1 (edited by PSonic 2021-03-16 19:00:35)

Topic: Too much information in log, is it some type of attack?

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.3.2
- Deployed with iRedMail Easy or the downloadable installer? Downloadable installer
- Linux/BSD distribution name and version: Ubuntu 18.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL (MariaDB)
- Web server (Apache or Nginx): Nginx (+ Apache for PHPList)
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
Hello to this fantastic community.
Last week my server worked very well, receiving and sending emails very quickly. But this week it takes a lot of time to deliver to some domains, and to others like "gmail" it never arrives. Maybe I have several problems.

I made this server to work with PHPList; I suspect these problems started when I sent my first campaign to 840 e-mails.

First, maybe I need a clean log, but this is what I found in it. From my search, "barracudacentral" and "spamhaus" are blacklist monitors, but why is my server "under attack"? I see this like every second.

("xx.xx.xx.xx" is my server IP, which I removed to share the log)
-----------------------
Mar 16 10:39:53 news postfix/postscreen[2333]: CONNECT from [212.70.149.85]:16484 to [xx.xx.xx.xx]:25
Mar 16 10:39:53 news postfix/dnsblog[2335]: addr 212.70.149.85 listed by domain b.barracudacentral.org as 127.0.0.2
Mar 16 10:39:53 news postfix/dnsblog[2335]: addr 212.70.149.85 listed by domain zen.spamhaus.org as 127.0.0.10
Mar 16 10:39:53 news postfix/dnsblog[2335]: addr 212.70.149.85 listed by domain zen.spamhaus.org as 127.0.0.4
Mar 16 10:39:55 news postfix/postscreen[2333]: PREGREET 11 after 1.6 from [212.70.149.85]:16484: EHLO User\r\n
Mar 16 10:39:55 news postfix/postscreen[2333]: DISCONNECT [212.70.149.85]:16484
Mar 16 10:40:10 news postfix/postscreen[2333]: CONNECT from [212.70.149.55]:55268 to [xx.xx.xx.xx]:25
Mar 16 10:40:10 news postfix/dnsblog[2335]: addr 212.70.149.55 listed by domain zen.spamhaus.org as 127.0.0.4
Mar 16 10:40:10 news postfix/dnsblog[2335]: addr 212.70.149.55 listed by domain zen.spamhaus.org as 127.0.0.10
Mar 16 10:40:10 news postfix/dnsblog[2334]: addr 212.70.149.55 listed by domain b.barracudacentral.org as 127.0.0.2


2

Re: Too much information in log, is it some type of attack?

New update,

My emails were delivered on gmail, but in the SPAM folder. I will make the necessary changes to fix that. One less problem!

I detected another error in my log:
“warning: do not list domain xxxxxx.xxxxxxx.xxx in BOTH mydestination and virtual_mailbox_domains”

I fixed it, and the barracudacentral and spamhaus messages were different: not every single second, it's like every 5 min, and the 127.0.0.x changed too.
---------

Mar 16 14:23:31 news postfix/postscreen[545]: CONNECT from [37.49.225.170]:50616 to [xx.xx.xx.xx]:25
Mar 16 14:23:31 news postfix/dnsblog[546]: addr 37.49.225.170 listed by domain b.barracudacentral.org as 127.0.0.2
Mar 16 14:23:31 news postfix/dnsblog[546]: addr 37.49.225.170 listed by domain zen.spamhaus.org as 127.0.0.11
Mar 16 14:23:31 news postfix/dnsblog[546]: addr 37.49.225.170 listed by domain zen.spamhaus.org as 127.0.0.4
Mar 16 14:23:31 news postfix/dnsblog[546]: addr 37.49.225.170 listed by domain zen.spamhaus.org as 127.0.0.3
Mar 16 14:23:31 news postfix/postscreen[545]: PREGREET 11 after 0.03 from [37.49.225.170]:50616: EHLO User\r\n
Mar 16 14:23:31 news postfix/postscreen[545]: DISCONNECT [37.49.225.170]:50616
Mar 16 14:25:42 news postfix/postscreen[637]: CONNECT from [71.6.135.131]:44582 to [xx.xx.xx.xx]:25
Mar 16 14:25:42 news postfix/dnsblog[639]: addr 71.6.135.131 listed by domain zen.spamhaus.org as 127.0.0.3
Mar 16 14:25:44 news postfix/postscreen[637]: PREGREET 22 after 2 from [71.6.135.131]:44582: EHLO U6wV7cHGbP9.com\r\n
Mar 16 14:25:44 news postfix/postscreen[637]: DISCONNECT [71.6.135.131]:44582
Mar 16 14:28:23 news postfix/postscreen[764]: CONNECT from [89.207.129.50]:34198 to [xx.xx.xx.xx]:25
Mar 16 14:28:23 news postfix/dnsblog[765]: addr 89.207.129.50 listed by domain b.barracudacentral.org as 127.0.0.2
Mar 16 14:28:29 news postfix/postscreen[764]: DNSBL rank 2 for [89.207.129.50]:34198
Mar 16 14:28:29 news postfix/postscreen[764]: DISCONNECT [89.207.129.50]:34198
Mar 16 14:32:33 news postfix/postscreen[982]: CONNECT from [37.49.225.170]:57610 to [xx.xx.xx.xx]:25
Mar 16 14:32:33 news postfix/dnsblog[983]: addr 37.49.225.170 listed by domain b.barracudacentral.org as 127.0.0.2
Mar 16 14:32:33 news postfix/dnsblog[983]: addr 37.49.225.170 listed by domain zen.spamhaus.org as 127.0.0.11
Mar 16 14:32:33 news postfix/dnsblog[983]: addr 37.49.225.170 listed by domain zen.spamhaus.org as 127.0.0.4
Mar 16 14:32:33 news postfix/dnsblog[983]: addr 37.49.225.170 listed by domain zen.spamhaus.org as 127.0.0.3
Mar 16 14:32:33 news postfix/postscreen[982]: PREGREET 11 after 0.03 from [37.49.225.170]:57610: EHLO User\r\n
Mar 16 14:32:33 news postfix/postscreen[982]: DISCONNECT [37.49.225.170]:57610

3

Re: Too much information in log, is it some type of attack?

PSonic wrote:

I fixed it, and the barracudacentral and spamhaus messages were different: not every single second, it's like every 5 min, and the 127.0.0.x changed too.

This is normal. They're DNSBL services: Postfix queries a hostname (with the client IP address in it) against them, then they return a private internal address to indicate something. It's mentioned in the Postfix documentation: http://www.postfix.org/postconf.5.html# … nsbl_sites
You may want to know more about the DNSBL service too.
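As an added example (not from the thread, iRedMail or Postfix), this Python script takes the dnsblog/postscreen lines quoted above and shows what each piece means: the reversed-IP name dnsblog resolves under each DNSBL zone, the 127.0.0.x answer decoded with Spamhaus' published ZEN return codes (the code table below is from their documentation), and the fact that every one of these clients was dropped by postscreen (PREGREET or DNSBL rank) before it ever reached a smtpd process.

```python
import re
from collections import defaultdict

# Sample input: dnsblog/postscreen lines copied from the thread above
# (xx.xx.xx.xx is the poster's redacted server address).
SAMPLE_LOG = r"""
Mar 16 14:23:31 news postfix/postscreen[545]: CONNECT from [37.49.225.170]:50616 to [xx.xx.xx.xx]:25
Mar 16 14:23:31 news postfix/dnsblog[546]: addr 37.49.225.170 listed by domain b.barracudacentral.org as 127.0.0.2
Mar 16 14:23:31 news postfix/dnsblog[546]: addr 37.49.225.170 listed by domain zen.spamhaus.org as 127.0.0.11
Mar 16 14:23:31 news postfix/dnsblog[546]: addr 37.49.225.170 listed by domain zen.spamhaus.org as 127.0.0.4
Mar 16 14:23:31 news postfix/postscreen[545]: PREGREET 11 after 0.03 from [37.49.225.170]:50616: EHLO User\r\n
Mar 16 14:23:31 news postfix/postscreen[545]: DISCONNECT [37.49.225.170]:50616
Mar 16 14:28:23 news postfix/postscreen[764]: CONNECT from [89.207.129.50]:34198 to [xx.xx.xx.xx]:25
Mar 16 14:28:23 news postfix/dnsblog[765]: addr 89.207.129.50 listed by domain b.barracudacentral.org as 127.0.0.2
Mar 16 14:28:29 news postfix/postscreen[764]: DNSBL rank 2 for [89.207.129.50]:34198
Mar 16 14:28:29 news postfix/postscreen[764]: DISCONNECT [89.207.129.50]:34198
"""

# Spamhaus' published ZEN return codes; most other zones (Barracuda here)
# simply answer 127.0.0.2 to mean "listed".
ZEN_CODES = {"127.0.0.2": "SBL", "127.0.0.3": "CSS", "127.0.0.4": "XBL", "127.0.0.5": "XBL",
             "127.0.0.6": "XBL", "127.0.0.7": "XBL", "127.0.0.10": "PBL", "127.0.0.11": "PBL"}

LISTED = re.compile(r"dnsblog\[\d+\]: addr (\S+) listed by domain (\S+) as (\S+)")
EVENT = re.compile(r"postscreen\[\d+\]: (CONNECT|PREGREET|DNSBL rank|DISCONNECT)\b.*?\[(\d+(?:\.\d+){3})\]")

def dnsbl_query_name(ip: str, zone: str) -> str:
    """The name dnsblog resolves: client IP octets reversed, then the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def summarize(log_text: str) -> dict:
    """Group DNSBL answers and postscreen events per connecting client IP."""
    clients = defaultdict(lambda: {"listings": [], "events": []})
    for line in log_text.splitlines():
        m = LISTED.search(line)
        if m:
            ip, zone, code = m.groups()
            label = ZEN_CODES.get(code, "?") if zone == "zen.spamhaus.org" else "listed"
            clients[ip]["listings"].append((zone, code, label))
            continue
        m = EVENT.search(line)
        if m:
            clients[m.group(2)]["events"].append(m.group(1))
    return dict(clients)

def dropped_by_postscreen(client: dict) -> bool:
    """PREGREET or DNSBL rank means postscreen rejected the client before smtpd saw it."""
    return any(e in ("PREGREET", "DNSBL rank") for e in client["events"])
```

Run `summarize(SAMPLE_LOG)` and pass each entry to `dropped_by_postscreen` to see that none of these clients got past postscreen, which is why the lines are noise rather than a sign of a problem.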

4

Re: Too much information in log, is it some type of attack?

Thank you so much ZhangHuangbin for your reply.

More reading!!!
I never installed an email server before; in the last 2 weeks I read and learned a lot. I never thought so many rules were needed for email services!!

5

Re: Too much information in log, is it some type of attack?

But do I need to see that in the log? Can I hide it?

6

Re: Too much information in log, is it some type of attack?

PSonic wrote:

But do I need to see that in the log? Can I hide it?

Hide what?

7

Re: Too much information in log, is it some type of attack?

ZhangHuangbin wrote:
PSonic wrote:

But do I need to see that in the log? Can I hide it?

Hide what?

This type of text:
Mar 16 14:32:33 news postfix/dnsblog[983]: addr 37.49.225.170 listed by domain zen.spamhaus.org as 127.0.0.11
Mar 16 14:32:33 news postfix/dnsblog[983]: addr 37.49.225.170 listed by domain zen.spamhaus.org as 127.0.0.4
Mar 16 14:32:33 news postfix/dnsblog[983]: addr 37.49.225.170 listed by domain zen.spamhaus.org as 127.0.0.3
Mar 16 14:32:33 news postfix/postscreen[982]: PREGREET 11 after 0.03 from [37.49.225.170]:57610: EHLO User\r\n
Mar 16 14:32:33 news postfix/postscreen[982]: DISCONNECT [37.49.225.170]:57610

Or is something wrong with my server? Because you say those messages are normal; if so, can I hide them?

8

Re: Too much information in log, is it some type of attack?

Just let it be. The log will be rotated, and eventually overwritten.