Postfix overloaded?

dgawin

New Member
Hello!

I'm new here, but I have already used the search and unfortunately found nothing on my problem.

Maybe someone can help:

I'm running a Postfix with the following configuration:

main.cf
Code:
mail_spool_directory = /var/mail
canonical_maps = hash:/etc/postfix/canonical
virtual_maps = hash:/etc/postfix/virtual, hash:/etc/postfix/confixx_virtualUsers, hash:/etc/postfix/confixx_localDomains
relocated_maps = hash:/etc/postfix/relocated
transport_maps = hash:/etc/postfix/transport
sender_canonical_maps = hash:/etc/postfix/sender_canonical
masquerade_exceptions = root
masquerade_classes = envelope_sender, header_sender, header_recipient
myhostname = p15135790.pureserver.info
program_directory = /usr/lib/postfix

masquerade_domains =
mydestination = $myhostname, localhost.$mydomain
defer_transports =
disable_dns_lookups = no
disable_vrfy_command = yes
relayhost =
content_filter =
mailbox_command = /usr/bin/procmail
mailbox_transport =
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_client_restrictions = permit_sasl_authenticated,
smtpd_helo_required = no
smtpd_helo_restrictions =
strict_rfc821_envelopes = yes

#smtpd_recipient_restrictions = permit_sasl_authenticated,
#        permit_mynetworks,
#        reject_unauth_destination,
#        reject_non_fqdn_sender,
#        reject_unknown_sender_domain
#

smtpd_recipient_restrictions = permit_sasl_authenticated,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
#
        permit_mynetworks,
        reject_unauth_destination,
#
        check_recipient_access    hash:/etc/postfix/roles,
        check_client_access       hash:/etc/postfix/bl_excepts,
#        reject_rbl_client         relays.ordb.org
        reject_rbl_client         list.dsbl.org
        reject_rbl_client         cbl.abuseat.org
#        reject_rbl_client         ix.dnsbl.manitu.net
#
        check_sender_access       hash:/etc/postfix/rhsbl_excepts,
        reject_rhsbl_sender       dsn.rfc-ignorant.org
        reject_rhsbl_sender       rhsbl.sorbs.net
#        reject_rhsbl_sender       ix.dnsbl.manitu.net
#

smtp_sasl_auth_enable = no
alias_maps = hash:/etc/aliases
mailbox_size_limit = 0
message_size_limit = 10240000

#SMTPD Auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtp_use_tls = yes

#TLS Support
smtpd_use_tls = yes
smtpd_tls_auth_only = no
smtpd_tls_key_file = /etc/postfix/key.pem
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_CAfile = /etc/ssl/certs/p15135790.pureserver.info-sample-ca.crt
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

html_directory = /usr/share/doc/packages/postfix/html

mail.warn
Code:
Jun 24 11:23:21 p15135790 postfix/smtp[17927]: warning: numeric domain name in resource data of MX record for us.sina.com: 202.85.139.119
Jun 24 11:23:23 p15135790 postfix/smtp[17872]: warning: valid_hostname: empty hostname
Jun 24 11:23:23 p15135790 postfix/smtp[17872]: warning: malformed domain name in resource data of MX record for yehoo.com: 
Jun 24 11:23:27 p15135790 postfix/smtp[17959]: warning: valid_hostname: invalid character 42(decimal): *.mx.*
Jun 24 11:23:27 p15135790 postfix/smtp[17959]: warning: malformed domain name in resource data of MX record for uproar.com: *.mx.*
Jun 24 11:23:54 p15135790 postfix/smtp[17960]: warning: valid_hostname: empty hostname
Jun 24 11:23:54 p15135790 postfix/smtp[17960]: warning: malformed domain name in resource data of MX record for yahooo.com: 

the log is full of this!

mail.err
Code:
....

Jun 24 11:39:01 p15135790 spamc[20356]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection refused
Jun 24 11:39:02 p15135790 spamc[20356]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#2 of 3): Connection refused
Jun 24 11:39:03 p15135790 spamc[20356]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#3 of 3): Connection refused
Jun 24 11:39:04 p15135790 spamc[20356]: connection attempt to spamd aborted after 3 retries

....

the "mail" log is already 53 MB and keeps growing... it contains thousands of lines like these:

mail
Code:
Jun 24 11:45:45 p15135790 postfix/smtp[20182]: 49E5D40561E: to=<tawasumc@placementsolution.com>, relay=none, delay=393897, status=deferred (connect to placementsolution.com[65.182.166.221]: No route to host)
Jun 24 11:45:45 p15135790 postfix/smtp[20182]: 49E5D40561E: to=<terfrqntv@placementsolution.com>, relay=none, delay=393897, status=deferred (connect to placementsolution.com[65.182.166.221]: No route to host)
Jun 24 11:45:45 p15135790 postfix/smtp[20182]: 49E5D40561E: to=<tgb301@placementsolution.com>, relay=none, delay=393897, status=deferred (connect to placementsolution.com[65.182.166.221]: No route to host)
Jun 24 11:45:45 p15135790 postfix/smtp[20182]: 49E5D40561E: to=<thchance@placementsolution.com>, relay=none, delay=393897, status=deferred (connect to placementsolution.com[65.182.166.221]: No route to host)
Jun 24 11:45:45 p15135790 postfix/smtp[20182]: 49E5D40561E: to=<vasquez@placementsolution.com>, relay=none, delay=393897, status=deferred (connect to placementsolution.com[65.182.166.221]: No route to host)
Jun 24 11:45:46 p15135790 postfix/smtp[20177]: 49E5D40561E: to=<castro@planetwebdesign.com>, relay=mail.entangledweb.net[216.15.238.130], delay=393898, status=deferred (host mail.entangledweb.net[216.15.238.130] said: 450 sorry, mailbox currently unavailable (#4.7.1) (in reply to RCPT TO command))
Jun 24 11:45:46 p15135790 postfix/smtp[20177]: 49E5D40561E: to=<jim893@planetwebdesign.com>, relay=mail.entangledweb.net[216.15.238.130], delay=393898, status=deferred (host mail.entangledweb.net[216.15.238.130] said: 450 sorry, mailbox currently unavailable (#4.7.1) (in reply to RCPT TO command))
Jun 24 11:45:46 p15135790 postfix/smtp[20177]: 49E5D40561E: to=<mccoy@planetwebdesign.com>, relay=mail.entangledweb.net[216.15.238.130], delay=393898, status=deferred (host mail.entangledweb.net[216.15.238.130] said: 450 sorry, mailbox currently unavailable (#4.7.1) (in reply to RCPT TO command))
Jun 24 11:45:46 p15135790 postfix/smtp[20177]: 49E5D40561E: to=<smoothiegirl16@planetwebdesign.com>, relay=mail.entangledweb.net[216.15.238.130], delay=393898, status=deferred (host mail.entangledweb.net[216.15.238.130] said: 450 sorry, mailbox currently unavailable (#4.7.1) (in reply to RCPT TO command))
Jun 24 11:45:46 p15135790 postfix/smtp[20177]: 49E5D40561E: to=<snans_2002@planetwebdesign.com>, relay=mail.entangledweb.net[216.15.238.130], delay=393898, status=deferred (host mail.entangledweb.net[216.15.238.130] said: 450 sorry, mailbox currently unavailable (#4.7.1) (in reply to RCPT TO command))
Jun 24 11:45:46 p15135790 postfix/smtp[20177]: 49E5D40561E: to=<soul911@planetwebdesign.com>, relay=mail.entangledweb.net[216.15.238.130], delay=393898, status=deferred (host mail.entangledweb.net[216.15.238.130] said: 450 sorry, mailbox currently unavailable (#4.7.1) (in reply to RCPT TO command))
Jun 24 11:45:46 p15135790 postfix/smtp[20177]: 49E5D40561E: to=<sparksnv@planetwebdesign.com>, relay=mail.entangledweb.net[216.15.238.130], delay=393898, status=deferred (host mail.entangledweb.net[216.15.238.130] said: 450 sorry, mailbox currently unavailable (#4.7.1) (in reply to RCPT TO command))
Jun 24 11:45:46 p15135790 postfix/smtp[20177]: 49E5D40561E: to=<sspillman@planetwebdesign.com>, relay=mail.entangledweb.net[216.15.238.130], delay=393898, status=deferred (host mail.entangledweb.net[216.15.238.130] said: 450 sorry, mailbox currently unavailable (#4.7.1) (in reply to RCPT TO command))
Jun 24 11:45:46 p15135790 postfix/smtp[20177]: 49E5D40561E: to=<ssyrstad.mf@planetwebdesign.com>, relay=mail.entangledweb.net[216.15.238.130], delay=393898, status=deferred (host mail.entangledweb.net[216.15.238.130] said: 450 sorry, mailbox currently unavailable (#4.7.1) (in reply to RCPT TO command))
Jun 24 11:45:46 p15135790 postfix/smtp[20177]: 49E5D40561E: to=<sthrncrs@planetwebdesign.com>, relay=mail.entangledweb.net[216.15.238.130], delay=393898, status=deferred (host mail.entangledweb.net[216.15.238.130] said: 450 sorry, mailbox currently unavailable (#4.7.1) (in reply to RCPT TO command))
Jun 24 11:45:46 p15135790 postfix/smtp[20177]: 49E5D40561E: to=<stolljii@planetwebdesign.com>, relay=mail.entangledweb.net[216.15.238.130], delay=393898, status=deferred (host mail.entangledweb.net[216.15.238.130] said: 450 sorry, mailbox currently unavailable (#4.7.1) (in reply to RCPT TO command))
Jun 24 11:45:46 p15135790 postfix/smtp[20177]: 49E5D40561E: to=<tabby24@planetwebdesign.com>, relay=mail.entangledweb.net[216.15.238.130], delay=393898, status=deferred (host mail.entangledweb.net[216.15.238.130] said: 450 sorry, mailbox currently unavailable (#4.7.1) (in reply to RCPT TO command))
Jun 24 11:45:46 p15135790 postfix/smtp[20177]: 49E5D40561E: to=<thundrball@planetwebdesign.com>, relay=mail.entangledweb.net[216.15.238.130], delay=393898, status=deferred (host mail.entangledweb.net[216.15.238.130] said: 450 sorry, mailbox currently unavailable (#4.7.1) (in reply to RCPT TO command))
Jun 24 11:45:46 p15135790 postfix/smtp[20177]: 49E5D40561E: to=<timing7@planetwebdesign.com>, relay=mail.entangledweb.net[216.15.238.130], delay=393898, status=deferred (host mail.entangledweb.net[216.15.238.130] said: 450 sorry, mailbox currently unavailable (#4.7.1) (in reply to RCPT TO command))
Jun 24 11:45:51 p15135790 postfix/smtp[20197]: connect to esignal.com[216.23.232.38]: Connection timed out (port 25)
Jun 24 11:45:53 p15135790 postfix/smtp[20171]: connect to msy.bellsouth.net[205.152.58.130]: Connection timed out (port 25)
Jun 24 11:45:53 p15135790 postfix/smtp[20110]: connect to marconi.nscc.ns.ca[142.227.37.1]: Connection timed out (port 25)
Jun 24 11:45:53 p15135790 postfix/smtp[20110]: 9E504428541: to=<eet31@marconi.nscc.ns.ca>, relay=none, delay=386354, status=deferred (connect to marconi.nscc.ns.ca[142.227.37.1]: Connection timed out)
Jun 24 11:45:53 p15135790 postfix/smtp[20110]: 9E504428541: to=<eet45@marconi.nscc.ns.ca>, relay=none, delay=386354, status=deferred (connect to marconi.nscc.ns.ca[142.227.37.1]: Connection timed out)
Jun 24 11:45:53 p15135790 postfix/smtp[20110]: 9E504428541: to=<hoban@marconi.nscc.ns.ca>, relay=none, delay=386354, status=deferred (connect to marconi.nscc.ns.ca[142.227.37.1]: Connection timed out)
Jun 24 11:45:53 p15135790 postfix/smtp[20110]: 9E504428541: to=<pwr8@marconi.nscc.ns.ca>, relay=none, delay=386354, status=deferred (connect to marconi.nscc.ns.ca[142.227.37.1]: Connection timed out)
Jun 24 11:45:53 p15135790 postfix/smtp[20110]: 9E504428541: to=<robertdc@marconi.nscc.ns.ca>, relay=none, delay=386354, status=deferred (connect to marconi.nscc.ns.ca[142.227.37.1]: Connection timed out)

Could it be that our server will soon be on all blacklists? Or are these just the normal messages when Postfix refuses to send SPAM?
Urgently asking for help...

The administrator who looked after the server before is unfortunately no longer with us...
 
Those are pure spam - it may well be that you end up on the blacklists because of it.
First of all, stop Postfix now to prevent further damage.

Since the mails throughout the whole excerpt always carry the same queue ID, my guess is a mailer script on the web server into which CC and BCC headers can be smuggled.
You need to find it and delete or fix it.

After that, clear the mail queue before Postfix may be started again.
 
okay,

postfix is stopped!

queue is emptied...

but how do I find the "evil" script now? the apache access_logs don't contain any page really often, and when they do, it was called by the google bot or similar.

do I have to/should I change anything else in my postfix configuration?
 
Please post the output of:

Code:
grep 9E504428541 /var/log/mail | grep -v deferred
That should contain the line with which the mail was submitted.
That gives the decisive hint as to where the effort is best spent. ;)
 
So,

here is the result:

Code:
Jun 24 05:07:58 p15135790 postfix/qmgr[16578]: 9E504428541: from=<wwwrun@p15135790.pureserver.info>, size=14061, nrcpt=368 (queue active)
Jun 24 06:31:22 p15135790 postfix/qmgr[16578]: 9E504428541: from=<wwwrun@p15135790.pureserver.info>, size=14061, nrcpt=368 (queue active)
Jun 24 07:54:38 p15135790 postfix/qmgr[16578]: 9E504428541: from=<wwwrun@p15135790.pureserver.info>, size=14061, nrcpt=368 (queue active)
Jun 24 09:18:01 p15135790 postfix/qmgr[16578]: 9E504428541: from=<wwwrun@p15135790.pureserver.info>, size=14061, nrcpt=368 (queue active)
Jun 24 10:41:25 p15135790 postfix/qmgr[16578]: 9E504428541: from=<wwwrun@p15135790.pureserver.info>, size=14061, nrcpt=368 (queue active)
Jun 24 11:15:59 p15135790 postfix/qmgr[17865]: 9E504428541: from=<wwwrun@p15135790.pureserver.info>, size=14061, nrcpt=368 (queue active)
Jun 24 11:36:52 p15135790 postfix/qmgr[20099]: 9E504428541: from=<wwwrun@p15135790.pureserver.info>, size=14061, nrcpt=368 (queue active)
Jun 24 12:06:33 p15135790 postfix/qmgr[21449]: 9E504428541: from=<wwwrun@p15135790.pureserver.info>, size=14061, nrcpt=368 (queue active)
 
So the web server it is. Which script it is cannot be determined after the fact via the mail server.

Now you need to think about what is all running on the web server.
From such a list you can then pick out the candidates that are worth a closer look.

You can also get a list of the possible scripts/code lines with a grep for "mail(".
Code:
egrep -rin 'mail\s*\(' /path/to/web/root

I'd be interested in the output too. The suspects can be recognised from the parameters in the function call.
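As an added example (not code from the thread), here is a Python version of the queue-ID correlation that the replies above do by hand with grep: it parses qmgr and smtp lines from the mail log, groups them by queue ID, and flags messages that were injected locally by the web server user with an unusually large recipient count. The sample log lines are constructed in the thread's log format; the list of web server user names and the recipient threshold are assumptions, not values from the thread.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the thread's log format (not the real log).
SAMPLE_LOG = """\
Jun 24 05:07:58 p15135790 postfix/qmgr[16578]: 9E504428541: from=<wwwrun@p15135790.pureserver.info>, size=14061, nrcpt=368 (queue active)
Jun 24 05:08:10 p15135790 postfix/smtp[20110]: 9E504428541: to=<a@example.org>, relay=none, delay=12, status=deferred (connect to example.org[192.0.2.10]: Connection timed out)
Jun 24 05:08:11 p15135790 postfix/smtp[20110]: 9E504428541: to=<b@example.org>, relay=none, delay=13, status=deferred (connect to example.org[192.0.2.10]: Connection timed out)
Jun 24 06:31:22 p15135790 postfix/qmgr[16578]: 9E504428541: from=<wwwrun@p15135790.pureserver.info>, size=14061, nrcpt=368 (queue active)
Jun 24 06:32:00 p15135790 postfix/qmgr[16578]: 1234ABCD567: from=<alice@p15135790.pureserver.info>, size=2048, nrcpt=1 (queue active)
Jun 24 06:32:02 p15135790 postfix/smtp[20111]: 1234ABCD567: to=<bob@example.net>, relay=mx.example.net[192.0.2.20], delay=2, status=sent (250 OK)
"""

# qmgr logs the envelope sender and recipient count once per queue run (hence the
# repeated lines in the thread); smtp logs one line per recipient delivery attempt.
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-Za-z]+): from=<(?P<sender>[^>]*)>, "
    r"size=(?P<size>\d+), nrcpt=(?P<nrcpt>\d+)")
SMTP_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-Za-z]+): to=<[^>]*>.*status=(?P<status>\w+)")


def summarize_queue(log_text):
    """Map each queue ID to its sender, recipient count and per-status counts."""
    summary = {}
    for line in log_text.splitlines():
        m = QMGR_RE.search(line)
        if m:
            e = summary.setdefault(m["qid"], {"sender": "", "nrcpt": 0, "status": defaultdict(int)})
            e["sender"], e["nrcpt"] = m["sender"], int(m["nrcpt"])
            continue
        m = SMTP_RE.search(line)
        if m:
            e = summary.setdefault(m["qid"], {"sender": "", "nrcpt": 0, "status": defaultdict(int)})
            e["status"][m["status"]] += 1
    return summary


def flag_web_mass_mail(summary, web_users=("wwwrun", "www-data", "apache"), min_rcpt=50):
    """Queue IDs submitted locally by the web server user with many recipients.
    web_users and min_rcpt are assumed thresholds, not values from the thread."""
    flagged = []
    for qid, e in sorted(summary.items()):
        local_part = e["sender"].split("@", 1)[0]
        if local_part in web_users and e["nrcpt"] >= min_rcpt:
            flagged.append((qid, e["sender"], e["nrcpt"], dict(e["status"])))
    return flagged


if __name__ == "__main__":
    for qid, sender, nrcpt, status in flag_web_mass_mail(summarize_queue(SAMPLE_LOG)):
        print(f"{qid}: from={sender} nrcpt={nrcpt} status={status}")
```

On a real system, feed it the mail log instead of SAMPLE_LOG; each flagged queue ID's timestamp then narrows the window in which to search the web server's access log for the script that called mail().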
 