ok, but my 1st issue is I am 99% sure that 25 is blocked at the primary FW, so I am guessing they could be getting to the webservers, using something there which is allowed to send to the public IP of the mailserver (they're on different networks).
I can try to patch over and use only the private, but can I see from postfix if it's direct or relaying from the webserver, and if so, add some details like what page name, etc.? Tnx, I am writing a quick iptables script to block everything but 22 and 25 from the webservers, so that will eliminate one thing. The reason I don't think it's that is when I test the mailserver with numerous online tests, it passes them all, which is why I think they're doing something on the webservers to send the mail, which is why I want to get the referrer.

Thanks

On Thu, Feb 23, 2012 at 3:59 PM, Wietse Venema <wie...@porcupine.org> wrote:

> lance raymond:
> > Feb 23 15:23:55 notices postfix/smtpd[539]: disconnect from
> > unknown[publicIP]
>
> Postfix has received a connection on the public IP address.
>
> > Feb 23 15:23:55 notices postfix/qmgr[7445]: 8477291A158: from=<
> > supp...@cashbullets.com>, size=3206, nrcpt=1 (queue active)
>
> Postfix has received mail that claims to be from supp...@cashbullets.com.
> This message is queued as 8477291A158.
>
> > Feb 23 15:23:55 notices postfix/error[519]: 8477291A158: to=<
> > tribeg...@yahoo.com>, relay=none, delay=0.14, delays=0.08/0.02/0/0.04,
> > dsn=4.7.1, status=deferred (delivery temporarily suspended: host
> > mta6.am0.yahoodns.net[209.191.88.254] refused to talk to me: 421 4.7.1
> > [TS03] All messages from publicIP will be permanently deferred; Retrying
> > will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html)
>
> Yahoo rejects the mail in the message queued as 8477291A158.
>
> > Feb 23 15:23:55 notices postfix/smtp[494]: 8B5F591A159: to=<
> > supp...@cashbullets.com>, relay=cashbullets.com[184.173.7.143]:25,
> > delay=0.35, delays=0.05/0.02/0.13/0.15, dsn=2.0.0, status=sent (250 OK
> > id=1S0fFJ-0005t
>
> This is a DIFFERENT email message (8B5F591A159), that Postfix sends
> to supp...@cashbullets.com, to inform them that the message could
> not be delivered.
>
> Apparently your problem is that Postfix is accepting SPAM on the
> public IP address.
>
> Wietse
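
The queue-ID walk-through in the quoted reply can be automated to answer the "direct or from the webserver" question. This is an added example, not part of the original thread: it groups Postfix log lines by queue ID and reports whether each message arrived over SMTP (the `client=` line smtpd logs on acceptance) or by local submission (the `uid=` line from pickup). The sample log, its addresses and the function name `trace_origins` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log; IPs and addresses are documentation placeholders.
SAMPLE_LOG = """\
Feb 23 15:23:54 notices postfix/smtpd[539]: connect from unknown[192.0.2.10]
Feb 23 15:23:55 notices postfix/smtpd[539]: 8477291A158: client=unknown[192.0.2.10]
Feb 23 15:23:55 notices postfix/qmgr[7445]: 8477291A158: from=<sender@example.com>, size=3206, nrcpt=1 (queue active)
Feb 23 15:23:55 notices postfix/error[519]: 8477291A158: to=<rcpt@example.net>, relay=none, delay=0.14, dsn=4.7.1, status=deferred (delivery temporarily suspended)
Feb 23 15:24:10 notices postfix/pickup[601]: 9C1D291A15A: uid=33 from=<www-data>
Feb 23 15:24:10 notices postfix/qmgr[7445]: 9C1D291A15A: from=<www-data@example.com>, size=812, nrcpt=1 (queue active)
Feb 23 15:24:11 notices postfix/smtp[494]: 9C1D291A15A: to=<rcpt2@example.net>, relay=mx.example.net[198.51.100.5]:25, delay=0.4, dsn=2.0.0, status=sent (250 OK)
"""

# Assumes short (hexadecimal) queue IDs, as in the log lines quoted in the thread.
LINE = re.compile(r"postfix/(?P<daemon>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)")
CLIENT = re.compile(r"client=(?P<host>[^\[]*)\[(?P<ip>[^\]]+)\]")
UID = re.compile(r"uid=(?P<uid>\d+)")
FROM = re.compile(r"from=<(?P<addr>[^>]*)>")
TO = re.compile(r"to=<(?P<addr>[^>]*)>.*?status=(?P<status>\w+)")

def trace_origins(log_text):
    """Group log lines by queue ID and record how each message entered Postfix."""
    msgs = defaultdict(lambda: {"origin": "unknown", "from": None, "rcpts": []})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # connect/disconnect lines carry no queue ID
        rec, rest, daemon = msgs[m["qid"]], m["rest"], m["daemon"]
        if daemon == "smtpd" and (c := CLIENT.search(rest)):
            rec["origin"] = f"smtp:{c['ip']}"        # accepted over SMTP from this client
        elif daemon == "pickup" and (u := UID.search(rest)):
            rec["origin"] = f"local:uid={u['uid']}"  # submitted locally on the mail host
        elif daemon == "qmgr" and (f := FROM.search(rest)):
            rec["from"] = f["addr"]                  # envelope sender as queued
        elif (t := TO.search(rest)):
            rec["rcpts"].append((t["addr"], t["status"]))  # per-recipient delivery result
    return dict(msgs)

if __name__ == "__main__":
    for qid, rec in trace_origins(SAMPLE_LOG).items():
        print(qid, rec["origin"], rec["from"], rec["rcpts"])
```

An `smtp:` origin carrying a webserver's address means the message was relayed through that host; any other client address means it was handed to the mail server directly.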