I am getting complaints about outbound mail going into spam, Yahoo is complaining about deferring mail, and I am seeing a lot of odd messages in the mail.log file; I will give examples shortly.
We use Google enterprise for our corporate domain to receive, so the in-house mail server is used for the webservers to send forgot-password mails, classified posts, etc. Those webservers are behind a load balancer but will all come from one IP. The postfix server has one public IP and the perimeter firewall has almost all ports locked down, so from the public, even a telnet to the IP on port 25 fails. The config file looks rather basic, with the only things I needed to provide being:

    relayhost =
    mynetworks = 127.0.0.0/8 publicIP/32 192.168.2.0/24

(192.168.2.0/24 is the private network.)

The errors in the logs, as a sample, are:

    Feb 23 15:23:55 notices postfix/qmgr[7445]: 8477291A158: from=< supp...@cashbullets.com>, size=3206, nrcpt=1 (queue active)
    Feb 23 15:23:55 notices postfix/smtpd[539]: disconnect from unknown[publicIP]
    Feb 23 15:23:55 notices postfix/error[519]: 8477291A158: to=< tribeg...@yahoo.com>, relay=none, delay=0.14, delays=0.08/0.02/0/0.04, dsn=4.7.1, status=deferred (delivery temporarily suspended: host mta6.am0.yahoodns.net[209.191.88.254] refused to talk to me: 421 4.7.1 [TS03] All messages from publicIP will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html)
    Feb 23 15:23:55 notices postfix/smtp[494]: 8B5F591A159: to=< supp...@cashbullets.com>, relay=cashbullets.com[184.173.7.143]:25, delay=0.35, delays=0.05/0.02/0.13/0.15, dsn=2.0.0, status=sent (250 OK id=1S0fFJ-0005t

Now, naturally you could guess that cashbullets.com is NOT my domain, so I was thinking people were using a classified form to submit the info, but it says relay=cashbullets.com with their public IP, so that has me puzzled.
There are other ones in the logs similar to that. Now I can start to pick them apart and block those IPs to narrow it down, but is there anything else I can do to get more verbose info in the logs, or other ideas on what/why/how this is being accessed? I am pretty confident, via the firewall, that they're not just getting in, so they're doing something at the remote webserver, but I need to get more details. Let me know if I need to provide anything else that could help. Thanks.
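As an added example (not part of the original post or of postfix itself), a small Python script that correlates the qmgr `from=` line with the smtp/error `to=` lines by queue id and flags messages whose envelope sender is not one of our own domains, or that hit a 4.7.1 deferral like the Yahoo TS03 one above. The log lines, addresses and the IP 192.0.2.10 are constructed to resemble the excerpt, and example.org as the only allowed sender domain is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the post's log excerpt (addresses and IPs are made up).
SAMPLE_LOG = """\
Feb 23 15:23:55 notices postfix/qmgr[7445]: 8477291A158: from=<support@cashbullets.com>, size=3206, nrcpt=1 (queue active)
Feb 23 15:23:55 notices postfix/smtpd[539]: disconnect from unknown[192.0.2.10]
Feb 23 15:23:55 notices postfix/error[519]: 8477291A158: to=<someone@yahoo.com>, relay=none, delay=0.14, delays=0.08/0.02/0/0.04, dsn=4.7.1, status=deferred (delivery temporarily suspended: host mta6.am0.yahoodns.net[209.191.88.254] refused to talk to me: 421 4.7.1 [TS03] All messages from 192.0.2.10 will be permanently deferred)
Feb 23 15:23:56 notices postfix/qmgr[7445]: 8B5F591A159: from=<noreply@example.org>, size=1200, nrcpt=1 (queue active)
Feb 23 15:23:56 notices postfix/smtp[494]: 8B5F591A159: to=<user@yahoo.com>, relay=mta5.am0.yahoodns.net[98.136.96.91]:25, delay=0.35, delays=0.05/0.02/0.13/0.15, dsn=2.0.0, status=sent (250 OK)
"""

FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")
TO_RE = re.compile(r"postfix/(?:smtp|error)\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>[^,]+),.*status=(?P<status>\w+) \((?P<detail>.*)\)$")

def parse_postfix(log_text):
    """Correlate qmgr 'from=' and smtp/error 'to=' lines by postfix queue id."""
    msgs = defaultdict(lambda: {"sender": None, "deliveries": []})
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:
            msgs[m["qid"]]["sender"] = m["sender"]
            continue
        m = TO_RE.search(line)
        if m:
            msgs[m["qid"]]["deliveries"].append({k: m[k] for k in ("rcpt", "relay", "status", "detail")})
    return dict(msgs)

def find_suspicious(log_text, allowed_sender_domains):
    """Return (queue id, reasons) for messages whose envelope sender is not one of our
    domains (null-sender bounces are flagged too) or which were deferred with a 4.7.1 code."""
    findings = []
    for qid, info in parse_postfix(log_text).items():
        sender_domain = (info["sender"] or "").rpartition("@")[2].lower()
        reasons = []
        if sender_domain not in allowed_sender_domains:
            reasons.append(f"foreign sender domain {sender_domain or '<>'}")
        for d in info["deliveries"]:
            if d["status"] == "deferred" and "4.7.1" in d["detail"]:
                reasons.append(f"4.7.1 deferral from {d['relay']} for {d['rcpt']}")
        if reasons:
            findings.append((qid, reasons))
    return findings

if __name__ == "__main__":
    for qid, reasons in find_suspicious(SAMPLE_LOG, {"example.org"}):
        print(qid, "; ".join(reasons))
```

Run it against the real mail.log with your own sender domains in the allowed set; every queue id it reports is one to trace back through the webserver's form-submission logs.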