NEED HELP with my qmail server

marcosacramento
My server keeps accepting mail for sending from invalid users from my domains.
I've enabled smtp-auth but nothing happens. Also made my whitelist 127.0.0.1/32. The same result.
I also have a message like this in my queue to root very often:
/bin/bash: line 1: /usr/bin/qmail_check: No such file or directory

I don't know what to do.
My service provider limits my queue to 1000 a day and I'm getting there by 8:00AM.
Then it doesn't deliver more mail.

Also tried the abuse.net relay test and it says that it appears to be an open relay on the last test.

Please help me.

Thanks in advance,

Marco Sacramento
 
No one knows what the problem is?
Please answer.
I'm desperate.

Thanks.
 
I get a lot of messages from invalid users from my domains ([email protected]) to several addresses.
I guess that some of those addresses don't exist either and I get a bounce, but as the user doesn't exist, my server bounces it again.
That's what I think is happening.

This is the report I get on abuse.net.
(I switched the ip and domain names)

<<< 220 mail.myserver.com ESMTP
>>> HELO www.abuse.net
<<< 250 mail.myserver.com


Relay test 1
>>> RSET
<<< 250 flushed
>>> MAIL FROM:<[email protected]>
<<< 250 ok
>>> RCPT TO:<[email protected]>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)

Relay test 2
>>> RSET
<<< 250 flushed
>>> MAIL FROM:<spamtest>
<<< 250 ok
>>> RCPT TO:<[email protected]>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)

Relay test 3
>>> RSET
<<< 250 flushed
>>> MAIL FROM:<>
<<< 250 ok
>>> RCPT TO:<[email protected]>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)

Relay test 4
>>> RSET
<<< 250 flushed
>>> MAIL FROM:<[email protected]>
<<< 250 ok
>>> RCPT TO:<[email protected]>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)

Relay test 5
>>> RSET
<<< 250 flushed
>>> MAIL FROM:<spamtest@[myserverip]>
<<< 250 ok
>>> RCPT TO:<[email protected]>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)

Relay test 6
>>> RSET
<<< 250 flushed
>>> MAIL FROM:<[email protected]>
<<< 250 ok
>>> RCPT TO:<myemail%[email protected]>
<<< 550 sorry, no mailbox here by that name. (#5.7.17)

Relay test 7
>>> RSET
<<< 250 flushed
>>> MAIL FROM:<[email protected]>
<<< 250 ok
>>> RCPT TO:<myemail%onanotherserver.pt@[myserverip]>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)

Relay test 8
>>> RSET
<<< 250 flushed
>>> MAIL FROM:<[email protected]>
<<< 250 ok
>>> RCPT TO:<"[email protected]">
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)

Relay test 9
>>> RSET
<<< 250 flushed
>>> MAIL FROM:<[email protected]>
<<< 250 ok
>>> RCPT TO:<"myemail%onanotherserver.pt">
<<< 250 ok
>>> DATA
<<< 354 go ahead
>>> (message body)
<<< 250 ok 1157110794 qp 26944

Regards
 
By the way, most of the messages are for aol users.

regards
 
Make sure each domain is set up to "reject", not "bounce" the mail for invalid users. You will have to drill into each domain and adjust the mail settings. For example, the output from domain_pref.sh should list the setting "Mail to nonexistent user" as reject.


# /usr/local/psa/bin/domain_pref.sh -i abc.com
Domain 'abc.com' limits:
Disk space: Unlimited
Maximum amount of traffic: Unlimited
Maximum number of mailboxes: Unlimited
Set the mailbox quota: Unlimited
Maximum number of mail redirects: Unlimited
Maximum number of mail groups: Unlimited
Maximum number of mail autoresponders: Unlimited
Maximum number of web users: Unlimited
Maximum number of databases: Unlimited
Maximum number of mailing lists: Unlimited
Maximum number of Java applications: Unlimited
Maximum number of subdomains: Unlimited
Validity period: Unlimited
Mail to nonexistent user: 'reject'
WWW: true
WebMail: true
Allow the web users scripting: false
Retain traffic statistics: false
Domain status: Domain is active.
SUCCESS: Gathering information for 'abc.com' complete.
 
Thank you for your reply, but I have already verified that.
All domains are set to reject.

Regards
 
How about posting those examples then? (Not the abuse.net relay test!!!)
 
What would you consider examples?
maillog?

Here goes a sample:

Sep 1 04:09:50 netregistos qmail: 1157080190.053155 new msg 33898624
Sep 1 04:09:50 netregistos qmail: 1157080190.053364 info msg 33898624: bytes 10654 from <anonymous@www.netregistos.com> qp 6466 uid 48
Sep 1 04:09:50 netregistos qmail: 1157080190.055325 end msg 33898624
Sep 1 04:09:50 netregistos qmail: 1157080190.055726 starting delivery 1042: msg 33898620 to remote [email protected]
Sep 1 04:09:50 netregistos qmail: 1157080190.055781 status: local 0/10 remote 15/20
Sep 1 04:09:50 netregistos qmail: 1157080190.059409 starting delivery 1043: msg 33898620 to remote [email protected]
Sep 1 04:09:50 netregistos qmail: 1157080190.060420 status: local 0/10 remote 16/20
Sep 1 04:09:50 netregistos qmail: 1157080190.061981 starting delivery 1044: msg 33898620 to remote [email protected]
Sep 1 04:09:50 netregistos qmail: 1157080190.064545 status: local 0/10 remote 17/20
Sep 1 04:09:50 netregistos qmail: 1157080190.065648 starting delivery 1045: msg 33898620 to remote [email protected]
Sep 1 04:09:50 netregistos qmail: 1157080190.067312 status: local 0/10 remote 18/20
Sep 1 04:09:50 netregistos qmail: 1157080190.068448 starting delivery 1046: msg 33898620 to remote [email protected]
Sep 1 04:09:50 netregistos qmail: 1157080190.070049 status: local 0/10 remote 19/20
Sep 1 04:09:50 netregistos qmail: 1157080190.071788 starting delivery 1047: msg 33898620 to remote [email protected]
Sep 1 04:09:50 netregistos qmail: 1157080190.073800 status: local 0/10 remote 20/20
Sep 1 04:09:50 netregistos qmail: 1157080190.106512 delivery 1028: failure: 64.202.189.86_failed_after_I_sent_the_message./Remote_host_said:_554_Message_refused./
Sep 1 04:09:50 netregistos qmail: 1157080190.106801 status: local 0/10 remote 19/20
Sep 1 04:09:50 netregistos qmail: 1157080190.106887 starting delivery 1048: msg 33898620 to remote [email protected]
Sep 1 04:09:50 netregistos qmail: 1157080190.106937 status: local 0/10 remote 20/20
Sep 1 04:09:50 netregistos qmail: 1157080190.132337 delivery 1030: failure: 64.202.189.86_failed_after_I_sent_the_message./Remote_host_said:_554_Message_refused./
Sep 1 04:09:50 netregistos qmail: 1157080190.132546 status: local 0/10 remote 19/20
Sep 1 04:09:50 netregistos qmail: 1157080190.132636 starting delivery 1049: msg 33898620 to remote [email protected]
Sep 1 04:09:50 netregistos qmail: 1157080190.132703 status: local 0/10 remote 20/20
Sep 1 04:09:50 netregistos qmail: 1157080190.139591 delivery 1039: failure: 64.202.189.86_failed_after_I_sent_the_message./Remote_host_said:_554_Message_refused./
Sep 1 04:09:50 netregistos qmail: 1157080190.139932 status: local 0/10 remote 19/20
Sep 1 04:09:50 netregistos qmail: 1157080190.140048 starting delivery 1050: msg 33898620 to remote [email protected]
Sep 1 04:09:50 netregistos qmail: 1157080190.140092 status: local 0/10 remote 20/20
Sep 1 04:09:50 netregistos qmail: 1157080190.144758 delivery 1031: failure: 64.202.189.86_failed_after_I_sent_the_message./Remote_host_said:_554_Message_refused./

Don't know if that's what you asked for.
Strange thing: UID 48 is apache...

Regards.
 
grep the log file for "33898620" and post that. I would bet that your messages are being submitted locally.

also post the output of "ps -fu apache".
 
The output of "ps -fu apache" is:

UID PID PPID C STIME TTY TIME CMD
apache 4416 20480 0 12:08 ? 00:00:16 /usr/sbin/httpd
apache 32643 20480 0 13:35 ? 00:00:16 /usr/sbin/httpd
apache 14897 20480 0 14:57 ? 00:00:11 /usr/sbin/httpd
apache 17153 20480 0 14:57 ? 00:00:12 /usr/sbin/httpd
apache 11745 20480 0 21:21 ? 00:00:00 /usr/sbin/httpd


The grep of the log file is attached because it's too big to post.
(you can get it in http://www.portadigital.com/33898620.log)

Regards.
 
Your messages are definitely being submitted locally:

Sep 1 04:09:50 netregistos qmail: 1157080190.013012 info msg 33898620: bytes 23128 from <anonymous@www.netregistos.com> qp 6016 uid 48

Messages from remote typically have a uid of qmaild (2020 on my box), uid 48 is probably apache.

Is netregistos.com one of your domains? If it is then I would suggest running the following command and see if you can correlate it to a specific web form:

grep ":04:09:50 " /home/httpd/vhosts/netregistos.com/statistics/logs/access_log
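
The check described in the reply above, as an added example that is not part of the original thread: it reads qmail log lines, groups deliveries under the `info msg` record that queued them, and reports messages queued by a uid other than the SMTP daemon's that fan out to several remote recipients. The log lines are constructed in the format quoted in the thread; the function name, the threshold and `smtp_uid=2020` (the qmaild uid the reply mentions for its own box) are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the format of the maillog excerpt quoted in the thread.
# Host name, recipients and the second (uid 2020) message are illustrative.
SAMPLE_LOG = """\
Sep 1 04:09:50 host qmail: 1157080190.013012 info msg 33898620: bytes 23128 from <anonymous@www.example.com> qp 6016 uid 48
Sep 1 04:09:50 host qmail: 1157080190.055726 starting delivery 1042: msg 33898620 to remote u1@example.net
Sep 1 04:09:50 host qmail: 1157080190.059409 starting delivery 1043: msg 33898620 to remote u2@example.net
Sep 1 04:09:50 host qmail: 1157080190.061981 starting delivery 1044: msg 33898620 to remote u3@example.net
Sep 1 04:09:51 host qmail: 1157080191.000100 end msg 33898620
Sep 1 04:10:02 host qmail: 1157080202.000200 info msg 33898620: bytes 901 from <alice@example.org> qp 6100 uid 2020
Sep 1 04:10:02 host qmail: 1157080202.000300 starting delivery 1051: msg 33898620 to local bob@example.com
Sep 1 04:10:02 host qmail: 1157080202.000400 end msg 33898620
"""

INFO = re.compile(r"qmail: (\d+)\.\d+ info msg (\d+): bytes \d+ from <([^>]*)> qp (\d+) uid (\d+)")
DELIVERY = re.compile(r"starting delivery \d+: msg (\d+) to (local|remote) (\S+)")
END = re.compile(r"end msg (\d+)")

def suspicious_local_injections(log_text, smtp_uid=2020, min_remote=3):
    """Return messages queued by a uid other than the SMTP daemon's that
    fan out to at least min_remote remote recipients."""
    open_msgs, done = {}, []
    for line in log_text.splitlines():
        if m := INFO.search(line):
            epoch, msg, sender, qp, uid = m.groups()
            # qmail reuses message numbers, so each "info msg" starts a new record.
            if msg in open_msgs:
                done.append(open_msgs[msg])
            open_msgs[msg] = {
                "msg": msg, "uid": int(uid), "qp": int(qp), "sender": sender,
                # UTC time of queueing, for matching against web access logs.
                "queued_utc": datetime.fromtimestamp(int(epoch), tz=timezone.utc).isoformat(),
                "remote": []}
        elif m := DELIVERY.search(line):
            msg, kind, rcpt = m.groups()
            if kind == "remote" and msg in open_msgs:
                open_msgs[msg]["remote"].append(rcpt)
        elif m := END.search(line):
            if m.group(1) in open_msgs:
                done.append(open_msgs.pop(m.group(1)))
    done.extend(open_msgs.values())  # messages still in the queue at end of log
    return [r for r in done if r["uid"] != smtp_uid and len(r["remote"]) >= min_remote]

if __name__ == "__main__":
    for rec in suspicious_local_injections(SAMPLE_LOG):
        print(rec["queued_utc"], "uid", rec["uid"], rec["sender"], len(rec["remote"]), "remote rcpts")
```

The `queued_utc` value has to be shifted to the web server's local time zone before searching the access log for requests made in the same second.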
 
I think I found the problem.
I ran:
cat /home/httpd/vhosts/*/statistics/logs/access_log | grep "04:09:"
210.220.216.34 - - [01/Sep/2006:04:09:48 +0100] "POST /formacao/pre_inscricao.php HTTP/1.1" 302 - "http://www.oneofmydomains.pt/" "-"

What do you think?

Regards.
 
It looks like that POST got a 302 error (a redirect), I would at least take a look at it and see what is going on there. Perhaps there is another entry a few seconds later?

The first recipient on the e-mail is "[email protected]" (which happens to be the same directory as the PHP page), which makes it suspicious.

Take a look at .htaccess files, etc.
 
I think that the first recipient is that one, because that is a PHP script to send a message to the email.

It's the "forms to go 2.5" script.
 