On 7/6/2015 6:39 PM, PGNd wrote:
> I'm walking through a week's worth of "leaks" through my filters etc.,
> closing the holes.
>
> Most have been clear enough to trace & remediate.
>
> This one has me a bit stymied. I'm not sure I have enough info to make out
> what's in fact going on.
> I'm seeing 2 different IPs in play, and can't unwind which one's relevant.
> Any comments/insight would help.
>
> I've got
>
> frontend
>   Postfix+postscreen
>   amavisd in a preQ filter, blocking extensions + clamav
>
> backend
>   Postfix
>   amavisd clamav inbound & outbound
>
> This particular 'leak' manifested as 3 internal-postmaster notices to me of
> banned file extensions -- no quarantine. Which is what I'd initially
> intended. The notices informed of:
>
> Banned name: FILE EXTENSION. Resend without attachment type:.exe,.exe-ms,Internal_report_07072015.exe
> Bad header:
>   MIME error: error: unexpected end of header; ; error: part did not end with
>   expected boundary; ; error: unexpected end of parts before epilogue
> Content type: Banned
> Internal reference code for the message is 18021-09/akIF98V0zWO1
>
> First upstream SMTP client IP address: [82.166.29.78]:24237 mail.tyrn.co.il

This is amavisd-new's guess from the received headers, which is /usually/
correct. If you discarded the mail then you lose valuable diagnostic
information. The rest of the postmaster notice is not particularly helpful.

Your mail system seems overly complicated.

> Received trace: ESMTP://[82.166.29.78]:24237 < Microsoft_SMTP_Server://10.66.92.83
>
> which got me looking at IP == 82.166.29.78.
>
> Once I looked into my *logs*, what's got me puzzled is the 2 different IPs,
> (1) & (2), I'm seeing:
>
> /var/log/postfix/postfix.log
> ./postfix/postfix.log:Jul 5 12:38:53 mailhost postfix/qmgr[2336]: 7E5815F742: from=<ubsgqer...@bmecollect.com>, size=59138, nrcpt=1 (queue active)
> ./postfix/postfix.log:Jul 5 12:38:53 mailhost postfix/postscreen-handoff/smtpd[25157]: proxy-reject: END-OF-MESSAGE: 554 5.7.0 Reject, id=18021-09 - BANNED: FILE EXTENSION. Resend without attachment type:.exe,.exe-ms,Internal_report_07072015.exe; from=<ubsgqer...@bmecollect.com> to=<us...@dddd1.com> proto=ESMTP helo=<my.firewall>
> ./postfix/postfix.log:Jul 5 12:38:54 mailhost postfix/amavis-feed/smtp[25172]: 9CEDB5F742: to=<ubsgqer...@bmecollect.com>, relay=127.0.0.1[127.0.0.1]:20003, delay=0.16, delays=0.05/0/0/0.11, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:11032): 250 2.0.0 Ok: queued as C257E5F744)
> (1) ./postfix/postfix.log:Jul 5 12:38:55 mailhost postfix/smtp-out-ext/smtp[25175]: C257E5F744: enabling PIX workarounds: disable_esmtp delay_dotcrlf for mail.bmecollect.com[207.108.137.131]:25

(1) is Postfix sending mail out to that server, which postfix thinks has a
PIX firewall in the way.

Note the different queue ID numbers in the preceding log entries; these
seem to be different messages.

> ./postfix/postfix.log:Jul 5 12:38:55 mailhost postfix/smtp-out-ext/smtp[25175]: C257E5F744: to=<ubsgqer...@bmecollect.com>, relay=mail.bmecollect.com[207.108.137.131]:25, delay=0.43, delays=0/0/0.35/0.08, dsn=5.0.0, status=bounced (host mail.bmecollect.com[207.108.137.131] said: 550 No such user (ubsgqer...@bmecollect.com) (in reply to RCPT TO command))

And the mail sent to (1) bounces because there is no such user.

> /var/log/amavisd/amavisd.log
> ./amavisd/amavisd.log:Jul 5 12:38:53 mailhost amavis[18021]: (18021-09) ESMTP [127.0.0.1]:20000 /var/lib/amavisd/tmp/amavis-20150706T132852-18021-2z4EiIGq: <ubsgqer...@bmecollect.com> -> <us...@dddd1.com> Received: from edge.DDDD.com ([127.0.0.1]) by localhost (mail.DDDD.com [127.0.0.1]) (amavisd-new, port 20000) with ESMTP for <us...@dddd1.com>; Sun, 5 Jul 2015 12:38:53 -0700 (PDT)
> (2) ./amavisd/amavisd.log:Jul 5 12:38:53 mailhost amavis[18021]: (18021-09) Checking: akIF98V0zWO1 INBOUND-PREQUEUE [82.166.29.78] <ubsgqer...@bmecollect.com> -> <us...@dddd1.com>

Looks like amavisd processing mail from 82.166.29.78

> ./amavisd/amavisd.log:Jul 5 12:38:53 mailhost amavis[18021]: (18021-09) akIF98V0zWO1(akIF98V0zWO1) SEND from <ubsgqer...@bmecollect.com> -> <"postmaster\\\\"@DDDD1.com>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:11031): 250 2.0.0 Ok: queued as 7E5815F742
> ./amavisd/amavisd.log:Jul 5 12:38:54 mailhost amavis[17949]: (17949-11) ESMTP [127.0.0.1]:20003 /var/lib/amavisd/tmp/amavis-20150706T131759-17949-L_vbE_Of: <> -> <ubsgqer...@bmecollect.com> SIZE=4271 BODY=8BITMIME Received: from amavis-feed.mail.DDDD.com ([10.1.0.25]) by localhost (mail.DDDD.com [127.0.0.1]) (amavisd-new, port 20003) with ESMTP for <ubsgqer...@bmecollect.com>; Sun, 5 Jul 2015 12:38:54 -0700 (PDT)
> (3) ./amavisd/amavisd.log:Jul 5 12:38:54 mailhost amavis[17949]: (17949-11) Checking: 4SLt3DcErUYR OUTBOUND-FROM-SMARTHOST/MYNETS [ ] <> -> <ubsgqer...@bmecollect.com>

amavisd processing mail. The above logs don't show where the mail came from.

> ./amavisd/amavisd.log:Jul 5 12:38:54 mailhost amavis[17949]: (17949-11) 4SLt3DcErUYR FWD from <> -> <ubsgqer...@bmecollect.com>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:11032): 250 2.0.0 Ok: queued as C257E5F744
>
> There's also (3) which looks like bad backscatter that looks like it's
> originating on my backend -- need to find that and shut that off, too.
>
> Why am I seeing different IPs at (1) & (2), and which is the blockable
> sender's IP? I'm guessing only one is of functional interest to me ... In
> any case, I suspect I've got some config-cleaning to do.

I'm done providing free consulting for your system.

Best wishes.

  -- Noel Jones
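The following script is an added example, not code from either poster or from Postfix/amavisd-new. It does mechanically what the reply above does by eye: key every Postfix line by queue ID, key every amavisd line by task ID, link the two through "queued as" and "proxy-reject ... id=", and then walk each queue ID back to where the message entered. Run over the exact log lines quoted in the thread, it separates the rejected inbound message (amavisd task 18021-09, client 82.166.29.78), the postmaster notice amavisd generated about it (7E5815F742), and the separate outbound message 9CEDB5F742/C257E5F744 that bounced at 207.108.137.131 and whose origin is not in the quoted lines. Two assumptions are mine: that an amavisd "SEND from" line is a message amavisd generated itself while "FWD from" is the original being passed on, and that an outbound message with a null envelope sender (<>) is worth flagging as possible backscatter.

```python
import re
from collections import defaultdict

# Log lines as quoted in the thread above (grep's "./file.log:" prefixes stripped,
# wrapped lines rejoined). Addresses are elided exactly as the poster left them.
LOG_LINES = [
    "Jul 5 12:38:53 mailhost postfix/qmgr[2336]: 7E5815F742: from=<ubsgqer...@bmecollect.com>, size=59138, nrcpt=1 (queue active)",
    "Jul 5 12:38:53 mailhost postfix/postscreen-handoff/smtpd[25157]: proxy-reject: END-OF-MESSAGE: 554 5.7.0 Reject, id=18021-09 - BANNED: FILE EXTENSION. Resend without attachment type:.exe,.exe-ms,Internal_report_07072015.exe; from=<ubsgqer...@bmecollect.com> to=<us...@dddd1.com> proto=ESMTP helo=<my.firewall>",
    "Jul 5 12:38:54 mailhost postfix/amavis-feed/smtp[25172]: 9CEDB5F742: to=<ubsgqer...@bmecollect.com>, relay=127.0.0.1[127.0.0.1]:20003, delay=0.16, delays=0.05/0/0/0.11, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:11032): 250 2.0.0 Ok: queued as C257E5F744)",
    "Jul 5 12:38:55 mailhost postfix/smtp-out-ext/smtp[25175]: C257E5F744: to=<ubsgqer...@bmecollect.com>, relay=mail.bmecollect.com[207.108.137.131]:25, delay=0.43, delays=0/0/0.35/0.08, dsn=5.0.0, status=bounced (host mail.bmecollect.com[207.108.137.131] said: 550 No such user (ubsgqer...@bmecollect.com) (in reply to RCPT TO command))",
    "Jul 5 12:38:53 mailhost amavis[18021]: (18021-09) Checking: akIF98V0zWO1 INBOUND-PREQUEUE [82.166.29.78] <ubsgqer...@bmecollect.com> -> <us...@dddd1.com>",
    r'Jul 5 12:38:53 mailhost amavis[18021]: (18021-09) akIF98V0zWO1(akIF98V0zWO1) SEND from <ubsgqer...@bmecollect.com> -> <"postmaster\\\\"@DDDD1.com>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:11031): 250 2.0.0 Ok: queued as 7E5815F742',
    "Jul 5 12:38:54 mailhost amavis[17949]: (17949-11) Checking: 4SLt3DcErUYR OUTBOUND-FROM-SMARTHOST/MYNETS [ ] <> -> <ubsgqer...@bmecollect.com>",
    "Jul 5 12:38:54 mailhost amavis[17949]: (17949-11) 4SLt3DcErUYR FWD from <> -> <ubsgqer...@bmecollect.com>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:11032): 250 2.0.0 Ok: queued as C257E5F744",
]

# amavisd "Checking:" line: task id, direction, SMTP client IP (blank for local/MYNETS mail), envelope.
AMAVIS_CHECK = re.compile(
    r"amavis\[\d+\]: \((?P<task>[\d-]+)\) Checking: \S+ (?P<dir>\S+) \[(?P<ip>[^\]]*)\] <(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>")
# amavisd handing a message back to Postfix. Assumption: FWD = the original message passed on,
# SEND = a message amavisd generated itself (e.g. the postmaster notification).
AMAVIS_QUEUED = re.compile(
    r"amavis\[\d+\]: \((?P<task>[\d-]+)\) \S+ (?P<action>SEND|FWD) from <(?P<sender>[^>]*)> -> .*queued as (?P<qid>[0-9A-F]+)")
# Postfix pre-queue proxy reject; "id=" names the amavisd task that made the decision.
POSTFIX_REJECT = re.compile(
    r"postfix/(?P<svc>[\w/-]+)\[\d+\]: proxy-reject: .*?id=(?P<task>[\d-]+) - (?P<reason>.*?); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>")
# Any Postfix line keyed by a queue id.
POSTFIX_QID = re.compile(r"postfix/(?P<svc>[\w/-]+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)")
# A "status=sent ... queued as X" line means the message was re-queued under a new id after a filter.
HANDOFF = re.compile(r"queued as (?P<next>[0-9A-F]+)")


def trace(lines):
    """Index the log lines by amavisd task id and Postfix queue id and record the links between them."""
    tasks, queues, handoff, rejects = {}, defaultdict(list), {}, []
    for line in lines:
        if m := AMAVIS_CHECK.search(line):
            tasks.setdefault(m["task"], {}).update(
                direction=m["dir"], ip=m["ip"].strip() or None, sender=m["sender"], rcpt=m["rcpt"])
        elif m := AMAVIS_QUEUED.search(line):
            tasks.setdefault(m["task"], {}).update(action=m["action"], sender=m["sender"], queued_as=m["qid"])
        elif m := POSTFIX_REJECT.search(line):
            rejects.append({"task": m["task"], "reason": m["reason"], "sender": m["sender"], "rcpt": m["rcpt"]})
        elif m := POSTFIX_QID.search(line):
            queues[m["qid"]].append((m["svc"], m["rest"]))
            if h := HANDOFF.search(m["rest"]):
                handoff[m["qid"]] = h["next"]
    return {"tasks": tasks, "queues": dict(queues), "handoff": handoff, "rejects": rejects}


def origin_of(qid, t):
    """Walk a queue id back through amavisd tasks and content-filter re-queues
    to the point where the message entered; entry_ip is None if that point is not logged."""
    by_queued = {task["queued_as"]: (tid, task) for tid, task in t["tasks"].items() if "queued_as" in task}
    prev_of = {nxt: prev for prev, nxt in t["handoff"].items()}
    chain, seen, task = [qid], set(), None
    while qid not in seen:
        seen.add(qid)
        tid, task = by_queued.get(qid, (None, None))
        if task:
            chain.append(f"amavis {tid} {task.get('direction', '?')} {task['action']}")
            if task.get("ip"):
                return {"entry_ip": task["ip"], "generated": task["action"] == "SEND", "chain": chain}
        if qid not in prev_of:
            break
        qid = prev_of[qid]
        chain.append(qid)
    return {"entry_ip": None, "generated": bool(task and task["action"] == "SEND"), "chain": chain}


def rejected_clients(t):
    """Pair each pre-queue reject with the client IP of the amavisd task that decided it."""
    return [(t["tasks"].get(r["task"], {}).get("ip"), r["reason"]) for r in t["rejects"]]


def backscatter_candidates(t):
    """Outbound messages with a null envelope sender (<>): bounces this system generated."""
    return sorted(task["queued_as"] for task in t["tasks"].values()
                  if "queued_as" in task and task.get("sender") == ""
                  and task.get("direction", "").startswith("OUTBOUND"))


if __name__ == "__main__":
    t = trace(LOG_LINES)
    for ip, reason in rejected_clients(t):
        print(f"rejected at pre-queue filter, client [{ip}]: {reason}")
    for qid in sorted(t["queues"]):
        o = origin_of(qid, t)
        where = f"entered from [{o['entry_ip']}]" if o["entry_ip"] else "origin not in these lines"
        kind = "generated by amavisd" if o["generated"] else "relayed message"
        print(f"{qid}: {kind}, {where}; chain: {' <- '.join(o['chain'])}")
    print("backscatter candidates (null sender, outbound):", backscatter_candidates(t))
```

The useful habit the script encodes is to never compare IPs across lines with different queue IDs or task IDs: the pre-queue reject and the notice are tied together by task 18021-09, while 9CEDB5F742 and C257E5F744 are tied together only by the "queued as" hand-off, and nothing in the quoted lines ties that second pair to any SMTP client at all, so the earlier lines for 9CEDB5F742 are the ones to pull next.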