*Update* I did get that ruleset up and allowed ONLY the webservers 25, and started it up. I tested by trying to telnet into 25 from the FW itself and got nothing. Telnet from the webservers and got right in. While that was going, mail was still flying by, so yes something webserver wise is being used.
So I guess the question changes to how do I debug remote to see what server/page is passing the mail to the postfix box.

Thanks

On Thu, Feb 23, 2012 at 4:06 PM, lance raymond <lance.raym...@gmail.com> wrote:

> ok, but my 1st issue is I am 99% sure that 25 is blocked at the primary FW, so I am guessing they could be getting to the webservers, using something there which is allowed to send to the public IP of the mailserver (they're on different networks).
>
> I can try to patch over and use only the private, but can I see from postfix if it's direct or relaying from the webserver, and if so, add some details like what page name, etc.?
>
> Tnx, I am writing a quick iptables script to block everything but 22 and 25 from the webservers, so that will eliminate one thing. The reason I don't think it's that is when I test the mailserver with numerous online tests, it passes them all which is why I think they're doing something on the webservers to send the mail which is why I want to get the referrer.
>
> Thanks
>
> On Thu, Feb 23, 2012 at 3:59 PM, Wietse Venema <wie...@porcupine.org> wrote:
>
>> lance raymond:
>> > Feb 23 15:23:55 notices postfix/smtpd[539]: disconnect from unknown[publicIP]
>>
>> Postfix has received a connection on the public IP address.
>>
>> > Feb 23 15:23:55 notices postfix/qmgr[7445]: 8477291A158: from=<supp...@cashbullets.com>, size=3206, nrcpt=1 (queue active)
>>
>> Postfix has received mail that claims to be from supp...@cashbullets.com.
>> This message is queued as 8477291A158.
>>
>> > Feb 23 15:23:55 notices postfix/error[519]: 8477291A158: to=<tribeg...@yahoo.com>, relay=none, delay=0.14, delays=0.08/0.02/0/0.04, dsn=4.7.1, status=deferred (delivery temporarily suspended: host mta6.am0.yahoodns.net[209.191.88.254] refused to talk to me: 421 4.7.1 [TS03] All messages from publicIP will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html)
>>
>> Yahoo rejects the mail in the message queued as 8477291A158.
>>
>> > Feb 23 15:23:55 notices postfix/smtp[494]: 8B5F591A159: to=<supp...@cashbullets.com>, relay=cashbullets.com[184.173.7.143]:25, delay=0.35, delays=0.05/0.02/0.13/0.15, dsn=2.0.0, status=sent (250 OK id=1S0fFJ-0005t
>>
>> This is a DIFFERENT email message (8B5F591A159), that Postfix sends
>> to supp...@cashbullets.com, to inform them that the message could
>> not be delivered.
>>
>> Apparently your problem is that Postfix is accepting SPAM on the
>> public IP address.
>>
>> Wietse
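
The question in this thread, whether a queued message arrived over SMTP from another host or was submitted locally, can be answered from the Postfix log by joining records on the queue ID: smtpd logs `client=host[ip]` and pickup logs `uid=N` for each message it accepts. The following is an added example, not code from the thread or from Postfix; the log lines are constructed, and `trace_origins` and `count_by_origin` are hypothetical helper names.

```python
import re
from collections import Counter

# Constructed sample in Postfix syslog format; hosts, addresses and queue IDs are made up.
SAMPLE_LOG = """\
Feb 23 15:23:55 mx postfix/smtpd[539]: 1A2B3C4D5E6: client=unknown[192.0.2.10]
Feb 23 15:23:55 mx postfix/qmgr[7445]: 1A2B3C4D5E6: from=<support@example.com>, size=3206, nrcpt=1 (queue active)
Feb 23 15:23:55 mx postfix/error[519]: 1A2B3C4D5E6: to=<user@example.net>, relay=none, dsn=4.7.1, status=deferred (suspended)
Feb 23 15:24:10 mx postfix/pickup[7444]: 6F7E8D9C0B1: uid=48 from=<apache>
Feb 23 15:24:10 mx postfix/qmgr[7445]: 6F7E8D9C0B1: from=<apache@example.com>, size=901, nrcpt=1 (queue active)
Feb 23 15:24:11 mx postfix/smtp[494]: 6F7E8D9C0B1: to=<user@example.org>, relay=mx.example.org[198.51.100.7]:25, dsn=2.0.0, status=sent (250 OK)
Feb 23 15:24:12 mx postfix/smtpd[541]: 0C0FFEE1234: client=web1.example.com[192.0.2.10]
Feb 23 15:24:12 mx postfix/qmgr[7445]: 0C0FFEE1234: from=<support@example.com>, size=3100, nrcpt=1 (queue active)
"""

# Assumes the short hexadecimal queue IDs Postfix uses by default.
LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]{6,}): (.*)$")
CLIENT = re.compile(r"client=(\S+?)\[([^\]]+)\]")
PICKUP = re.compile(r"uid=(\d+)")
SENDER = re.compile(r"^from=<([^>]*)>")
RCPT = re.compile(r"^to=<([^>]*)>")

def trace_origins(log_text):
    """Map each queue ID to how the message entered Postfix, its sender and recipients."""
    msgs = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # connect/disconnect and other lines carry no queue ID
        daemon, qid, rest = m.groups()
        rec = msgs.setdefault(qid, {"origin": None, "from": None, "to": []})
        if daemon == "smtpd" and (c := CLIENT.search(rest)):
            rec["origin"] = ("smtp", c.group(2))            # IP of the network client
        elif daemon == "pickup" and (u := PICKUP.search(rest)):
            rec["origin"] = ("local", "uid=" + u.group(1))  # submitted on the mail host itself
        elif daemon == "qmgr" and (s := SENDER.match(rest)):
            rec["from"] = s.group(1)
        elif (r := RCPT.match(rest)):
            rec["to"].append(r.group(1))
    return msgs

def count_by_origin(msgs):
    """Count queued messages per submitting client to surface the busiest source."""
    return Counter(rec["origin"] for rec in msgs.values() if rec["origin"])

if __name__ == "__main__":
    for origin, n in count_by_origin(trace_origins(SAMPLE_LOG)).most_common():
        print(n, *origin)
```

An `smtp` origin whose IP belongs to a webserver means the next place to look is that webserver's own access and mail logs; a `local` origin means the submitting process ran on the mail host under the logged uid.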