Facebook
Twitter
D4NY
Regular Pleskian
OS: CentOS 6.8
PLESK: 12.5
Today i received a call of a user that couldn't send mail using mail client on smtp. Checking at the services via Plesk i saw that postfix was stopped and no way to restart it from the panel. Via SSH running "service postfix restart" the service restarted correctly and the green button came back also in Plesk. But after few minutes again it was stopped. The same after rebooting the whole server. Looking at the process runnin it seems to be overloaded.
tail -f /usr/local/psa/var/log/maillog | grep sasl_username
to see who's trying to authenticate and send mails. Other times hacked mailbox sent tons of spam away but this time nothing strange... just normal users sending single mail
tail -f /usr/local/psa/var/log/maillog
to see what's happening in real time and i found hundreds of connection from different IPs to a mailbox that was full of thousands mail in chinese language. I deleted the mailbox and the postfix crash seems to be solved but on the maillog we have continue connection to that mailbox even if no more alive.
I set up fail2ban, totally deactivate the domain and blacklisted the qq.com domain but no way to stop connections all from different ips.
Please check the attached file, it's the result of the command:
tail -f /usr/local/psa/var/log/maillog | grep MYDELETEDMAILBOX
Can't understand relationships between postfix and incoming mail. What's happening?
PLESK: 12.5
Today i received a call of a user that couldn't send mail using mail client on smtp. Checking at the services via Plesk i saw that postfix was stopped and no way to restart it from the panel. Via SSH running "service postfix restart" the service restarted correctly and the green button came back also in Plesk. But after few minutes again it was stopped. The same after rebooting the whole server. Looking at the process runnin it seems to be overloaded.
tail -f /usr/local/psa/var/log/maillog | grep sasl_username
to see who's trying to authenticate and send mails. Other times hacked mailbox sent tons of spam away but this time nothing strange... just normal users sending single mail
tail -f /usr/local/psa/var/log/maillog
to see what's happening in real time and i found hundreds of connection from different IPs to a mailbox that was full of thousands mail in chinese language. I deleted the mailbox and the postfix crash seems to be solved but on the maillog we have continue connection to that mailbox even if no more alive.
I set up fail2ban, totally deactivate the domain and blacklisted the qq.com domain but no way to stop connections all from different ips.
Please check the attached file, it's the result of the command:
tail -f /usr/local/psa/var/log/maillog | grep MYDELETEDMAILBOX
Can't understand relationships between postfix and incoming mail. What's happening?
