Postfix 3.2.2, CentOS 7, amavisd, clamav

I'm upgrading my server, and recently migrated one of my older domains that gets more spam. When checking my mail queue I saw a few deferred messages to addresses that alarmed me. I had a moment of panic thinking maybe I had configured something allowing a relay. I looked and decided I was OK there, but I want to understand what caused these deferred messages. I figure I have something set wrong that allowed it in the first place. I *think* it's a bounce where I would not want a bounce.
Can someone help me follow/decode this sample transaction? (Apologies for the wrapping, copied/pasted out of PuTTY.) My comments on the pieces I think I "get" are in-line.

Sanitized:
  myu...@userdomain.org - target recipient
  mail1.myserver - the server
  pp.pp.pp.pp and ss.ss.ss.ss - primary and secondary IPs of the box

> spammer connects
Jul 26 19:05:48 mail1 postfix/postscreen[11080]: CONNECT from [5.133.8.185]:44150 to [pp.pp.pp.pp]:25

> apparently passes postscreen, gets 450 "greylisted" due to after-220 checks
Jul 26 19:05:55 mail1 postfix/postscreen[11080]: NOQUEUE: reject: RCPT from [5.133.8.185]:44150: 450 4.3.2 Service currently unavailable; from=<online.casino.ga...@pearls.preal.us>, to=<myu...@userdomain.org>, proto=ESMTP, helo=<pearls.preal.us>

> added to temp whitelist, disconnect
Jul 26 19:05:55 mail1 postfix/postscreen[11080]: PASS NEW [5.133.8.185]:44150
Jul 26 19:05:55 mail1 postfix/postscreen[11080]: DISCONNECT [5.133.8.185]:44150

> reconnects to secondary IP and is passed due to previous PASS
Jul 26 19:05:55 mail1 postfix/postscreen[11080]: CONNECT from [5.133.8.185]:33753 to [ss.ss.ss.ss]:25
Jul 26 19:05:55 mail1 postfix/postscreen[11080]: PASS OLD [5.133.8.185]:33753

> the rest, and why there was a reply to the spammer's attempt, is fuzzy to me:
Jul 26 19:05:56 mail1 postfix/smtpd[11088]: warning: hostname accept.rootp.us does not resolve to address 5.133.8.185: Name or service not known
Jul 26 19:05:56 mail1 postfix/smtpd[11088]: connect from unknown[5.133.8.185]
Jul 26 19:05:56 mail1 postfix/smtpd[11088]: E58673D02: client=unknown[5.133.8.185]
Jul 26 19:05:57 mail1 postfix/cleanup[11090]: E58673D02: message-id=<5ad4d5216a4bc054e796b681c153b4ca.16322808.16275482@pearls.preal.us_jt0>
Jul 26 19:05:57 mail1 postfix/qmgr[910]: E58673D02: from=<online.casino.ga...@pearls.preal.us>, size=6760, nrcpt=1 (queue active)
Jul 26 19:05:57 mail1 amavis[5520]: (05520-17) ESMTP :10024 /var/spool/amavisd/tmp/amavis-20170726T133617-05520-rH4yYe3A: <online.casino.ga...@pearls.preal.us> -> <myu...@userdomain.org> SIZE=6760 BODY=8BITMIME RET=HDRS Received: from mail1.myserver.com ([127.0.0.1]) by localhost (mail1.myserver.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <myu...@userdomain.org>; Wed, 26 Jul 2017 19:05:57 -0500 (CDT)
Jul 26 19:05:57 mail1 amavis[5520]: (05520-17) Checking: pqyogYJQxVad [5.133.8.185] <online.casino.ga...@pearls.preal.us> -> <myu...@userdomain.org>
Jul 26 19:05:57 mail1 amavis[5520]: (05520-17) WARN: MIME::Parser error: unexpected end of header; ; error: couldn't parse head; error near:; ; ; error: part did not end with expected boundary; ; error: unexpected end of parts before epilogue
Jul 26 19:05:57 mail1 clamd[788]: SelfCheck: Database status OK.
Jul 26 19:05:57 mail1 postfix/smtpd[11093]: connect from localhost[127.0.0.1]
Jul 26 19:05:57 mail1 postfix/smtpd[11093]: 67FB13910: client=localhost[127.0.0.1]
Jul 26 19:05:57 mail1 postfix/cleanup[11094]: 67FB13910: message-id=<dsnpqyogyjqx...@mail1.myserver.com>
Jul 26 19:05:57 mail1 postfix/qmgr[910]: 67FB13910: from=<>, size=3222, nrcpt=1 (queue active)
Jul 26 19:05:57 mail1 postfix/smtpd[11093]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Jul 26 19:05:57 mail1 amavis[5520]: (05520-17) waLiP0ZsHz9C(pqyogYJQxVad) SEND from <> -> <Online.Casino.Games@pearls.preal.us>, ENVID=am.walip0zshz9c.20170727t0005...@mail1.myserver.com BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 67FB13910
Jul 26 19:05:57 mail1 amavis[5520]: (05520-17) Blocked BAD-HEADER-0 {BouncedInbound,Quarantined}, [5.133.8.185]:33753 [5.133.8.185] <online.casino.ga...@pearls.preal.us> -> <myu...@userdomain.org>, Queue-ID: E58673D02, Message-ID: <5ad4d5216a4bc054e796b681c153b4ca.16322808.16275482@pearls.preal.us_jt0>, mail_id: pqyogYJQxVad, Hits: -, size: 6763, 160 ms
Jul 26 19:05:57 mail1 postfix/smtp[11091]: E58673D02: to=<myu...@userdomain.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.66, delays=0.49/0.01/0.01/0.15, dsn=2.5.0, status=sent (250 2.5.0 Ok, id=05520-17, BOUNCE)
Jul 26 19:05:57 mail1 postfix/qmgr[910]: E58673D02: removed
Jul 26 19:05:57 mail1 postfix/smtpd[11088]: disconnect from unknown[5.133.8.185] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Jul 26 19:05:57 mail1 postfix/smtp[11064]: connect to mail.preal.us[5.133.8.185]:25: Connection refused
Jul 26 19:05:57 mail1 postfix/smtp[11064]: 67FB13910: to=<online.casino.ga...@pearls.preal.us>, relay=none, delay=0.38, delays=0.03/0/0.35/0, dsn=4.4.1, status=deferred (connect to mail.preal.us[5.133.8.185]:25: Connection refused)

postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
compatibility_level = 2
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont; echo where) | gdb $daemon_directory/$process_name $process_id 2>&1 >$config_directory/$process_name.$process_id.log & sleep 5
disable_vrfy_command = yes
html_directory = no
inet_interfaces = $myhostname, localhost, pp.pp.pp.pp, ss.ss.ss.ss
inet_protocols = ipv4
local_recipient_maps = hash:/etc/postfix/local_recipient
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_size_limit = 104857600
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 20971520
meta_directory = /etc/postfix
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = myserver.com
myhostname = mail1.myserver.com
mynetworks = localhost, $mydomain, pp.pp.pp.pp/32
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr cidr:/etc/postfix/postscreen_spf_whitelist.cidr,
postscreen_bare_newline_action = enforce
postscreen_bare_newline_enable = yes
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*3 bl.mailspike.net*2 b.barracudacentral.org*2 bl.spameatingmonkey.net bl.spamcop.net*2 dnsbl.sorbs.net psbl.surriel.com*2 list.dnswl.org=127.0.[2..15].0*-2 list.dnswl.org=127.0.[2..15].1*-3 list.dnswl.org=127.0.[2..15].[2..3]*-4 wl.mailspike.net=127.0.0.[17;18]*-1 wl.mailspike.net=127.0.0.[19;20]*-2
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -1
postscreen_greet_action = enforce
postscreen_non_smtp_command_action = drop
postscreen_non_smtp_command_enable = yes
postscreen_pipelining_action = enforce
postscreen_pipelining_enable = yes
postscreen_whitelist_interfaces = !ss.ss.ss.ss static:all
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix3-3.2.2/README_FILES
relay_domains = anothercompany.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /usr/share/doc/postfix3-3.2.2/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
shlib_directory = /usr/lib/postfix
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_helo_required = yes
smtpd_recipient_limit = 2700
smtpd_recipient_restrictions = reject_invalid_hostname permit_dnswl_client list.dnswl.org=127.0.[2..14].[2..3], reject_non_fqdn_hostname reject_non_fqdn_sender reject_non_fqdn_recipient reject_unknown_sender_domain reject_unknown_recipient_domain permit_mynetworks reject_unknown_reverse_client_hostname, warn_if_reject reject_non_fqdn_helo_hostname, warn_if_reject reject_unknown_helo_hostname, check_recipient_access pcre:/etc/postfix/recipient_checks.pcre check_recipient_access hash:/etc/postfix/recipient_checks check_helo_access hash:/etc/postfix/helo_checks check_sender_access hash:/etc/postfix/sender_checks check_client_access hash:/etc/postfix/client_checks check_client_access pcre:/etc/postfix/client_checks.pcre check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns-plus.pcre check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre reject_rbl_client zen.spamhaus.org=127.0.0.[2..255], reject_rhsbl_client dbl.spamhaus.org=127.0.1.[2..99], reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99], reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2..99], permit
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access hash:/etc/postfix/client_checks reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/letsencrypt/live/mail1.myserver.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail1.myserver.com/privkey.pem
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains = hash:/etc/postfix/virtual_domains
virtual_alias_maps = hash:/etc/postfix/virtual_users
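The transaction in the post can be read off three identifiers that the log lines share: the inbound Postfix queue ID (E58673D02), the amavisd task ID (05520-17, which appears in both the "Blocked ... Queue-ID: E58673D02" line and the "SEND from <> ... queued as 67FB13910" line), and the queue ID of the notification (67FB13910). Chained together they show amavisd blocking the inbound message as BAD-HEADER with action BouncedInbound, handing a null-sender DSN back to Postfix on port 10025, and that DSN then sitting in the deferred queue because the sender's host refused the connection. That is backscatter produced by the content filter, not a relay; in amavisd-new the per-category `$final_*_destiny` settings (here `$final_bad_header_destiny`) decide whether blocked mail produces such a notification, with D_BOUNCE generating one and D_DISCARD not. The following script is an added example, not code from the post or from the Postfix or amavisd projects: it correlates those identifiers over a constructed log modelled on the post's lines (placeholder addresses, a 192.0.2.0/24 documentation IP, queue and task IDs copied from the post) and reports each DSN that was generated for a blocked inbound message from a non-local client. The regular expressions assume the Postfix 3.x and amavisd-new 2.x log shapes shown in the post.

```python
"""Trace a Postfix/amavisd transaction and flag content-filter backscatter.

Added example (not from the original post). It links the Postfix queue ID,
the amavisd task ID and the DSN queue ID, then reports null-sender DSNs that
amavisd generated for mail it blocked. The sample log is constructed; the
addresses, hostnames and IP are placeholders.
"""
import re
from collections import defaultdict

# Constructed sample, shaped like the post's log lines.
SAMPLE_LOG = """\
Jul 26 19:05:56 mail1 postfix/smtpd[11088]: connect from unknown[192.0.2.10]
Jul 26 19:05:56 mail1 postfix/smtpd[11088]: E58673D02: client=unknown[192.0.2.10]
Jul 26 19:05:57 mail1 postfix/qmgr[910]: E58673D02: from=<bulk-sender@sender.example>, size=6760, nrcpt=1 (queue active)
Jul 26 19:05:57 mail1 amavis[5520]: (05520-17) Checking: pqyogYJQxVad [192.0.2.10] <bulk-sender@sender.example> -> <user@recipient.example>
Jul 26 19:05:57 mail1 postfix/smtpd[11093]: 67FB13910: client=localhost[127.0.0.1]
Jul 26 19:05:57 mail1 postfix/qmgr[910]: 67FB13910: from=<>, size=3222, nrcpt=1 (queue active)
Jul 26 19:05:57 mail1 amavis[5520]: (05520-17) waLiP0ZsHz9C(pqyogYJQxVad) SEND from <> -> <Bulk-Sender@sender.example>, ENVID=am.walip0zshz9c@mail1.example BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 67FB13910
Jul 26 19:05:57 mail1 amavis[5520]: (05520-17) Blocked BAD-HEADER-0 {BouncedInbound,Quarantined}, [192.0.2.10]:33753 [192.0.2.10] <bulk-sender@sender.example> -> <user@recipient.example>, Queue-ID: E58673D02, Message-ID: <abc123@sender.example>, mail_id: pqyogYJQxVad, Hits: -, size: 6763, 160 ms
Jul 26 19:05:57 mail1 postfix/smtp[11091]: E58673D02: to=<user@recipient.example>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.66, delays=0.49/0.01/0.01/0.15, dsn=2.5.0, status=sent (250 2.5.0 Ok, id=05520-17, BOUNCE)
Jul 26 19:05:57 mail1 postfix/qmgr[910]: E58673D02: removed
Jul 26 19:05:57 mail1 postfix/smtp[11064]: 67FB13910: to=<bulk-sender@sender.example>, relay=none, delay=0.38, delays=0.03/0/0.35/0, dsn=4.4.1, status=deferred (connect to mx.sender.example[192.0.2.10]:25: Connection refused)
"""

# One pattern per log line type we need; each captures the ID that links it to the others.
RE_CLIENT = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]")
RE_FROM = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")
RE_BLOCKED = re.compile(r"amavis\[\d+\]: \((?P<task>[\w-]+)\) Blocked (?P<reason>\S+) \{(?P<actions>[^}]*)\}.*?Queue-ID: (?P<qid>[0-9A-F]+)")
RE_SEND = re.compile(r"amavis\[\d+\]: \((?P<task>[\w-]+)\) \S+ SEND from <(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]+)>.*?queued as (?P<qid>[0-9A-F]+)")
RE_DELIVERY = re.compile(r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>.*?dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) \((?P<detail>.*)\)")


def parse_log(text):
    """Index the facts each line type carries, keyed by queue ID or amavisd task ID."""
    clients, senders, blocked, sent, deliveries = {}, {}, {}, {}, defaultdict(list)
    for line in text.splitlines():
        if m := RE_CLIENT.search(line):
            clients[m["qid"]] = m.groupdict()
        elif m := RE_FROM.search(line):
            senders[m["qid"]] = m["sender"]
        elif m := RE_BLOCKED.search(line):
            blocked[m["task"]] = m.groupdict()
        elif m := RE_SEND.search(line):
            sent[m["task"]] = m.groupdict()
        elif m := RE_DELIVERY.search(line):
            deliveries[m["qid"]].append(m.groupdict())
    return clients, senders, blocked, sent, deliveries


def find_backscatter(text, local_hosts=("localhost",)):
    """Return one finding per null-sender DSN that amavisd generated for a blocked message.

    Chain: inbound queue ID -> amavisd task ID (Blocked line) -> DSN queue ID
    (SEND ... queued as line) -> the DSN's own delivery status.
    """
    clients, senders, blocked, sent, deliveries = parse_log(text)
    findings = []
    for task, block in blocked.items():
        dsn = sent.get(task)
        if dsn is None or dsn["sender"] != "":
            continue  # this task produced no null-sender notification
        inbound_qid = block["qid"]
        client = clients.get(inbound_qid, {})
        # A notification for mail submitted by a local client is ordinary; the
        # problem case is notifying an unverified outside sender about mail we blocked.
        if client.get("host") in local_hosts:
            continue
        envelope_sender = senders.get(inbound_qid, "")
        status = deliveries.get(dsn["qid"], [{}])[-1]
        findings.append({
            "inbound_qid": inbound_qid,
            "client_ip": client.get("ip"),
            "envelope_sender": envelope_sender,
            "reason": block["reason"],
            "actions": block["actions"].split(","),
            "dsn_qid": dsn["qid"],
            "dsn_rcpt": dsn["rcpt"],
            "dsn_to_envelope_sender": dsn["rcpt"].lower() == envelope_sender.lower(),
            "dsn_status": status.get("status"),
            "dsn_detail": status.get("detail"),
        })
    return findings


def describe(finding):
    """One-line summary suitable for a report or alert."""
    return (f"inbound {finding['inbound_qid']} from {finding['client_ip']} "
            f"blocked as {finding['reason']} ({','.join(finding['actions'])}); "
            f"DSN {finding['dsn_qid']} to <{finding['dsn_rcpt']}> is {finding['dsn_status']}: "
            f"{finding['dsn_detail']}")


if __name__ == "__main__":
    for f in find_backscatter(SAMPLE_LOG):
        print(describe(f))
```

To run it against a real server, replace `SAMPLE_LOG` with the contents of the mail log (for example `open("/var/log/maillog").read()`); the `local_hosts` tuple should list whatever client names your own submission paths log under. A finding whose `dsn_status` is `deferred` is exactly the queue entry the post describes, and `dsn_to_envelope_sender` being true confirms the notification was addressed to the unverified envelope sender of the blocked message.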