1 (edited by trio1234 2018-07-02 20:02:44)

Topic: What happened here?

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release):
- Linux/BSD distribution name and version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Web server (Apache or Nginx):
- Manage mail accounts with iRedAdmin-Pro?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi, I always receive mail from another domain.
In this case the inbox is ventas@quierotodo.com.ar,
but the mail is sent to ventas@proempre.com.ar, which is not on the mail server.
Can you help me find out what the problem is?
Thx

Return-Path: <ywwehyw@prision.co.ua>
Delivered-To: ventas@quierotodo.com.ar
Received: from mail.server.com (localhost [127.0.0.1])
    by mail.server.com (Postfix) with ESMTP id B7180204E2
    for <ventas@quierotodo.com.ar>; Sun,  1 Jul 2018 21:19:21 -0300 (-03)
X-Virus-Scanned: Debian amavisd-new at server.com.ar
Received: from mail.server.com ([127.0.0.1])
    by mail.server.com (mail.server.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 0CgidmGBIPjY for <ventas@quierotodo.com.ar>;
    Sun,  1 Jul 2018 21:19:16 -0300 (-03)
Received: from mail.prision.co.ua (mail.prision.co.ua [213.202.252.120])
    by mail.server.com (Postfix) with ESMTP id 446611FE3D
    for <info@quierotodo.com.ar>; Sun,  1 Jul 2018 21:19:16 -0300 (-03)
Received: from prision.co.ua (mail.prision.co.ua [213.202.252.120])
    by mail.prision.co.ua (Postfix) with ESMTPA id 6542865DBF;
    Mon,  2 Jul 2018 00:21:06 +0300 (EEST)
Message-ID: <ywwehyw56523432.26703024@mail.prision.co.ua>
Reply-To: "News Dating" <ywwehyw@prision.co.ua>
From: "News Dating" <ywwehyw@prision.co.ua>
To: <ventas@proempre.com.ar>
Subject: Online-Dating
Date: Mon, 02 Jul 2018 00:21:12 +0300
MIME-Version: 1.0
Content-Type: multipart/related;
    type="multipart/alternative";
    boundary="----=_NextPart_000_0018_01D4119A.6C17C580"
Precedence: bulk
List-Id: b13712180v66014865
X-Complaints-To: abuse@prision.co.ua
List-Unsubscribe: <http://prision.co.ua/ru/unsubscribe/do? … 0628801448>

This is a multi-part message in MIME format.

------=_NextPart_000_0018_01D4119A.6C17C580
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0019_01D4119A.6C17C580"

------=_NextPart_000_0019_01D4119A.6C17C580
Content-Type: text/plain;
    charset="windows-1251"
Content-Transfer-Encoding: quoted-printable

=0D=0A=0D=0A=0D=0A=0D=0A=0D=0A
------=_NextPart_000_0019_01D4119A.6C17C580
Content-Type: text/html;
    charset="windows-1251"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD>=0D=0A<META http-equiv=3D"Content-Type" content=3D"te=
xt/html; charset=3Dwindows-1251">=0D=0A</HEAD>=0D=0A<BODY bgColor=
=3D#ffaec9>=0D=0A<DIV align=3Dcenter><FONT size=3D2 face=3DArial>=
<A href=3D"http://chinov.co.ua/chinov1/"><IMG border=3D0 hspace=3D=
0 alt=3D"" src=3D"cid:9179901d4119a0952f555006342c68@ywwehyw" wid=
th=3D708 height=3D637></A></FONT></DIV></BODY></HTML>=0D=0A
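In the headers above, the envelope recipient appears in the Received "for <...>" clauses and in Delivered-To (info@ and ventas@quierotodo.com.ar), while the To: header names ventas@proempre.com.ar; the MTA delivers according to the SMTP envelope (RCPT TO), and To: is free text chosen by the sender. The script below is an added example, not code from the thread or from iRedMail: it separates the two and reports the client that handed the message to our own MTA, using a constructed message modelled on the quoted headers and assuming our hostname is mail.server.com.

```python
import re
import email
from email import policy

# Constructed sample, modelled on the headers quoted above (MIME body omitted).
RAW = """\
Delivered-To: ventas@quierotodo.com.ar
Received: from mail.server.com (localhost [127.0.0.1])
    by mail.server.com (Postfix) with ESMTP id B7180204E2
    for <ventas@quierotodo.com.ar>; Sun,  1 Jul 2018 21:19:21 -0300 (-03)
Received: from mail.prision.co.ua (mail.prision.co.ua [213.202.252.120])
    by mail.server.com (Postfix) with ESMTP id 446611FE3D
    for <info@quierotodo.com.ar>; Sun,  1 Jul 2018 21:19:16 -0300 (-03)
Received: from prision.co.ua (mail.prision.co.ua [213.202.252.120])
    by mail.prision.co.ua (Postfix) with ESMTPA id 6542865DBF;
    Mon,  2 Jul 2018 00:21:06 +0300 (EEST)
From: "News Dating" <ywwehyw@prision.co.ua>
To: <ventas@proempre.com.ar>

"""

def parse(raw):
    return email.message_from_string(raw, policy=policy.default)

def envelope_recipients(msg):
    """Addresses the MTA really delivered to: Delivered-To plus the 'for <...>' clauses
    in Received lines. Both come from the SMTP RCPT TO, not from the To: header."""
    rcpts = {str(v).strip() for v in msg.get_all("Delivered-To", [])}
    for rcv in msg.get_all("Received", []):
        m = re.search(r"\bfor <([^>]+)>", str(rcv))
        if m:
            rcpts.add(m.group(1))
    return rcpts

def header_recipients(msg):
    """Addresses in To:/Cc:, which the sender writes freely; they need not match."""
    addrs = set()
    for name in ("To", "Cc"):
        for hdr in msg.get_all(name, []):
            addrs.update(a.addr_spec for a in hdr.addresses)
    return addrs

def first_hop_into(msg, our_host):
    """Client that handed the message to our own MTA: the earliest Received line stamped
    'by our_host'. Only lines our own server added are trustworthy; earlier ones can be forged."""
    pat = re.compile(r"from (\S+) \(([^)]*)\)\s+by " + re.escape(our_host) + r"\b")
    for rcv in reversed(msg.get_all("Received", [])):
        m = pat.search(str(rcv))
        if m:
            return m.group(1), m.group(2)
    return None

if __name__ == "__main__":
    print(envelope_recipients(parse(RAW)), first_hop_into(parse(RAW), "mail.server.com"))
```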


2

Re: What happened here?

trio1234 wrote:

In this case the inbox is ventas@quierotodo.com.ar,
but the mail is sent to ventas@proempre.com.ar, which is not on the mail server.

Does "ventas@proempre.com.ar" have a mail forwarding setting and forward email to "ventas@quierotodo.com.ar"?

3 (edited by trio1234 2018-07-03 22:08:56)

Re: What happened here?

ZhangHuangbin wrote:
trio1234 wrote:

In this case the inbox is ventas@quierotodo.com.ar,
but the mail is sent to ventas@proempre.com.ar, which is not on the mail server.

Does "ventas@proempre.com.ar" have a mail forwarding setting and forward email to "ventas@quierotodo.com.ar"?

I don't know the proempre.com.ar domain, and the DNS does not point to my server :S

10     mx1.proempre.com.ar     190.228.29.30     Telecom Argentina S.A. (AS7303)
10     mx2.proempre.com.ar     190.228.29.28     Telecom Argentina S.A. (AS7303)
10     mx3.proempre.com.ar     190.228.30.246    Telecom Argentina S.A. (AS7303)
10     mx4.proempre.com.ar     190.228.29.32

MX points to another server!

I received mail from other domains like this.
Sorry, my English isn't very good.
What can the problem be here?
Thx

4

Re: What happened here?

You need to check the Postfix log file to figure out who sent this email:

- sent from which IP address?
- sent by any (smtp) authenticated user?

5

Re: What happened here?

ZhangHuangbin wrote:

You need to check the Postfix log file to figure out who sent this email:

- sent from which IP address?
- sent by any (smtp) authenticated user?

Jul  1 21:00:55 mail postfix/postscreen[16292]: CONNECT from [193.169.252.20]:65474 to [xx.xx.xx.xxx]:25
Jul  1 21:00:55 mail postfix/postscreen[16292]: cache btree:/var/lib/postfix/postscreen_cache full cleanup: retained=128 dropped=5 entries
Jul  1 21:00:55 mail postfix/postscreen[16292]: PREGREET 11 after 0.11 from [193.169.252.20]:65474: EHLO User\r\n
Jul  1 21:00:55 mail postfix/postscreen[16292]: DISCONNECT [193.169.252.20]:65474
Jul  1 21:19:15 mail postfix/postscreen[16585]: CONNECT from [213.202.252.120]:58864 to [xx.xx.xx.xxx]:25
Jul  1 21:19:15 mail postfix/postscreen[16585]: PASS OLD [213.202.252.120]:58864
Jul  1 21:19:16 mail postfix/smtpd[16588]: connect from mail.prision.co.ua[213.202.252.120]
Jul  1 21:19:16 mail postfix/smtpd[16588]: 446611FE3D: client=mail.prision.co.ua[213.202.252.120]
Jul  1 21:19:16 mail postfix/cleanup[16594]: 446611FE3D: message-id=<ywwehyw56523432.26703024@mail.prision.co.ua>
Jul  1 21:19:16 mail opendkim[621]: 446611FE3D: mail.prision.co.ua [213.202.252.120] not internal
Jul  1 21:19:16 mail opendkim[621]: 446611FE3D: not authenticated
Jul  1 21:19:16 mail postfix/qmgr[1439]: 446611FE3D: from=<ywwehyw@prision.co.ua>, size=98282, nrcpt=1 (queue active)
Jul  1 21:19:16 mail postfix/smtpd[16588]: disconnect from mail.prision.co.ua[213.202.252.120]
Jul  1 21:19:21 mail postfix/smtpd[16602]: connect from localhost[127.0.0.1]
Jul  1 21:19:21 mail postfix/smtpd[16602]: B7180204E2: client=localhost[127.0.0.1]
Jul  1 21:19:21 mail postfix/cleanup[16594]: B7180204E2: message-id=<ywwehyw56523432.26703024@mail.prision.co.ua>
Jul  1 21:19:21 mail opendkim[621]: B7180204E2: no signing table match for 'ywwehyw@prision.co.ua'
Jul  1 21:19:21 mail postfix/qmgr[1439]: B7180204E2: from=<ywwehyw@prision.co.ua>, size=98764, nrcpt=1 (queue active)
Jul  1 21:19:21 mail postfix/smtpd[16602]: disconnect from localhost[127.0.0.1]
Jul  1 21:19:21 mail amavis[32325]: (32325-16) Passed CLEAN {RelayedInbound}, [213.202.252.120]:58864 [213.202.252.120] <ywwehyw@prision.co.ua> -> <ventas@quierotodo.com.ar>, Queue-ID: 446611FE3D, Message-ID: <ywwehyw56523432.26703024@mail.prision.co.ua>, mail_id: 0CgidmGBIPjY, Hits: 0.207, size: 98248, queued_as: B7180204E2, 5147 ms, Tests: [HTML_IMAGE_ONLY_04=0.342,HTML_MESSAGE=0.001,HTML_SHORT_LINK_IMG_1=0.139,MAILING_LIST_MULTI=-1,MPART_ALT_DIFF=0.724,SPF_PASS=-0.001,TVD_SPACE_RATIO=0.001,URIBL_BLOCKED=0.001]
Jul  1 21:19:21 mail postfix/smtp[16599]: 446611FE3D: to=<ventas@quierotodo.com.ar>, relay=127.0.0.1[127.0.0.1]:10024, delay=5.6, delays=0.39/0.04/0.01/5.2, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as B7180204E2)
Jul  1 21:19:21 mail postfix/qmgr[1439]: 446611FE3D: removed
Jul  1 21:19:21 mail postfix/pipe[16603]: B7180204E2: to=<ventas@quierotodo.com.ar>, relay=dovecot, delay=0.13, delays=0.05/0.02/0/0.07, dsn=2.0.0, status=sent (delivered via dovecot service)
Jul  1 21:19:21 mail postfix/qmgr[1439]: B7180204E2: removed


What is going on?
Thx

6 (edited by trio1234 2018-07-06 19:50:41)

Re: What happened here?

trio1234 wrote:
ZhangHuangbin wrote:

You need to check the Postfix log file to figure out who sent this email:

- sent from which IP address?
- sent by any (smtp) authenticated user?

Jul  1 21:00:55 mail postfix/postscreen[16292]: CONNECT from [193.169.252.20]:65474 to [xx.xx.xx.xxx]:25
Jul  1 21:00:55 mail postfix/postscreen[16292]: cache btree:/var/lib/postfix/postscreen_cache full cleanup: r
...

ZhangHuangbin, today I received another mail in another of the domains.
I have configured 2 domains on the server, and it said the mail arrived at 15:30 on July 5.
But when I search for the ID in mail.log I find this.

Jul  6 04:13:01 mail postfix/smtpd[10855]: connect from localhost[127.0.0.1]
Jul  6 04:13:01 mail postfix/smtpd[10855]: F286824491: client=localhost[127.0.0.1]
Jul  6 04:13:01 mail postfix/cleanup[10847]: F286824491: message-id=<ocvykvw33100825.55750148@mail.prision.co.ua>
Jul  6 04:13:02 mail opendkim[621]: F286824491: no signing table match for 'ocvykvw@prision.co.ua'
Jul  6 04:13:02 mail postfix/qmgr[1439]: F286824491: from=<ocvykvw@prision.co.ua>, size=19150, nrcpt=1 (queue active)
Jul  6 04:13:02 mail postfix/smtpd[10855]: disconnect from localhost[127.0.0.1]
Jul  6 04:13:02 mail amavis[11442]: (11442-11) Passed CLEAN {RelayedInbound}, [213.202.252.120]:42362 [213.202.252.120] <ocvykvw@prision.co.ua> -> <ventas@quierotodo.com.ar>, Queue-ID: D8E3A2447F, Message-ID: <ocvykvw33100825.55750148@mail.prision.co.ua>, mail_id: c3tw_F-_XfEy, Hits: 1.531, size: 18636, queued_as: F286824491, 3931 ms, Tests: [HTML_IMAGE_ONLY_08=1.781,HTML_IMAGE_RATIO_04=0.61,HTML_MESSAGE=0.001,HTML_SHORT_LINK_IMG_1=0.139,MAILING_LIST_MULTI=-1,SPF_PASS=-0.001,URIBL_BLOCKED=0.001]
Jul  6 04:13:02 mail postfix/smtp[10852]: D8E3A2447F: to=<ventas@quierotodo.com.ar>, relay=127.0.0.1[127.0.0.1]:10024, delay=4.2, delays=0.22/0.02/0/3.9, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as F286824491)
Jul  6 04:13:02 mail postfix/qmgr[1439]: D8E3A2447F: removed
Jul  6 04:13:02 mail postfix/pipe[10856]: F286824491: to=<ventas@quierotodo.com.ar>, relay=dovecot, delay=0.07, delays=0.01/0.01/0/0.05, dsn=2.0.0, status=sent (delivered via dovecot service)
Jul  6 04:13:02 mail postfix/qmgr[1439]: F286824491: removed


Thx alot

7

Re: What happened here?

trio1234 wrote:

Jul  6 04:13:01 mail postfix/smtpd[10855]: connect from localhost[127.0.0.1]
Jul  6 04:13:01 mail postfix/smtpd[10855]: F286824491: client=localhost[127.0.0.1]
Jul  6 04:13:01 mail postfix/cleanup[10847]: F286824491: message-id=<ocvykvw33100825.55750148@mail.prision.co.ua>

This email was submitted locally, probably sent by webmail. But if sent by roundcube webmail, it will perform smtp auth and you will get the smtp auth username here.
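The Jul 6 amavis line in the previous post carries both the pre-filter Queue-ID (D8E3A2447F) and the re-injected queued_as (F286824491), so the client that handed the message to Postfix is logged under the first id, not under the one the search started from. This added example (not code from the thread or from iRedMail) correlates those ids and answers the two questions from post 4, which IP and which authenticated user; its sample log is constructed, modelled on the thread's lines, with a client line for D8E3A2447F and a SASL-authenticated submission 1234ABCD00 added for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the Jul 6 lines in this thread; the client line for
# D8E3A2447F and the SASL-authenticated submission 1234ABCD00 are added for illustration.
SAMPLE_LOG = """\
Jul  6 04:12:58 mail postfix/smtpd[10840]: D8E3A2447F: client=mail.prision.co.ua[213.202.252.120]
Jul  6 04:13:01 mail postfix/smtpd[10855]: F286824491: client=localhost[127.0.0.1]
Jul  6 04:13:02 mail amavis[11442]: (11442-11) Passed CLEAN {RelayedInbound}, [213.202.252.120]:42362 [213.202.252.120] <ocvykvw@prision.co.ua> -> <ventas@quierotodo.com.ar>, Queue-ID: D8E3A2447F, Message-ID: <ocvykvw33100825.55750148@mail.prision.co.ua>, mail_id: c3tw_F-_XfEy, Hits: 1.531, size: 18636, queued_as: F286824491, 3931 ms
Jul  6 09:00:00 mail postfix/smtpd[12000]: 1234ABCD00: client=localhost[127.0.0.1], sasl_method=LOGIN, sasl_username=shop@quierotodo.com.ar
"""

# smtpd logs the submitting client per queue id; amavis logs the pre-filter Queue-ID and the re-injected copy's id (queued_as).
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<client>[^,\s]+)")
SASL_RE = re.compile(r"sasl_username=(?P<user>\S+)")
AMAVIS_RE = re.compile(r"amavis\[\d+\]: .*Queue-ID: (?P<orig>[0-9A-F]+),.*queued_as: (?P<new>[0-9A-F]+)")

def parse_log(text):
    """Return (records per queue id, map from re-injected queue id to its original id)."""
    records = defaultdict(dict)
    reinjected_from = {}
    for line in text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            sasl = SASL_RE.search(line)
            records[m["qid"]]["client"] = m["client"]
            records[m["qid"]]["sasl_username"] = sasl["user"] if sasl else None
            continue
        m = AMAVIS_RE.search(line)
        if m:
            reinjected_from[m["new"]] = m["orig"]
    return records, reinjected_from

def origin_of(qid, records, reinjected_from):
    """Follow queued_as links back to the first queue id and report who submitted it."""
    seen = set()
    while qid in reinjected_from and qid not in seen:
        seen.add(qid)
        qid = reinjected_from[qid]
    rec = records.get(qid, {})
    return {"queue_id": qid, "client": rec.get("client"),
            "sasl_username": rec.get("sasl_username")}

def classify(origin):
    """Answer the two questions asked in the thread: which IP, and which authenticated user?"""
    if origin["sasl_username"]:
        return "authenticated submission by " + origin["sasl_username"]
    if origin["client"] is None:
        return "unknown: no smtpd client= line for " + origin["queue_id"]
    if "[127.0.0.1]" in origin["client"]:
        return "local unauthenticated SMTP submission from " + origin["client"]
    return "external client " + origin["client"]

if __name__ == "__main__":
    print(classify(origin_of("F286824491", *parse_log(SAMPLE_LOG))))
```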

8

Re: What happened here?

ZhangHuangbin wrote:
trio1234 wrote:

Jul  6 04:13:01 mail postfix/smtpd[10855]: connect from localhost[127.0.0.1]
Jul  6 04:13:01 mail postfix/smtpd[10855]: F286824491: client=localhost[127.0.0.1]
Jul  6 04:13:01 mail postfix/cleanup[10847]: F286824491: message-id=<ocvykvw33100825.55750148@mail.prision.co.ua>

This email was submitted locally, probably sent by webmail. But if sent by roundcube webmail, it will perform smtp auth and you will get the smtp auth username here.

Hi ZhangHuangbin, thx for the reply.
Roundcube is off by default.
The PHP mail logs don't show anything.
mail.log doesn't say anything about SMTP auth.
I was thinking, maybe I have some malware on my server :S
What do you think?
Thx a lot

9

Re: What happened here?

Do you have any other web applications besides Roundcube? SOGo? other php application?

10

Re: What happened here?

Yes, Prestashop

11

Re: What happened here?

Does your "Prestashop" offer a mail sending feature? Does the SMTP feature require SMTP auth?

12 (edited by trio1234 2018-07-08 22:27:06)

Re: What happened here?

ZhangHuangbin wrote:

Does your "Prestashop" offer a mail sending feature? Does the SMTP feature require SMTP auth?

No, only mail with PHP mail.

13

Re: What happened here?

This doesn't answer my questions. sad

14

Re: What happened here?

ZhangHuangbin wrote:

This doesn't answer my questions. sad

Prestashop has the option to set an SMTP server, but I never configured this.
It only sends mail from PHP mail.
Thx ZhangHuangbin

I looked at the log but I can't find who logged in to the SMTP server. How can I search for this?
Thx again!

15

Re: What happened here?

trio1234 wrote:

Prestashop has the option to set an SMTP server, but I never configured this.
It only sends mail from PHP mail.

Probably the email was sent by Prestashop.
Try to use SMTP AUTH for email sending.

16

Re: What happened here?

ZhangHuangbin wrote:
trio1234 wrote:

Prestashop has the option to set an SMTP server, but I never configured this.
It only sends mail from PHP mail.

Probably the email was sent by Prestashop.
Try to use SMTP AUTH for email sending.

Today another mail came in.
This is my iredapd.log:

2018-07-11 16:30:32 INFO [89.163.129.46] Client has not been seen before, greylisted.
2018-07-11 16:30:32 INFO [89.163.129.46] RCPT, ydfucvj@fillatione.biz.ua -> info@quierotodo.com.ar, 451 4.7.1 Intentional policy rejection, please try again later [0.0177s]
2018-07-11 16:57:17 INFO [89.163.129.46] Client has passed the greylisting, accept this email and whitelist client for 30 days.
2018-07-11 16:57:17 INFO [89.163.129.46] RCPT, ydfucvj@fillatione.biz.ua -> info@quierotodo.com.ar, DUNNO [0.0166s]
2018-07-11 16:57:17 INFO [89.163.129.46] END-OF-MESSAGE, ydfucvj@fillatione.biz.ua -> info@quierotodo.com.ar, DUNNO [0.0046s]
2018-07-11 16:57:46 INFO [167.89.57.136] Client is whitelisted for greylisting service: (id=9568275, sender=167.89.0.0/17, comment="AUTO-UPDATE: cloudflare.com")

17

Re: What happened here?

Which one are you referring to?

- The first 2 lines are the greylisting service; no email entered the queue.
- The 3rd line means the client passed the greylisting service and was whitelisted for it.
- Lines 4-5 mean iRedAPD performed policy checks for this email and handed over (DUNNO) to Postfix for further policy checks.

What's the Postfix log related to this email AND this IP?

18

Re: What happened here?

ZhangHuangbin wrote:

Which one are you referring to?

- The first 2 lines are the greylisting service; no email entered the queue.
- The 3rd line means the client passed the greylisting service and was whitelisted for it.
- Lines 4-5 mean iRedAPD performed policy checks for this email and handed over (DUNNO) to Postfix for further policy checks.

What's the Postfix log related to this email AND this IP?

Jul 11 16:30:26 mail postfix/postscreen[30518]: CONNECT from [89.163.129.46]:41945 to [xx.xx.xx.xx]:25
Jul 11 16:30:32 mail postfix/postscreen[30518]: PASS NEW [89.163.129.46]:41945
Jul 11 16:30:32 mail postfix/smtpd[30519]: connect from mail.fillatione.biz.ua[89.163.129.46]
Jul 11 16:30:32 mail postfix/smtpd[30519]: NOQUEUE: reject: RCPT from mail.fillatione.biz.ua[89.163.129.46]: 451 4.7.1 <info@quierotodo.com.ar>: Recipient address rejected: Intentional policy rejection, please try again later; from=<ydfucvj@fillatione.biz.ua> to=<info@quierotodo.com.ar> proto=ESMTP helo=<mail.fillatione.biz.ua>
Jul 11 16:30:32 mail postfix/smtpd[30519]: disconnect from mail.fillatione.biz.ua[89.163.129.46]
Jul 11 16:57:16 mail postfix/postscreen[31088]: CONNECT from [89.163.129.46]:42443 to [xx.xx.xx.xx]:25
Jul 11 16:57:16 mail postfix/postscreen[31088]: PASS OLD [89.163.129.46]:42443
Jul 11 16:57:16 mail postfix/smtpd[31089]: connect from mail.fillatione.biz.ua[89.163.129.46]
Jul 11 16:57:17 mail postfix/smtpd[31089]: 19749203FC: client=mail.fillatione.biz.ua[89.163.129.46]
Jul 11 16:57:17 mail opendkim[621]: 19749203FC: mail.fillatione.biz.ua [89.163.129.46] not internal
Jul 11 16:57:17 mail postfix/smtpd[31089]: disconnect from mail.fillatione.biz.ua[89.163.129.46]
Jul 11 16:57:22 mail amavis[28872]: (28872-03) Passed CLEAN {RelayedInbound}, [89.163.129.46]:42443 [89.163.129.46] <ydfucvj@fillatione.biz.ua> -> <ventas@quierotodo.com.ar>, Queue-ID: 19749203FC, Message-ID: <ydfucvj16862838.85184845@mail.fillatione.biz.ua>, mail_id: Wi2DmeoKS1-0, Hits: 0.922, size: 11553, queued_as: 1B3A720409, 4834 ms, Tests: [HTML_IMAGE_ONLY_08=1.781,HTML_IMAGE_RATIO_08=0.001,HTML_MESSAGE=0.001,HTML_SHORT_LINK_IMG_1=0.139,MAILING_LIST_MULTI=-1,SPF_PASS=-0.001,URIBL_BLOCKED=0.001]
Jul 11 17:02:31 mail postfix/postscreen[31214]: CONNECT from [89.163.129.46]:57040 to [xx.xx.xx.xx]:25
Jul 11 17:02:31 mail postfix/postscreen[31214]: PASS OLD [89.163.129.46]:57040
Jul 11 17:02:31 mail postfix/smtpd[31215]: connect from mail.fillatione.biz.ua[89.163.129.46]
Jul 11 17:02:31 mail postfix/smtpd[31215]: 8E634203FC: client=mail.fillatione.biz.ua[89.163.129.46]
Jul 11 17:02:31 mail opendkim[621]: 8E634203FC: mail.fillatione.biz.ua [89.163.129.46] not internal
Jul 11 17:02:31 mail postfix/smtpd[31215]: disconnect from mail.fillatione.biz.ua[89.163.129.46]
Jul 11 17:02:38 mail amavis[28872]: (28872-04) Passed CLEAN {RelayedInbound}, [89.163.129.46]:57040 [89.163.129.46] <avyemkv@fillatione.biz.ua> -> <jess@labolonia.com.ar>, Queue-ID: 8E634203FC, Message-ID: <avyemkv45850721.61730866@mail.fillatione.biz.ua>, mail_id: PJomTqV6tgK3, Hits: 0.922, size: 11543, queued_as: A472020409, 6837 ms, Tests: [HTML_IMAGE_ONLY_08=1.781,HTML_IMAGE_RATIO_08=0.001,HTML_MESSAGE=0.001,HTML_SHORT_LINK_IMG_1=0.139,MAILING_LIST_MULTI=-1,SPF_PASS=-0.001,URIBL_BLOCKED=0.001]
Jul 11 17:07:16 mail postfix/anvil[31091]: statistics: max connection rate 1/60s for (smtpd:89.163.129.46) at Jul 11 16:57:16
Jul 11 17:07:16 mail postfix/anvil[31091]: statistics: max connection count 1 for (smtpd:89.163.129.46) at Jul 11 16:57:16