I'm walking through a week's worth of "leaks" through my filters etc., closing the holes.
Most have been clear enough to trace & remediate. This one has me a bit stymied. I'm not sure I have enough info to make out what's in fact going on. I'm seeing 2 different IPs in play, and can't unwind which one's relevant. Any comments/insight would help.

I've got

  frontend
    Postfix+postscreen
    amavisd in a preQ filter, blocking extensions + clamav

  backend
    Postfix
    amavisd
    clamav
    inbound & outbound

This particular 'leak' manifested as 3 internal-postmaster notices to me of banned file extensions -- no quarantine. Which is what I'd initially intended. The notices informed of:

  Banned name: FILE EXTENSION. Resend without attachment type:.exe,.exe-ms,Internal_report_07072015.exe
  Bad header: MIME error: error: unexpected end of header; ; error: part did not end with expected boundary; ; error: unexpected end of parts before epilogue
  Content type: Banned
  Internal reference code for the message is 18021-09/akIF98V0zWO1
  First upstream SMTP client IP address: [82.166.29.78]:24237 mail.tyrn.co.il
  Received trace: ESMTP://[82.166.29.78]:24237 < Microsoft_SMTP_Server://10.66.92.83

which got me looking at IP == 82.166.29.78.

Once I looked into my *logs*, what's got me puzzled is the 2 different IPs, (1) & (2), I'm seeing:

/var/log/postfix/postfix.log

  ./postfix/postfix.log:Jul 5 12:38:53 mailhost postfix/qmgr[2336]: 7E5815F742: from=<ubsgqer...@bmecollect.com>, size=59138, nrcpt=1 (queue active)
  ./postfix/postfix.log:Jul 5 12:38:53 mailhost postfix/postscreen-handoff/smtpd[25157]: proxy-reject: END-OF-MESSAGE: 554 5.7.0 Reject, id=18021-09 - BANNED: FILE EXTENSION. Resend without attachment type:.exe,.exe-ms,Internal_report_07072015.exe; from=<ubsgqer...@bmecollect.com> to=<us...@dddd1.com> proto=ESMTP helo=<my.firewall>
  ./postfix/postfix.log:Jul 5 12:38:54 mailhost postfix/amavis-feed/smtp[25172]: 9CEDB5F742: to=<ubsgqer...@bmecollect.com>, relay=127.0.0.1[127.0.0.1]:20003, delay=0.16, delays=0.05/0/0/0.11, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:11032): 250 2.0.0 Ok: queued as C257E5F744)
 (1)
  ./postfix/postfix.log:Jul 5 12:38:55 mailhost postfix/smtp-out-ext/smtp[25175]: C257E5F744: enabling PIX workarounds: disable_esmtp delay_dotcrlf for mail.bmecollect.com[207.108.137.131]:25
  ./postfix/postfix.log:Jul 5 12:38:55 mailhost postfix/smtp-out-ext/smtp[25175]: C257E5F744: to=<ubsgqer...@bmecollect.com>, relay=mail.bmecollect.com[207.108.137.131]:25, delay=0.43, delays=0/0/0.35/0.08, dsn=5.0.0, status=bounced (host mail.bmecollect.com[207.108.137.131] said: 550 No such user (ubsgqer...@bmecollect.com) (in reply to RCPT TO command))

/var/log/amavisd/amavisd.log

  ./amavisd/amavisd.log:Jul 5 12:38:53 mailhost amavis[18021]: (18021-09) ESMTP [127.0.0.1]:20000 /var/lib/amavisd/tmp/amavis-20150706T132852-18021-2z4EiIGq: <ubsgqer...@bmecollect.com> -> <us...@dddd1.com> Received: from edge.DDDD.com ([127.0.0.1]) by localhost (mail.DDDD.com [127.0.0.1]) (amavisd-new, port 20000) with ESMTP for <us...@dddd1.com>; Sun, 5 Jul 2015 12:38:53 -0700 (PDT)
 (2)
  ./amavisd/amavisd.log:Jul 5 12:38:53 mailhost amavis[18021]: (18021-09) Checking: akIF98V0zWO1 INBOUND-PREQUEUE [82.166.29.78] <ubsgqer...@bmecollect.com> -> <us...@dddd1.com>
  ./amavisd/amavisd.log:Jul 5 12:38:53 mailhost amavis[18021]: (18021-09) akIF98V0zWO1(akIF98V0zWO1) SEND from <ubsgqer...@bmecollect.com> -> <"postmaster\\\\"@DDDD1.com>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:11031): 250 2.0.0 Ok: queued as 7E5815F742
  ./amavisd/amavisd.log:Jul 5 12:38:54 mailhost amavis[17949]: (17949-11) ESMTP [127.0.0.1]:20003 /var/lib/amavisd/tmp/amavis-20150706T131759-17949-L_vbE_Of: <> -> <ubsgqer...@bmecollect.com> SIZE=4271 BODY=8BITMIME Received: from amavis-feed.mail.DDDD.com ([10.1.0.25]) by localhost (mail.DDDD.com [127.0.0.1]) (amavisd-new, port 20003) with ESMTP for <ubsgqer...@bmecollect.com>; Sun, 5 Jul 2015 12:38:54 -0700 (PDT)
 (3)
  ./amavisd/amavisd.log:Jul 5 12:38:54 mailhost amavis[17949]: (17949-11) Checking: 4SLt3DcErUYR OUTBOUND-FROM-SMARTHOST/MYNETS [ ] <> -> <ubsgqer...@bmecollect.com>
  ./amavisd/amavisd.log:Jul 5 12:38:54 mailhost amavis[17949]: (17949-11) 4SLt3DcErUYR FWD from <> -> <ubsgqer...@bmecollect.com>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:11032): 250 2.0.0 Ok: queued as C257E5F744

There's also (3), which looks like bad backscatter that looks like it's originating on my backend -- need to find that and shut that off, too.

Why am I seeing different IPs at (1) & (2), and which is the blockable sender's IP? I'm guessing only one is of functional interest to me ... In any case, I suspect I've got some config-cleaning to do.
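An added example, not part of the original post: a small Python script that correlates the postfix and amavisd lines quoted above by amavis task id and Postfix queue id, and labels each non-loopback IP by the role it played. On these lines it labels 82.166.29.78 as the upstream SMTP client of the INBOUND-PREQUEUE message that postscreen-handoff rejected with 554, and 207.108.137.131 as the next-hop relay (mail.bmecollect.com) for queue C257E5F744, an outbound message with an empty envelope sender handed back by amavis task 17949-11, i.e. a DSN addressed to the claimed sender. The log lines are copied from the post (grep prefixes removed); the regexes assume only the standard amavisd-new and Postfix log formats shown there.

```python
"""Correlate amavisd-new and Postfix log lines by amavis task id and Postfix
queue id, then label each non-loopback IP by the role it played (upstream SMTP
client of an inbound message vs. next-hop relay of an outbound one).
Added example; not part of the original post."""
import ipaddress
import re
from collections import defaultdict

# Log lines copied from the post above, grep file prefixes removed. Addresses
# are exactly as quoted there, "..." truncation included.
LOG = r"""
Jul 5 12:38:53 mailhost postfix/qmgr[2336]: 7E5815F742: from=<ubsgqer...@bmecollect.com>, size=59138, nrcpt=1 (queue active)
Jul 5 12:38:53 mailhost postfix/postscreen-handoff/smtpd[25157]: proxy-reject: END-OF-MESSAGE: 554 5.7.0 Reject, id=18021-09 - BANNED: FILE EXTENSION. Resend without attachment type:.exe,.exe-ms,Internal_report_07072015.exe; from=<ubsgqer...@bmecollect.com> to=<us...@dddd1.com> proto=ESMTP helo=<my.firewall>
Jul 5 12:38:54 mailhost postfix/amavis-feed/smtp[25172]: 9CEDB5F742: to=<ubsgqer...@bmecollect.com>, relay=127.0.0.1[127.0.0.1]:20003, delay=0.16, delays=0.05/0/0/0.11, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:11032): 250 2.0.0 Ok: queued as C257E5F744)
Jul 5 12:38:55 mailhost postfix/smtp-out-ext/smtp[25175]: C257E5F744: enabling PIX workarounds: disable_esmtp delay_dotcrlf for mail.bmecollect.com[207.108.137.131]:25
Jul 5 12:38:55 mailhost postfix/smtp-out-ext/smtp[25175]: C257E5F744: to=<ubsgqer...@bmecollect.com>, relay=mail.bmecollect.com[207.108.137.131]:25, delay=0.43, delays=0/0/0.35/0.08, dsn=5.0.0, status=bounced (host mail.bmecollect.com[207.108.137.131] said: 550 No such user (ubsgqer...@bmecollect.com) (in reply to RCPT TO command))
Jul 5 12:38:53 mailhost amavis[18021]: (18021-09) Checking: akIF98V0zWO1 INBOUND-PREQUEUE [82.166.29.78] <ubsgqer...@bmecollect.com> -> <us...@dddd1.com>
Jul 5 12:38:53 mailhost amavis[18021]: (18021-09) akIF98V0zWO1(akIF98V0zWO1) SEND from <ubsgqer...@bmecollect.com> -> <"postmaster\\\\"@DDDD1.com>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:11031): 250 2.0.0 Ok: queued as 7E5815F742
Jul 5 12:38:54 mailhost amavis[17949]: (17949-11) Checking: 4SLt3DcErUYR OUTBOUND-FROM-SMARTHOST/MYNETS [ ] <> -> <ubsgqer...@bmecollect.com>
Jul 5 12:38:54 mailhost amavis[17949]: (17949-11) 4SLt3DcErUYR FWD from <> -> <ubsgqer...@bmecollect.com>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:11032): 250 2.0.0 Ok: queued as C257E5F744
"""

# amavis "Checking:" line: direction, the SMTP client IP amavis saw, envelope addresses
CHECKING = re.compile(
    r"amavis\[\d+\]: \((?P<task>\d+-\d+)\) Checking: \S+ (?P<dir>\S+) "
    r"\[(?P<ip>[^\]]*)\] <(?P<from>[^>]*)> -> <(?P<to>[^>]*)>")
# amavis handing a message back to Postfix (SEND = one it generated, FWD = the scanned one)
HANDOFF = re.compile(
    r"amavis\[\d+\]: \((?P<task>\d+-\d+)\) \S+ (?P<kind>SEND|FWD) from <(?P<from>[^>]*)> -> "
    r"<(?P<to>[^>]*)>.*queued as (?P<qid>[0-9A-F]+)")
# Postfix smtp client delivering a queue file to a relay (possibly the local content filter)
RELAY = re.compile(
    r"postfix/(?P<transport>[\w-]+)/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<to>[^>]*)>, "
    r"relay=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]:\d+.*status=(?P<status>\w+)"
    r"(?:.*queued as (?P<next>[0-9A-F]+))?")
# pre-queue reject at end of DATA, tagged with the amavis task id that decided it
REJECT = re.compile(r"proxy-reject: END-OF-MESSAGE: (?P<code>\d{3}) .*?id=(?P<task>\d+-\d+)")


def parse(log_text):
    """Return (tasks, queue): amavis tasks keyed by task id and Postfix queue
    entries keyed by queue id, each reduced to the fields needed below."""
    tasks, queue = {}, {}
    for line in log_text.splitlines():
        if m := CHECKING.search(line):
            t = tasks.setdefault(m["task"], {"queued": []})
            t.update(direction=m["dir"], client_ip=m["ip"].strip(),
                     sender=m["from"], rcpt=m["to"])
        elif m := HANDOFF.search(line):
            tasks.setdefault(m["task"], {"queued": []})["queued"].append(
                {"kind": m["kind"], "sender": m["from"], "qid": m["qid"]})
        elif m := RELAY.search(line):
            queue[m["qid"]] = {"transport": m["transport"], "relay_host": m["host"].strip(),
                               "relay_ip": m["ip"], "status": m["status"], "next": m["next"]}
        elif m := REJECT.search(line):
            tasks.setdefault(m["task"], {"queued": []})["rejected"] = m["code"]
    return tasks, queue


def ip_roles(tasks, queue):
    """Map each non-loopback IP to the roles it played in these messages."""
    roles = defaultdict(list)
    # which amavis task produced each queue id (via "queued as ...")
    origin = {q["qid"]: (task_id, q["sender"]) for task_id, t in tasks.items() for q in t["queued"]}
    for task_id, t in tasks.items():
        if t.get("client_ip"):
            role = (f"upstream SMTP client of {t['direction']} task {task_id} "
                    f"<{t['sender']}> -> <{t['rcpt']}>")
            if "rejected" in t:
                role += f", rejected pre-queue with {t['rejected']}"
            roles[t["client_ip"]].append(role)
    for qid, q in queue.items():
        if ipaddress.ip_address(q["relay_ip"]).is_loopback:
            continue  # hop into the local content filter, not a remote party
        role = f"next-hop relay {q['relay_host']} for queue {qid} via {q['transport']}, status={q['status']}"
        task_id, sender = origin.get(qid, (None, None))
        if task_id is not None and sender == "":
            role += f"; message is a null-sender DSN handed back by amavis task {task_id}"
        roles[q["relay_ip"]].append(role)
    return dict(roles)


def inbound_client_ips(tasks):
    """IPs amavis recorded as the upstream client of an INBOUND message: the
    only addresses that are candidates for sender-side blocking."""
    return {t["client_ip"] for t in tasks.values()
            if t.get("direction", "").startswith("INBOUND") and t.get("client_ip")}


def null_sender_deliveries(tasks, queue):
    """Queue ids sent to a non-loopback relay whose message came out of an
    OUTBOUND amavis task with an empty envelope sender, i.e. DSNs leaving the
    site (the backscatter case to look for)."""
    origin = {q["qid"]: task_id for task_id, t in tasks.items() for q in t["queued"]}
    return [qid for qid, q in queue.items()
            if (t := tasks.get(origin.get(qid))) is not None
            and t.get("direction", "").startswith("OUTBOUND") and t.get("sender") == ""
            and not ipaddress.ip_address(q["relay_ip"]).is_loopback]


if __name__ == "__main__":
    tasks, queue = parse(LOG)
    for ip, rs in ip_roles(tasks, queue).items():
        print(ip)
        for r in rs:
            print("   ", r)
    print("inbound client IPs:", sorted(inbound_client_ips(tasks)))
    print("outbound null-sender deliveries:", null_sender_deliveries(tasks, queue))
```

The two IPs come from different halves of one event: the amavis `Checking:` line records the client that connected to the frontend, while `relay=host[ip]` on a `smtp-out-ext` line is where the backend delivered something, here a message with `<>` as envelope sender that amavis saw as OUTBOUND. Running the script against a day's combined logs, rather than these nine lines, gives one line per external IP with its role spelled out, which is what is needed before adding anything to a block list.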