table lookup problem
May 8 12:27:59 ns312472 postfix/error[14119]: warning: 7D8E8706144A: flush service failure
May 8 12:27:59 ns312472 postfix/smtpd[12443]: warning: proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf lookup error for "[email protected]"
May 8 12:27:59 ns312472 postfix/smtpd[12443]: NOQUEUE: reject: RCPT from leasedline-static-080-228-094-034.ewe-ip-backbone.de[80.228.94.34]: 451 4.3.0 <[email protected]>: Temporary lookup failure; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<leasedline-static-080-228-094-034.ewe-ip-backbone.de>
May 8 12:27:59 ns312472 postfix/smtpd[12443]: disconnect from leasedline-static-080-228-094-034.ewe-ip-backbone.de[80.228.94.34]
May 8 12:27:59 ns312472 postfix/smtp[11007]: connect to braxtonculler-com.mail.protection.outlook.com[207.46.163.247]:25: Connection timed out

Is there anything I can do? Thanks, Lee
Run postqueue -p to get a list of the mails in the queue, then use the postcat command to inspect one of these emails to ensure that you tracked down the right sender. Example for ID 590ED4DC2D34: postcat /var/spool/postfix/deferred/5/590ED4DC2D34 Check if there is an Authenticated sender header; that's the sending account. If there is no such header, check if there is an X-PHP header that shows the name of the sending script. When the email is sent through an authenticated user, then change its password and restart postfix, saslauthd and dovecot to ensure that the old password is not cached.
Hi Till, Thanks for that. I have changed the user's password. Is there a way to delete all the deferred emails? There are a lot. L
Hi, Thanks, sorry for this. When I run mailq | grep allmaintenance.biz | awk {'print $1′} | postsuper -d - it just does mailq | grep allmaintenance.biz | awk {'print $1′} | postsuper -d - > and it doesn't do anything. At least I am learning something! KRs Lee PS I fixed it, I took postfix offline and ran postsuper -d ALL. Thank you so much for your help; I have had loads of phone calls, as I use IMAP and it was making it crawl. Will stay subbed, as I have for the past 3 months!
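Till's queue inspection (postqueue -p, then postcat to find the authenticated sender or the X-PHP header) and Lee's per-domain deletion attempt both come down to parsing the same two outputs, so here is one added example covering both; it is Python 3 written for this page, not code from the thread, from ISPConfig or from Postfix, and every sample below is constructed. Two things about mailq output matter: each entry is a paragraph whose first line carries the queue ID (with a trailing * for active or ! for held), size, arrival time and envelope sender, and recipients sit on their own indented lines, so `grep DOMAIN | awk '{print $1}'` yields a mix of starred IDs and bare addresses that postsuper will not accept (the command as posted also never runs, because `{'print $1′}` has an unmatched quote and the `>` is the shell's continuation prompt). For the postcat side, the `(Authenticated sender: ...)` clause appears in the Received header only when smtpd_sasl_authenticated_header = yes (ISPConfig sets it); `with ESMTPA`/`ESMTPSA` in that header still marks a SMTP AUTH submission without it, and X-PHP-Originating-Script is what PHP adds when mail.add_x_header is on. Queue IDs, addresses and host names here are placeholders.

```python
"""Queue triage for a flooding Postfix server: parse `postqueue -p` (mailq)
output to rank senders and select queue IDs for a domain, and parse a
`postcat` dump to find the account or PHP script that injected a message.
All sample input is constructed for this example."""
import re
from collections import Counter

# Constructed `postqueue -p` output. '*' = entry is in the active queue,
# '!' = on hold; '(...)' lines are the last deferral reason.
MAILQ_SAMPLE = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
3A1B2C3D4E*    4567 Thu May  8 12:27:58  bob@example.org
                                         alice@example.net
                                         carol@example.com

5F6A7B8C9D     1234 Thu May  8 12:20:01  bob@example.org
(connect to mx.example.net[192.0.2.10]:25: Connection timed out)
                                         dave@example.net

0E1F2A3B4C!    2345 Thu May  8 11:59:30  MAILER-DAEMON
                                         bob@example.org

-- 8 Kbytes in 3 Requests.
"""

# Constructed `postcat -q <ID>` excerpts: one SMTP AUTH submission, one local
# injection by a PHP script (header from PHP's mail.add_x_header setting).
POSTCAT_AUTH = """\
*** ENVELOPE RECORDS deferred/3/3A1B2C3D4E ***
sender: bob@example.org
*** MESSAGE CONTENTS deferred/3/3A1B2C3D4E ***
Received: from [203.0.113.7] (unknown [203.0.113.7])
        (Authenticated sender: bob@example.org)
        by ns312472 (Postfix) with ESMTPA id 3A1B2C3D4E
From: "Bob" <bob@example.org>
Subject: hello
"""
POSTCAT_PHP = """\
*** ENVELOPE RECORDS deferred/7/7C8D9E0F1A ***
sender: www-data@ns312472
*** MESSAGE CONTENTS deferred/7/7C8D9E0F1A ***
Received: by ns312472 (Postfix, from userid 33)
        id 7C8D9E0F1A
X-PHP-Originating-Script: 1001:mailer.php
To: dave@example.net
Subject: hello
"""

HEAD_RE = re.compile(
    r"^(?P<qid>[0-9A-Za-z]+)(?P<flag>[*!]?)\s+(?P<size>\d+)\s+"
    r"(?P<arrival>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d)\s+(?P<sender>\S+)$"
)


def parse_mailq(text):
    """One dict per queue entry; column header, blank separators and the
    trailing '-- N Kbytes' summary are skipped."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HEAD_RE.match(line)          # only unindented entry heads match
        if m:
            cur = {"qid": m["qid"], "flag": m["flag"], "size": int(m["size"]),
                   "sender": m["sender"], "recipients": [], "reason": None}
            entries.append(cur)
            continue
        if not line.strip():
            cur = None                   # blank line ends the entry
            continue
        if cur is None:
            continue                     # header or summary line
        s = line.strip()
        if s.startswith("("):
            cur["reason"] = s.strip("()")
        else:
            cur["recipients"].append(s)
    return entries


def queue_ids_for_domain(entries, domain, sender_only=True):
    """Bare queue IDs (no */! marker) whose envelope sender, or optionally any
    recipient, is in `domain`; one per line is what `postsuper -d -` reads."""
    suffix = "@" + domain.lower()
    out = []
    for e in entries:
        addrs = [e["sender"]] + ([] if sender_only else e["recipients"])
        if any(a.lower().endswith(suffix) for a in addrs):
            out.append(e["qid"])
    return out


def naive_grep_awk(text, domain):
    """What `mailq | grep DOMAIN | awk '{print $1}'` actually produces."""
    return [line.split()[0] for line in text.splitlines() if domain in line]


def top_senders(entries, n=5):
    return Counter(e["sender"] for e in entries).most_common(n)


AUTH_RE = re.compile(r"\(Authenticated sender:\s*([^)\s]+)\)")
ESMTPA_RE = re.compile(r"\bwith E?SMTPS?A\b")
PHP_RE = re.compile(r"^X-PHP-Originating-Script:\s*(.+)$", re.M)


def find_origin(dump):
    """From postcat output: the SASL account if logged, whether the session was
    authenticated at all, and the PHP script name if PHP stamped it."""
    auth, php = AUTH_RE.search(dump), PHP_RE.search(dump)
    return {"auth_user": auth.group(1) if auth else None,
            "sasl_used": bool(auth or ESMTPA_RE.search(dump)),
            "php_script": php.group(1).strip() if php else None}


if __name__ == "__main__":
    q = parse_mailq(MAILQ_SAMPLE)
    print("top senders:", top_senders(q))
    print("IDs for postsuper -d -:", queue_ids_for_domain(q, "example.org"))
    print("naive pipeline gives:", naive_grep_awk(MAILQ_SAMPLE, "example.org"))
    print(find_origin(POSTCAT_AUTH), find_origin(POSTCAT_PHP))
```

Run it against real output with `postqueue -p | python3 triage.py` style plumbing of your own; on the thread's own Postfix version the path form `postcat /var/spool/postfix/deferred/5/ID` that Till gives works, and `postcat -q ID` is the equivalent on releases that have it. Pipe the IDs from `queue_ids_for_domain` into `postsuper -d -` only after `find_origin` has confirmed the account or script you expect.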
Hi Till, I am mostly there now, but now most of my clients' emails are not getting to their external recipients. I'm guessing that we are marked as spam; is there anything I can do at all? KRs Lee
Check your server at some RBL query service like http://multirbl.valli.org If it is listed you might request a de-listing, but that depends on the provider of each list.
Thanks Croydon, I am on 5, and I have registered to be removed from two of them. I will monitor over the weekend, and pray that my clients can send emails. Is it worth trying to use the failover IP to send emails out from? Also I have been seeing this, but from various amounts of IPs over the past few days. May 8 22:49:34 ns312472 postfix/smtpd[4538]: warning: unknown[31.31.107.247]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Any ideas? It's always the same user attempt, but a different IP. Should I just ignore it? It's about 1 x minute. KRs Lee
You might try using another IP for sending mails, but I don't think a failover IP is a good idea for that. Keep in mind that you have to adjust DNS and RDNS settings, too. Regarding the IMAP: I cannot tell you whether it is an attack or a user that has set up a wrong password in the mail client.
Hi Guys, Is there anything I can do about being seen as spam? My clients are just getting returned emails like:

>: host mx1.maildefender.net[195.90.97.115] said: 550 Rejected by content scanner (CMAE). See
host mx.avasin.plus.net[212.159.8.200] said: 552 Spam Message Rejected (in reply to end of DATA command)
said: 550 csi.mimecast.org Poor Reputation Sender. -

Is it just easier to ask OVH for a new IP address and set all the DNS up again? Is there something the scanner can do on the way out? Our reputation is good, and we do not appear to be on any blacklists. Using Debian 7 if this makes any difference. Sorry I'm being a pain; it's causing me frustration and I don't really know how to deal with it. Kind Regards, Lee

PS I have also found this:

DKIM (Domain Keys Identified Mail) Check
Domain Keys is a framework wherein a domain owner specifies a public key (or a set of public keys) in the domain's DNS records and signs all outgoing emails with one or more keys. A recipient email server can then verify if the email actually came from the domain specified. If the recipient email server finds that the keys do not match what is published, it can reject the emails. Alternately, when an email from this domain is authenticated using the keys, the recipient can accept it as genuine and bypass SPAM checks. Specifying Domain Key records for your domain and signing all your outgoing emails reduces the chances that emails from your domain will be considered as SPAM and thus increases the deliverability of your emails.
____
Email does not contain any DKIM/Domain Keys Signature and the published Domain Keys policy does not specify whether to accept or reject unsigned emails. Signing your outbound emails and clearly specifying a policy to accept signed emails will minimize chances of your email being considered as SPAM.
____
BATV is a mechanism wherein an outgoing email server adds a tag to the Envelope From address of all outgoing emails. For example, if an email goes out with From address <[email protected]>, the Envelope From is changed to <prvs=SBDGAUJ=[email protected]>, where 'SBDGAUJ' is the added tag. This tag is generated using an internal mechanism and is different for each email sent. If any bounce is received by the incoming email servers, they are checked to see if the bounce address has the proper tag (in the above case 'SBDGAUJ'). If not, the email is rejected. BATV ensures that your email users do not become victims of bounce floods.

Is this easy to implement?
You can enable DKIM in the current ISPConfig version by using the patch from Florian: http://blog.schaal-24.de/dkim/?lang=en https://git.schaal-24.de/ispconfig/dkim
Besides what Till said, you should ensure you are really not sending out spam. If for any reason (e.g. hacked websites or SMTP accounts) the server is sending spam, neither DKIM nor a new IP address will help.
Thanks for the links Till, I will check them out. Croydon, I am definitely not sending out spam. I only host a few domains and they are friends and family etc. Our reputation has gone from poor to good over the last few days.
Right, I'm mostly set.

relay=none, delay=0.19, delays=0.16/0/0/0.03, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to 127.0.0.1[127.0.0.1]:10026: Connection refused)

How can I get it to accept locally on 10026? See below the lines inserted from the script, which I had to do manually, as it was upset that I was on ISP P6.

$inet_socket_port = [10024,10026];
$forward_method = 'smtp:[127.0.0.1]:10025';
$notify_method = 'smtp:[127.0.0.1]:10027';
$interface_policy{'10026'} = 'ORIGINATING';
$policy_bank{'ORIGINATING'} = {
    originating => 1,
    smtpd_discard_ehlo_keywords => ['8BITMIME'],
    forward_method => 'smtp:[127.0.0.1]:10027',
};
@mynetworks = qw(0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16);
$signed_header_fields{'received'} = 0;
$enable_dkim_verification = 1;
$enable_dkim_signing = 1;
@dkim_signature_options_bysender_maps = ( { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );
Hi Till, It was my bad: I added the lines to the file, but in the wrong location, so I copied them over to /etc/amavis/cond.d/ and restarted, and it worked! I am happy to announce that so far, so good, and emails are getting through, even to Gmail (normally they go in spam). Is there a limit I can put in place so that if an authenticated user ever became compromised again, it would act something like f2ban, in that if you send more than 20 emails per 10 seconds, you get shut down? Thank you once again; I hopefully have a smooth-sailing hosting box going forward. I have been using ISP for a very long time (I think I started at V2) and this is the first time that I have really come up against something. I may as well ask, are there any other measures I should investigate going forward, to help secure/strengthen my installation?
You can do such limits with policyd. That's a policy daemon that implements email amount quotas for Postfix.
You can also use smtpd_client_message_rate_limit (the maximum number of message delivery requests that an SMTP client may make in the time interval specified with anvil_rate_time_unit, default 60s).
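The two answers above differ in what they count: smtpd_client_message_rate_limit is enforced by anvil per client IP, so a stolen password used from many addresses never reaches it, whereas a policy daemon such as policyd can key the quota on the SASL user, which is the "20 emails per 10 seconds and you get shut down" Lee asked for. The following is an added example of that mechanism in Python 3, written for this page and not policyd's or Postfix's own code. It speaks the access-policy protocol documented in Postfix's SMTPD_POLICY_README (smtpd sends name=value lines ended by a blank line; the service replies action=... and a blank line) and counts recipients per authenticated user over a sliding window. The listening address, port and main.cf line are assumptions for the example; policyd itself and the rest of the thread's configuration are untouched by it.

```python
"""Per-account submission quota as a Postfix SMTPD access policy service.
Assumed wiring (not from the thread):
    main.cf:  smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10040
with this script running unprivileged on 127.0.0.1:10040. The decision is made
at END-OF-MESSAGE, where Postfix supplies recipient_count and the check runs
once per message rather than once per RCPT."""
import socketserver
import threading
import time
from collections import defaultdict, deque

DEFER = "DEFER_IF_PERMIT 4.7.1 Message rate limit exceeded for this account, try again later"


class UserRateLimiter:
    """Sliding-window count of deliveries (recipients) per SASL user.
    Defaults match the limit asked for in the thread: 20 per 10 seconds."""

    def __init__(self, max_deliveries=20, window_seconds=10, clock=time.monotonic):
        self.max = max_deliveries
        self.window = window_seconds
        self.clock = clock                      # injectable for testing without sleeping
        self.lock = threading.Lock()            # handler threads share one limiter
        self.events = defaultdict(deque)        # user -> deque of (timestamp, deliveries)

    def allow(self, user, deliveries=1):
        now = self.clock()
        with self.lock:
            q = self.events[user]
            while q and now - q[0][0] >= self.window:
                q.popleft()
            used = sum(n for _, n in q)
            # The attempt is recorded even when refused: an account that keeps
            # hammering stays blocked until it has been quiet for a full window.
            q.append((now, deliveries))
            return used + deliveries <= self.max


def parse_request(text):
    """One policy request (up to its blank line) as a dict of attributes."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        key, _, value = line.partition("=")
        attrs[key] = value
    return attrs


def decide(limiter, attrs):
    """DUNNO leaves the verdict to the other restrictions; only authenticated
    submissions at END-OF-MESSAGE are counted against the user's quota."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    user = attrs.get("sasl_username", "")
    if not user or attrs.get("protocol_state") != "END-OF-MESSAGE":
        return "DUNNO"
    try:
        deliveries = max(1, int(attrs.get("recipient_count", "1")))
    except ValueError:
        deliveries = 1
    return "DUNNO" if limiter.allow(user, deliveries) else DEFER


class PolicyHandler(socketserver.StreamRequestHandler):
    limiter = UserRateLimiter()                 # shared by every connection

    def handle(self):
        # smtpd keeps one connection open and sends many requests on it.
        while True:
            lines = []
            while True:
                raw = self.rfile.readline()
                if not raw:
                    return                      # smtpd closed the connection
                line = raw.decode("utf-8", "replace").rstrip("\r\n")
                if not line:
                    break                       # blank line ends this request
                lines.append(line)
            attrs = parse_request("\n".join(lines))
            self.wfile.write(f"action={decide(self.limiter, attrs)}\n\n".encode())
            self.wfile.flush()


if __name__ == "__main__":
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler) as srv:
        srv.serve_forever()
```

DEFER_IF_PERMIT rather than REJECT keeps a legitimate user who merely hit a burst from losing mail (the client retries), while a flooding bot is held back for as long as it keeps trying; swap in REJECT if the account should fail hard. Test the service by hand with `postmap -q` style tooling of your own or by piping a request block into `nc 127.0.0.1 10040` before pointing Postfix at it, and keep `check_policy_service` after `permit_mynetworks` in the restriction list so locally generated mail is not counted.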