Postfix is totally fsck'd...

Mike Klinke lsomike at futzin.com
Sat Jan 31 17:22:39 UTC 2004


On Saturday 31 January 2004 10:16, Lorenzo Prince wrote:
> I am guessing this has taken place over the last couple of days.  I
> first saw that I was getting fewer messages than usual.  This was
> not a problem, because I just thought that fewer people were
> sending messages.  Well, the problem got worse.  I now stopped
> receiving messages through fetchmail which I know should come every
> day without fail.  Then it started taking a long time to receive my
> cron messages.  I didn't receive a message yesterday that I should
> have gotten in the afternoon, and naturally, I thought it was the
> server that sent it (maybe something to do with this latest virus
> slowing down the server).  So I started sending test messages
> through the local server.  I sent about 5 tests and lost all of
> them.  I then checked the maillog
>
> grep postfix /var/log/maillog |less
>
> and according to the log, someone has found my postfix and is
> trying to use it as a relay to try to send hundreds or possibly
> thousands of messages to what looks like an alphabetical list of
> AOL users.  The problem is that Postfix seems to actually be
> relaying these messages and then picking up the bounces from AOL
> and relaying them back to the sender who has an empty from address.
>  I don't understand, however, how or why this is happening, as I
> have postfix configured to only accept local relays, and the log is
> saying the messages are coming from a remote sender.  When I do the
> relay test at mail-abuse.org, it tells me that my system appears to
> reject relay attempts.  I ended up having to switch my MTA to
> Sendmail, because Postfix is so backed up to the point that my
> system takes almost 5 minutes to boot, and messages delivered from
> local users to local users aren't even getting through anymore. 
> What can I do to solve the Postfix problem? What can I do to stop
> this relaying even though Postfix is configured not to relay from
> remote connections at all?  I started using postfix when I heard
> that sendmail had a history of insecurity.  Is this better now? 
> Should I just start using sendmail instead of Postfix?
>
> Thanks for any help
> PRINCE

Capture some of your smtp traffic with tcpdump and maybe you'll get an 
idea of the mechanism someone is using against your machine.  It may 
help you to zero in on the configuration parameter you need to check 
or point to some other problem.

Something like:

tcpdump -s 1500 port 25 -w capture.dump

Regards, Mike Klinke
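A tcpdump capture shows the SMTP dialogue, but the question the original poster needs answered ("is Postfix really relaying for a remote client, or is it generating bounces for mail it already accepted?") can also be read off the maillog once the lines are joined by queue ID, since Postfix logs the client= line, the from= line and each to=/relay= line under the same ID. The following Python script is an added example, not code from either message in this thread; the log lines it parses are constructed in the Postfix 2.x syslog format, and the hostnames, RFC 5737 documentation-range IPs, addresses and queue IDs are made up.

```python
"""Correlate Postfix maillog lines by queue ID and label every delivery
to a non-local relay as 'relayed' (remote client in, remote site out:
the open-relay symptom), 'backscatter' (a bounce Postfix generated for
a message it had already accepted) or 'outbound' (locally submitted).
Added example; the sample log below is constructed, not real data."""
import re
from collections import defaultdict

# Constructed sample: two messages handed in by a remote host for @aol.com
# addresses (one accepted by AOL, one rejected), one local cron mail, and
# the bounce Postfix itself produced for the rejected message.
SAMPLE_LOG = """\
Jan 31 10:05:13 mail postfix/smtpd[1234]: A1B2C3D4E5: client=unknown[192.0.2.10]
Jan 31 10:05:13 mail postfix/qmgr[1001]: A1B2C3D4E5: from=<spammer@example.net>, size=2048, nrcpt=1 (queue active)
Jan 31 10:05:14 mail postfix/smtp[1250]: A1B2C3D4E5: to=<aaron@aol.com>, relay=mailin-01.mx.aol.com[64.12.138.57], delay=1, status=sent (250 OK)
Jan 31 10:06:00 mail postfix/pickup[1002]: B2C3D4E5F6: uid=0 from=<root>
Jan 31 10:06:00 mail postfix/qmgr[1001]: B2C3D4E5F6: from=<root@mail.example.org>, size=512, nrcpt=1 (queue active)
Jan 31 10:06:01 mail postfix/local[1260]: B2C3D4E5F6: to=<root@mail.example.org>, relay=local, delay=1, status=sent (delivered to mailbox)
Jan 31 10:07:30 mail postfix/smtpd[1235]: C3D4E5F6A7: client=unknown[192.0.2.10]
Jan 31 10:07:30 mail postfix/qmgr[1001]: C3D4E5F6A7: from=<spammer@example.net>, size=2048, nrcpt=1 (queue active)
Jan 31 10:07:31 mail postfix/smtp[1251]: C3D4E5F6A7: to=<abby@aol.com>, relay=mailin-01.mx.aol.com[64.12.138.57], delay=1, status=bounced (host mailin-01.mx.aol.com[64.12.138.57] said: 550 MAILBOX NOT FOUND)
Jan 31 10:07:31 mail postfix/cleanup[1240]: D4E5F6A7B8: message-id=<20040131100731.D4E5F6A7B8@mail.example.org>
Jan 31 10:07:31 mail postfix/bounce[1270]: C3D4E5F6A7: sender non-delivery notification: D4E5F6A7B8
Jan 31 10:07:31 mail postfix/qmgr[1001]: D4E5F6A7B8: from=<>, size=3000, nrcpt=1 (queue active)
Jan 31 10:07:32 mail postfix/smtp[1252]: D4E5F6A7B8: to=<spammer@example.net>, relay=mx.example.net[198.51.100.5], delay=1, status=sent (250 OK)
"""

LINE_RE = re.compile(r'postfix/(?P<proc>\w+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$')
CLIENT_RE = re.compile(r'client=\S*?\[(?P<ip>[^\]]+)\]')
FROM_RE = re.compile(r'from=<(?P<addr>[^>]*)>')
TO_RE = re.compile(r'to=<(?P<to>[^>]*)>, relay=(?P<relay>[^,]+),.*status=(?P<status>\w+)')
BOUNCE_RE = re.compile(r'sender non-delivery notification: (?P<bounce_qid>[0-9A-F]+)')

LOCAL_CLIENTS = {"local", "127.0.0.1", "::1"}   # submissions that are not relaying
LOCAL_RELAYS = {"local", "virtual", "none"}     # deliveries that never left the box


def parse_maillog(text):
    """Group lines by queue ID: submitting client, envelope sender, every
    delivery attempt (recipient, relay, status) and, for bounces, the ID
    of the message the bounce was generated for."""
    msgs = defaultdict(lambda: {"client": "?", "sender": None,
                                "deliveries": [], "bounce_of": None})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        proc, qid, rest = m.group("proc", "qid", "rest")
        msg = msgs[qid]
        if proc == "pickup":            # came in through the maildrop, i.e. locally
            msg["client"] = "local"
        c = CLIENT_RE.search(rest)
        if c:
            msg["client"] = c.group("ip")
        f = FROM_RE.search(rest)
        if f and proc == "qmgr":        # qmgr logs the authoritative envelope sender
            msg["sender"] = f.group("addr")
        t = TO_RE.search(rest)
        if t:
            msg["deliveries"].append(t.group("to", "relay", "status"))
        b = BOUNCE_RE.search(rest)
        if b:                           # bounce daemon: this qid spawned a new bounce qid
            msgs[b.group("bounce_qid")]["bounce_of"] = qid
    return dict(msgs)


def classify(msgs):
    """One finding per delivery that went to a remote relay."""
    findings = []
    for qid, msg in sorted(msgs.items()):
        for to, relay, status in msg["deliveries"]:
            relay_host = relay.split("[")[0]
            if relay_host in LOCAL_RELAYS:
                continue
            if msg["bounce_of"] is not None:
                kind = "backscatter"
            elif msg["client"] in LOCAL_CLIENTS:
                kind = "outbound"
            elif msg["client"] == "?":
                kind = "unknown-origin"
            else:
                kind = "relayed"
            findings.append((qid, kind, msg["client"], msg["sender"], to, relay_host, status))
    return findings


def relay_sources(findings):
    """Relayed messages per client IP: the hosts to check against mynetworks
    and smtpd_recipient_restrictions, or to block outright."""
    counts = defaultdict(int)
    for _qid, kind, client, *_rest in findings:
        if kind == "relayed":
            counts[client] += 1
    return dict(counts)


if __name__ == "__main__":
    results = classify(parse_maillog(SAMPLE_LOG))
    for row in results:
        print("%s %-11s client=%-12s from=<%s> to=<%s> via %s (%s)" % row)
    print("relay sources:", relay_sources(results))
```

Run it against the real file with `parse_maillog(open("/var/log/maillog").read())`; a non-empty `relay_sources()` result is direct evidence that a remote client's mail was accepted and forwarded, which is the condition the mail-abuse.org probe tests for but only from its own address and with its own sender and recipient patterns. Lines labelled `backscatter` with an empty sender are Postfix bouncing mail it had already accepted, which a relay test never exercises.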
