Postfix working too hard.


goon12
03-09-2005, 12:48 PM
I run a web/mail server out of my bedroom, and last night around 9PM I heard it grinding away, so I figured it was logwatch or something. Then it was still grinding, 2 hours later, so I did some poking around and realized that it was postfix. I noticed a lot of entries like this (in /var/log/maillog):

Mar 9 11:36:45 crankhouse postfix/smtp[8387]: 46C59407B6: to=<ageave411@aol.com>, relay=mailin-01.mx.aol.com[64.12.138.57], delay=60324, status=deferred (host mailin-01.mx.aol.com[64.12.138.57] said: 421-: (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html 421 SERVICE NOT AVAILABLE)
Mar 9 11:36:45 crankhouse postfix/smtpd[8383]: reject: RCPT from unknown[69.45.32.81]: 554 <alian2go@aol.com>: Recipient address rejected: Relay access denied; from=<frijap@austarnet.com.au> to=<alian2go@aol.com>


So I watched the log for a while with tail -f, and noticed a certain IP address in there (over 4500 times in 14 hours). It's an IP address from my ISP, so I am thinking that someone has a worm that is attempting to spam through me.

What does "status=deferred" mean, and should I be worried about this?

-goon12

P.S. It's not a real power house of a box either (P3 450, RedHat 7.3).

Icarus
03-09-2005, 02:59 PM
Looks like you are denying relay (which is a very good thing!) so the only thing this guy is harming is you.

Now setup an iptables rule to block him completely and you should be ok ;)

goon12
03-09-2005, 06:29 PM
Ok, I took care of that IP (so far so good), my other question is this:

What does this entry mean?

Mar 9 17:17:41 crankhouse postfix/smtp[9603]: AC4484082A: to=<ahgirl14@aol.com>, relay=mailin-01.mx.aol.com[205.188.159.57], delay=80541, status=sent (250 OK)


I was thinking that one of my roommates' boxes was infected with something, causing it to spam out messages. So I ran ettercap/netwatch/sniffit and watched for the connections but didn't see anything. But that message doesn't really say who is sending the message. I take it the to=<ahgirl14@aol.com> was the RCPT TO:, but I don't see where the MAIL FROM:<> is...
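The answer to both of goon12's log questions is that Postfix logs one message as several lines tied together by the queue ID (46C59407B6, AC4484082A): the envelope sender is on the qmgr line (from=<...>), the submitting client on the smtpd line (client=host[ip]) or a pickup line for local submission, and only the final delivery attempt on the smtp line, which is why the smtp line alone never names the sender. status=deferred means the remote host answered with a temporary 4xx error (here AOL's 421), so the message stays in the deferred queue and Postfix keeps retrying it until it either goes through or reaches maximal_queue_lifetime and bounces; the "Relay access denied" rejects carry no queue ID because the mail was never accepted. The script below is an added example, not code from the thread: it groups a maillog by queue ID, answers "who sent this", lists what is still deferred, and counts rejected RCPTs per client IP so the 4500-hit address from the first post stands out. Its SAMPLE_LOG lines are constructed to mirror the format on the page; the hostnames, addresses and queue IDs in it are placeholders.

```python
"""Correlate Postfix maillog lines by queue ID (added example, not from the thread).
The SAMPLE_LOG lines are constructed to mimic the page's entries; hosts,
addresses and queue IDs are placeholders."""
import re
from collections import Counter, defaultdict

# Syslog prefix of every Postfix line: "Mar  9 11:36:45 host postfix/PROG[pid]: text"
PREFIX_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/(?P<prog>\w+)\[\d+\]: (?P<msg>.*)$")
# A rejected RCPT has no queue ID; newer Postfix versions prefix the line with "NOQUEUE:".
REJECT_RE = re.compile(
    r"^(?:NOQUEUE: )?reject: RCPT from (?P<client>\S+?)\[(?P<ip>[\d.]+)\]: (?P<code>\d{3}) ")
QUEUE_RE = re.compile(r"^(?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$")  # classic hex queue IDs
FIELD_RE = re.compile(r"(\w+)=(<[^>]*>|[^,\s]+)")                 # key=value pairs
DELIVERY_AGENTS = {"smtp", "local", "virtual", "pipe", "error"}    # daemons that log status=

SAMPLE_LOG = """\
Mar  9 11:30:02 crankhouse postfix/smtpd[8300]: connect from unknown[192.0.2.45]
Mar  9 11:30:02 crankhouse postfix/smtpd[8300]: reject: RCPT from unknown[192.0.2.45]: 554 <v1@example.com>: Recipient address rejected: Relay access denied; from=<bogus@example.org> to=<v1@example.com>
Mar  9 11:30:03 crankhouse postfix/smtpd[8300]: reject: RCPT from unknown[192.0.2.45]: 554 <v2@example.com>: Recipient address rejected: Relay access denied; from=<bogus@example.org> to=<v2@example.com>
Mar  9 11:30:03 crankhouse postfix/smtpd[8300]: reject: RCPT from unknown[192.0.2.45]: 554 <v3@example.com>: Recipient address rejected: Relay access denied; from=<bogus@example.org> to=<v3@example.com>
Mar  9 11:30:04 crankhouse postfix/smtpd[8300]: 6F7E8D9C0B: client=unknown[192.0.2.45]
Mar  9 11:30:04 crankhouse postfix/qmgr[8299]: 6F7E8D9C0B: from=<bogus@example.org>, size=2048, nrcpt=1 (queue active)
Mar  9 11:30:04 crankhouse postfix/local[8305]: 6F7E8D9C0B: to=<goon@crankhouse.example>, relay=local, delay=0, status=sent (delivered to mailbox)
Mar  9 11:30:04 crankhouse postfix/qmgr[8299]: 6F7E8D9C0B: removed
Mar  9 11:35:10 crankhouse postfix/pickup[8310]: 1A2B3C4D5E: uid=500 from=<goon@crankhouse.example>
Mar  9 11:35:10 crankhouse postfix/qmgr[8299]: 1A2B3C4D5E: from=<goon@crankhouse.example>, size=812, nrcpt=1 (queue active)
Mar  9 11:35:11 crankhouse postfix/smtp[8320]: 1A2B3C4D5E: to=<friend@example.com>, relay=mx.example.com[198.51.100.25], delay=1, status=deferred (host mx.example.com[198.51.100.25] said: 421 Service not available)
Mar  9 12:05:11 crankhouse postfix/smtp[8340]: 1A2B3C4D5E: to=<friend@example.com>, relay=mx.example.com[198.51.100.25], delay=1801, status=sent (250 OK)
Mar  9 21:02:40 crankhouse postfix/pickup[8310]: 9C8B7A6F5E: uid=500 from=<goon@crankhouse.example>
Mar  9 21:02:40 crankhouse postfix/qmgr[8299]: 9C8B7A6F5E: from=<goon@crankhouse.example>, size=640, nrcpt=1 (queue active)
Mar  9 21:02:41 crankhouse postfix/smtp[8350]: 9C8B7A6F5E: to=<someone@example.net>, relay=mx.example.net[203.0.113.7], delay=1, status=deferred (host mx.example.net[203.0.113.7] said: 421 Service not available)
"""


def parse_maillog(lines):
    """Return ({queue_id: record}, Counter of rejected RCPTs per client IP).

    The sender is never on the smtp[] delivery line: qmgr logs it once as
    from=<...>, and smtpd (client=) or pickup logs who handed the message in,
    all under the same queue ID.
    """
    messages = defaultdict(lambda: {"client": None, "sender": None, "deliveries": []})
    rejects = Counter()
    for line in lines:
        m = PREFIX_RE.match(line.strip())
        if not m:
            continue
        prog, msg = m.group("prog"), m.group("msg")
        r = REJECT_RE.match(msg)
        if r:                                   # never accepted, so no queue ID to join on
            rejects[r.group("ip")] += 1
            continue
        q = QUEUE_RE.match(msg)
        if not q:
            continue
        qid, fields = q.group("qid"), dict(FIELD_RE.findall(q.group("rest")))
        rec = messages[qid]
        if prog == "smtpd" and "client" in fields:
            rec["client"] = fields["client"]
        elif prog == "pickup":
            rec["client"] = "local"             # submitted on the box via sendmail(1)
        elif prog == "qmgr" and "from" in fields:
            rec["sender"] = fields["from"].strip("<>")
        elif prog in DELIVERY_AGENTS and "status" in fields:
            rec["deliveries"].append({
                "to": fields["to"].strip("<>"),
                "relay": fields.get("relay"),
                "delay": float(fields.get("delay", 0)),   # seconds in the queue so far
                "status": fields["status"],
            })
    return dict(messages), rejects


def sender_of(messages, qid):
    """Who sent queue ID qid: (submitting client, envelope MAIL FROM)."""
    rec = messages[qid]
    return rec["client"], rec["sender"]


def still_deferred(messages):
    """Queue IDs whose latest attempt ended status=deferred (a 4xx temporary
    failure): they sit in the deferred queue and are retried until they go
    through or exceed maximal_queue_lifetime (default 5 days) and bounce."""
    return sorted(qid for qid, rec in messages.items()
                  if rec["deliveries"] and rec["deliveries"][-1]["status"] == "deferred")


def noisy_clients(rejects, threshold):
    """Client IPs with at least `threshold` rejected RCPTs, busiest first."""
    return [(ip, n) for ip, n in rejects.most_common() if n >= threshold]


if __name__ == "__main__":
    msgs, rej = parse_maillog(SAMPLE_LOG.splitlines())
    for qid, rec in msgs.items():
        print(qid, sender_of(msgs, qid), [d["status"] for d in rec["deliveries"]])
    print("still deferred:", still_deferred(msgs))
    print("clients with >= 3 rejected RCPTs:", noisy_clients(rej, 3))
```

Against the real file, parse_maillog(open("/var/log/maillog")) does the same job; noisy_clients(rej, 100) would surface the address goon12 saw 4500 times, and sender_of(msgs, "AC4484082A") answers the MAIL FROM question as soon as the qmgr line for that ID is in the input (grep for the queue ID if the log has rotated).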

Admstng
03-09-2005, 07:28 PM
I had an Exchange server in my room a couple years ago, all of a sudden at 3am the server would just go crazy.. the HD's would swap like crazy...

turns out I had an open relay and got a large range of my ISP's IP addies blacklisted.. it cost many users the ability to email popular domains..

the head of security called me and asked WTF I was doing..


ah.. life lessons.

-Adam

goon12
03-09-2005, 08:24 PM
Happened to me too. :D
I don't think this is a relay issue, and I submitted my IP to ORDB.org this morning. I can see where relay access is denied, but I really don't understand the message from my above post.

Thanks,
goon12

Admstng
03-10-2005, 11:58 AM
Originally posted by goon12
Ok, I took care of that IP (so far so good), my other question is this:

What does this entry mean?

Mar 9 17:17:41 crankhouse postfix/smtp[9603]: AC4484082A: to=<ahgirl14@aol.com>, relay=mailin-01.mx.aol.com[205.188.159.57], delay=80541, status=sent (250 OK)


I was thinking that one of my roommates' boxes was infected with something, causing it to spam out messages. So I ran ettercap/netwatch/sniffit and watched for the connections but didn't see anything. But that message doesn't really say who is sending the message. I take it the to=<ahgirl14@aol.com> was the RCPT TO:, but I don't see where the MAIL FROM:<> is...

Looks like you are relaying some mail... I would look this over and restrict as much as you can... http://www.postfix.org/SMTPD_ACCESS_README.html#relay

I'm not a mail guru... but.. if you're the only one sending mail, couldn't you allow "outgoing" 25 and restrict "incoming" 25? then just send mail from your internal network? I haven't used iptables in a while, and when I did I just forwarded ports with it, so I'm not sure how it would be done...

and again, not sure if this is a solution, I do believe mail clients and such would need to come in on 25 to send mail... just like if you were to send mail through telnet e.g. "telnet ip.add.dre.ss 25"


-Adam

btw, while posting this, I was not able to telnet into port 25 on your box... is SMTP down? or are you blocking incoming 25?
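Whether a client may relay is decided in Postfix by smtpd_recipient_restrictions, not by firewalling port 25: closing inbound 25 would also stop the box receiving mail for crankhouse.com, while the "Relay access denied" rejects in the first post show reject_unauth_destination already refusing outsiders. The fragment below is an added example of the relevant main.cf settings, not goon12's actual configuration; the hostname is taken from the SMTP banner quoted in the thread and the 192.168.1.0/24 LAN range is a placeholder. Listing mynetworks explicitly matters on a home connection, because the older default mynetworks_style = subnet trusts every host on the IP subnet the box sits on, which can include other customers of the same ISP. postconf -n shows the non-default settings in effect and postconf mynetworks the value Postfix actually uses.

```ini
# /etc/postfix/main.cf fragment (example added for this thread, not goon12's config)
# Hostname from the SMTP banner in the thread; the LAN range is a placeholder.
myhostname = crankhouse.com
mydestination = $myhostname, localhost.$mydomain, localhost

# Clients in mynetworks may relay anywhere; everyone else may only deliver to
# domains in mydestination. Setting mynetworks explicitly overrides
# mynetworks_style, whose old default ("subnet") trusts the whole subnet of
# each interface, which on a cable/DSL line can mean other ISP customers.
mynetworks = 127.0.0.0/8, 192.168.1.0/24

# Order matters: the first rule that matches decides.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination
```

After editing, postfix reload applies the change, and the smtpd reject lines in /var/log/maillog remain the way to confirm that relay attempts from outside mynetworks are still refused.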

goon12
03-10-2005, 12:01 PM
Hrm.. I was able to telnet into it:

[me@list: me$ telnet 66.189.35.129 25
Trying 66.189.35.129...
Connected to 66.189.35.129.
Escape character is '^]'.
220 crankhouse.com ESMTP Postfix
QUIT
221 Bye
Connection closed by foreign host.
[me@list: me]$


I tried using the host name (crankhouse.com) as well, and it worked. Postfix appears to be running too. I might have screwed something up in the main.cf, I will take a look at it in a bit.

Thanks again,
goon12