1

Topic: Too many undelivered mail?

==== Required information ====
- iRedMail version: 0.8.6
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version: Ubuntu 12.04
- Related log if you're reporting an issue:
====

Hi Zhang,
One of my users is receiving a lot of these emails:

From: MAILER-DAEMON@mail.mydomain.ph (Mail Delivery System)
Date: March 8, 2014 4:03:54 PM GMT+08:00
To: user@mydomain.com.ph
Subject: Undelivered Mail Returned to Sender

This is the mail system at host mail.mydomain.ph.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                  The mail system

<courtneyanne1991@yahoo.com>: host mta6.am0.yahoodns.net[98.138.112.37] said:
   554 Message not allowed - [PH01] Email not accepted for policy reasons.
   Please visit http://postmaster.yahoo.com/errors/postmaster-27.html [120]
   (in reply to end of DATA command)
Reporting-MTA: dns; mail.mydomain.ph
X-Postfix-Queue-ID: 18DDA81109
X-Postfix-Sender: rfc822; user@mydomain.com.ph
Arrival-Date: Sat,  8 Mar 2014 16:03:51 +0800 (PHT)

Final-Recipient: rfc822; courtneyanne1991@yahoo.com
Original-Recipient: rfc822;courtneyanne1991@yahoo.com
Action: failed
Status: 5.0.0
Remote-MTA: dns; mta6.am0.yahoodns.net
Diagnostic-Code: smtp; 554 Message not allowed - [PH01] Email not accepted for
   policy reasons.  Please visit
   http://postmaster.yahoo.com/errors/postmaster-27.html [120]

From: "Virginia Theater" <vc.theater@yahoo.com>
Date: March 8, 2014 4:02:30 PM GMT+08:00
To: "Eric Cook" <agenthatchet@gmail.com>, "Stephen Cram" <stephenpaul56@verizon.net>, "Sandra Cramer" <idiwit2002@msn.com>, "dacooper" <dacooper@wcnet.org>, "Tony Laura Damon" <LDAMON@woh.rr.com>, "Tim Yvonne Dennis" <tadennis@wcnet.org>, "Mark Detamore" <markdetamore1@yahoo.com>, "dlnaus" <dlnaus@wcnet.org>, "Rita Driver" <radriver2000@aol.com>, "Rita and Tim driver" <rdriver@woh.rr.com>, "joyce Durliat" <durliat@juno.com>, "Vince Eatherton" <vince1776@wmconnect.com>, "Tiffani Eberflus" <mrsebs37@aol.com>, "Donna Eckman" <deckman@woh.rr.com>, "Laura Eisel" <laurakay43@wmconnect.com>, "Howard Elliott" <theboyes@aol.com>, "Ernsbergers" <ernsberg@netscape.net>, "Kali Findley" <kaliforniabungalow@yahoo.com>, "Courtney Franz" <courtneyanne1991@yahoo.com>, "Bonnie G" <dagchewy@yahoo.com>
Subject: Virginia Theater
Reply-To: vc.theater@yahoo.com


http://delarbol.com/rjok/foxx_news.php
Virginia Theater

From what I have noticed, all the emails are almost the same: the link on the last line changes domain, but it consistently ends in foxx_news.php.
So I thought this user was sending spam, but he said he's not sending anything. He is also using the Mail app on a Mac.

Any thoughts on how to stop this?


2

Re: Too many undelivered mail?

1) Does this user use a weak password?
2) Can you find any related log of sent spam from this user in Postfix log file?
3) Show us the output of the command "postconf -n" to help troubleshoot, please.

3

Re: Too many undelivered mail?

ZhangHuangbin wrote:

1) Does this user use a weak password?
2) Can you find any related log of sent spam from this user in Postfix log file?
3) Show us the output of the command "postconf -n" to help troubleshoot, please.

1. I don't think he is using a weak password. When we migrated the email, the password plugin from Roundcube asked for a combination of letters and numbers with at least 8 characters (if I remember correctly).
I have already asked him to change his password.

2. Some logs I have found for a particular email:

Mar 13 21:04:40 mail postfix/smtp[13069]: E94AA81139: to=<melly1302@gmail.com>, relay=alt1.gmail-smtp-in.l.google.com[74.125.193.26]:25, delay=80333, delays=80318/0/6.4/9, dsn=4.7.0, status=deferred (host alt1.gmail-smtp-in.l.google.com[74.125.193.26] said: 421-4.7.0 [202.60.9.16      15] Our system has detected an unusual rate of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 rate limited. Please visit http://www.google.com/mail/help/bulk_mail. 421 4.7.0 html to review our Bulk Email Senders Guidelines. j9si65452igv.0 - gsmtp (in reply to end of DATA command))
Mar 13 22:14:24 mail postfix/qmgr[30989]: E94AA81139: from=<user@mydomain.com.ph>, size=1757, nrcpt=1 (queue active)
Mar 13 22:14:27 mail postfix/smtp[16873]: E94AA81139: host gmail-smtp-in.l.google.com[74.125.25.27] said: 421-4.7.0 [202.60.9.16      15] Our system has detected an unusual rate of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 rate limited. Please visit http://www.google.com/mail/help/bulk_mail. 421 4.7.0 html to review our Bulk Email Senders Guidelines. tu7si1521226pac.388 - gsmtp (in reply to end of DATA command)
Mar 13 22:14:29 mail postfix/smtp[16873]: E94AA81139: to=<melly1302@gmail.com>, relay=alt1.gmail-smtp-in.l.google.com[74.125.193.27]:25, delay=84523, delays=84518/0.02/3.4/1.5, dsn=4.7.0, status=deferred (host alt1.gmail-smtp-in.l.google.com[74.125.193.27] said: 421-4.7.0 [202.60.9.16      15] Our system has detected an unusual rate of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 rate limited. Please visit http://www.google.com/mail/help/bulk_mail. 421 4.7.0 html to review our Bulk Email Senders Guidelines. y8si3703073icp.17 - gsmtp (in reply to end of DATA command))
Mar 13 23:24:24 mail postfix/qmgr[30989]: E94AA81139: from=<user@mydomain.com.ph>, size=1757, nrcpt=1 (queue active)
Mar 13 23:24:26 mail postfix/smtp[20127]: E94AA81139: host gmail-smtp-in.l.google.com[74.125.25.26] said: 421-4.7.0 [202.60.9.16      15] Our system has detected an unusual rate of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 rate limited. Please visit http://www.google.com/mail/help/bulk_mail. 421 4.7.0 html to review our Bulk Email Senders Guidelines. a3si1657170pay.430 - gsmtp (in reply to end of DATA command)
Mar 13 23:24:31 mail postfix/smtp[20127]: E94AA81139: to=<melly1302@gmail.com>, relay=alt1.gmail-smtp-in.l.google.com[74.125.193.26]:25, delay=88724, delays=88718/0.02/3.4/2.9, dsn=4.7.0, status=deferred (host alt1.gmail-smtp-in.l.google.com[74.125.193.26] said: 421-4.7.0 [202.60.9.16      15] Our system has detected an unusual rate of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 rate limited. Please visit http://www.google.com/mail/help/bulk_mail. 421 4.7.0 html to review our Bulk Email Senders Guidelines. qm1si2612565igc.36 - gsmtp (in reply to end of DATA command))
Mar 13 23:24:31 mail postfix/qmgr[30989]: E94AA81139: from=<user@mydomain.com.ph>, status=expired, returned to sender
Mar 13 23:24:31 mail postfix/bounce[20253]: E94AA81139: sender non-delivery notification: 1DD58810D8
Mar 13 23:24:31 mail postfix/qmgr[30989]: E94AA81139: removed
root@mail:/var/log# cat mail.log | grep "Mar 13 23:24:31"
Mar 13 23:24:31 mail postfix/smtp[20127]: E94AA81139: to=<melly1302@gmail.com>, relay=alt1.gmail-smtp-in.l.google.com[74.125.193.26]:25, delay=88724, delays=88718/0.02/3.4/2.9, dsn=4.7.0, status=deferred (host alt1.gmail-smtp-in.l.google.com[74.125.193.26] said: 421-4.7.0 [202.60.9.16      15] Our system has detected an unusual rate of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 rate limited. Please visit http://www.google.com/mail/help/bulk_mail. 421 4.7.0 html to review our Bulk Email Senders Guidelines. qm1si2612565igc.36 - gsmtp (in reply to end of DATA command))
Mar 13 23:24:31 mail postfix/qmgr[30989]: E94AA81139: from=<user@mydomain.com.ph>, status=expired, returned to sender
Mar 13 23:24:31 mail postfix/cleanup[19605]: 1DD58810D8: message-id=<20140313152431.1DD58810D8@mail.mydomain.ph>
Mar 13 23:24:31 mail postfix/bounce[20253]: E94AA81139: sender non-delivery notification: 1DD58810D8
Mar 13 23:24:31 mail postfix/qmgr[30989]: 1DD58810D8: from=<>, size=4517, nrcpt=1 (queue active)
Mar 13 23:24:31 mail postfix/qmgr[30989]: E94AA81139: removed
Mar 13 23:24:31 mail postfix/pipe[20216]: 1DD58810D8: to=<user@mydomain.com.ph>, relay=dovecot, delay=0.28, delays=0.07/0/0/0.2, dsn=2.0.0, status=sent (delivered via dovecot service)
Mar 13 23:24:31 mail postfix/qmgr[30989]: 1DD58810D8: removed

3. postconf -n

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
allow_percent_hack = no
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 4h
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
delay_warning_time = 0h
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
enable_original_recipient = no
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = ipv4
mailbox_command = /usr/lib/dovecot/deliver
mailbox_size_limit = 0
maximal_backoff_time = 4000s
maximal_queue_lifetime = 24h
message_size_limit = 125829120
minimal_backoff_time = 300s
mydestination = $myhostname, localhost, localhost.localdomain, localhost.$myhostname
mydomain = mydomain.ph
myhostname = mail.mydomain.ph
mynetworks = 127.0.0.0/8 [our public ip block is here] [ip block of our internal lan]
mynetworks_style = subnet
myorigin = mail.mydomain.ph
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions
queue_run_delay = 300s
readme_directory = no
recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf, proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf
recipient_delimiter = +
relay_domains = $mydestination, proxy:mysql:/etc/postfix/mysql/relay_domains.cf
relayhost =
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf, proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf
smtp-amavis_destination_recipient_limit = 1
smtp_data_init_timeout = 240s
smtp_data_xfer_timeout = 600s
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_helo_access pcre:/etc/postfix/helo_access.pcre
smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, check_policy_service inet:127.0.0.1:10031, permit_sasl_authenticated, reject_unauth_destination
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain =
smtpd_sasl_path = ./dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail_CA.pem
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail_CA.pem
smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_tls_loglevel = 0
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
swap_bangpath = no
tls_random_source = dev:/dev/urandom
transport_maps = proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf, proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/catchall_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/vmail/mailbox
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_minimum_uid = 2000
virtual_transport = dovecot
virtual_uid_maps = static:2000

So I guess one of my users is sending spam email. Or it could be that someone is using his identity to send emails.
How do I troubleshoot this? My client is an important person.

4

Re: Too many undelivered mail?

nerdtron09 wrote:

2. some logs i have found to a particular email.

These log entries are useless. We need the full SMTP session log of these spams from the Postfix log file, starting with the client connecting and ending with the client disconnecting.
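Added example, not part of this thread and not iRedMail's code: a Python script that does what the replies above ask for, on the kind of log lines posted in post 3. It attributes each accepted message to its sasl_username (post 2, question 2), flags a mailbox that submits to unusually many recipients or from several client IPs, and returns the full smtpd session for one queue ID, from "connect from" to "disconnect from", which is what post 4 asks for. One detail of the posted postconf -n matters here: permit_mynetworks is the first entry in both smtpd_sender_restrictions and smtpd_recipient_restrictions, and mynetworks includes a public IP block, so a host in that block is accepted before reject_sender_login_mismatch or SASL is ever consulted; such mail shows up in the log with a client= but no sasl_username=, and the script keys it by client IP instead. The log lines, hostnames, IPs, queue IDs and the thresholds in flag() are constructed for the example; the assumption that loopback clients are amavisd re-injections follows from the posted content_filter setting.

```python
"""Attribute Postfix submissions to their SASL user (or unauthenticated mynetworks
client) and pull the full smtpd session for one queue ID.  Added example for this
thread, not the poster's or iRedMail's code; SAMPLE_LOG is constructed (made-up hosts, IPs, queue IDs)."""
import re
from collections import defaultdict

LINE_RE = re.compile(r'^\w{3} +\d+ \d\d:\d\d:\d\d \S+ postfix/(?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$')
# smtpd logs "qid: client=host[ip]" and appends sasl_method/sasl_username only after AUTH
CLIENT_RE = re.compile(r'^(?P<qid>[0-9A-F]+): client=(?P<client>[^,\s]+)'
                       r'(?:, sasl_method=[^,\s]+)?(?:, sasl_username=(?P<user>[^,\s]+))?')
QMGR_RE = re.compile(r'^(?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)')
IP_RE = re.compile(r'\[([0-9a-fA-F.:]+)\]')
LOOPBACK = {'127.0.0.1', '::1'}   # assumption: only amavisd (content_filter) re-injects from here

SAMPLE_LOG = [  # constructed, mimics the posted mail.log format
    'Mar 13 20:59:58 mail postfix/smtpd[13001]: connect from workstation.lan[192.0.2.10]',
    'Mar 13 20:59:59 mail postfix/smtpd[13001]: CAFE000001: client=workstation.lan[192.0.2.10], sasl_method=PLAIN, sasl_username=user@mydomain.com.ph',
    'Mar 13 20:59:59 mail postfix/cleanup[13005]: CAFE000001: message-id=<a1@mail.mydomain.ph>',
    'Mar 13 20:59:59 mail postfix/qmgr[30989]: CAFE000001: from=<user@mydomain.com.ph>, size=2048, nrcpt=1 (queue active)',
    'Mar 13 21:00:00 mail postfix/smtpd[13001]: disconnect from workstation.lan[192.0.2.10]',
    'Mar 13 21:02:10 mail postfix/smtpd[13010]: connect from unknown[203.0.113.77]',
    'Mar 13 21:02:11 mail postfix/smtpd[13010]: CAFE000002: client=unknown[203.0.113.77], sasl_method=LOGIN, sasl_username=user@mydomain.com.ph',
    'Mar 13 21:02:11 mail postfix/qmgr[30989]: CAFE000002: from=<user@mydomain.com.ph>, size=1757, nrcpt=20 (queue active)',
    'Mar 13 21:02:12 mail postfix/smtpd[13010]: CAFE000003: client=unknown[203.0.113.77], sasl_method=LOGIN, sasl_username=user@mydomain.com.ph',
    'Mar 13 21:02:12 mail postfix/qmgr[30989]: CAFE000003: from=<user@mydomain.com.ph>, size=1757, nrcpt=20 (queue active)',
    'Mar 13 21:02:13 mail postfix/smtpd[13010]: disconnect from unknown[203.0.113.77]',
    'Mar 13 21:02:20 mail postfix/smtpd[13011]: connect from localhost[127.0.0.1]',
    'Mar 13 21:02:20 mail postfix/smtpd[13011]: CAFE000004: client=localhost[127.0.0.1]',
    'Mar 13 21:02:20 mail postfix/qmgr[30989]: CAFE000004: from=<user@mydomain.com.ph>, size=1900, nrcpt=20 (queue active)',
    'Mar 13 21:02:20 mail postfix/smtpd[13011]: disconnect from localhost[127.0.0.1]',
    'Mar 13 21:05:30 mail postfix/smtpd[13012]: connect from unknown[198.51.100.9]',
    'Mar 13 21:05:31 mail postfix/smtpd[13012]: CAFE000005: client=unknown[198.51.100.9], sasl_method=LOGIN, sasl_username=user@mydomain.com.ph',
    'Mar 13 21:05:31 mail postfix/qmgr[30989]: CAFE000005: from=<user@mydomain.com.ph>, size=1757, nrcpt=20 (queue active)',
    'Mar 13 21:05:32 mail postfix/smtpd[13012]: disconnect from unknown[198.51.100.9]',
    'Mar 13 21:10:00 mail postfix/smtpd[13013]: connect from printer.lan[192.0.2.50]',
    'Mar 13 21:10:01 mail postfix/smtpd[13013]: CAFE000006: client=printer.lan[192.0.2.50]',
    'Mar 13 21:10:01 mail postfix/qmgr[30989]: CAFE000006: from=<user@mydomain.com.ph>, size=900, nrcpt=1 (queue active)',
    'Mar 13 21:10:02 mail postfix/smtpd[13013]: disconnect from printer.lan[192.0.2.50]',
]

def parse(lines):
    """One pass over the log.  messages: queue id -> ip, sasl user, sender, nrcpt and the
    accepting smtpd session's line indexes; by_qid: queue id -> indexes of its other lines."""
    messages, by_qid, open_sessions = {}, defaultdict(list), {}
    for idx, line in enumerate(lines):
        m = LINE_RE.match(line)
        if not m:
            continue
        prog, pid, msg = m['prog'], m['pid'], m['msg']
        if prog != 'smtpd':                          # cleanup/qmgr/smtp/bounce lines
            by_qid[msg.split(':', 1)[0]].append(idx)
            qm = QMGR_RE.match(msg) if prog == 'qmgr' else None
            if qm and qm['qid'] in messages:         # repeated on every requeue, harmless
                messages[qm['qid']]['sender'] = qm['sender']
                messages[qm['qid']]['nrcpt'] = int(qm['nrcpt'])
            continue
        if msg.startswith('connect from '):          # new session for this smtpd process
            open_sessions[pid] = []
        sess = open_sessions.setdefault(pid, [])
        sess.append(idx)
        cm = CLIENT_RE.match(msg)
        if cm:
            ip = IP_RE.search(cm['client'])
            messages[cm['qid']] = {'ip': ip.group(1) if ip else None, 'user': cm['user'],
                                   'sender': None, 'nrcpt': 0, 'session': sess}  # sess grows until disconnect
        elif msg.startswith('disconnect from '):
            open_sessions.pop(pid, None)
    return messages, by_qid

def submitters(messages):
    """Group by who submitted: sasl_username if AUTH was used, else the client IP,
    which the posted config only accepts because permit_mynetworks matched first.
    Loopback clients are amavisd re-injecting already-counted mail, so skip them."""
    out = defaultdict(lambda: {'messages': 0, 'recipients': 0, 'ips': set()})
    for m in messages.values():
        if m['ip'] in LOOPBACK:
            continue
        rec = out[m['user'] or f"mynetworks:{m['ip']}"]
        rec['messages'] += 1
        rec['recipients'] += m['nrcpt']
        rec['ips'].add(m['ip'])
    return dict(out)

def flag(summary, max_recipients=50, max_ips=2):
    """Submitters to look at.  Thresholds are illustrative assumptions; a mailbox that
    suddenly submits from several IPs or to many recipients is the stolen-password pattern."""
    return sorted(k for k, r in summary.items()
                  if r['recipients'] > max_recipients or len(r['ips']) > max_ips)

def session_lines(lines, messages, by_qid, qid):
    """The full session for one queue id: the accepting smtpd connection from
    'connect from' to 'disconnect from', merged in log order with its cleanup/qmgr lines."""
    idxs = sorted(set(messages[qid]['session']) | set(by_qid[qid]))
    return [lines[i] for i in idxs]

if __name__ == '__main__':                            # quick demo on the constructed log
    msgs, by_qid = parse(SAMPLE_LOG)
    print(flag(submitters(msgs)), *session_lines(SAMPLE_LOG, msgs, by_qid, 'CAFE000002'), sep='\n')
```

On a real server, feed it the file instead of SAMPLE_LOG (for example parse(open('/var/log/mail.log').read().splitlines())). The Gmail 421 rate-limit lines in post 3 are the downstream symptom; the smtpd lines with sasl_username= are where the source shows up, and a key of the form mynetworks:IP means the message was relayed without any login at all.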