Postfix Problems: Server sending mail to members.linode.com
It was only a few days ago after installing logwatch that I realized Postfix has a ton of errors and has been like this for some time. It seems to be attempting to send mail to
Some other highlights:
1) Some mail is from
2) Some "from" fields are blank, they just say <>
3) One of the emails is from www-data to noreply@crushyourcompetition, status "bounced". I haven't sent any emails to that website. Maybe this is the key? Some files in my WordPress installs were chowned www-data but I fixed that. Not sure if that was an intrusion of any sort.
4) The reverse IP is set up correctly to my hostname (dig -x my server IP shows my hostname correctly listed). For a long time it wasn't and web page form mail and google apps still worked. However, now that I have it correctly I still see the same old errors in the mail.info log.
5) Using the following webpage to debug Postfix,
6) The server is able to send emails to me from logwatch successfully.
7) I tried to set up logrotate to send mail but it didn't recognize the "mail command" so I gave up.
In any case, I do not want my server sending spam of any kind, if that's what is going on here. I cannot figure out which program on my server is trying to send mail at all.
If you want to see the mail.info log for the past day or so, here's a pastebin link
The pastebin for my Postfix main.cf file is here:
Notes: my domains are edited out also. This only becomes a problem for me where $mydomain should be left as is? Following the VPSbible.com tut, that's how some of it was left in question. My comments are highlighted and prefixed by a double # to indicate where I'm a bit confused.
Thanks for any info you can provide.
Best regards
Jane
6 Replies
@forumstalker:
> Some other highlights:
> 2) Some "from" fields are blank, they just say <>
Most bounce mail (vacation notices too) use a null sender. That is normal.
> 3) One of the emails is from www-data to noreply@crushyourcompetition. status "bounced" . I haven't sent any emails to that website. Maybe this is the key? Some files in my wordpress installs were chowned www-data but I fixed that. Not sure if that was an intrusion of any sort.
Indication that your Website is sending email. The web server is owned by www-data so any email it sends will use that.
> 4) The reverse IP is set up correctly to my hostname (dig -x my server IP shows my hostname correctly listed). For a long time it wasn't and web page form mail and google apps still worked. However, now that I have it correctly I still see the same old errors in the mail.info log.
You provided no info to diagnose your DNS.
> 7) I tried to set up logrotate to send mail but it didn't recognize the "mail command" so I gave up.
No info provided on how you tried to set it up.
> If you want to see the mail.info log for the past day or so, here's a pastebin link
Obfuscated Data… If you can't figure it out, provide real data.
Thanks for responding to my post and for offering any help you can provide. I responded to some of your questions below:
> You provided no info to diagnose your DNS.
I'm not really sure how to diagnose my DNS thoroughly/properly. I used the "check" feature in the linode DNS admin panel and they all say "OK." Otherwise from observing how a few people have checked DNS in this email forum,
Here is the dig -x of my IP:
; <<>> DiG 9.7.0-P1 <<>> -x XXX.XXX.XXX.XX
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21095
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 0
;; QUESTION SECTION:
;XX.XXX.XXX.XXX.in-addr.arpa. IN PTR
;; ANSWER SECTION:
XX.XXX.XXX.XXX.in-addr.arpa. 86400 IN PTR myhost.mydomain.com.
;; AUTHORITY SECTION:
XXX.XXX.XXX.in-addr.arpa. 86400 IN NS ns1.linode.com.
XXX.XXX.XXX.in-addr.arpa. 86400 IN NS ns4.linode.com.
XXX.XXX.XXX.in-addr.arpa. 86400 IN NS ns5.linode.com.
XXX.XXX.XXX.in-addr.arpa. 86400 IN NS ns3.linode.com.
XXX.XXX.XXX.in-addr.arpa. 86400 IN NS ns2.linode.com.
;; Query time: 32 msec
;; SERVER: XX.XXX.XXX.X#XX(XX.XXX.XXX.4)
;; WHEN: Thu Jul 5 06:00:53 2012
;; MSG SIZE rcvd: 185
Linked below is a screenshot of what logwatch reports for Postfix here. If you need any more information let me know.
> 7) I said: I tried to set up logrotate to send mail but it didn't recognize the "mail command" so I gave up.
You said: No info provided on how you tried to set it up.
I added a "mail" command to the stanza in my "allwebsites" file in the logrotate.d folder, just like below:
/home/username/pathtomywordpresslogs/*/log/*log
{
rotate 5
daily
compress
delaycompress
sharedscripts
postrotate
mail me@myemailaddress.com
/etc/init.d/nginx restart
endscript
}
Doing a test verbose (vfd?) logrotate run gives me an "unexpected text" error. No logs have ever been sent to me.
> I said: If you want to see the mail.info log for the past day or so, here's a pastebin link…
You said: Obfuscated Data… If you can't figure it out, provide real data.
Here is a look at it without the redacted IPs. The members.linode IP is not my server IP. My server IP is very different from this.
A small sample of it is here:
Jul 5 09:00:49 myhost postfix/qmgr[2247]: E6673633C5: from=<>, size=3003, nrcpt=1 (queue active)
Jul 5 09:00:49 myhost postfix/smtp[4263]: connect to members.linode.com[67.18.186.61]:25: Connection refused
Jul 5 09:00:49 myhost postfix/smtp[4264]: connect to members.linode.com[67.18.186.61]:25: Connection refused
Jul 5 09:00:49 myhost postfix/smtp[4263]: CECFC633F6: to=<root@members.linode.com>, relay=none, delay=267101, delays=267101/0.3/0.05/0, dsn=4.4.1, status=deferred (connect to members.linode.com[67.18.186.61]:25: Connection refused)
Jul 5 09:00:49 myhost postfix/smtp[4264]: AC8D8633EC: to=<root@members.linode.com>, relay=none, delay=178897, delays=178897/0.06/0.05/0, dsn=4.4.1, status=deferred (connect to members.linode.com[67.18.186.61]:25: Connection refused)
Jul 5 09:00:49 myhost postfix/smtp[4265]: connect to members.linode.com[67.18.186.61]:25: Connection refused
Jul 5 09:00:49 myhost postfix/smtp[4265]: E6673633C5: to=<root@members.linode.com>, relay=none, delay=354892, delays=354892/0.04/0.05/0, dsn=4.4.1, status=deferred (connect to members.linode.com[67.18.186.61]:25: Connection refused)
Jul 5 09:10:48 myhost postfix/qmgr[2247]: 5EF7C633E4: from=<>, size=2934, nrcpt=1 (queue active)
Jul 5 09:10:48 myhost postfix/qmgr[2247]: BF9A663404: from=<>, size=2947, nrcpt=1 (queue active)
Jul 5 09:10:48 myhost postfix/smtp[4281]: connect to members.linode.com[67.18.186.61]:25: Connection refused
Jul 5 09:10:48 myhost postfix/smtp[4282]: connect to members.linode.com[67.18.186.61]:25: Connection refused
Jul 5 09:10:48 myhost postfix/smtp[4281]: 5EF7C633E4: to=<root@members.linode.com>, relay=none, delay=92852, delays=92852/0.01/0.05/0, dsn=4.4.1, status=deferred (connect to members.linode.com[67.18.186.61]:25: Connection refused)
Jul 5 09:10:48 myhost postfix/smtp[4282]: BF9A663404: to=<root@members.linode.com>, relay=none, delay=9001, delays=9001/0.01/0.04/0, dsn=4.4.1, status=deferred (connect to members.linode.com[67.18.186.61]:25: Connection refused)
Thanks again.
P. S. My /etc/aliases file reads:
root: myusername
#myorigin = /etc/mailname
myorigin = $mydomain
Full code listed in the postfix main.cf here:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
##myorigin = /etc/mailname
myorigin = $mydomain
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = myhost.mydomain.co
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
#mydestination = myhost.mydomain.com, XXXXX.members.linode.com, localhost.members.linode.com, localhost
mydestination = $mydomain, localhost.$mydomain, localhost
relayhost =
#mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
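Since the real question in this thread is whether this is spam leaving the box or system mail going astray, here is a small triage script I would run over mail.info. It is added here as an example, not code from the thread or from Postfix. The sample lines are constructed from the excerpt above (the www-data/bounced message is reconstructed from the first post with a made-up queue id, a documentation-range IP and an .example domain), and LOCAL_DOMAINS and SYSTEM_ACCOUNTS are assumed values. It groups qmgr/smtp lines by queue id, counts null-sender messages (bounces/DSNs), tallies deliveries per destination domain and status, and flags two patterns that matter here: a system account such as root addressed at a domain this host does not accept mail for, which points at myhostname/myorigin/mydestination, and mail originating under the web server user, which points at the web application rather than the MTA.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modeled on the mail.info excerpt quoted in the thread. The last two
# lines (queue id 1111AAAA22, IP 203.0.113.9, the .example domain) are made up to stand in
# for the www-data -> noreply@... "bounced" message described in the first post.
SAMPLE_LOG = """\
Jul 5 09:00:49 myhost postfix/qmgr[2247]: E6673633C5: from=<>, size=3003, nrcpt=1 (queue active)
Jul 5 09:00:49 myhost postfix/smtp[4263]: connect to members.linode.com[67.18.186.61]:25: Connection refused
Jul 5 09:00:49 myhost postfix/smtp[4263]: CECFC633F6: to=<root@members.linode.com>, relay=none, delay=267101, delays=267101/0.3/0.05/0, dsn=4.4.1, status=deferred (connect to members.linode.com[67.18.186.61]:25: Connection refused)
Jul 5 09:00:49 myhost postfix/smtp[4265]: E6673633C5: to=<root@members.linode.com>, relay=none, delay=354892, delays=354892/0.04/0.05/0, dsn=4.4.1, status=deferred (connect to members.linode.com[67.18.186.61]:25: Connection refused)
Jul 5 09:10:48 myhost postfix/qmgr[2247]: 5EF7C633E4: from=<>, size=2934, nrcpt=1 (queue active)
Jul 5 09:10:48 myhost postfix/smtp[4281]: 5EF7C633E4: to=<root@members.linode.com>, relay=none, delay=92852, delays=92852/0.01/0.05/0, dsn=4.4.1, status=deferred (connect to members.linode.com[67.18.186.61]:25: Connection refused)
Jul 5 09:12:00 myhost postfix/qmgr[2247]: 1111AAAA22: from=<www-data@myhost.mydomain.com>, size=512, nrcpt=1 (queue active)
Jul 5 09:12:01 myhost postfix/smtp[4290]: 1111AAAA22: to=<noreply@crushyourcompetition.example>, relay=mx.crushyourcompetition.example[203.0.113.9]:25, delay=1.2, delays=0.1/0.02/0.5/0.6, dsn=5.1.1, status=bounced (host said: 550 no such user)
"""

# Assumed: the domains this host accepts mail for (what mydestination should cover).
LOCAL_DOMAINS = {"mydomain.com", "myhost.mydomain.com", "localhost"}
# Assumed: accounts that only ever receive local system mail.
SYSTEM_ACCOUNTS = {"root", "www-data", "nobody", "postmaster"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<proc>\w+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$"
)
FROM_RE = re.compile(r"from=<(?P<sender>[^>]*)>, size=(?P<size>\d+), nrcpt=(?P<nrcpt>\d+)")
TO_RE = re.compile(
    r"to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>[^,]+),.*?dsn=(?P<dsn>[\d.]+), "
    r"status=(?P<status>\w+) \((?P<reason>.*)\)$"
)


def parse_postfix_log(text):
    """Group qmgr/smtp lines by queue id. Bare 'connect to ... refused' lines carry no
    queue id and are skipped; the per-recipient line that follows them has the detail."""
    msgs = defaultdict(lambda: {"sender": None, "size": 0, "deliveries": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        qid, rest = m.group("qid"), m.group("rest")
        f = FROM_RE.search(rest)
        if f:
            msgs[qid]["sender"] = f.group("sender")   # "" means the null sender <>
            msgs[qid]["size"] = int(f.group("size"))
            continue
        t = TO_RE.search(rest)
        if t:
            msgs[qid]["deliveries"].append(t.groupdict())
    return dict(msgs)


def triage(msgs, local_domains):
    local_domains = {d.lower() for d in local_domains}
    report = {
        "null_sender": 0,                 # from=<>: bounces/DSNs, normal in themselves
        "by_status": Counter(),           # (recipient domain, status) -> count
        "misrouted_system_mail": [],      # system account at a domain this host does not accept
        "web_generated": [],              # mail submitted under the web server user
    }
    for qid, msg in msgs.items():
        if msg["sender"] == "":
            report["null_sender"] += 1
        sender_user = (msg["sender"] or "").split("@")[0]
        for d in msg["deliveries"]:
            user, _, domain = d["rcpt"].rpartition("@")
            domain = domain.lower()
            report["by_status"][(domain, d["status"])] += 1
            if user in SYSTEM_ACCOUNTS and domain not in local_domains:
                report["misrouted_system_mail"].append((qid, d["rcpt"]))
            if sender_user == "www-data":
                report["web_generated"].append((qid, d["rcpt"], d["status"]))
    return report


def run_sample():
    return triage(parse_postfix_log(SAMPLE_LOG), LOCAL_DOMAINS)


if __name__ == "__main__":
    r = run_sample()
    print("null-sender (bounce/DSN) messages:", r["null_sender"])
    for (domain, status), n in sorted(r["by_status"].items()):
        print(f"  {n:3d}  {status:<9} -> {domain}")
    for qid, rcpt in r["misrouted_system_mail"]:
        print(f"system account at non-local domain: {qid} -> {rcpt} (check myhostname/myorigin/mydestination)")
    for qid, rcpt, status in r["web_generated"]:
        print(f"mail sent under the web server user: {qid} -> {rcpt} [{status}] (check the web app and its forms)")
```

To run it on the real thing, replace SAMPLE_LOG with the contents of /var/log/mail.info. On the excerpt above every deferred message to root@members.linode.com has a null sender, i.e. these are bounce notices addressed to root at the old members.linode.com hostname rather than outbound mail to strangers; the one message that does leave the box is the www-data one, which is the lead worth chasing on the web side.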
@forumstalker:
> mydestination = $cigarettegirl, localhost.$cigarettegirl, localhost
Don't put the $ in front of a literal string - it is used to represent a variable reference.
In other words:
$mydomain is OK
$mail.example.com should just be mail.example.com
If you have set $mydomain correctly (which it appears you now have), you probably want something more like
mydestination = $mydomain, localhost.$mydomain, localhost
EDIT:
Actually, now reading your original post it isn't clear to me where you want the mail generated by your server to end up. If you expect it to reach a google account, then you really just want mydestination to contain the localhost entries and maybe a $myhostname.
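To see what the $-in-front-of-a-literal mistake actually resolves to, here is a small checker, added as an example and not Postfix's own parser (whose rules are richer): it reads name = value lines, expands $name and ${name} the way the reply above describes, treats an undefined name as an empty string (an assumption about Postfix's behaviour, marked as such in the code), and lints for references to parameters that are neither set in the file nor on a short hand-written list of built-in parameter names. The two main.cf fragments are constructed from the mydestination lines quoted in this thread.

```python
import re

REF_RE = re.compile(r"\$(?:\{(\w+)\}|(\w+))")

# Parameters Postfix supplies defaults for even when main.cf does not set them.
# A small hand-picked subset for the lint, not an exhaustive table.
BUILTIN_PARAMS = {"myhostname", "mydomain", "myorigin", "mydestination", "mynetworks",
                  "mail_name", "data_directory", "config_directory", "queue_directory"}

# Constructed main.cf fragments: BAD_CF mirrors the literal-with-$ mistake quoted in the
# thread, GOOD_CF the corrected form from the reply.
BAD_CF = """\
myhostname = myhost.mydomain.com
mydomain = mydomain.com
myorigin = $mydomain
mydestination = $cigarettegirl, localhost.$cigarettegirl, localhost
"""
GOOD_CF = BAD_CF.replace("$cigarettegirl", "$mydomain")


def parse_main_cf(text):
    """name = value lines; lines starting with '#' are comments; a line that starts
    with whitespace continues the previous value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:
            params[last] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params


def expand(value, params, depth=0):
    """Expand $name / ${name} recursively. An undefined name expands to '' here;
    that this matches Postfix is an assumption of this example."""
    if depth > 20:
        raise ValueError("expansion too deep; a parameter probably refers to itself")
    return REF_RE.sub(
        lambda m: expand(params.get(m.group(1) or m.group(2), ""), params, depth + 1),
        value,
    )


def lint(params):
    """Flag $references that name nothing known, and parameters that refer to themselves."""
    findings = []
    for name, value in params.items():
        for m in REF_RE.finditer(value):
            ref = m.group(1) or m.group(2)
            if ref == name:
                findings.append(f"{name}: refers to itself")
            elif ref not in params and ref not in BUILTIN_PARAMS:
                findings.append(f"{name}: references undefined parameter ${ref} "
                                f"(did you mean the literal '{ref}'?)")
    return findings


def check(text, param="mydestination"):
    """Return (expanded value of `param`, lint findings) for a main.cf text."""
    params = parse_main_cf(text)
    findings = lint(params)
    if any(f.endswith("refers to itself") for f in findings):
        return None, findings          # expansion would never terminate
    return expand(params.get(param, ""), params), findings


if __name__ == "__main__":
    for label, cf in (("bad", BAD_CF), ("good", GOOD_CF)):
        expanded, findings = check(cf)
        print(f"{label}: mydestination -> {expanded!r}")
        for f in findings:
            print("   ", f)
```

The bad fragment expands mydestination to ", localhost., localhost", which is why mail for the real domain is not treated as local and ends up bouncing; the corrected fragment expands to "mydomain.com, localhost.mydomain.com, localhost". Running postconf -n on the live system shows the values as Postfix itself sees them, which is the check to make after any edit to main.cf.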
I tried changing my hostname setting to the following:
hostname = $myhostname
After I restarted Postfix I got the following error message:
postfix: fatal: dictionary mail_dict: macro processing error
[fail]
So I went to the backup main.cf I had when Postfix was initially installed and put it back to
myhostname = liXXX-XX.members.linode.com
Restarting Postfix didn't report any errors. Though I'm not sure if it should remain that way or back to my original setting of:
hostname = myhost.mydomain
I also removed the "$"s from the mydestination variable and still have the same error messages in my mail.info log.
mydestination = mydomain, localhost.mydomain, localhost
Best
Jane