1

Topic: Outbound connections

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.8
- Deployed with iRedMail Easy or the downloadable installer? easy installer
- Linux/BSD distribution name and version: ubuntu 14
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): mysql
- Web server (Apache or Nginx): nginx
- Manage mail accounts with iRedAdmin-Pro? no
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi guys

We periodically see outbound connections FROM our iRedMail server (sitting in a private LAN behind a firewall) to the external IP address 96.5.1.5.

The connection gets blocked, but I want to understand what outbound connections would be initiated by the iRedMail server that are not checking for updates, or actual outgoing mail to external mail servers.

The IP points to an address in the US as a corporate ISP:
IP:    96.5.1.5
Decimal:    1610940677
Hostname:    smtp1i.ena.net
ASN:    11686
ISP:    Education Networks of America
Organization:    Education Networks of America
Services:    None detected

2

Re: Outbound connections

- Check Postfix log file, who / which application / which system user sent this email?
- If no relevant log in Postfix log file, maybe some application initialized that connection. Did you install any other software(s) on this server AFTER iRedMail installation?

3

Re: Outbound connections

If you check:
  dig smtp1i.ena.net txt
You see that it has an SPF record pointing to _spf.ena.net
Now if you do:
  dig _spf.ena.net txt
It shows that the ip4 address 96.5.1.0/28 is listed as a valid sender of emails for the mail domain ena.net

Now do this:
  dig  ena.net mx
You see that the valid MX servers do not include smtp1i.ena.net (10.5.1.5)

This probably means that this server is used to send emails, and the others (MX hosts) are for receiving.
Probably you have received an email from 10.5.1.5 that got bounced from your side, or a delivery notification trying to be sent, and the other end refuses to receive.

Check the maillog and the mailq. Does it include entries mentioning the 10.5.1.5 or smtpi.ena.net?
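The checks suggested in posts 2 and 3 (is the remote host an authorised sender for its domain, is it one of the domain's MX hosts, and which Postfix log lines and queue entries mention it) can be scripted so the answer is reproducible. The example below is added here and is not code from the thread or from the iRedMail project. Instead of calling `dig`, `mailq` or reading /var/log/mail.log live, it works on constructed copies of those outputs embedded inline; the SPF records and MX names are assumptions that only mirror the shape described in post 3, and the queue IDs and log lines are made up. The address 96.5.1.5 and the host name smtp1i.ena.net are the ones from the thread.

```python
import ipaddress
import re

# --- Constructed sample data --------------------------------------------
# In practice these come from `dig <name> txt`, `dig <name> mx`,
# /var/log/mail.log (or maillog) and `mailq`. Everything below is made up
# for this example except 96.5.1.5 / smtp1i.ena.net, which the thread names.
SPF_RECORDS = {
    "smtp1i.ena.net": "v=spf1 include:_spf.ena.net -all",
    "_spf.ena.net": "v=spf1 ip4:96.5.1.0/28 -all",
}
MX_HOSTS = ["mx1.ena.net", "mx2.ena.net"]          # assumed names, not real MX data

MAIL_LOG = """\
Jan 10 09:12:01 mail postfix/smtpd[1201]: connect from smtp1i.ena.net[96.5.1.5]
Jan 10 09:12:02 mail postfix/smtpd[1201]: 4F2A1C0123: client=smtp1i.ena.net[96.5.1.5]
Jan 10 09:12:05 mail postfix/bounce[1208]: 4F2A1C0123: sender non-delivery notification: 7B9D2C0456
Jan 10 09:12:06 mail postfix/smtp[1210]: 7B9D2C0456: to=<sender@ena.net>, relay=smtp1i.ena.net[96.5.1.5]:25, dsn=4.7.1, status=deferred (host smtp1i.ena.net[96.5.1.5] said: 450 4.7.1 try again later)
Jan 10 09:15:00 mail postfix/smtp[1211]: 4F2A1C0124: to=<alice@example.com>, relay=mail.example.com[203.0.113.10]:25, dsn=2.0.0, status=sent (250 OK)
"""

MAILQ = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
7B9D2C0456*    2845 Thu Jan 10 09:12:05  MAILER-DAEMON
  (host smtp1i.ena.net[96.5.1.5] said: 450 4.7.1 try again later)
                                         sender@ena.net

-- 2 Kbytes in 1 Request.
"""

# --- SPF / MX checks (what `dig ... txt` and `dig ... mx` tell you) -------
SPF_TOKEN = re.compile(r"^[+\-~?]?(ip4|ip6|include|a|mx|all)(?::(.+))?$")

def spf_networks(domain, records, depth=0):
    """Networks authorised by a domain's SPF record, following include: chains.
    depth caps the recursion so a looping include cannot run forever."""
    nets = []
    if depth > 10:
        return nets
    for token in records.get(domain, "").split()[1:]:      # skip "v=spf1"
        m = SPF_TOKEN.match(token)
        if not m:
            continue
        mech, arg = m.groups()
        if mech in ("ip4", "ip6") and arg:
            nets.append(ipaddress.ip_network(arg, strict=False))
        elif mech == "include" and arg:
            nets.extend(spf_networks(arg, records, depth + 1))
    return nets

def spf_authorises(ip, domain, records):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in spf_networks(domain, records))

def is_mx(host, mx_hosts):
    norm = lambda h: h.lower().rstrip(".")
    return norm(host) in {norm(h) for h in mx_hosts}

# --- Postfix log and queue checks ----------------------------------------
LOG_LINE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ (postfix/\w+)\[\d+\]: (?:([0-9A-F]{8,}): )?(.*)$")
BOUNCE_LINE = re.compile(r"postfix/bounce\[\d+\]: ([0-9A-F]{8,}): sender non-delivery notification: ([0-9A-F]{8,})")
QUEUE_HEAD = re.compile(r"^([0-9A-F]{8,})[*!]?\s+\d+\s+\w{3} \w{3} +\d+ [\d:]+\s+(\S*)$")

def log_hits(log_text, needles):
    """Log lines naming the remote host or IP, tagged by the daemon that wrote
    them: smtpd means the remote side connected to us, smtp means we connected out."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or not any(n in line for n in needles):
            continue
        prog, qid, msg = m.groups()
        direction = {"postfix/smtpd": "inbound", "postfix/smtp": "outbound"}.get(prog, "other")
        hits.append({"prog": prog, "queue_id": qid, "direction": direction, "msg": msg})
    return hits

def bounce_origins(log_text):
    """Map bounce queue ID -> queue ID of the inbound message it was generated for."""
    return {bounce: orig for orig, bounce in BOUNCE_LINE.findall(log_text)}

def parse_mailq(text):
    """Parse `mailq` output into one entry per queued message."""
    entries, cur = [], None
    for line in text.splitlines():
        m = QUEUE_HEAD.match(line)
        if m:
            cur = {"queue_id": m.group(1), "sender": m.group(2), "reason": None, "recipients": []}
            entries.append(cur)
        elif cur is not None and line.strip().startswith("("):
            cur["reason"] = line.strip()
        elif cur is not None and line.strip() and not line.startswith("-"):
            cur["recipients"].append(line.strip())
        elif not line.strip():
            cur = None
    return entries

def investigate(ip, host, mx_hosts, spf_records, log_text, mailq_text):
    """Answer the thread's questions for one remote address in a single pass."""
    hits = log_hits(log_text, [ip, host])
    origins = bounce_origins(log_text)
    outbound = [h for h in hits if h["direction"] == "outbound"]
    return {
        "spf_authorised": spf_authorises(ip, host, spf_records),
        "is_mx": is_mx(host, mx_hosts),
        "inbound_lines": sum(h["direction"] == "inbound" for h in hits),
        "outbound_queue_ids": [h["queue_id"] for h in outbound],
        # our own outbound deliveries that are bounces of mail first received from this host
        "bounces_of_inbound": {h["queue_id"]: origins[h["queue_id"]]
                               for h in outbound if h["queue_id"] in origins},
        "queued": [e for e in parse_mailq(mailq_text) if ip in (e["reason"] or "")],
    }

if __name__ == "__main__":
    import json
    print(json.dumps(investigate("96.5.1.5", "smtp1i.ena.net", MX_HOSTS,
                                 SPF_RECORDS, MAIL_LOG, MAILQ), indent=2))
```

With the constructed data the result says the host is SPF-authorised for its domain but is not an MX, two inbound log lines name it, the only outbound connection to it carries queue ID 7B9D2C0456, and that queue ID is the non-delivery notification Postfix generated for inbound message 4F2A1C0123, which is still sitting in the queue with a deferral reason naming the host. That is the "bounce going back to a sending-only host" pattern post 3 describes; a hit with no `bounce_origins` link and no matching queue entry would instead point at post 2's other possibility, a non-Postfix process on the box opening the connection.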