On Tue, May 28, 2013 at 02:30:29PM +0800, Ramesh wrote:
> Our mail server is configured with Postfix version 2.4.5 with mailmarshal

2.4.5 is very old. Is the rest of the system this old? Have you kept up with all your OS distributor's security updates? Likewise, have you kept up-to-date on any software you might have installed outside the OS's packaging system?

> as content filter, recently mail server not responding because of
> huge mail queue, content filter cpu usage is 100%, my investigation
> found more than 18k mails are in queue, sender email address is
> m...@zbavitu.net
>
> I have manually deleted mails in content filter queue and deferred
> mails in mail server, now mail server functioning normally.

Did you save a spample (sample of the spams)?

> I wanted to investigate whether our mail server compromised or
> content filter (windows machine) infected.

Generally I would not suspect Postfix of compromise, but there are numerous attack vectors which are being probed every day on every Internet-connected machine. Does the Postfix machine also run a web server? A name server? An [in]secure shell server? There have been numerous known exploits of those services over the years since Postfix 2.4.5 (2007-07-31, nearly six years ago.)

> Please suggest methods to investigate so that will take precautions
> in future the same will not repeat.

Specific suggestions would depend on knowing what happened. You would need to share logs which show the *origin* of at least one of the spams. An exploit on the Postfix machine itself would show logs from "postfix/pickup" from the compromised account.

Of course, privilege escalation is a possibility as well, and you must rule that out. If you do not, logs (and everything!) are of dubious value.

Given the age of the Postfix, and the fact that 2.4.5 itself was 11 patchlevels behind the final update of Postfix 2.4 in 2011, I think the best advice is to reinstall a recent release of your OS of choice.
> I would like to know how to load balance a mail server, due to
> above issue mail server was down for 24 hours, we have secondary mx
> which queues mails when primary mx is down, is there any method
> where users can send or receive mails from secondary mx when
> primary is down.

That is not trivial, and is a matter outside the purview of Postfix. What you'd need is load balancing on your mail store, not your MTA. When Postfix delivers a message, it is done with it.

Postfix offers the administrator the postsuper(1) and postcat(1) tools for dealing with the queue and viewing queued mail, but these tools are not suitable for end users (and I would absolutely not recommend trying to work around that with a web frontend!)

Generally the best answer for people asking this is to improve the security and reliability of the primary MX host, and do away with your secondary MX spam magnet.
-- 
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
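The reply above says the useful evidence is the log line showing the *origin* of a spam: a "postfix/pickup" line (local submission by a Unix account) versus a "postfix/smtpd" line (delivery over the network). The following shell script, added here as an example and not part of the list post or of Postfix itself, joins those origin lines to the queue manager's "from=<...>" line by queue ID and counts how messages from one sender domain entered the system. The log lines are constructed samples in the standard syslog format Postfix writes; the queue IDs, the uid, the IP addresses and the mailbox part of the zbavitu.net address are placeholders, since the post only shows "m...@zbavitu.net".

```shell
#!/bin/sh
# Added example (not from the original thread): report how messages from a
# given sender domain entered Postfix, based on the mail log.
#
# Assumed log format (standard Postfix syslog lines):
#   ... postfix/pickup[PID]: QUEUEID: uid=N from=<addr>        (local submission)
#   ... postfix/smtpd[PID]:  QUEUEID: client=host[ip]         (network submission)
#   ... postfix/qmgr[PID]:   QUEUEID: from=<addr>, size=..., nrcpt=... (envelope sender)

# Constructed sample log: queue IDs, uid, hosts and addresses are made up.
SAMPLE_LOG='May 28 13:01:02 mx postfix/pickup[2001]: A1B2C3D4E5: uid=1004 from=<mXXXX@zbavitu.net>
May 28 13:01:02 mx postfix/cleanup[2002]: A1B2C3D4E5: message-id=<1@localhost>
May 28 13:01:02 mx postfix/qmgr[2003]: A1B2C3D4E5: from=<mXXXX@zbavitu.net>, size=1234, nrcpt=1 (queue active)
May 28 13:01:05 mx postfix/pickup[2001]: F6A7B8C9D0: uid=1004 from=<mXXXX@zbavitu.net>
May 28 13:01:05 mx postfix/qmgr[2003]: F6A7B8C9D0: from=<mXXXX@zbavitu.net>, size=1240, nrcpt=1 (queue active)
May 28 13:02:10 mx postfix/smtpd[2010]: 11223344AA: client=unknown[203.0.113.7]
May 28 13:02:10 mx postfix/qmgr[2003]: 11223344AA: from=<mXXXX@zbavitu.net>, size=1300, nrcpt=5 (queue active)
May 28 13:03:00 mx postfix/smtpd[2011]: BBCCDDEE00: client=mail.example.org[198.51.100.9]
May 28 13:03:00 mx postfix/qmgr[2003]: BBCCDDEE00: from=<alice@example.org>, size=800, nrcpt=1 (queue active)'

# Usage: spam_origin_report DOMAIN < /var/log/mail.log
# Prints "COUNT ORIGIN" lines, most frequent origin first. An origin of
# "pickup uid=N" means a local account submitted the mail (the case the
# reply above associates with a compromised account); "smtpd client=..."
# means it arrived over SMTP from that client.
spam_origin_report() {
    awk -v dom="$1" '
        # Local submission: remember uid for this queue ID.
        index($5, "postfix/pickup[") == 1 {
            qid = $6; sub(/:$/, "", qid)
            origin[qid] = "pickup " $7
            next
        }
        # Network submission: remember the connecting client.
        index($5, "postfix/smtpd[") == 1 && $7 ~ /^client=/ {
            qid = $6; sub(/:$/, "", qid)
            origin[qid] = "smtpd " $7
            next
        }
        # Queue manager line carries the envelope sender for the queue ID.
        index($5, "postfix/qmgr[") == 1 && $7 ~ /^from=</ {
            qid = $6; sub(/:$/, "", qid)
            addr = $7; sub(/^from=</, "", addr); sub(/>,$/, "", addr)
            sender[qid] = addr
        }
        END {
            # Join on queue ID so line order in the log does not matter.
            for (q in sender) {
                n = split(sender[q], p, "@")
                if (n == 2 && p[2] == dom) {
                    o = (q in origin) ? origin[q] : "unknown"
                    count[o]++
                }
            }
            for (o in count) print count[o], o
        }' | sort -rn
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | spam_origin_report zbavitu.net
```

On the sample above this prints "2 pickup uid=1004" and "1 smtpd client=unknown[203.0.113.7]"; a real run would be `spam_origin_report zbavitu.net < /var/log/mail.log`. A large count under a single "pickup uid=N" points at that local account (or a process running as it) as the submitter, which is the evidence the reply asks for before deciding between a compromised host and an infected content filter.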