Suspicious Email Logs...

From: Conall O'Brien (conall+postfix@conall.net)
Date: Sat Apr 01 2006 - 12:28:14 CST


Hello,

I've just noticed that my 2 backup MX postfix servers appear to have
sent more emails than I expect in a day, especially since my primary MX
is running fine.

Investigating my mail.logs has produced some interesting entries which
look like:

Apr 1 04:33:19 castor postfix/cleanup[21583]: B9CE3775: message-id=<20060401043319.B9CE3775@castor.asclepian.ie>
Apr 1 04:33:19 castor postfix/qmgr[21148]: B9CE3775: from=<>, size=52034, nrcpt=1 (queue active)
Apr 1 04:33:22 castor postfix/smtp[21586]: B9CE3775: to=<qvqls@fullermotion.com>, relay=mail13.webcontrolcenter.com[216.119.106.129], delay=3, status=sent (250 OK)
Apr 1 04:33:22 castor postfix/qmgr[21148]: B9CE3775: removed

The complete collection of suspicious logs for both servers is available
at http://icarus.asclepian.ie/~conall/suspicious.logs

I've considered the possibility of scatterback, which is an issue I
haven't specifically addressed previously, but grepping mail.log files
on my other MX servers for mentioned domain names reveals that in most
cases, this isn't scatterback (I did find 1 case). I'm also a little
suspicious because the message ID looks a little bit too deterministic
for my liking, looking at the least significant digits.

Hence I'd like to know if anyone else has seen this before. Any help is
appreciated...

Both servers are almost identically configured; diffing the output of
postconf -n shows only different values for $myhostname,
$smtpd_tls_cert_file and $smtpd_tls_key_file. Hence, below is the
postconf -n output for one server.

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
home_mailbox = Maildir/
inet_interfaces = all
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
myhostname = castor.asclepian.ie
mynetworks = 127.0.0.0/8
myorigin = $myhostname
recipient_delimiter = +
relay_domains = $mydestinations, $mx_backups
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_restrictions = permit_sasl_authenticated, reject_invalid_hostname, reject_unlisted_sender, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, permit_mynetworks, reject_unauth_destination, reject_rbl_client blackholes.mail-abuse.org, reject_rbl_client relays.ordb.org, reject_rbl_client sbl-xbl.spamhaus.org
smtpd_recipient_restrictions = permit_sasl_authenticated, check_policy_service inet:127.0.0.1:60000, check_relay_domains, reject_unauth_destination, permit_mynetworks
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_tls_cert_file = /etc/ssl/certs/castor.asclepian.ie.crt
smtpd_tls_key_file = /etc/ssl/private/castor.asclepian.ie.key
smtpd_use_tls = yes
tls_daemon_random_source = dev:/dev/urandom
tls_random_source = dev:/dev/urandom

--

Conall O'Brien

http://www.conall.net

GPG Key: http://www.conall.net/gpg/

Eagles may soar, but weasels don't get sucked into jet engines.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFELsY+Vg0IYe59x04RAheBAJwLIRDJPA+IzFCEnlo/YCB7llkT9QCfVtuT
PRZ4c7fWBPH5J+NEHV3Z5/I=
=mVIC
-----END PGP SIGNATURE-----
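The triage a reader would want to run over logs like the ones quoted in the post, as an added example (this is not the poster's code and not part of the original message). It groups Postfix syslog lines by queue id, then flags the combination that indicates bounces leaving a backup MX: a null envelope sender (from=<>), no smtpd "client=" line (so the message was injected locally rather than received over SMTP), and delivery to a domain the server is not an MX for. It also recognises the Message-ID form that Postfix's cleanup(8) assigns when a message arrives without one, YYYYMMDDHHMMSS.<queueid>@<myhostname>, which is exactly the "too deterministic" pattern in the post. The sample log is constructed: the first four lines are modelled on the post (with the stripped "@" restored), the rest are invented to show an ordinary inbound relay for contrast; the hostname and domain set are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the log lines quoted in the post above.
# The first four lines reproduce them; the remaining lines are invented to
# show a normal inbound relay to a domain this backup MX serves.
SAMPLE_LOG = """\
Apr  1 04:33:19 castor postfix/cleanup[21583]: B9CE3775: message-id=<20060401043319.B9CE3775@castor.asclepian.ie>
Apr  1 04:33:19 castor postfix/qmgr[21148]: B9CE3775: from=<>, size=52034, nrcpt=1 (queue active)
Apr  1 04:33:22 castor postfix/smtp[21586]: B9CE3775: to=<qvqls@fullermotion.com>, relay=mail13.webcontrolcenter.com[216.119.106.129], delay=3, status=sent (250 OK)
Apr  1 04:33:22 castor postfix/qmgr[21148]: B9CE3775: removed
Apr  1 05:10:01 castor postfix/smtpd[22001]: 1A2B3C4D: client=unknown[192.0.2.10]
Apr  1 05:10:01 castor postfix/cleanup[22002]: 1A2B3C4D: message-id=<abc123@example.net>
Apr  1 05:10:01 castor postfix/qmgr[21148]: 1A2B3C4D: from=<alice@example.net>, size=1200, nrcpt=1 (queue active)
Apr  1 05:10:02 castor postfix/smtp[22003]: 1A2B3C4D: to=<bob@asclepian.ie>, relay=icarus.asclepian.ie[198.51.100.5], delay=1, status=sent (250 OK)
Apr  1 05:10:02 castor postfix/qmgr[21148]: 1A2B3C4D: removed
"""

# Common prefix of every per-message Postfix log line: timestamp, host,
# daemon name, pid, queue id, then the daemon-specific remainder.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'postfix/(?P<prog>\w+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$'
)
MSGID_RE = re.compile(r'message-id=<([^>]*)>')
FROM_RE = re.compile(r'from=<([^>]*)>, size=(\d+), nrcpt=(\d+)')
TO_RE = re.compile(r'to=<([^>]*)>, relay=(\S+), delay=\S+, status=(\w+)')


def parse_postfix_log(text):
    """Group log lines by queue id into one record per message."""
    records = defaultdict(lambda: {'message_id': None, 'sender': None,
                                   'nrcpt': None, 'client': None,
                                   'deliveries': []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # connection lines, warnings etc. carry no queue id
        rec = records[m['qid']]
        prog, rest = m['prog'], m['rest']
        if prog == 'cleanup' and (mm := MSGID_RE.search(rest)):
            rec['message_id'] = mm.group(1)
        elif prog == 'qmgr' and (mm := FROM_RE.search(rest)):
            rec['sender'] = mm.group(1)       # '' means the null sender <>
            rec['nrcpt'] = int(mm.group(3))
        elif prog == 'smtpd' and rest.startswith('client='):
            rec['client'] = rest[len('client='):]
        elif prog == 'smtp' and (mm := TO_RE.search(rest)):
            rec['deliveries'].append({'to': mm.group(1), 'relay': mm.group(2),
                                      'status': mm.group(3)})
    return dict(records)


def is_postfix_generated_msgid(message_id, queue_id, myhostname):
    """True when the Message-ID has the form cleanup(8) synthesises for a
    message that arrived without one: YYYYMMDDHHMMSS.<queueid>@<myhostname>."""
    if not message_id:
        return False
    pattern = (r'^\d{14}\.' + re.escape(queue_id) + '@'
               + re.escape(myhostname) + '$')
    return re.match(pattern, message_id) is not None


def triage(records, myhostname, local_domains):
    """Return {queue_id: sorted flags}; 'probable-backscatter' marks a
    null-sender message this host delivered to a domain it does not serve."""
    out = {}
    for qid, rec in records.items():
        flags = set()
        if rec['sender'] == '':
            flags.add('null-sender')
        if rec['client'] is None:
            # No smtpd client= line: injected by bounce(8), pickup(8) or similar
            flags.add('locally-injected')
        if is_postfix_generated_msgid(rec['message_id'], qid, myhostname):
            flags.add('generated-msgid')
        for d in rec['deliveries']:
            domain = d['to'].rsplit('@', 1)[-1].lower()
            if d['status'] == 'sent' and domain not in local_domains:
                flags.add('sent-offsite')
        if {'null-sender', 'sent-offsite'} <= flags:
            flags.add('probable-backscatter')
        out[qid] = sorted(flags)
    return out


if __name__ == '__main__':
    # Hostname and served-domain set are assumptions taken from the post.
    recs = parse_postfix_log(SAMPLE_LOG)
    for qid, flags in triage(recs, 'castor.asclepian.ie', {'asclepian.ie'}).items():
        print(qid, recs[qid]['sender'] or '<>', ', '.join(flags) or '-')
```

Run it against a real mail.log with the server's own $myhostname and the union of $mydestination and $relay_domains as local_domains. A message that is locally injected, carries a cleanup-generated Message-ID, has a null sender and goes off-site is what a bounce produced on this host looks like; a backup MX that accepts mail for every address in its relay domains (no relay_recipient_maps) generates exactly those bounces for nonexistent recipients, which is the classic backscatter source and is worth ruling out before suspecting a compromise.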