On 2010-09-13 13:03, Richard Chapman wrote:
> Hi again Jasper... I think we are in the home straight, but I still
> have a couple of questions....:-)
>
> [snip]
> As you can probably guess - I have fiddled with quite a few things
> over the last few days - and may not have been as careful as I should
> have to note what I've changed and when. Here are a few weird new
> things... Maybe you can give me a clue what caused these. I have
> included postconf -n below.
>
> 1) I have seen a lot of this in the last 2 days:
> Sep 13 17:49:35 C5 postfix/smtpd[12397]: connect from 
> mail-iw0-f174.google.com[209.85.214.174]
> Sep 13 17:49:35 C5 postfix/smtpd[12397]: warning: Illegal address syntax from 
> mail-iw0-f174.google.com[209.85.214.174] in MAIL command: 
> <boo...@95.58.45.186>
> Sep 13 17:49:36 C5 postfix/smtpd[12397]: disconnect from 
> mail-iw0-f174.google.com[209.85.214.174]
> Sep 13 17:50:07 C5 postfix/smtpd[12397]: connect from localhost[127.0.0.1]
> Sep 13 17:50:07 C5 postfix/smtpd[12397]: warning: Illegal address syntax from 
> localhost[127.0.0.1] in MAIL command: <vice...@123.24.198.232>
> Sep 13 17:50:07 C5 postfix/smtpd[12397]: warning: Illegal address syntax from 
> localhost[127.0.0.1] in MAIL command: <cy...@116.118.47.120>
> Sep 13 17:50:07 C5 postfix/smtpd[12397]: warning: Illegal address syntax from 
> localhost[127.0.0.1] in MAIL command: <ja...@59.99.152.46>
> Sep 13 17:50:07 C5 postfix/smtpd[12397]: disconnect from localhost[127.0.0.1]
> Sep 13 17:53:27 C5 postfix/anvil[12399]: statistics: max connection rate 
> 1/60s for (smtp:209.85.214.174) at Sep 13 17:49:35
> Sep 13 17:53:27 C5 postfix/anvil[12399]: statistics: max connection count 1 
> for (smtp:209.85.214.174) at Sep 13 17:49:35
> Sep 13 17:53:27 C5 postfix/anvil[12399]: statistics: max cache size 1 at Sep 
> 13 17:49:35
>
> Even weirder:
> Sep 13 17:56:22 C5 postfix/postfix-script: starting the Postfix mail system
> Sep 13 17:56:22 C5 postfix/master[12586]: daemon started -- version 2.3.3, 
> configuration /etc/postfix
> Sep 13 18:00:07 C5 postfix/smtpd[12802]: connect from localhost[127.0.0.1]
> Sep 13 18:00:07 C5 postfix/smtpd[12802]: warning: Illegal address syntax from 
> localhost[127.0.0.1] in MAIL command: <vice...@123.24.198.232>
> Sep 13 18:00:07 C5 postfix/smtpd[12802]: warning: Illegal address syntax from 
> localhost[127.0.0.1] in MAIL command: <cy...@116.118.47.120>
> Sep 13 18:00:07 C5 postfix/smtpd[12802]: warning: Illegal address syntax from 
> localhost[127.0.0.1] in MAIL command: <ja...@59.99.152.46>
> Sep 13 18:00:08 C5 postfix/smtpd[12802]: 12E981D22332: 
> client=localhost[127.0.0.1]
> Sep 13 18:00:08 C5 postfix/cleanup[12806]: 12E981D22332: 
> message-id=<4c8e029b.c076b...@avaya.com>
> Sep 13 18:00:08 C5 postfix/qmgr[12588]: 12E981D22332: 
> from=<angeline_jeric...@avaya.com>, size=2464, nrcpt=1 (queue active)
> Sep 13 18:00:08 C5 spamd[2532]: spamd: connection from localhost [127.0.0.1] 
> at port 43970 
> Sep 13 18:00:08 C5 spamd[2532]: spamd: setuid to richard succeeded 
> Sep 13 18:00:08 C5 spamd[2532]: spamd: processing message 
> <4c8e029b.c076b...@avaya.com> for richard:500 
> Sep 13 18:00:08 C5 postfix/smtpd[12802]: disconnect from localhost[127.0.0.1]
> Sep 13 18:00:12 C5 spamd[2532]: spamd: identified spam (17.8/5.0) for 
> richard:500 in 4.8 seconds, 2592 bytes. 
> Sep 13 18:00:12 C5 spamd[2532]: spamd: result: Y 17 - 
> BAYES_99,HTML_MESSAGE,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,RCVD_IN_XBL,RDNS_NONE,URIBL_AB_SURBL,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL
>  
> scantime=4.8,size=2592,user=richard,uid=500,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=43970,mid=<4c8e029b.c076b...@avaya.com>,bayes=1.000000,autolearn=spam
>  
> Sep 13 18:00:13 C5 postfix/local[12807]: 12E981D22332: 
> to=<rich...@localhost.aardvark.com.au>, orig_to=<rich...@localhost>, 
> relay=local, delay=4.9, delays=0.06/0.01/0/4.9, dsn=2.0.0, status=sent 
> (delivered to command: procmail)
> Sep 13 18:00:13 C5 postfix/qmgr[12588]: 12E981D22332: removed
>   
>
> Note in the above case the illegal addresses seem to come from
> "localhost" without any connection from elsewhere since the server was
> restarted. I couldn't see anything stuck in the outgoing queue either.
>
> It looks like a virus somewhere - but I'm not sure where. All the
> Windows boxes here look well protected - but it almost looks like a
> virus on the CentOS box.. Seems very weird. Or have I seriously broken
> something?

I have noticed a few of those malformed addresses in my own logs, but
not from localhost. Do you run a content_filter or something similar
that would reinject mails to localhost? This definitely looks
suspicious; judging by the fact you run Postfix 2.3.3, there may be old
(and vulnerable) software on that machine. You should look into this.

> 2) You may recall that rchapman is an alias to richard on the local
> server. If I send email from a local client with rchap...@aardvark...
> as the from address - it arrives back with "rich...@aardvark... as the
> from address. I'm pretty sure this is new behaviour (rewriting the
> user-name) - and not ideal for my purposes. For reference - here is
> postconf -n:

Are you talking about envelope-from, header-from or both?
What do you mean with "arrives back"? A bounce?
Send a test mail to some remote account not handled by your mailserver,
and check the raw message on that end to see how it arrives. Also check
your own logs to see if any rewriting happens when sending the message.

> [config details]
>
> 3) Also - you made reference to my virtual domain set up. I re-read
> the virtual_readme and it looks to me like I am allowed to
> "implicitly" specify the virtual domain in the /etc/postfix/virtual
> file according to the procedure below:

Yes, that is indeed possible because virtual_alias_domains defaults to
virtual_alias_maps. I had forgotten about that.

> [docs excerpt]
>
> Am I misinterpreting this? This is what my /etc/postfix/virtual file
> looks like - including the first line...
>
> Thanks again for all your help. I have learned a lot - and would never
> have got here without your help.
>
> Richard.
>
> -- 
> Richard Chapman
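To separate the two cases the reply distinguishes (malformed MAIL FROM from a remote peer versus from 127.0.0.1, which means a process on the box itself is submitting the mail), here is an added log-triage example; it is not code from the thread or from Postfix, and the log lines, hostnames and IPs in it are constructed documentation values modelled on the postfix/smtpd lines quoted above.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the postfix/smtpd syslog lines quoted in the thread
# (hostnames, addresses and IPs are documentation values, not the ones from the thread).
SAMPLE_LOG = """\
Sep 13 17:49:35 C5 postfix/smtpd[12397]: connect from mx.example.net[198.51.100.7]
Sep 13 17:49:35 C5 postfix/smtpd[12397]: warning: Illegal address syntax from mx.example.net[198.51.100.7] in MAIL command: <bob@192.0.2.10>
Sep 13 17:49:36 C5 postfix/smtpd[12397]: disconnect from mx.example.net[198.51.100.7]
Sep 13 17:50:07 C5 postfix/smtpd[12397]: connect from localhost[127.0.0.1]
Sep 13 17:50:07 C5 postfix/smtpd[12397]: warning: Illegal address syntax from localhost[127.0.0.1] in MAIL command: <vic@192.0.2.11>
Sep 13 17:50:07 C5 postfix/smtpd[12397]: warning: Illegal address syntax from localhost[127.0.0.1] in MAIL command: <cy@192.0.2.12>
Sep 13 17:50:07 C5 postfix/smtpd[12397]: disconnect from localhost[127.0.0.1]
"""

WARN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[(?P<pid>\d+)\]: "
    r"warning: Illegal address syntax from (?P<client>[^\[]+)\[(?P<ip>[^\]]+)\] "
    r"in MAIL command: <(?P<addr>[^>]*)>$"
)
# user@1.2.3.4 with no brackets: an address literal must be written [1.2.3.4]
BARE_IP_DOMAIN_RE = re.compile(r"^[^@]+@\d{1,3}(?:\.\d{1,3}){3}$")


def parse_illegal_address_warnings(log_text):
    """Return one dict per 'Illegal address syntax' warning found in the log text."""
    events = []
    for line in log_text.splitlines():
        m = WARN_RE.match(line)
        if m:
            d = m.groupdict()
            # Flag the specific malformation seen in the thread: a bare dotted-quad
            # after '@', which Postfix refuses to accept as a domain.
            d["bare_ip_domain"] = bool(BARE_IP_DOMAIN_RE.match(d["addr"]))
            events.append(d)
    return events


def warnings_by_client_ip(events):
    """Count warnings per connecting IP; 127.0.0.1 means a process on the box itself."""
    return Counter(e["ip"] for e in events)


def loopback_warnings(events):
    """Warnings from loopback: no remote peer, so look for a local submitter
    (a content_filter reinjecting mail, a local script, or malware on the host)."""
    return [e for e in events if e["ip"] == "127.0.0.1"]
```

Run it over the real /var/log/maillog instead of SAMPLE_LOG and compare the pids of the loopback warnings with the queue IDs logged immediately after them, as in the second log excerpt, to see which local process is handing Postfix those addresses.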
