On Mon, Nov 05, 2012 at 05:18:23PM -0500, thorso...@lavabit.com wrote:
> Jeroen:
> > You may want to invest some time in learning the basics of email
> > and system administration; this list is not the place for that.
>
> I'm willing to learn. I assume that the best way to learn is to
> configure my own mail server. Am I wrong?
Learning by doing, and by reference to documentation, is the best
method indeed. Be advised that mail admin has prerequisites, and if
you're weak in those, the documentation might not make sense in
places. Among the prerequisites: familiarity with general Unix;
familiarity with your particular flavor thereof; basic understanding
of IP networking and troubleshooting; basic knowledge of SMTP and
email protocols (which parts do what, and why, and how); basic to
medium understanding of DNS, particularly in regard to how Internet
mail routing is controlled.
As P@rick rightly pointed out, we will help here with prerequisites.
But Jeroen's right too: you should not expect this mailing list to
take the place of all those things.
> >> Should I follow this [1] advice:
>
> > No. What do you think is the problem ?
>
> I thought that my server was compromised.
One of the first things I decided when I started learning system
administration was:
*** DON'T PANIC!!! ***
When you see something you don't understand, let that be your first
thought: "I don't understand this." If you think "my server was
compromised" every time you see something you don;t understand, you
won't do well, and you might drive yourself crazy in the process of
failure.
> I also thought that it can be used to organize a DDoS attack on
> my server. That's why I decided to configure fail2ban.
>
> Could you disprove (or comment on) the above?
Other posters tried to explain those logs you did not understand.
Please refer back to those posts.
1. Sometimes mail clients will connect and decide that they are
unable to complete their transaction as planned. There is no means
within the SMTP protocol and extensions for a client to tell the
server its reasoning. If you control the client, refer to client
logs.
2. If a connecting client lacks FCrDNS, Postfix will log it as
"unknown".
3. pickup(8):
"
NAME
pickup - Postfix local mail pickup
SYNOPSIS
pickup [generic Postfix daemon options]
DESCRIPTION
The pickup(8) daemon waits for hints that new mail has
been dropped into the maildrop directory, and feeds it
into the cleanup(8) daemon.
..."
In real terms, logging from pickup(8) means that someone (a shell
user) or some process running on your system used sendmail(1) to send
mail. It's not unusual for operating systems to ship with default
cron jobs (see crontab(1) and your OS/distro documentation) which try
to send mail.
There is absolutely no evidence in this thread that you have had a
compromise. Again:
*** DON'T PANIC!!! ***
Something else I should point out: you used "/var/log/mail.info" as
the subject of this thread. Typically that file is an incomplete
representation of syslog(3) "mail" facility logs; these would only be
logs of the "info" priority level.
You should look for and rely upon whatever file you have which
receives "mail.*" logs (all syslog priorities of the "mail"
facility.)
--
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
