[lug] Am I spamming? postfix log question

Quentin Hartman qhartman at gmail.com
Tue Sep 2 10:22:47 MDT 2014


It looks like someone attempted to send through you and your server is
trying to tell them it won't deliver it, but it can't because of their
malformed sender info. So, no, based on this, I don't think you are
spamming. However, your smtp server is perhaps being overly polite in
trying to tell the spammer it won't deliver the message. I would suggest
hardening off your config a little more so that it will only accept
messages destined for you, and require some form of auth before accepting
send requests from clients. That way you won't clog up your system with
this sort of shenanigans. While you're in there it would be good to go over
the config more generally and make sure you are as optimal as possible.
There are lots of resources online that can be turned up with a search for
"hardening postfix".

QH


On Mon, Sep 1, 2014 at 12:59 PM, Chip Atkinson <chip at pupman.com> wrote:

> Hi folks,
>
> I'm going through my maillogs and I see entries like this:
>
> maillog-20140811:Aug  5 00:03:46 tedward postfix/cleanup[23181]: B64A11AE3AB2: message-id=<20140805060346.B64A11AE3AB2 at tedward.pupman.com>
>
> maillog-20140811:Aug  5 00:03:46 tedward postfix/qmgr[6868]: B64A11AE3AB2: from=<>, size=10913, nrcpt=1 (queue active)
>
> maillog-20140811:Aug  5 00:03:46 tedward postfix/bounce[23183]: 84C3A1AE3AA9: sender non-delivery notification: B64A11AE3AB2
>
> maillog-20140811:Aug  5 00:03:46 tedward postfix/smtp[23187]: B64A11AE3AB2: to=<BureauScores at natric.eu>, relay=hgsp68.natric.eu[162.253.152.22]:25, delay=0.24, delays=0/0.01/0.23/0, dsn=4.4.2, status=deferred (lost connection with hgsp68.natric.eu[162.253.152.22] while receiving the initial server greeting)
>
> maillog-20140811:Aug  5 00:12:38 tedward postfix/qmgr[6868]: B64A11AE3AB2: from=<>, size=10913, nrcpt=1 (queue active)
>
> maillog-20140811:Aug  5 00:12:38 tedward postfix/smtp[1505]: B64A11AE3AB2: to=<BureauScores at natric.eu>, relay=hgsp68.natric.eu[162.253.152.22]:25, delay=532, delays=532/0.01/0.19/0, dsn=4.4.2, status=deferred (lost connection with hgsp68.natric.eu[162.253.152.22] while receiving the initial server greeting)
>
> (Gaps added for clarity due to wrapping)
>
> To me it looks like my server got some email from "<>" and then tried to
> deliver to BureauScores at natric.edu.
>
> Is my interpretation correct, and if so, any suggestions on how to combat
> the problem?
>
> Here's postconf -n's output if that helps.
>
> Thanks in advance.
>
> Chip
>
>
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases, hash:/usr/local/mailman/data/aliases
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/libexec/postfix
> data_directory = /var/lib/postfix
> debug_peer_level = 2
> debug_peer_list = 167.88.120.115
> html_directory = no
> in_flow_delay = 1s
> inet_interfaces = all
> inet_protocols = ipv4
> local_recipient_maps =
> mail_owner = postfix
> mail_spool_directory = /var/spool/mail
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> masquerade_domains = pupman.com
> message_size_limit = 20480000
> mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
> mail.$mydomain, www.$mydomain, chip1.$mydomain, tedward.pupman.com,
> www.pupman.com
> mydomain = pupman.com
> myhostname = tedward.pupman.com
> mynetworks = 127.0.0.0/8, 167.88.120.115 [::1]/128
> myorigin = $mydomain
> newaliases_path = /usr/bin/newaliases.postfix
> owner_request_special = no
> proxy_interfaces = 167.88.120.115
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
> recipient_delimiter = +
> relay_domains = $mydestination, pupman.com,
> sample_directory = /usr/share/doc/postfix-2.6.6/samples
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> smtpd_client_restrictions = permit_mynetworks
> smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining,
> reject_unauth_destination
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname,
> reject_invalid_hostname, permit
> smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
> reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_non_fqdn_hostname,
> reject_invalid_hostname, reject_unauth_pipelining, reject_unauth_destination,
> check_client_access hash:/etc/postfix/rbl_override,
> reject_unknown_sender_domain, reject_unknown_recipient_domain,
> reject_rbl_client zen.spamhaus.org, reject_rbl_client dnsbl.njabl.net,
> reject_rbl_client bl.spamcop.net, reject_rbl_client cbl.abuseat.org,
> reject_rhsbl_helo dbl.spamhaus.org, reject_rhsbl_sender dbl.spamhaus.org,
> permit
> smtpd_sender_restrictions = permit_mynetworks,
> reject_unknown_sender_domain, reject_unknown_address
> unknown_local_recipient_reject_code = 550
>
>
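Reading the log the way the reply describes, as an added example that is not from the thread: this script groups Postfix records by queue id, ties each bounce daemon record to the message that produced it, and reports bounces that left for a remote relay together with the original client, the claimed sender and the local failure reason. The log records are constructed; hosts and addresses are invented.

```python
# Added example (not code from the post): tie each Postfix bounce record to its parent message so backscatter stands out.
import re
from collections import defaultdict
RECORD = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ postfix/(\w+)\[\d+\]: ([0-9A-F]+): (.*)$")
BOUNCE_OF = re.compile(r"sender non-delivery notification: ([0-9A-F]+)")
DELIVERY = re.compile(r"to=<([^>]*)>, relay=([^,]+),.*status=(\w+) \((.*)\)")
CLIENT = re.compile(r"client=(\S+)")
SENDER = re.compile(r"from=<([^>]*)>")
# Constructed records modelled on the thread's maillog; hosts and addresses are invented.
SAMPLE_LOG = """\
Aug  5 00:03:45 mx postfix/smtpd[23170]: 84C3A1AE3AA9: client=unknown[192.0.2.10]
Aug  5 00:03:45 mx postfix/qmgr[6868]: 84C3A1AE3AA9: from=<forged@victim.example>, size=10000, nrcpt=1 (queue active)
Aug  5 00:03:46 mx postfix/local[23180]: 84C3A1AE3AA9: to=<nosuchuser@mx.example>, relay=local, delay=0.1, delays=0.1/0/0/0, dsn=5.1.1, status=bounced (unknown user: "nosuchuser")
Aug  5 00:03:46 mx postfix/qmgr[6868]: B64A11AE3AB2: from=<>, size=10913, nrcpt=1 (queue active)
Aug  5 00:03:46 mx postfix/bounce[23183]: 84C3A1AE3AA9: sender non-delivery notification: B64A11AE3AB2
Aug  5 00:03:46 mx postfix/smtp[23187]: B64A11AE3AB2: to=<forged@victim.example>, relay=mail.victim.example[198.51.100.5]:25, delay=0.24, delays=0/0.01/0.23/0, dsn=4.4.2, status=deferred (lost connection with mail.victim.example[198.51.100.5] while receiving the initial server greeting)
"""

def parse(log_text):
    """Group records by queue id: qid -> [(program, detail), ...]."""
    by_qid = defaultdict(list)
    for line in log_text.splitlines():
        if m := RECORD.match(line):
            by_qid[m.group(2)].append((m.group(1), m.group(3)))
    return by_qid

def find_backscatter(log_text):
    """One dict per bounce Postfix handed to a remote relay, with its parent message's details."""
    found, by_qid = [], parse(log_text)
    for parent, records in by_qid.items():
        for prog, detail in records:
            if prog != "bounce" or not (m := BOUNCE_OF.search(detail)):
                continue
            info = {"parent": parent, "bounce": m.group(1), "client": None, "claimed_sender": None,
                    "failure": None, "bounce_to": None, "bounce_relay": None, "bounce_status": None}
            for p, d in records:  # records of the original message
                if p == "smtpd" and (c := CLIENT.search(d)):
                    info["client"] = c.group(1)
                elif p == "qmgr" and (s := SENDER.search(d)):
                    info["claimed_sender"] = s.group(1)
                elif dv := DELIVERY.search(d):
                    info["failure"] = dv.group(4)
            for p, d in by_qid.get(info["bounce"], []):  # records of the bounce it spawned
                if p == "smtp" and (dv := DELIVERY.search(d)):
                    info["bounce_to"], info["bounce_relay"], info["bounce_status"] = dv.group(1, 2, 3)
            # Accepted at SMTP time, rejected later by the local agent: what SMTP-time recipient checks prevent.
            info["accepted_then_bounced"] = bool(info["failure"] and info["failure"].startswith("unknown user"))
            if info["bounce_relay"]:
                found.append(info)
    return found
```

Run it over a real maillog by passing the file contents to find_backscatter(); a high count of hits whose accepted_then_bounced flag is set points at recipient validation, not relaying, as the thing to tighten.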

