
Question: Mail Delivery System and Postfix SMTP server

jackoackely

New Pleskian
Hello.

I am getting emails like the next one on a daily basis. Notice that the mail server is turned off in Plesk and we don't use it. How can I stop this madness?

[attached screenshot: 1593070840427.png]
 
I've never seen this coming from a Plesk system. Most likely it is sent by another system, probably the one behind the "double-bounce@..." part that is blurred in the image.
 
That's Plesk's main domain. I can just filter all the mails, but it's really annoying.
 
There is no "double-bounce" address on Plesk installations. And "EHLO scanner.sslsonar.org" - is that your server?

Have you checked /var/log/maillog (/var/log/mail.log on some systems) to see what the entry there is at the time when the mail is processed?
 
Here is the log file: "Jun 26 03:45:04 li1486-98 dovecot: pop3-login: Aborted login (no auth attempts i - Pastebin.com" (replaced email names).

It seems like some vulnerability scanners are trying to do something. I am not sure what to do, since the mail server is turned off already.
 
Disable the vulnerability scanner? If it is coming from 127.0.0.1 it means that it is running on your own machine.

Further, if your system absolutely does not use any email functions, you could simply stop Postfix and Dovecot (in that case you will not receive any notifications from the Plesk software either). Or you could put a wildcard into the blacklist and whitelist all local addresses.
 
I am not using any vulnerability scanners. I need to get Watchdog notifications and Plesk server updates, so turning off Postfix and Dovecot is a bad idea.
 
So "the mail server is turned off" in your initial post is incorrect. It is turned on.

So what is going on? There are a number of things.

1) Some local software is constantly trying to connect to your mail server, but it does not send login data. For example:

Code:
Jun 26 03:50:04 li1486-98 dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<9xexmvSo5LJ/AAAB>
Jun 26 03:50:04 li1486-98 dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<XlKxmvSorot/AAAB>
Jun 26 03:50:04 li1486-98 dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<FH2xmvSosIx/AAAB>
Jun 26 03:55:04 li1486-98 dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<fu+TrPSoAKR/AAAB>
Jun 26 03:55:04 li1486-98 dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<fhmUrPSoHrN/AAAB>
Jun 26 03:55:04 li1486-98 dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<Y1GUrPSo6It/AAAB>
Jun 26 03:55:04 li1486-98 dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<LnqUrPSo6ox/AAAB>

This means that in the middle of the night, some software on localhost (on your machine) is trying to log in to your mail service, but it does not transmit login data. You will need to find and stop that software.

2) The other authentication failures from outside IPs are normal hacking attempts that hit all servers. Some are coming in at a high rate, so that rate limiting is triggered. But that is very normal. All servers are constantly attacked. Fail2Ban (if turned on) will take care of them.

3) There is an issue with your SSL configuration for the mail service. You should turn that on.
Code:
Jun 26 07:57:04 li1486-98 postfix/smtpd[23318]: warning: error opening chain file: /etc/postfix/postfix_default.pem: No such file or directory

This still does not explain the messages you are receiving. Those seem to be coming from a totally different system. It could also be a backscatter issue (someone is sending mail in, the server tries to respond with an "undeliverable" message, fails, so it informs the administrator about it). I'd just send these into some auto-delete function of the mailbox assistant.
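To make the log triage described in the three points above repeatable, here is an added Python example (not from this thread, not Plesk code) that classifies Dovecot and Postfix maillog lines into the categories named there: no-auth probes from 127.0.0.1 (local software), the same probes from outside, remote authentication failures, and the missing chain-file warning. The first three sample lines are taken from the excerpt above; the remaining lines are constructed in the same format with RFC 5737 test addresses.

```python
import re
from collections import Counter

# Constructed sample: lines 1-3 mirror the thread's log excerpt, lines 4-6 are
# made up in the same Dovecot format using RFC 5737 documentation IPs.
SAMPLE_LOG = """\
Jun 26 03:50:04 li1486-98 dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<9xexmvSo5LJ/AAAB>
Jun 26 03:50:04 li1486-98 dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<XlKxmvSorot/AAAB>
Jun 26 07:57:04 li1486-98 postfix/smtpd[23318]: warning: error opening chain file: /etc/postfix/postfix_default.pem: No such file or directory
Jun 26 04:12:31 li1486-98 dovecot: imap-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<admin>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2, TLS
Jun 26 04:12:40 li1486-98 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2, TLS
Jun 26 04:13:02 li1486-98 dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=192.0.2.9, lip=198.51.100.2, TLS, session=<abcdEFGh/AAAB>
"""

RIP_RE = re.compile(r"\brip=([0-9a-fA-F.:]+)")
NO_AUTH_RE = re.compile(r"dovecot: (?:pop3|imap)-login: Aborted login \(no auth attempts")
AUTH_FAIL_RE = re.compile(r"dovecot: (?:pop3|imap)-login: Disconnected \(auth failed, \d+ attempts")
CHAIN_RE = re.compile(r"postfix/smtpd\[\d+\]: warning: error opening chain file: (\S+):")


def classify_line(line):
    """Return (category, key) for one maillog line, or None if it is not of interest."""
    chain = CHAIN_RE.search(line)
    if chain:
        return ("tls_chain_missing", chain.group(1))   # point 3: broken SSL config
    rip = RIP_RE.search(line)
    if rip and NO_AUTH_RE.search(line):
        ip = rip.group(1)
        # Connections that never send credentials: from loopback it is local
        # software (point 1), from anywhere else it is an outside scanner.
        local = ip.startswith("127.") or ip == "::1"
        return ("local_probe" if local else "remote_probe", ip)
    if rip and AUTH_FAIL_RE.search(line):
        return ("remote_auth_failure", rip.group(1))   # point 2: password guessing
    return None


def summarize(log_text):
    """Aggregate a maillog into {category: Counter of IP or file path -> line count}."""
    summary = {}
    for line in log_text.splitlines():
        hit = classify_line(line)
        if hit:
            summary.setdefault(hit[0], Counter())[hit[1]] += 1
    return summary


if __name__ == "__main__":
    for category, counter in summarize(SAMPLE_LOG).items():
        print(category, dict(counter))
```

Run it against a real file with `summarize(open("/var/log/maillog").read())`; a large `local_probe` count is the process on your own host to hunt down, while `remote_auth_failure` is the noise Fail2Ban handles.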
 