1 (edited by aniyan.rajan6 2013-05-08 07:46:56)

Topic: Connection

Hello,

I get this type of connection every day in /var/log/mail.log. It looks like this is a connection from my domain itself. Is this normal? Please help me to understand why this happens. Thanks.

Apr 24 07:21:10 mydomain postfix/anvil[4327]: statistics: max connection rate 1/60s for (smtp:216.80.120.215) at Apr 24 07:17:46
Apr 24 07:21:10 mydomain postfix/anvil[4327]: statistics: max connection count 1 for (smtp:216.80.120.215) at Apr 24 07:17:46
Apr 24 07:21:10 mydomain postfix/anvil[4327]: statistics: max cache size 1 at Apr 24 07:17:46
Apr 24 07:35:17 mydomain postfix/pickup[4184]: 4AC1D100B7B: uid=0 from=<root>
Apr 24 07:35:17 mydomain postfix/cleanup[4743]: 4AC1D100B7B: message-id=<20130424073517.4AC1D100B7B@mydomain.org>
Apr 24 07:35:17 mydomain postfix/qmgr[3817]: 4AC1D100B7B: from=<root@mydomain.org>, size=9265, nrcpt=1 (queue active)
Apr 24 07:35:18 mydomain postfix/smtpd[4759]: connect from mydomain.org[127.0.0.1]
Apr 24 07:35:18 mydomain postfix/smtpd[4759]: EC1DC100B7F: client=mydomain.org[127.0.0.1]
Apr 24 07:35:18 mydomain postfix/cleanup[4743]: EC1DC100B7F: message-id=<20130424073517.4AC1D100B7B@mydomain.org>
Apr 24 07:35:18 mydomain postfix/qmgr[3817]: EC1DC100B7F: from=<root@mydomain.org>, size=10167, nrcpt=1 (queue active)
Apr 24 07:35:18 mydomain postfix/smtpd[4759]: disconnect from mydomain.org[127.0.0.1]
Apr 24 07:35:19 mydomain amavis[1410]: (01410-02) Passed CLEAN, MYUSERS <root@mydomain.org> -> <root@mydomain.org>, Message-ID: <20130424073517.4AC1D100B7B@mydomain.org>, mail_id: ajKNpHNbVKWB, Hits: -0.001, size: 9262, queued_as: EC1DC100B7F, 1624 ms
Apr 24 07:35:19 mydomain postfix/smtp[4752]: 4AC1D100B7B: to=<root@mydomain.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=8.2, delays=6.5/0.01/0.03/1.7, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=01410-02, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as EC1DC100B7F)
Apr 24 07:35:19 mydomain postfix/qmgr[3817]: 4AC1D100B7B: removed
Apr 24 07:35:19 mydomain postfix/pipe[4763]: EC1DC100B7F: to=<root@mydomain.org>, relay=dovecot, delay=0.1, delays=0.01/0.03/0/0.06, dsn=5.1.1, status=bounced (user unknown)
Apr 24 07:35:19 mydomain postfix/cleanup[4743]: 1003B100B7B: message-id=<20130424073519.1003B100B7B@mydomain.org>
Apr 24 07:35:19 mydomain postfix/qmgr[3817]: 1003B100B7B: from=<>, size=11954, nrcpt=1 (queue active)
Apr 24 07:35:19 mydomain postfix/bounce[4765]: EC1DC100B7F: sender non-delivery notification: 1003B100B7B
Apr 24 07:35:19 mydomain postfix/qmgr[3817]: EC1DC100B7F: removed
Apr 24 07:35:19 mydomain postfix/pipe[4763]: 1003B100B7B: to=<root@mydomain.org>, relay=dovecot, delay=0.03, delays=0.01/0/0/0.01, dsn=5.1.1, status=bounced (user unknown)
Apr 24 07:35:19 mydomain postfix/qmgr[3817]: 1003B100B7B: removed
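
The log above can be read by following queue IDs: the cron mail is handed to the content filter on port 10024, comes back over SMTP from 127.0.0.1 under a new queue ID, and is then bounced by the dovecot transport. The sketch below is an added example, not part of the original post; it runs over lines copied from that log, and its function names are made up for illustration.

```python
import re

# Lines copied from the mail.log excerpt in the first post (amavis, cleanup and
# "removed" lines left out for brevity).
SAMPLE_LOG = """\
Apr 24 07:35:17 mydomain postfix/pickup[4184]: 4AC1D100B7B: uid=0 from=<root>
Apr 24 07:35:17 mydomain postfix/qmgr[3817]: 4AC1D100B7B: from=<root@mydomain.org>, size=9265, nrcpt=1 (queue active)
Apr 24 07:35:18 mydomain postfix/smtpd[4759]: connect from mydomain.org[127.0.0.1]
Apr 24 07:35:18 mydomain postfix/smtpd[4759]: EC1DC100B7F: client=mydomain.org[127.0.0.1]
Apr 24 07:35:19 mydomain postfix/smtp[4752]: 4AC1D100B7B: to=<root@mydomain.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=8.2, delays=6.5/0.01/0.03/1.7, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=01410-02, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as EC1DC100B7F)
Apr 24 07:35:19 mydomain postfix/pipe[4763]: EC1DC100B7F: to=<root@mydomain.org>, relay=dovecot, delay=0.1, delays=0.01/0.03/0/0.06, dsn=5.1.1, status=bounced (user unknown)
Apr 24 07:35:19 mydomain postfix/qmgr[3817]: 1003B100B7B: from=<>, size=11954, nrcpt=1 (queue active)
Apr 24 07:35:19 mydomain postfix/bounce[4765]: EC1DC100B7F: sender non-delivery notification: 1003B100B7B
Apr 24 07:35:19 mydomain postfix/pipe[4763]: 1003B100B7B: to=<root@mydomain.org>, relay=dovecot, delay=0.03, delays=0.01/0/0/0.01, dsn=5.1.1, status=bounced (user unknown)
"""

LINE_RE = re.compile(r"postfix/(?P<daemon>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]{8,}): (?P<rest>.*)")
DELIVERY_RE = re.compile(r"to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>[^,]+),.*status=(?P<status>\w+)")
# A queue ID mentioned inside another message's record is a hand-off to a new queue entry.
HANDOFF_RES = [
    (re.compile(r"queued as ([0-9A-F]{8,})"), "re-injected after content_filter"),
    (re.compile(r"non-delivery notification: ([0-9A-F]{8,})"), "bounce notification"),
]


def parse(log_text):
    """Group Postfix log lines by queue ID; record origin, deliveries and hand-offs."""
    msgs = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # "connect from ..." and similar lines carry no queue ID
        rec = msgs.setdefault(m["qid"], {"origin": None, "deliveries": [], "children": []})
        daemon, rest = m["daemon"], m["rest"]
        if daemon == "pickup":
            rec["origin"] = "local submission " + rest.split()[0]
        elif daemon == "smtpd" and rest.startswith("client="):
            rec["origin"] = "smtp from " + rest[len("client="):]
        d = DELIVERY_RE.search(rest)
        if d:
            rec["deliveries"].append((d["rcpt"], d["relay"], d["status"]))
        for pattern, reason in HANDOFF_RES:
            for qid in pattern.findall(rest):
                rec["children"].append((qid, reason))
    return msgs


def find_roots(msgs):
    """Queue IDs that no other message handed off to, i.e. where a mail entered."""
    children = {qid for rec in msgs.values() for qid, _ in rec["children"]}
    return [qid for qid in msgs if qid not in children]


def trace(msgs, qid, via="original message", depth=0):
    """Return (depth, queue ID, how it was created, origin, deliveries) per hop."""
    rec = msgs[qid]
    hops = [(depth, qid, via, rec["origin"] or "generated by Postfix", rec["deliveries"])]
    for child, reason in rec["children"]:
        if child in msgs:
            hops.extend(trace(msgs, child, reason, depth + 1))
    return hops


if __name__ == "__main__":
    parsed = parse(SAMPLE_LOG)
    for root in find_roots(parsed):
        for depth, qid, via, origin, deliveries in trace(parsed, root):
            print("  " * depth + f"{qid} [{via}] origin: {origin}")
            for rcpt, relay, status in deliveries:
                print("  " * depth + f"    -> {rcpt} via {relay}: {status}")
```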

2

Re: Connection

Did you check the email it sent out? You can add an alias in /etc/postfix/aliases to forward all emails sent to the root user to a valid email address. For example:

# File /etc/postfix/aliases
root: user@domain.ltd

After you modify /etc/postfix/aliases, please execute the command "postalias /etc/postfix/aliases" to update its db file, which is used by Postfix.

3

Re: Connection

ZhangHuangbin wrote:

Did you check the email it sent out? You can add an alias in /etc/postfix/aliases to forward all emails sent to the root user to a valid email address. For example:

# File /etc/postfix/aliases
root: user@domain.ltd

There is already an entry in the aliases file:
root: postmaster@mydomain.org

But I checked the postmaster email account and there are no emails in the inbox. I didn't execute the postalias command, as the entry was already there in the aliases file.

Please suggest.

4

Re: Connection

*) Do you have both server hostname and virtual mail domain set to "mydomain.org"?
*) Please show us output of command "postconf -n" here to help troubleshoot.

5 (edited by aniyan.rajan6 2013-05-12 00:34:33)

Re: Connection

ZhangHuangbin wrote:

*) Do you have both server hostname and virtual mail domain set to "mydomain.org"?

Yes, they were set to mydomain.org initially. It was a mistake. But I have already fixed this by changing the following line in /etc/postfix/main.cf, as per your advice (removed $myhostname).
mydestination = localhost, localhost.localdomain, localhost.$myhostname

ZhangHuangbin wrote:

*) Please show us output of command "postconf -n" here to help troubleshoot.

# postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
allow_percent_hack = no
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 4h
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
delay_warning_time = 0h
disable_vrfy_command = yes
enable_original_recipient = no
header_checks = regexp:/etc/postfix/header_checks
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = ipv4
mailbox_command = /usr/lib/dovecot/deliver
mailbox_size_limit = 0
maximal_backoff_time = 4000s
maximal_queue_lifetime = 4h
message_size_limit = 15728640
minimal_backoff_time = 300s
mydestination = localhost, localhost.localdomain, localhost.$myhostname
mydomain = mydomain.org
myhostname = mydomain.org
mynetworks = 127.0.0.0/8
mynetworks_style = subnet
myorigin = mydomain.org
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions
queue_run_delay = 300s
readme_directory = no
recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf, proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf
recipient_delimiter = +
relay_domains = $mydestination, proxy:mysql:/etc/postfix/mysql/relay_domains.cf
relayhost =
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf, proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf
smtp_data_init_timeout = 240s
smtp_data_xfer_timeout = 600s
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_helo_access pcre:/etc/postfix/helo_access.pcre
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, check_recipient_access hash:/etc/postfix/recipient_access, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_policy_service inet:127.0.0.1:10031
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain =
smtpd_sasl_path = ./dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail_CA.pem
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail_CA.pem
smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_tls_loglevel = 0
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
swap_bangpath = no
tls_random_source = dev:/dev/urandom
transport_maps = proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf, proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/catchall_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_minimum_uid = 2000
virtual_transport = dovecot
virtual_uid_maps = static:2000

6

Re: Connection

Seems not that good to just remove server hostname in "mydestination=". Please try this:

*) Change your server hostname to one different from your mail domain name. e.g. mx.mydomain.org.
*) Then add your server domain name, mx.mydomain.org, in Postfix "mydestination=", and update "myhostname=mx.mydomain.org".
*) Restart Postfix and try again.

7 (edited by aniyan.rajan6 2013-05-14 18:41:46)

Re: Connection

ZhangHuangbin wrote:

Seems not that good to just remove server hostname in "mydestination=". Please try this:

*) Change your server hostname to one different from your mail domain name. e.g. mx.mydomain.org.
*) Then add your server domain name, mx.mydomain.org, in Postfix "mydestination=", and update "myhostname=mx.mydomain.org".
*) Restart Postfix and try again.

Hello Zhang,

I just want to clarify before I do something.

* I am using the MX Record as 'mydomain.org.' in the DNS setting.
* Before iredmail installation, I have set the hostname of my VPS to mydomain.org
* During iredmail installation, I have set the "First Virtual Domain Name" to mydomain.org, by mistake.
* As per your advice, I have already removed the 'myhostname' from the mydestination line in /etc/postfix/main.cf last week.


Now, do you want me to change the hostname of the VPS to something different from the "First Virtual Domain Name" (for example abc.org) and then update the same value in 'myhostname' in /etc/postfix/main.cf? Is that what you mean in your above reply?

Please clarify.
Thanks.

8

Re: Connection

Zhang,

Could you please reply?

Thanks.

9

Re: Connection

aniyan.rajan6 wrote:

Now, do you want me to change the hostname of the VPS to something different from the "First Virtual Domain Name" (for example abc.org) and then update the same value in 'myhostname' in /etc/postfix/main.cf? Is that what you mean in your above reply?

Yes.

Let's say you change the server hostname to "mx.mydomain.org", the result in Postfix main.cf should be:

myhostname = mx.mydomain.org
mydestination = $myhostname, localhost, localhost.localdomain, localhost.$myhostname

10 (edited by aniyan.rajan6 2013-05-18 16:47:07)

Re: Connection

ZhangHuangbin wrote:

Let's say you change the server hostname to "mx.mydomain.org", the result in Postfix main.cf should be:

myhostname = mx.mydomain.org
mydestination = $myhostname, localhost, localhost.localdomain, localhost.$myhostname

Zhang,

I did that yesterday. As per DigitalOcean's advice, I have changed the DropletName, the Reverse DNS (PTR Record) and the VPS hostname (/etc/hostname) to mx.mydomain.org. They suggested that these values should be the same. Then I updated the myhostname in /etc/postfix/main.cf to mx.mydomain.org and updated mydestination too.

But the unwanted connection is still coming. Please see the report below. I have noticed that there is only one such connection per day. But it is coming every day.

May 18 07:21:23 mx postfix/anvil[14254]: statistics: max connection rate 1/60s for (smtp:216.80.120.215) at May 18 07:18:00
May 18 07:21:23 mx postfix/anvil[14254]: statistics: max connection count 1 for (smtp:216.80.120.215) at May 18 07:18:00
May 18 07:21:23 mx postfix/anvil[14254]: statistics: max cache size 1 at May 18 07:18:00
May 18 07:35:09 mx postfix/pickup[13655]: D8F52100B52: uid=0 from=<root>
May 18 07:35:09 mx postfix/cleanup[14667]: D8F52100B52: message-id=<20130518073509.D8F52100B52@mx.mydomain.org>
May 18 07:35:09 mx postfix/qmgr[1834]: D8F52100B52: from=<root@mydomain.org>, size=8848, nrcpt=1 (queue active)
May 18 07:35:19 mx postfix/smtpd[14684]: connect from mydomain.org[127.0.0.1]
May 18 07:35:19 mx postfix/smtpd[14684]: 68B66100BDD: client=mydomain.org[127.0.0.1]
May 18 07:35:19 mx postfix/cleanup[14667]: 68B66100BDD: message-id=<20130518073509.D8F52100B52@mx.mydomain.org>
May 18 07:35:19 mx postfix/qmgr[1834]: 68B66100BDD: from=<root@mydomain.org>, size=9756, nrcpt=1 (queue active)
May 18 07:35:19 mx postfix/smtpd[14684]: disconnect from mydomain.org[127.0.0.1]
May 18 07:35:19 mx amavis[1585]: (01585-01) Passed CLEAN, MYUSERS <root@mydomain.org> -> <root@mydomain.org>, Message-ID: <20130518073509.D8F52100B52@mx.mydomain.org>, mail_id: 8OK2-fYxnbP4, Hits: -0.001, size: 8845, queued_as: 68B66100BDD, 9508 ms
May 18 07:35:19 mx postfix/smtp[14678]: D8F52100B52: to=<root@mydomain.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=14, delays=4.6/0.01/0.02/9.5, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=01585-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 68B66100BDD)
May 18 07:35:19 mx postfix/qmgr[1834]: D8F52100B52: removed
May 18 07:35:19 mx postfix/pipe[14688]: 68B66100BDD: to=<root@mydomain.org>, relay=dovecot, delay=0.1, delays=0.01/0.02/0/0.07, dsn=5.1.1, status=bounced (user unknown)
May 18 07:35:19 mx postfix/cleanup[14667]: 8056F100BE0: message-id=<20130518073519.8056F100BE0@mx.mydomain.org>
May 18 07:35:19 mx postfix/qmgr[1834]: 8056F100BE0: from=<>, size=11570, nrcpt=1 (queue active)
May 18 07:35:19 mx postfix/bounce[14690]: 68B66100BDD: sender non-delivery notification: 8056F100BE0
May 18 07:35:19 mx postfix/qmgr[1834]: 68B66100BDD: removed
May 18 07:35:19 mx postfix/pipe[14688]: 8056F100BE0: to=<root@mydomain.org>, relay=dovecot, delay=0.01, delays=0.01/0/0/0.01, dsn=5.1.1, status=bounced (user unknown)
May 18 07:35:19 mx postfix/qmgr[1834]: 8056F100BE0: removed

11

Re: Connection

*) Create a new mail user "root@mydomain.org" with iRedAdmin-Pro, then check the mail it received to figure out why your server generates this email every day.

*) Please show us output of command "postconf -n" and file /etc/postfix/aliases here to help troubleshoot. Of course you should replace sensitive info before pasting.

*) If you modified /etc/postfix/aliases, please execute command "postalias /etc/postfix/aliases" to update db file used by Postfix.

12 (edited by aniyan.rajan6 2013-05-19 19:02:25)

Re: Connection

ZhangHuangbin wrote:

*) Create a new mail user "root@mydomain.org" with iRedAdmin-Pro, then check the mail it received to figure out why your server generates this email every day.

I got 2 emails in root@mydomain.org. They are quoted below.

Email1:

Subject: Anacron job 'cron.daily' on mx.mydomain.org
----------------------------------------------------
/etc/cron.daily/logrotate:
apache2: apr_sockaddr_info_get() failed for mx.mydomain.org
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
Stopping iredapd ...
Starting iredapd ...

Email2:

Subject: Logwatch for mx.mydomain.org (Linux)
----------------------------------------------


 ################### Logwatch 7.3.6 (05/19/07) #################### 
        Processing Initiated: Sun May 19 07:35:05 2013
        Date Range Processed: yesterday
                              ( 2013-May-18 )
                              Period is day.
        Detail Level of Output: 0
        Type of Output/Format: mail / text
        Logfiles for Host: mx.mydomain.org
  ################################################################## 
 
 --------------------- Amavisd-new Begin ------------------------ 

 2 messages checked and passed.
 
 
 **Unmatched Entries**
    No decoder for       .tnef: 1 Time(s)
    Found decoder for    .tar  at /usr/bin/pax: 1 Time(s)
    Found decoder for    .7z   at /usr/bin/7zr: 1 Time(s)
    Internal decoder for .zip : 1 Time(s)
    starting.  /usr/sbin/amavisd-new at mydomain.org amavisd-new-2.6.4 (20090625), Unicode aware: 1 Time(s)
    Found decoder for    .rar  at /usr/bin/unrar-free: 1 Time(s)
    Internal decoder for .tnef: 1 Time(s)
    Found decoder for    .deb  at /usr/bin/ar: 1 Time(s)
    NOTICE: reconnecting in response to: err=2006, HY000, DBD::mysql::st execute failed: MySQL server has gone away at (eval 115) line 166, <GEN35> line 71.: 1 Time(s)
    Creating db in /var/lib/amavis/db/; BerkeleyDB 0.42, libdb 4.8: 1 Time(s)
    Found decoder for    .zoo  at /usr/bin/zoo: 1 Time(s)
    Found decoder for    .arc  at /usr/bin/nomarch: 1 Time(s)
    AM.PDP-in proto code loaded: 1 Time(s)
    Using primary internal av scanner code for ClamAV-clamd: 1 Time(s)
    Found decoder for    .cpio at /usr/bin/pax: 1 Time(s)
    Local-out proto code loaded: 1 Time(s)
    Found decoder for    .doc  at /usr/bin/ripole: 1 Time(s)
    Found decoder for    .rpm  at /usr/bin/rpm2cpio: 1 Time(s)
    SQL::Quarantine      NOT loaded: 1 Time(s)
    Found decoder for    .Z    at /bin/uncompress: 1 Time(s)
    Found decoder for    .cab  at /usr/bin/cabextract: 1 Time(s)
    Internal decoder for .gz  : 1 Time(s)
    No decoder for       .lha : 1 Time(s)
    Found decoder for    .bz2  at /bin/bzip2 -d: 1 Time(s)
    Found decoder for    .exe  at /usr/bin/unrar-free; /usr/bin/arj: 1 Time(s)
    No decoder for       .F   : 1 Time(s)
    Found decoder for    .arj  at /usr/bin/arj: 1 Time(s)
    Internal decoder for .mail: 1 Time(s)
    Found decoder for    .lzo  at /usr/bin/lzop -d: 1 Time(s)
 
 ---------------------- Amavisd-new End ------------------------- 

 
 --------------------- clam-update Begin ------------------------ 

 
 Last ClamAV update process started at Sat May 18 23:03:31 2013
 
 Last Status:
    WARNING: Your ClamAV installation is OUTDATED!
    WARNING: Local version: 0.97.6 Recommended version: 0.97.8
    DON'T PANIC! Read http://www.clamav.net/support/faq
    main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
    daily.cld is up to date (version: 17236, sigs: 1273163, f-level: 63, builder: guitar)
    bytecode.cvd is up to date (version: 214, sigs: 41, f-level: 63, builder: neo)
    Received signal: wake up
 
 ---------------------- clam-update End ------------------------- 

 
 --------------------- Cron Begin ------------------------ 

 
 Inode errors in crontab files of users:
    amavis : 1 Time(s)
    root : 1 Time(s)
 
 ---------------------- Cron End ------------------------- 

 
 --------------------- httpd Begin ------------------------ 

 
 Requests with error response codes
    404 Not Found
       /.well-known/autoconfig/mail/config-v1.1.x ... 40mydomain.org: 1 Time(s)
       /favicon.ico: 8 Time(s)
       /images/drm.jpg: 1 Time(s)
       /images/gnu.png: 1 Time(s)
       /images/windows7sins.png: 1 Time(s)
 
 ---------------------- httpd End ------------------------- 

 
 --------------------- Kernel Begin ------------------------ 

 
 WARNING:  Kernel Errors Present
    [    1.227085] Error: Driver 'pcspkr' ...:  1 Time(s)
 
 ---------------------- Kernel End ------------------------- 

 
 --------------------- pam_unix Begin ------------------------ 

 sshd:
    Authentication Failures:
       unknown (218.85.135.29): 3383 Time(s)
       unknown (177.43.172.92): 99 Time(s)
       root (58.211.18.206): 11 Time(s)
       root (177.43.172.92): 7 Time(s)
       root (laubervilliers-153-52-11-22.w217-128.abo.wanadoo.fr): 7 Time(s)
       root (218.85.135.29): 4 Time(s)
       unknown (61.19.53.82): 4 Time(s)
       mysql (177.43.172.92): 2 Time(s)
       unknown (58.211.18.206): 2 Time(s)
       root (61.19.53.82): 1 Time(s)
       www-data (177.43.172.92): 1 Time(s)
    Invalid Users:
       Unknown Account: 3488 Time(s)
 
 su:
    Sessions Opened:
       root -> amavis: 1 Time(s)
 
 
 ---------------------- pam_unix End ------------------------- 

 
 --------------------- Postfix Begin ------------------------ 

   20.268K  Bytes accepted                              20,754
    9.236K  Bytes sent via SMTP                          9,458
    1.504K  Bytes delivered                              1,540
 ========   ==================================================
 
        4   Accepted                                    11.11%
       32   Rejected                                    88.89%
 --------   --------------------------------------------------
       36   Total                                      100.00%
 ========   ==================================================
 
        2   5xx Reject HELO/EHLO                         6.25%
       30   5xx Reject recipient address                93.75%
 --------   --------------------------------------------------
       32   Total 5xx Rejects                          100.00%
 ========   ==================================================
 
       47   Connections             
        2   Connections lost (inbound) 
       47   Disconnections          
        5   Removed from queue      
        1   Delivered               
        2   Sent via SMTP           
        2   Bounced (remote)        
        1   Notifications sent      
 
        1   Hostname verification errors 
        3   SMTP protocol violations 
        1   SASL authenticated messages 
 
 
 ---------------------- Postfix End ------------------------- 

 
 --------------------- Connections (secure-log) Begin ------------------------ 

 
 **Unmatched Entries**
    CRON: pam_env(cron:session): Unable to open env file: /etc/default/locale: No such file or directory: 251 Time(s)
    su: pam_env(su:session): Unable to open env file: /etc/default/locale: No such file or directory: 1 Time(s)
 
 ---------------------- Connections (secure-log) End ------------------------- 

 
 --------------------- SSHD Begin ------------------------ 

 
 SSHD Killed: 1 Time(s)
 
 SSHD Started: 2 Time(s)
 
 Failed logins from:
    58.211.18.206: 11 times
    61.19.53.82: 1 time
    177.43.172.92 (rcaxanga92.static.host.gvt.net.br): 10 times
    217.128.106.22 (LAubervilliers-153-52-11-22.w217-128.abo.wanadoo.fr): 7 times
    218.85.135.29: 4 times
 
 Illegal users from:
    58.211.18.206: 2 times
    61.19.53.82: 4 times
    177.43.172.92 (rcaxanga92.static.host.gvt.net.br): 99 times
    218.85.135.29: 3383 times
 
 Users logging in through sshd:
    root:
       117.186.184.140: 4 times
       117.297.232.193: 3 times
       117.196.193.92: 1 time
       117.199.144.193: 1 time
 
 
 Received disconnect:
    11: disconnected by user : 6 Time(s)
 
 **Unmatched Entries**
 reverse mapping checking getaddrinfo for rcaxanga92.static.host.gvt.net.br [177.43.172.92] failed - POSSIBLE BREAK-IN ATTEMPT! : 109 time(s)
 Exiting on signal 15 : 1 time(s)
 pam_env(sshd:setcred): Unable to open env file: /etc/default/locale: No such file or directory : 27 time(s)
 
 ---------------------- SSHD End ------------------------- 

 
 --------------------- Disk Space Begin ------------------------ 

 Filesystem            Size  Used Avail Use% Mounted on
 /dev/sda               10G  1.3G   16G  18% /
 
 
 ---------------------- Disk Space End ------------------------- 

 
 ###################### Logwatch End #########################

ZhangHuangbin wrote:

*) Please show us output of command "postconf -n" and file /etc/postfix/aliases here to help troubleshoot. Of course you should replace sensitive info before pasting.

# postconf -n

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
allow_percent_hack = no
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 4h
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
delay_warning_time = 0h
disable_vrfy_command = yes
enable_original_recipient = no
header_checks = regexp:/etc/postfix/header_checks
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = ipv4
mailbox_command = /usr/lib/dovecot/deliver
mailbox_size_limit = 0
maximal_backoff_time = 4000s
maximal_queue_lifetime = 4h
message_size_limit = 15728640
minimal_backoff_time = 300s
mydestination = $myhostname, localhost, localhost.localdomain, localhost.$myhostname
mydomain = mydomain.org
myhostname = mx.mydomain.org
mynetworks = 127.0.0.0/8
mynetworks_style = subnet
myorigin = mydomain.org
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions
queue_run_delay = 300s
readme_directory = no
recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf, proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf
recipient_delimiter = +
relay_domains = $mydestination, proxy:mysql:/etc/postfix/mysql/relay_domains.cf
relayhost = 
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf, proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf
smtp_data_init_timeout = 240s
smtp_data_xfer_timeout = 600s
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_helo_access pcre:/etc/postfix/helo_access.pcre
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, check_recipient_access hash:/etc/postfix/recipient_access, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_policy_service inet:127.0.0.1:10031
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain = 
smtpd_sasl_path = ./dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail_CA.pem
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail_CA.pem
smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_tls_loglevel = 0
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
swap_bangpath = no
tls_random_source = dev:/dev/urandom
transport_maps = proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf, proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf
virtual_alias_domains = 
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/catchall_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_minimum_uid = 2000
virtual_transport = dovecot
virtual_uid_maps = static:2000

# cat /etc/postfix/aliases

# /etc/aliases
mailer-daemon: postmaster
postmaster: root
#nobody: root
hostmaster: root
usenet: root
news: root
webmaster: root
www: root
ftp: root
abuse: root
noc: root
security: root
#clamav: root
www-data: root
nobody: root
vmail: root
root: postmaster@mydomain.org
policyd: root
clamav: root
amavis: root
virusalert: root

ZhangHuangbin wrote:

*) If you modified /etc/postfix/aliases, please execute command "postalias /etc/postfix/aliases" to update db file used by Postfix.

No, I never modified /etc/postfix/aliases.

13

Re: Connection

*) Mail #1 is generated by cron jobs. You should update parameter "ServerName" to use the new server hostname in Apache config file.

*) Mail #2 is generated by program "logwatch" (actually, it's triggered by cron job too).

Your Postfix config file looks fine, no idea why emails were sent to root@mydomain.org, it should be sent to "postmaster@mydomain.org" (as defined in /etc/postfix/aliases) instead.

14

Re: Connection

ZhangHuangbin wrote:

*) Mail #1 is generated by cron jobs. You should update parameter "ServerName" to use the new server hostname in Apache config file.

Okay, I will work on that.

ZhangHuangbin wrote:

*) Mail #2 is generated by program "logwatch" (actually, it's triggered by cron job too).

I was able to get some additional reports from the logwatch.

ZhangHuangbin wrote:

Your Postfix config file looks fine, no idea why emails were sent to root@mydomain.org, it should be sent to "postmaster@mydomain.org" (as defined in /etc/postfix/aliases) instead.

Yes, that's what I've been thinking about. Do I have to do a "postalias /etc/postfix/aliases" to fix this problem? Please see the line "postmaster: root" in /etc/postfix/aliases. It is weird. Why is it again forwarding to the root?

15

Re: Connection

"postmaster: root", this "postmaster" is a system user, not a virtual mail user stored in SQL/LDAP.
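
Postfix reads alias_maps (here /etc/postfix/aliases) only in its local(8) delivery agent, so the "root:" entry applies to recipients whose domain is in mydestination, while an unqualified "root" gets @$myorigin appended and is routed as a virtual mailbox address. The model below is an added example, not iRedMail or Postfix code; it uses the main.cf values posted in the thread and assumes that mydomain.org is the only virtual mailbox domain, that postmaster@mydomain.org is the only mailbox, and that the SQL-backed virtual_alias_maps has no entry for root.

```python
import re

# Values taken from the second "postconf -n" output in the thread.
MAIN_CF = {
    "myhostname": "mx.mydomain.org",
    "myorigin": "mydomain.org",
    "mydestination": "$myhostname, localhost, localhost.localdomain, localhost.$myhostname",
    "virtual_transport": "dovecot",
}
# Entry from /etc/postfix/aliases as posted in the thread.
LOCAL_ALIASES = {"root": "postmaster@mydomain.org"}
# Assumptions: contents of the SQL lookups, which the thread does not show.
VIRTUAL_DOMAINS = {"mydomain.org"}
VIRTUAL_MAILBOXES = {"postmaster@mydomain.org"}


def expand(value, params):
    """Expand $name references as main.cf does and return the list as a set."""
    expanded = re.sub(r"\$(\w+)", lambda m: params[m.group(1)], value)
    return {item.strip().lower() for item in expanded.split(",") if item.strip()}


def route(rcpt, virtual_aliases=None, _depth=0):
    """Return (final address, delivery agent, result) for one recipient.

    Simplified order of operations: qualify with myorigin, apply
    virtual_alias_maps (used for every recipient), then pick the address
    class; alias_maps is consulted only for the local class.
    """
    if _depth > 10:
        raise RuntimeError("alias loop")
    virtual_aliases = virtual_aliases or {}
    addr = rcpt.lower()
    if "@" not in addr:
        addr = f"{addr}@{MAIN_CF['myorigin']}"
    if addr in virtual_aliases:
        return route(virtual_aliases[addr], virtual_aliases, _depth + 1)
    local_part, domain = addr.rsplit("@", 1)
    if domain in expand(MAIN_CF["mydestination"], MAIN_CF):
        if local_part in LOCAL_ALIASES:
            return route(LOCAL_ALIASES[local_part], virtual_aliases, _depth + 1)
        return (addr, "local", "delivered to system account")
    if domain in VIRTUAL_DOMAINS:
        status = "delivered" if addr in VIRTUAL_MAILBOXES else "bounced (user unknown)"
        return (addr, MAIN_CF["virtual_transport"], status)
    return (addr, "smtp", "relayed to remote MX")


if __name__ == "__main__":
    # Cron and logwatch mail to "root": never reaches the local alias table.
    print(route("root"))
    # Same user addressed at the server hostname: local class, alias applies.
    print(route("root@mx.mydomain.org"))
    # Hypothetical virtual alias entry for root@mydomain.org.
    print(route("root", {"root@mydomain.org": "postmaster@mydomain.org"}))
```

The first call reproduces the "relay=dovecot ... status=bounced (user unknown)" line from the logs. The third shows that a virtual alias for root@mydomain.org catches the mail regardless of which program sent it, because virtual_alias_maps is applied before the address class is chosen.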

16 (edited by aniyan.rajan6 2013-05-21 16:27:08)

Re: Connection

http://cilab.math.upatras.gr/mikeagn/co … ed-systems

This works for me, but only for the logwatch emails. The other emails are still going to root@mydomain.

It would be better if there is only one place to modify (one file) and to forward all the emails to postmaster.