Spammer attack on Postfix

I am looking for advice on how to track down this spammer and how to remove the threat.
I am currently being attacked every 5 minutes.
I set some settings to prevent the email from being sent out now but I want to know where I should look to remove the cron job that is doing a postfix command.
I don't even use postfix since I have a Communigate Mail Server. But I was able to mess with the postfix settings enough to prevent the email from being sent. I still need to stop the attack.
Thank you for any advice.
Here is a snip of the log. Do you recognize it?
Sep 20 11:20:00 x-xxx-xxx-xx postfix/pickup[5335]: A46EE6DDDA5: uid=0 from=<root>
Sep 20 11:20:00 x-xxx-xxx-xx postfix/cleanup[5630]: A46EE6DDDA5: message-id=<20080920182000.A46EE6DDDA5@localhost>
Sep 20 11:20:00 x-xxx-xxx-xx postfix/qmgr[379]: A46EE6DDDA5: from=<[email protected]>, size=559, nrcpt=1 (queue active)
Sep 20 11:20:00 x-xxx-xxx-xx postfix/local[5632]: A46EE6DDDA5: to=<[email protected]>, orig_to=<root>, relay=local, delay=0, status=sent (delivered to file: /dev/null)
Sep 20 11:20:00 x-xxx-xxx-xx postfix/qmgr[379]: A46EE6DDDA5: removed

I have done this.
I also entered a line in the main.cf file
mailbox_size_limit = 10
message_size_limit = 1
to stop the email.
I am however still getting requests to send email every 5 minutes
Sep 20 20:50:00 x-xxx-xxx-xx postfix/postdrop[11103]: warning: uid=0: File too large
Sep 20 20:50:00 x-xxx-xxx-xx postfix/sendmail[11102]: fatal: root(0): Message file too big
so I am unsure the Unload command worked.
I feel the spam command is coming from code on the server itself.
Kevin
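An added example, not part of Kevin's post: the pickup lines show "uid=0 from=<root>" at exact five-minute marks, which is what a local sendmail(1) submission from a root scheduled job looks like, so the script below measures that cadence from mail log lines and then scans crontab text for an entry on the same cadence that pipes into a mailer. Both inputs are constructed; the host name, queue ids and job path are made up.

```shell
#!/bin/sh
# Added example (not from the thread). Part 1: measure how regularly
# root submits mail through pickup. Part 2: find crontab entries on
# that cadence that hand output to a mailer. Constructed sample data.

SAMPLE_MAILLOG=$(cat <<'EOF'
Sep 20 11:20:00 host postfix/pickup[5335]: A46EE6DDDA5: uid=0 from=<root>
Sep 20 11:20:00 host postfix/qmgr[379]: A46EE6DDDA5: removed
Sep 20 11:25:00 host postfix/pickup[5335]: B57FF7EEEB6: uid=0 from=<root>
Sep 20 11:30:00 host postfix/pickup[5335]: C68007FFFC7: uid=0 from=<root>
Sep 20 11:32:17 host postfix/pickup[5335]: D7911800008: uid=501 from=<kevin>
Sep 20 11:35:00 host postfix/pickup[5335]: E8A22911119: uid=0 from=<root>
EOF
)

SAMPLE_CRONTAB=$(cat <<'EOF'
# constructed root crontab (on a real box: crontab -l -u root, /etc/crontab, /etc/cron.d/*)
SHELL=/bin/sh
0 3 * * * /usr/sbin/periodic daily
*/5 * * * * /usr/bin/perl /tmp/.x/mailer.pl | /usr/sbin/sendmail -t
30 4 * * 0 /usr/sbin/periodic weekly
EOF
)

# Seconds between consecutive pickup submissions by one uid, one per line.
# Reads mail log text on stdin. Only the time-of-day field is used, so a
# window that crosses midnight would also need the date handled.
pickup_intervals() {
    uid="$1"
    grep "postfix/pickup\[[0-9]*\]: [0-9A-F]*: uid=$uid " |
    awk '{ split($3, t, ":")
           s = t[1] * 3600 + t[2] * 60 + t[3]
           if (n++) print s - prev
           prev = s }'
}

# The single interval when every gap is identical, otherwise "irregular".
pickup_cadence() {
    pickup_intervals "$1" | sort -u |
    awk 'NR == 1 { first = $1 }
         END { if (NR == 1) print first; else print "irregular" }'
}

# Crontab lines scheduled every N minutes whose command mentions a mailer.
# Reads crontab text on stdin; comments and VAR=value lines are skipped.
# Only the "*/N" step form is recognised; "0,5,10,..." lists are not.
cron_mailer_jobs() {
    every="$1"
    grep -v '^[[:space:]]*#' | grep -v '^[A-Za-z_][A-Za-z_0-9]*=' |
    awk -v every="$every" '$1 == "*/" every && $2 == "*" && tolower($0) ~ /mail|postdrop/'
}

# Stand-alone run over the constructed samples; on the real host feed
# /var/log/mail.log and the root crontab instead.
cadence=$(printf '%s\n' "$SAMPLE_MAILLOG" | pickup_cadence 0)
echo "root pickup cadence: ${cadence}s"
case "$cadence" in
    irregular) ;;
    *) printf '%s\n' "$SAMPLE_CRONTAB" | cron_mailer_jobs $((cadence / 60)) ;;
esac
```

Scheduled jobs on Mac OS X Server can also live in launchd plists under /Library/LaunchDaemons, so grep those for sendmail as well.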

Similar Messages

  • I am getting Phishing and Spammer Attacks in Mail Over Open Networks.

    How does this happen and how can I stop it?!  Thanks...

    Thanks. I have anti-spam set up on my account and have been changing my password frequently.  But, they keep getting in.  Is there something stronger to use for these attacks?   I've been hit a couple of times with spam/phishing pages that look like "change account info" pages that lock me out of mail.
    Does Apple provide an app? Thanks...

  • I write one email, Mail Activity shows 2 are being sent out

    OK, where is a copy of my email (2 of 2) being sent?
    Has General "Tap" Hayden of the NASA hacked my Mac?
    [email protected]

    Hello X:
    Welcome to Apple discussions.
    As a suggestion, I would not post my E-mail address in any forum. You are opening yourself up for a spammer attack.
    Oddly enough, I have a similar "doubling" of the count in my inbox. The system indicates 30 - I actually get 15. I have ignored it as I have not actually received double messages. In my case, it could be because I use a different mail source (AOL) and have Apple's mail application point to the AOL mail server.
    Barry

  • Is there a fix for Firefox being auto-redirected to known attack site from every new Google search?

    Every time I do a Google search, the first link in that search clicked will direct me to a known attack site at http://64.111.212.229/ (URL followed by lines of gibberish code). It will occur only on the first link of any new search attempted.
    My AV (Symantec Corporate 10.1.7.7000 version 12/8/2010 rev. 2) does not pick up any malware.
    The problem does not occur in Google Chrome.
    Does anyone have a similar problem and/or solution?
    My Firefox: 3.6.13, OS: Windows 2003 Server Standard SP2.

    @sergej0363: Well, nothing to stop you with your solution. I agree that some anti-spyware can be a bigger nuisance. Having said that, the problem you described may or may not look like a spyware problem though. I have found Spybot S&D to be quite serious and efficient, trusted by many.
    It is not true that Mozilla is targeted specifically, although some browser-specific attacks may indeed occur, most often with IE. Assuming that your problem is indeed malware/spyware related, it may be a matter of time until another browser is affected. And it is by no means true that Mozilla doesn't care. It actually has features like "block reported attack sites" or "web forgeries" when turned on. And Mozilla's OSS development model is usually considered to produce better security. But all this cannot always prevent e.g. drive-by infections or accidentally installing a spammer add-on.
    As always, the classical triple precaution of anti-virus, firewall and anti-spyware should help, besides keeping browser and OS software up to date in general.

  • Forcing postfix to NOT make MX lookups

    I have the mail server running well (via server admin) for sending email to external email addresses, however for internal emails it is not returning an error.
    On investigation with ethereal I see that postfix sends a standard MX query to the DNS for the internal domain. However none of the ip addresses returned are SMTP servers, they are all DNS or Domain servers. Therefore when postfix tries to connect on port 25 to these it fails with connection refused errors. I know what the correct address of the SMTP server is. Is there a way of forcing postfix to send mails to my internal domain to a known IP address?
    I have tried adding lines to /etc/postfix/transport as follows: My internal domain is hpa.org.uk and for example the SMTP server's address is 123.456.789.1. I therefore added the following line to /etc/postfix/transport
    hpa.org.uk smtp:[123.456.789.1]
    According to the postfix documentation, Postfix will NOT make an MX lookup if the IP address or server name is enclosed in square brackets. However, changing these lines and restarting postfix still makes postfix make MX requests. Is there a setting from the GUI (in a .plist file?) that is overriding the setting in /etc/postfix/transport, which according to the postfix documentation and responses from the postfix mailing group should work?

    Thanks for the info. I spent a good amount of time on their site as well but nothing. These are the only things I could find.
    http://help.sbcglobal.net/article.php?item=6291
    http://help.sbcglobal.net/article.php?item=6153
    http://help.sbcglobal.net/article.php?item=287
    http://help.sbcglobal.net/article.php?item=9469
    http://help.sbcglobal.net/article.php?item=9484
    http://help.sbcglobal.net/article.php?item=9558
    http://help.sbcglobal.net/article.php?item=4640
    So if I use my bulk mailer thru sbc I shouldn't be getting flagged as a spammer as long as my people opt in correct?

  • Server slowdown after spam attack...

    One of our users set their password to "1234" on Sunday.  We were dumped on with 3.6 million messages before we discovered it and shut the account down on Tuesday.  We have cleared the postfix queue of all the offending messages, but the server is still having an issue.
    When you reboot the machine, everything seems okay for about a couple of minutes, then it starts slowing down to the point where you can't even log in to a terminal session.  Email services work during this time, but connections start timing out in a few minutes and you're back to a largely unresponsive machine.  The activity viewer doesn't show any one high-CPU process.
    I'm wondering if there might be some corruption in the cyrus stuff.  Running on a Dual 1.8GHz G5, 4Gig RAM, pair of 400Gig HD drives.
    Not sure where to go from here.  Suggestions?

    Well, here is the solution, as unbelievable as it sounds.
    I narrowed the problem down to when the SA was set to receive incoming mail.  If I left the mail server up and running, and unchecked the "allow incoming mail", the server was stable.  Only when incoming mail was turned on would things get goofy.
    That pretty much narrows it down to the smtpd process in postfix.
    I copied the smtpd executable from another working server (same version) and replaced it on the problem server.  Problem solved.  The smtpd must have gotten corrupted during the spam attack.  It was located:
    /usr/libexec/postfix
    Server has been running smoothly for 12 hours now after 4 days of up and down every 3 minutes.

  • Need to get rid of email alias due to spam attack

    I have recently been slammed by a tidal wave of spam to one of my .mac email aliases. I was planning to delete the alias to get rid of this continual attack but I see that Apple has stopped the ability to do so since June 6!!!
    This spammer changes addresses every day so marking things as junk and creating rules does not begin to handle the problem. What can I do?!

    Hello Winster69
    All you should do is sign out of that Apple ID everywhere and then sign in with the new Apple ID. Also keep in mind that if you have apps that were associated with the old Apple ID, it will pop up to enter in the password for that old Apple ID to update them. You would need to remove any apps that are associated with it. Check out the article below to get you sorted out.
    iOS 7: If you're asked for the password to your previous Apple ID when signing out of iCloud
    http://support.apple.com/kb/ts5223
    Apple ID: What to do after you change your Apple ID
    http://support.apple.com/kb/HT5796
    Regards,
    -Norm G.

  • Can't Stop Intense SPAM Attack

    Hello,
    As of the past day or two, I've started encountering some major SPAM attacks on one of our multiple servers. We have a mail server on the domain, but this one isn't it (as it's only used for QTSS streaming and some web hosting).
    Basically, I first noticed it when I got two separate emails from postmasters saying to fix the problem, and then noticed "smtp" showing up on "top" continuously and draining the CPU. So far, I've tried turning the web server off and on, turning the mail server off and on, keeping the mail server on with SMTP with closed relay, and nothing has worked. Eventually, I had to set up a firewall to block port 25 incoming and outgoing which has seemed to solve the problem (but there are continuing entries related to MX records in the system.log every minute).
    I noticed that before this started, there were tons of 404's looking for formmail.cgi and some php mail client, and since then there's been no odd web traffic at all. I've also checked /tmp and /var/tmp, and nothing out of the ordinary either. Otherwise, this is what I've been seeing in system.log:
    With firewall off:
    Dec 31 03:35:35 xserve2 lmtpunix[15146]: warning: unable to post message for user: colin, mail is not enabled for this user
    With firewall off and making the colin account:
    Dec 31 03:36:21 xserve2 postfix/smtpd[13569]: warning: 218.248.240.72: hostname nda-svr-mta-out-01.bsnl.net.in verification failed: Host not found
    Dec 31 03:36:22 xserve2 postfix/qmgr[13546]: warning: premature end-of-input on private/smtp socket while reading input attribute name
    Dec 31 03:36:22 xserve2 postfix/qmgr[13546]: warning: private/smtp socket: malformed response
    Dec 31 03:36:22 xserve2 postfix/qmgr[13546]: warning: transport smtp failure -- see a previous warning/fatal/panic logfile record for the problem description
    With firewall on:
    Dec 31 14:06:51 xserve2 postfix/smtp[22534]: warning: valid_hostname: empty hostname
    Dec 31 14:06:51 xserve2 postfix/smtp[22534]: warning: malformed domain name in resource data of MX record for altavista.net:
    Dec 31 14:07:03 xserve2 postfix/smtp[22232]: warning: valid_hostname: empty hostname
    Dec 31 14:07:03 xserve2 postfix/smtp[22232]: warning: malformed domain name in resource data of MX record for ayhoo.com:
    If anyone could help, I'd be most, MOST grateful, as we do use the php mail command on one of our big sites hosted on that server and obviously that whole system is down right now...
    ----- EDIT -----
    It seems as though the smtp is still coming up even with the port 25 firewall on.
    The firewall looks like it's blocking a TON of packets, but the smtp is still utilizing over 80% of my CPU.

    Hey MrHoffman,
    Again, thanks for all the help with this... it's very appreciated over here. It's a major university website as well, so the last thing we want is to be blacklisted.
    I had a look through ipfw.log just now and can see the incoming blocking from late last night through today... some sample lines:
    Dec 30 23:38:38 xserve2 ipfw: 65534 Deny TCP 194.106.141.85:20782 204.194.30.246:25 in via en1
    Dec 30 23:38:38 xserve2 ipfw: 65534 Deny TCP 62.41.48.171:42706 204.194.30.246:25 in via en1
    Dec 30 23:38:38 xserve2 ipfw: 65534 Deny TCP 65.54.246.103:7820 204.194.30.246:25 in via en1
    Dec 30 23:38:38 xserve2 ipfw: 65534 Deny TCP 85.31.177.235:55054 204.194.30.246:25 in via en1
    Dec 30 23:38:38 xserve2 ipfw: 65534 Deny TCP 194.109.127.153:3302 204.194.30.246:25 in via en1
    Dec 30 23:38:38 xserve2 ipfw: 65534 Deny TCP 129.15.3.86:34962 204.194.30.246:25 in via en1
    Dec 30 23:38:38 xserve2 ipfw: 65534 Deny TCP 217.174.202.185:15703 204.194.30.246:25 in via en1
    Now in addition to that, last night when incoming 25 was still open and then I locked it, all the ipfw denials were to port 25. Now... today, there are more ports as well during the big spikes of ipfw problems today.. here's a set:
    25, 135 -139, 445, 1026, 6050, 33438, 49423-4
    Needless to say, looking at all of the entries, the IPs are all over the map (and definitely not on our 204.194.30.x or 128.2.103.x), so it does indeed look like it's coming from the outside. The good news is that right now, all smtp processes and outgoing problems have stopped completely, and the only thing happening is this once-in-a-while spike of incoming packets like the logs above. It starts out of nowhere, keeps going for around 15-45 min, and then just stops, but at least nothing's coming in. For the time being, just in case, I've locked off port 25 outgoing as well, since I did conclude that when this started happening, all the outgoing spam was coming out of postfix, given the millions (yes millions) of emails in the queue in /var/spool/postfix. But as of now, looking at the network stats using cacti and some other methods, we've found that over the past few days our outgoing bandwidth was between 200Kb/s and 2Mb/s sustained during the ordeal, but it's now down to under 20Kb/s in patches, mainly from me doing admining.
    As of right now, SMTP incoming is unchecked and authentication required is set in the mail pane in server admin, and the "accept SMTP relays from only..." checkbox is checked with only 127.0.0.1/32 listed, but this doesn't seem to help at all the second I open up incoming port 25... so I would think that the relay is closed, but it just doesn't seem to help... unless I'm missing something?
    With that said, I'd totally be for doing a basic firewall!
    I use one here at home (a netgear FVS114), although I have cable internet here, and wasn't sure if I would be able to just use the same kind of router-esque firewall like that at school and just run the LAN network port into the WAN and connect the LAN ports to our server room switch?
    Meanwhile, I did get computing services involved mid afternoon, and someone's actually there today and the ball seems to be rolling. I have them cc'd on the board post so hopefully they'll gain some insight from all the great help on here so far.
    Thanks again!

  • Mail.log postfix/smtp warning

    Hi!
    Since a few days I get thousands of warnings of this kind in mail.log of my server 10.5.8:
    Jun 26 18:22:03 xserver postfix/smtpd[39255]: warning: 91.93.147.18: hostname host-91-93-147-18.teletektelekom.com verification failed: nodename nor servname provided, or not known
    Jun 26 18:22:13 xserver postfix/smtpd[39257]: warning: 187.4.192.19: hostname 187-4-192-19.fnsce704.e.brasiltelecom.net.br verification failed: nodename nor servname provided, or not known
    Jun 26 18:23:01 xserver postfix/smtpd[39255]: warning: 88.247.132.249: hostname dsl88-247-34041.ttnet.net.tr verification failed: nodename nor servname provided, or not known
    Jun 26 18:23:06 xserver postfix/smtpd[39257]: warning: 216.227.244.233: hostname 233.244.227.216.ictxwavemedia.net verification failed: nodename nor servname provided, or not known
    Jun 26 18:24:19 xserver postfix/smtpd[39255]: warning: 85.105.145.11: hostname dsl.static.85-105-37131.ttnet.net.tr verification failed: nodename nor servname provided, or not known
    Jun 26 18:24:42 xserver postfix/smtpd[39257]: warning: 187.58.65.10: hostname 187.58.65.10.static.gvt.net.br verification failed: nodename nor servname provided, or not known
    Jun 26 18:24:53 xserver postfix/smtpd[39020]: warning: 95.111.46.12: hostname ip-95-111-46-12.home.megalan.bg verification failed: nodename nor servname provided, or not known
    Jun 26 18:25:39 xserver postfix/smtpd[39257]: warning: 88.250.166.251: hostname dsl88-250-42747.ttnet.net.tr verification failed: nodename nor servname provided, or not known
    Jun 26 18:26:22 xserver postfix/smtpd[39257]: warning: 212.102.9.115: hostname shabnet9-115.shabakah.net verification failed: nodename nor servname provided, or not known
    Jun 26 18:26:38 xserver postfix/smtpd[39255]: warning: 122.160.122.156: hostname ABTS-North-Static-156.122.160.122.airtelbroadband.in verification failed: nodename nor servname provided, or not known
    Jun 26 18:26:47 xserver postfix/smtpd[39020]: warning: 91.205.155.250: hostname BB-155-250.018.net.il verification failed: nodename nor servname provided, or not known
    Jun 26 18:27:29 xserver postfix/smtpd[39257]: warning: 91.93.147.18: hostname host-91-93-147-18.teletektelekom.com verification failed: nodename nor servname provided, or not known
    I don't know what the meaning of this is?? SPAM attack?
    What can I do to stop it?
    It is also impossible to start ServerAdmins maintenance-tasks...
    Thank you for your assistance,
    Peter.

    Hi again!
    I tried to do a backup of my mailsystem with "mailbfr -b".
    The backup started fine and gave me a lot of messages like this, and after almost an hour mailbfr quit with an error message:
    file has vanished: "/private/var/spool/postfix/active/F3C8D1B2F878"
    file has vanished: "/private/var/spool/postfix/active/F3CE11994C58"
    file has vanished: "/private/var/spool/postfix/active/F3CE91CA9F23"
    file has vanished: "/private/var/spool/postfix/active/F3D0219C94B3"
    file has vanished: "/private/var/spool/postfix/active/F3DA11CAE5FA"
    file has vanished: "/private/var/spool/postfix/active/F3DAF1BFE84D"
    file has vanished: "/private/var/spool/postfix/active/F3E101AAEBE0"
    file has vanished: "/private/var/spool/postfix/active/F3E2218FB617"
    file has vanished: "/private/var/spool/postfix/active/F3E3A18D70FF"
    file has vanished: "/private/var/spool/postfix/defer/0/045C01EE7ABE"
    file has vanished: "/private/var/spool/postfix/defer/0/0478E18D9F63"
    file has vanished: "/private/var/spool/postfix/defer/0/04B1F1EC6134"
    file has vanished: "/private/var/spool/postfix/defer/0/04B8D1E905AA"
    file has vanished: "/private/var/spool/postfix/defer/0/04EA31E9AEFD"
    file has vanished: "/private/var/spool/postfix/defer/0/050B11EF1208"
    file has vanished: "/private/var/spool/postfix/defer/0/051071E50E17"
    file has vanished: "/private/var/spool/postfix/defer/0/0513A199DDE7"
    file has vanished: "/private/var/spool/postfix/defer/0/0525E1E9AE61"
    file has vanished: "/private/var/spool/postfix/deferred/A/A0A971E9694B"
    file has vanished: "/private/var/spool/postfix/deferred/A/ACACB1EA9334"
    file has vanished: "/private/var/spool/postfix/flush/xserverhlg_hh_schulede"
    file has vanished: "/private/var/spool/postfix/incoming/D9B1B1F8E251"
    rsync warning: some files vanished before they could be transferred (code 24) at /SourceCache/rsync/rsync-35.2/rsync/main.c(992) (sender=2.6.9)
    speed 9600 baud;
    lflags: echoe echoke echoctl pendin
    iflags: iutf8
    oflags: -oxtabs
    cflags: cs8 -parenb
    mailbfr was aborted. The process was NOT completed successfully.
    Starting Mail Services
    Cyrus IMAP successfully started.
    I still can't access the ServerAdmin maintenance section of mail.
    Until now the mail-service seems to work fine but every few seconds I get messages in the mail.log like posted in my first posting.
    Should I give mailbfr a try to repair the maildatabase?
    Greetings from Germany,
    Peter.

  • How to block postfix connection to a specific ip address

    There are a handful of sites that continuously send SPAM to my server and seem to avoid getting listed on the blacklist servers.  I'm trying to set up POSTFIX to refuse connections from these servers' IP addresses.  Here is how I set up smtpd_client_restrictions in main.cf:
    smtpd_client_restrictions =
              check_client_access hash:/Library/Server/Mail/Config/postfix/client_checks
              permit_mynetworks
              permit_sasl_authenticated
              reject_rbl_client bl.spamcop.net
              reject_rbl_client zen.spamhaus.org
              permit
    The content of /Library/Server/Mail/Config/postfix/client_checks:
    94.242.161.0/24                    REJECT Your IP range is spammer
    141.255.161.0/24                    REJECT Your IP range is spammer
    192.95.54.0/24                    REJECT Your IP range is spammer
    198.50.229.0/24                    REJECT Your IP range is spammer
    198.50.171.0/24                    REJECT Your IP range is spammer
    For some reason POSTFIX isn't blocking SMTP connections from these IP addresses.
    Is there some other command that I need to specify for smtpd_client_restrictions to get processed?
    Is the syntax of my client check incorrect?

    Figured out what the problem was in getting Postfix to use the check_client_access file for SMTP connections to reject.  Seems that Postfix doesn't understand CIDR notation in the file, so these entries are just ignored and no entry is made in the SMTP log, which makes it even harder to figure out what is going on.  Changing the contents of the file from:
    94.242.161.0/24                    REJECT Your IP range is spammer
    141.255.161.0/24                    REJECT Your IP range is spammer
    192.95.54.0/24                    REJECT Your IP range is spammer
    198.50.229.0/24                    REJECT Your IP range is spammer
    198.50.171.0/24                    REJECT Your IP range is spammer
    to only listing the leading octets of the IP address works.  Now the REJECT message appears in the SMTP log, connections from these IP address ranges are dropped on connection, and the irritating spam that is missed by the blacklist servers is gone.  Nice!!!
    # Restricts which clients this system accepts SMTP connections from.
    94.242            REJECT Your IP range is spammer
    141.255         REJECT Your IP range is spammer
    192.95.54      REJECT Your IP range is spammer
    198.50.229   REJECT Your IP range is spammer
    23.89.158     REJECT Your IP range is spammer
    216.55.165   REJECT Your IP range is spammer
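An added example, not part of the thread: it reproduces why the "/24" keys in a hash: access table never match and contrasts that with a cidr: table, which Postfix reads with real CIDR semantics (cidr_table(5)) and which needs no postmap step. The two tables are constructed from the first entries in the thread; the awk lookups imitate Postfix's matching rules rather than calling Postfix.

```shell
#!/bin/sh
# Added example (not from the thread). Shows why "94.242.161.0/24" in a
# hash: table is dead weight, why "141.255" works, and how the same
# entries behave in a cidr: table. To use a cidr: table in main.cf:
#   check_client_access cidr:/Library/Server/Mail/Config/postfix/client_checks
# Constructed tables:
HASH_TABLE=$(cat <<'EOF'
94.242.161.0/24 REJECT Your IP range is spammer
141.255 REJECT Your IP range is spammer
EOF
)

CIDR_TABLE=$(cat <<'EOF'
94.242.161.0/24 REJECT Your IP range is spammer
141.255.161.0/24 REJECT Your IP range is spammer
EOF
)

# Lookup order check_client_access uses for an IPv4 client in a hash:
# table: the full address, then a.b.c, a.b and a. The string
# "94.242.161.0/24" is never one of those keys, so it is silently ignored.
hash_client_lookup() {
    ip="$1"; table="$2"
    for key in "$ip" "${ip%.*}" "${ip%.*.*}" "${ip%.*.*.*}"; do
        hit=$(printf '%s\n' "$table" |
              awk -v k="$key" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }')
        if [ -n "$hit" ]; then
            printf '%s\n' "$hit"
            return 0
        fi
    done
    echo DUNNO
}

# A cidr: table is scanned top to bottom and the first network that
# contains the client address wins. The prefix comparison divides by a
# power of two instead of using bit operators, so any POSIX awk will do.
cidr_client_lookup() {
    ip="$1"; table="$2"
    printf '%s\n' "$table" | awk -v ip="$ip" '
        function toint(a,  p) {
            split(a, p, ".")
            return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
        }
        BEGIN { ipn = toint(ip) }
        NF >= 2 && $1 !~ /^#/ {
            n = split($1, np, "/")
            bits = (n == 2) ? np[2] : 32
            shift = 2 ^ (32 - bits)
            if (int(ipn / shift) == int(toint(np[1]) / shift)) {
                $1 = ""; sub(/^ /, ""); print; found = 1; exit
            }
        }
        END { if (!found) print "DUNNO" }'
}

# Stand-alone demonstration with a client inside the first /24.
client=94.242.161.77
echo "hash: table -> $(hash_client_lookup "$client" "$HASH_TABLE")"
echo "cidr: table -> $(cidr_client_lookup "$client" "$CIDR_TABLE")"
```

The hash: form still needs `postmap` after every edit and only expresses ranges on octet boundaries, which is why "94.242" in the final table rejects a whole /16 rather than the intended /24.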

  • Postfix/qmgr warning regarding amavis configurations

    Got these during a heavy spam bombardment:
    Sep 11 03:52:15 flatrack postfix/qmgr[43726]: warning: mail for [127.0.0.1]:10024 is using up 4001 of 4001 active queue entries
    Sep 11 03:52:15 flatrack postfix/qmgr[43726]: warning: you may need to reduce smtp-amavis connect and helo timeouts
    Sep 11 03:52:15 flatrack postfix/qmgr[43726]: warning: so that Postfix quickly skips unavailable hosts
    Sep 11 03:52:15 flatrack postfix/qmgr[43726]: warning: you may need to increase the main.cf minimal_backoff_time and maximal_backoff_time
    Sep 11 03:52:15 flatrack postfix/qmgr[43726]: warning: so that Postfix wastes less time on undeliverable mail
    Sep 11 03:52:15 flatrack postfix/qmgr[43726]: warning: you may need to increase the master.cf smtp-amavis process limit
    Sep 11 03:52:15 flatrack postfix/qmgr[43726]: warning: please avoid flushing the whole queue when you have
    Sep 11 03:52:15 flatrack postfix/qmgr[43726]: warning: lots of deferred mail, that is bad for performance
    Sep 11 03:52:15 flatrack postfix/qmgr[43726]: warning: to turn off these warnings specify: qmgr_clog_warn_time = 0
    Sep 11 03:54:27 flatrack imap[7175]: login: flatrack.capps.com [65.197.152.201] spam plaintext user logged in
    Sep 11 03:55:03 flatrack imap[7228]: login: flatrack.capps.com [65.197.152.201] junkmail CRAM-MD5 User logged in
    Sep 11 03:57:15 flatrack postfix/qmgr[43726]: warning: mail for [127.0.0.1]:10024 is using up 4179 of 4179 active queue entries
    Sep 11 03:57:15 flatrack postfix/qmgr[43726]: warning: you may need to reduce smtp-amavis connect and helo timeouts
    Sep 11 03:57:15 flatrack postfix/qmgr[43726]: warning: so that Postfix quickly skips unavailable hosts
    Sep 11 03:57:15 flatrack postfix/qmgr[43726]: warning: you may need to increase the main.cf minimal_backoff_time and maximal_backoff_time
    Sep 11 03:57:15 flatrack postfix/qmgr[43726]: warning: so that Postfix wastes less time on undeliverable mail
    Sep 11 03:57:15 flatrack postfix/qmgr[43726]: warning: you may need to increase the master.cf smtp-amavis process limit
    Sep 11 03:57:15 flatrack postfix/qmgr[43726]: warning: please avoid flushing the whole queue when you have
    Sep 11 03:57:15 flatrack postfix/qmgr[43726]: warning: lots of deferred mail, that is bad for performance
    Sep 11 03:57:15 flatrack postfix/qmgr[43726]: warning: to turn off these warnings specify: qmgr_clog_warn_time = 0
    sh-3.2# postconf -n
    bounce_queue_lifetime = 6h
    broken_sasl_auth_clients = yes
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    content_filter = smtp-amavis:[127.0.0.1]:10024
    daemon_directory = /usr/libexec/postfix
    debug_peer_level = 2
    delay_warning_time = 6h
    disable_vrfy_command = yes
    enable_server_options = yes
    html_directory = no
    inet_interfaces = localhost
    local_recipient_maps = proxy:unix:passwd.byname $alias_maps
    luser_relay =
    mail_owner = _postfix
    mailbox_size_limit = 0
    mailbox_transport = cyrus
    mailq_path = /usr/bin/mailq
    manpage_directory = /usr/share/man
    maps_rbl_domains =
    masquerade_domains = capps.com
    maximal_queue_lifetime = 2d
    message_size_limit = 104857600
    mydestination = $myhostname,localhost.$mydomain,localhost
    mydomain = capps.com
    mydomain_fallback = localhost
    myhostname = flatrack.capps.com
    mynetworks = 127.0.0.0/8,192.168.10.0/24,65.197.152.0/24
    newaliases_path = /usr/bin/newaliases
    queue_directory = /private/var/spool/postfix
    readme_directory = /usr/share/doc/postfix
    relayhost = reefer.capps.com
    sample_directory = /usr/share/doc/postfix/examples
    sendmail_path = /usr/sbin/sendmail
    setgid_group = _postdrop
    smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, permit
    smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, permit
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access hash:/etc/postfix/helo_access, reject_non_fqdn_hostname, reject_invalid_hostname, permit
    smtpd_pw_server_security_options = cram-md5,login,plain
    smtpd_recipient_restrictions = reject_invalid_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient, reject_rbl_client zen.spamhaus.org, permit
    smtpd_sasl_auth_enable = yes
    smtpd_sender_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_non_fqdn_sender, permit
    smtpd_use_pw_server = yes
    unknown_local_recipient_reject_code = 550
    virtual_mailbox_domains =
    virtual_transport = virtual
    As these variables are not present in main.cf, they are using the default values:
    maximal_backoff_time (default: 4000s)
    The maximal time between attempts to deliver a deferred message.
    This parameter should be set to a value greater than or equal to $minimal_backoff_time. See also $queue_run_delay.
    Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).
    minimal_backoff_time (default: 300s)
    The minimal time between attempts to deliver a deferred message; prior to Postfix 2.4 the default value was 1000s.
    This parameter also limits the time an unreachable destination is kept in the short-term, in-memory, destination status cache.
    This parameter should be set greater than or equal to $queue_run_delay. See also $maximal_backoff_time.
    Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).
    Should I do what the messages suggest, and what might be good values to use for these variables.
    Thanks,
    Flatrack

    Looking at your configuration, it strikes me as odd that postfix and amavisd-new could not keep up with each other. Of course I do not know how bad the spam attack was, but judging from the log snippet (there are sometimes minutes between entries) I doubt it was too heavy.
    I would think that amavisd hung for some reason and caused this. In which case increasing timings will not help, but you should find out why amavisd crashed (check amavis.log). For the time being, I wouldn't make any changes. If it should happen again, you can take it from there.
    Another thing to check: from your configuration and DNS MX records, it seems like outgoing AND incoming mail go/come through a relay host. Have a look at that host's configuration as well. Maybe it was relaying a backed-up queue too aggressively.
    HTH,
    Alex

  • SPAM Attack

    Hi,
    One of my mail servers is being attacked by a spammer. If I execute the mailq command, I can see that the senders of the spam messages are invalid accounts from one of my local domains and the recipients are yahoo, hotmail accounts.
    I have the FrontLine SPAM defense from osx.topicdesk implemented:
    http://osx.topicdesk.com/content/view/38/41/
    I think that the spam is being sent from external IPs through a valid mail account. Can I know the name of that account to change the password? I saw the mailaccess.log and mail.log and system.log but I can see repeated smtp connections ...
    Thanks for your help.
    Bye

    Yes, most likely a compromised user account is being abused.
    Assuming your logging level is at least "Information", try and issue:
    grep -i "sasl_username=" /var/log/mail.log
    This should show you the username being repeatedly used.
    HTH,
    Alex
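An added example, not part of Alex's reply: it turns the suggested grep into a per-user count, so the abused account stands out, and lists the client addresses that authenticated as that user. The log lines are constructed in the shape smtpd logs at the "Information" level; host name, queue ids and addresses are made up.

```shell
#!/bin/sh
# Added example (not from the thread). Rank SASL usernames seen in
# smtpd log lines and show where the top one is connecting from.
# Constructed sample log:
SAMPLE_LOG=$(cat <<'EOF'
Jun 26 18:22:03 xserver postfix/smtpd[39255]: 1A2B3C4D5E: client=unknown[203.0.113.10], sasl_method=PLAIN, sasl_username=bob
Jun 26 18:22:04 xserver postfix/smtpd[39255]: 1A2B3C4D5F: client=unknown[203.0.113.11], sasl_method=LOGIN, sasl_username=bob
Jun 26 18:22:05 xserver postfix/smtpd[39257]: 1A2B3C4D60: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice
Jun 26 18:22:06 xserver postfix/smtpd[39257]: 1A2B3C4D61: client=unknown[203.0.113.12], sasl_method=PLAIN, sasl_username=bob
Jun 26 18:22:07 xserver postfix/smtpd[39020]: warning: 91.93.147.18: hostname host-91-93-147-18.example.net verification failed
EOF
)

# "count user" pairs, busiest first. Reads log text on stdin.
sasl_user_counts() {
    grep -io 'sasl_username=[^ ,]*' | cut -d= -f2 | sort | uniq -c | sort -rn |
    awk '{ print $1, $2 }'
}

# Name of the busiest user only.
top_sasl_user() {
    sasl_user_counts | head -n 1 | awk '{ print $2 }'
}

# Distinct client IPs that authenticated as the given user, sorted.
# The address is taken from the client=name[addr] field of the same line.
client_ips_for_user() {
    grep "sasl_username=$1\$" |
    sed -n 's/.*client=[^[]*\[\([^]]*\)].*/\1/p' | sort -u
}

# Stand-alone run over the sample. On a real host:
#   sasl_user_counts < /var/log/mail.log
printf '%s\n' "$SAMPLE_LOG" | sasl_user_counts
top=$(printf '%s\n' "$SAMPLE_LOG" | top_sasl_user)
echo "clients for $top:"
printf '%s\n' "$SAMPLE_LOG" | client_ips_for_user "$top"
```

A legitimate user normally authenticates from one or two addresses; many unrelated client networks behind one username is the signature of a stolen password.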

  • Postfix configuration puzzle

    There is something about my Postfix configuration that has been puzzling me on and off for years. It works just fine within my LAN, but when I travel I cannot access my mail (I use imap) unless I first ssh to my home server and add the remote IP address to /etc/hosts.allow. Like this:
    ALL: remoteaddress.com : allow.
    Then everything is fine.
    I know I must have something misconfigured to make this awkward (and insecure) step necessary. But I can't figure out what. I do have port 143 open on my router. My server is running Postfix 2.0.10 on System 10.3.9. I use Apple Mail as my client with basic password authentication. I would very much appreciate your suggestions.
    George Johnson

    I can't explain your imap issue but I'm gonna get on my ssh soapbox and also address email: First, I strongly recommend you continue the ssh tunnel approach. If you have configured an ssh server at home, and if you haven't already incorporated these additional features into it, why not further configure it to only allow public-key exchange and disable username/password authentication, force protocol 2, and disable root login, and maybe even run it over a non-standard port, too? There are numerous posts in this forum and the networking&web forum on how to do that. If you can't find 'em on your own, post back, people here will be glad to help direct you to numerous resources. Then you don't need to have hosts.allow and hosts.deny files to handle what I am assuming is an itinerant client computer -- if a remote client doesn't have a dsa key pair, the private key on his machine and the public key having been securely transferred onto your machine (e.g., via USB flash drive, sneakerNet style), it is going to be a big-time challenge for hackers -- they'll give up after seeing you are not vulnerable to username/password attacks, and go after bigger fish instead.
    Then make an "alias" command in your .profile something like
    alias phonehome='ssh -l george -L 30143:localhost:143 -L 30025:localhost:25 johnson.com'
    and in Mail.app on your itinerant computer, change the imap and smtp servers to localhost and ports 30143 and 30025, respectively. You may need to change localhost to 127.0.0.1 in the above Mail configuration parameters and ssh command -- I had problems specifying localhost in early versions of Tiger so Panther may be the same way.
    Now you can close all but your ssh port (and smtp port so bona fide smtp servers and spam relays can send mail to your server) in the router; there is now no clear text being sent because all imap and smtp traffic, including mail account usernames and passwords, from the clients is securely tunneled through an encrypted ssh channel. All you do is launch Terminal, type phonehome, and once in, launch Mail and take care of your email.
    Your ssh mechanism is more secure than running clear text over port 143 and 25 anyways, regardless of whether you are using hosts.allow and hosts.deny. But if you can't restrict by IP address (e.g., you travel on business a lot all over the place), public-key authentication with username/password authentication disabled is, in my opinion, way more secure than username/password in that situation.
    I am doing this with a small personal-use 5-account mailserver, and additionally I am tunneling port 548 AFP/AFS traffic (e.g., use -L 30548:localhost:548 and mount localhost:30548) and VNC port 5900 traffic (use -L 5901:localhost:5900 and vnc to localhost:5901) through this "locked down" (I hope!) ssh setup -- it works great! The other thing I have done with regards to mail is I got a subscription to mailhop relay (dyndns.com) in order to let them spam-assassinate and virus-scan any mail destined inbound to my server; they are my MX record; that way, most of that crap doesn't even waste my home bandwidth trying to be delivered to my home mailserver.
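    The sshd hardening Alex lists (public-key only, password authentication off, protocol 2, no direct root login) is easy to verify rather than assume. The script below is an added example, not code from the thread or from OpenSSH; it reads an sshd_config the way sshd does (the first uncommented occurrence of a keyword wins) and reports every setting that is missing or weak. The two sample configs and the file paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the hardening described above.
# Sample configs and paths are constructed; nothing here is the page's own code.

# First active (uncommented) value of a keyword, matching sshd's own rule
# that the first occurrence of a keyword is the one that takes effect.
sshd_value() {
    awk -v key="$2" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Usage: check_sshd_config /path/to/sshd_config
# Prints one line per weakness. The return value is the number of findings,
# so 0 means every checked keyword is set explicitly to the hardened value.
check_sshd_config() {
    cfg=$1
    findings=0
    for rule in \
        'PasswordAuthentication|no|password logins are accepted' \
        'PubkeyAuthentication|yes|public-key logins are disabled' \
        'PermitRootLogin|no|root may log in directly' \
        'Protocol|2|SSH protocol 1 is not disabled (keyword dropped in OpenSSH 7.6+, which is protocol-2 only)'
    do
        key=${rule%%|*}; rest=${rule#*|}
        want=${rest%%|*}; msg=${rest#*|}
        got=$(sshd_value "$cfg" "$key")
        if [ -z "$got" ]; then
            # Not stated in the file: the build default applies, which is
            # not what a deliberately locked-down server should rely on.
            printf '%s: not set explicitly, relying on the build default\n' "$key"
            findings=$((findings + 1))
        elif [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" != "$want" ]; then
            printf '%s = %s: %s\n' "$key" "$got" "$msg"
            findings=$((findings + 1))
        fi
    done
    return $findings
}

# Constructed sample configs: a permissive one and the locked-down one.
WEAK_SSHD_CONFIG='# permissive sample (constructed)
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes'

HARDENED_SSHD_CONFIG='# locked-down sample (constructed)
Port 2222
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no'
```

Run it against the live file with `check_sshd_config /etc/ssh/sshd_config; echo "findings: $?"` (older Mac OS X releases kept the file at /etc/sshd_config). The weak sample produces four findings (protocol 1 still allowed, root login, password logins, and PubkeyAuthentication left to the default); the hardened sample produces none.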

  • How can we remove the "Attack Site" warning from our webpage?

    We host several domains with Dreamhost. (1st mistake)
    Our account was hacked and is being resolved.
    We have taken our site down.
    When searching our url, our prospective customers will see an Explorer message which reads a Dreamhost message stating this website has been "voluntarily parked". Site coming soon.
    In Firefox, the Attack Site message in red is still showing. Can you please remove the message as our website is not available for public viewing?
    Thank you.
    RJ

    I get a status 200 with a message from the site that it is under construction. If I am using the correct URL (www.usana2013.co.za) maybe you need to clear your Firefox cache.
    The database of attack & phishing sites is not directly maintained by Firefox.
    See also
    *http://www.mozilla.org/en-US/firefox/phishing-protection/firefox2/
    *http://www.mozilla.org/en-US/firefox/features/#advancedsecurity
    *http://en.wikipedia.org/wiki/Google_Safe_Browsing
    ** http://www.google.com/tools/firefox/safebrowsing/
    **http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=http://www.usana2013.co.za

  • Postfix relay=none, ... status=deferred (Host or domain name not found...

    Hi,
    I actually posted this question 2 weeks ago but under the wrong topic. So, first of all wanted to apologise for double-posting... but since no one replied, I thought I'd try again under the right topic.
    I've been trying to solve this all day today (that was Feb 26th). I used to be able to send emails but for some reason it does not work anymore. At first I thought it was a problem with php (I use entropy pack php 5.2.6) but after searching the topic, I think it is a problem with my network. BTW OS is 10.5.5 and Postfix version 2.4.3
    First of all, after computer restart, I don't think postfix starts automatically
    Running 'sudo postfix start' gives me:
    postfix/postfix-script: starting the Postfix mail system
    Looking at '/var/log/mail.log' I find:
    Feb 27 12:51:04 AMs-MBP postfix/qmgr331: AA70A7A7C77: from=<[email protected]>, size=842, nrcpt=1 (queue active)
    Feb 27 12:52:19 AMs-MBP postfix/smtp456: AA70A7A7C77: to=<[email protected]>, relay=none, delay=3437, delays=3362/0.02/75/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=email.com type=MX: Host not found, try again)
    Running 'sudo postfix check' does not give me any errors
    Checking my '/etc/resolv.conf' it has nameserver 192.168.1.1
    Running 'ifconfig | grep netmask | grep -v 127.0.0.1 | awk {'print $2'}L' gives:
    192.168.1.5
    Checking http://switch.richard5.net/2006/08/19/fatal-open-lock-file-pidmasterpid/ and running 'launchctl list' gives me a long list but no item matches org.postfix.master
    Running 'ps aux|grep postfix' gives
    AM 546 0.3 0.0 599820 468 s000 S+ 1:41pm 0:00.00 grep postfix
    _postfix 331 0.0 0.0 599816 824 ?? S 11:56am 0:00.04 qmgr -l -t fifo -u
    root 329 0.0 0.0 600784 752 ?? Ss 11:56am 0:00.11 /usr/libexec/postfix/master
    _postfix 519 0.0 0.0 599768 752 ?? S 1:36pm 0:00.01 pickup -l -t fifo -u
    Running 'postconf inet_interfaces' at first gave me
    inet_interfaces = localhost
    which I changed to All in '/etc/postfix/main.cf'
    I looked at http://www.postfix-book.com/debugging.html
    Running 'telnet localhost 25' gives me
    Trying ::1...
    telnet: connect to address ::1: Connection refused
    Trying fe80::1...
    telnet: connect to address fe80::1: Connection refused
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 AMs-MBP.local ESMTP Postfix
    quit
    221 2.0.0 Bye
    Connection closed by foreign host.
    But running 'telnet 10.1.2.233 25' gives me
    Trying 10.1.2.233...
    telnet: connect to address 10.1.2.233: Operation timed out
    telnet: Unable to connect to remote host
    Running 'ping 134.169.9.107' takes a long time. After a while I stop it and get:
    PING 134.169.9.107 (134.169.9.107): 56 data bytes
    ^C
    --- 134.169.9.107 ping statistics ---
    28 packets transmitted, 0 packets received, 100% packet loss
    I have no idea what the problem is and/or how to fix it. I know the messages get to the postfix daemon but for some reason they do not continue on their way.
    Please, does anyone have an idea of how to fix this?
    TIA,
    Elle

    Dynamic IP addresses with DynDNS Updater (or equivalent) make it pretty darned reliable, particularly if you buy DynDNS' Mailhop Forward service, which prevents the likes of roadrunner.com and aol.com from blocking mail coming from your server just because it lives in dynamicIP-land. Way cheaper than paying your ISP extra for a static IPA, too, and totally acceptable for low-volume, residential-based servers for personal not-for-profit use.
    Regarding reliable delivery to a dynIPA server, you are only at risk of non-receipt for perhaps a few minutes immediately following when your ISP rotates your WAN IPA, until DynDNS Updater (or equivalent) updates the DynDNS (or equivalent) servers with your new WAN IPA. But that's really not a problem because I think all, well, okay, most, smtp servers will queue for a redelivery attempt if the initial delivery attempt just happens to occur at that time.
    I wouldn't suggest this practice for high-volume enterprise-class servers or for people trying to run a bootleg mail server business for profit (besides, the ISP would shut it down as an abuse of terms of service, anyways), but for low-volume, residential-based servers for personal use and enjoyment, which I suspect is the case for the O.P., I can't say that I find anything unreliable about my dynamic IP-based mail server.
