1

Topic: Backscattered EMail Issue: PORT 25 blocked

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.6.7
- Deployed with iRedMail Easy or the downloadable installer? downloadable installer
- Linux/BSD distribution name and version: Ubuntu 22.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx):Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Of late I am getting a lot of backscattered emails on my email ID & postmaster ID. I followed the topics and tried with Postfix configurations & it is not helping much to stop these emails. The header of an undelivered email looks like this.

Return-Path: <mujeerhashmi@4csolutions.in>
Received: from mail.4csolutions.in (mail.4csolutions.in [127.0.0.1])
    by mail.4csolutions.in (Postfix) with ESMTP id 4SWgxR4SkSzQpJv
    for <termil77@gmail.com>; Fri, 17 Nov 2023 08:05:39 +0530 (IST)
Authentication-Results: mail.4csolutions.in (amavisd-new);
    dkim=pass (2048-bit key) reason="pass (just generated, assumed good)"
    header.d=4csolutions.in
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=4csolutions.in;
    h=subject:content-type:from:to:message-id:date:mime-version; s=
    dkim; t=1700188539; x=1702780540; bh=E0QSKXJYQTKmnJSr2t2Hjkvogjk
    OmpPv5ndm9StV0A8=; b=Zg+doLRHIjyn6ThaLBdodVPvx9PrMP5xyIoBmybBgI7
    wXID5fySV8VDE/X0eppwo+l9ERl2s739Na6RAGXQfN/UE1Jz0RuD5Xvr5nd3hcWr
    bY0QWJ1RnoZJ5+8JiAO+K5ppYHe1amo+XJMh1BGRp4AwzCSpVvkdwF2b3eDD23eG
    X/agDdxQ/5L28CVO8mUW4mgQS9/2Br7HnP3J926aAonfwEAChiEeh+RbanurfQAt
    LhAFEaHPBTt/GX2hm7bHAeDLnc6whQ1H9P8mBXb6ChYpZE2IOlaxWbzAyl+q0+Lu
    3gcFKXapCphvNzgoSiuugM4BKGNOjX6QH04H9wS8F8g==
X-Virus-Scanned: Debian amavisd-new at mail.4csolutions.in
Received: from mail.4csolutions.in ([127.0.0.1])
    by mail.4csolutions.in (mail.4csolutions.in [127.0.0.1]) (amavisd-new, port 10026)
    with ESMTP id GRHfQTNZdPqI for <termil77@gmail.com>;
    Fri, 17 Nov 2023 08:05:39 +0530 (IST)
Received: from ORBVTA59M731TMMG (unknown [167.71.41.76])
    by mail.4csolutions.in (Postfix) with ESMTPSA id 4SWgxR2n7czQpK1
    for <termil77@gmail.com>; Fri, 17 Nov 2023 08:05:39 +0530 (IST)
MIME-Version: 1.0
Date: Fri, 17 Nov 2023 05:35:39 +0300
Message-ID: <1700188539-ee151ac000d3feed8fe223cf9b33c882@4csolutions.in>
To: termil77@gmail.com
From: mujeerhashmi@4csolutions.in
Content-Type: multipart/alternative; boundary="c2ia4f9xlzn7eyzun9n1dyw"
Subject: Hello..! The best lonely girls here! IEM :w9xnz

Kindly Assist in fixing this. I have attached the postfix configuration file as well.


2

Re: Backscattered EMail Issue: PORT 25 blocked

Sure, it is clearly originating from your mailserver and gets rejected because of spam/scam.
This is not backscatter, that is a breached mail account sending out spam mails.

3

Re: Backscattered EMail Issue: PORT 25 blocked

https://www.abuseipdb.com/check/167.71.41.76

It is hosted in Germany, so you can contact their abuse facility.

4 (edited by mujeerhashmi 2023-11-22 23:09:44)

Re: Backscattered EMail Issue: PORT 25 blocked

I have changed the password for my mail account and I am not able to see the sent mail in my sent folder.
The IP keeps changing with different undelivered emails. Is it some kind of bot?

5 (edited by chris.23lo 2023-11-23 01:22:36)

Re: Backscattered EMail Issue: PORT 25 blocked

Hi

It can be complicated... Do you use SOGo or Roundcube?
And also

https://docs.iredmail.org/allow.certain … .user.html

is possible, but there is a lot to check in custom configuration.

Did you configure an open relay on port 25 by accident, or is no authentication required?

6

Re: Backscattered EMail Issue: PORT 25 blocked

We do use Roundcube.
This is my Postfix configuration for sender restrictions. We have enabled reject_sender_login_mismatch.

# Sender restrictions
smtpd_sender_restrictions =
    reject_invalid_hostname
    reject_unknown_recipient_domain
    reject_unauth_pipelining
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    reject_non_fqdn_sender
    reject_unlisted_sender
    check_sender_access pcre:/etc/postfix/sender_access.pcre
    reject_unknown_sender_domain
    reject_sender_login_mismatch

smtpd_relay_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination

mynetworks = 127.0.0.1

Settings in master.cf

smtp      inet  n       -       y       -       1       postscreen
smtpd     pass  -       -       y       -       -       smtpd

7

Re: Backscattered EMail Issue: PORT 25 blocked

The logs in maillog:

Nov 23 13:52:55 mail postfix/qmgr[1859896]: 4SXjSp0ynrzQtMb: from=<postmaster@4csolutions.in>, size=3419, nrcpt=1 (queue active)
Nov 23 13:52:55 mail postfix/error[1868288]: 4SYN2P1NV5znvfs: to=<youchoc@yahoo.fr>, relay=none, delay=301027, delays=301027/0.01/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx-eu.mail.am0.yahoodns.net[188.125.72.73]:25: Connection timed out)
Nov 23 13:52:55 mail postfix/qmgr[1859896]: 4SYTyX0x0qzZ1jq: from=<postmaster@4csolutions.in>, size=9377, nrcpt=1 (queue active)

8

Re: Backscattered EMail Issue: PORT 25 blocked

This is due to outbound port 25 being closed and is not related to your spam problem.

9 (edited by mujeerhashmi 2023-11-23 21:20:19)

Re: Backscattered EMail Issue: PORT 25 blocked

Cthulhu wrote:

This is due to outbound port 25 being closed and is not related to your spam problem.

Yeah, I had closed it after reaching the connection limit.

Any other ways I can fix this? The issue persists. I have deleted one of the email addresses causing this issue and included it for rejection in sender access.

Another email address from my domain is being used for spoofing. But I cannot delete it; it's required.

10 (edited by mujeerhashmi 2023-11-23 21:53:55)

Re: Backscattered EMail Issue: PORT 25 blocked

This is another set of mail logs after starting Postfix. I have deleted the (postmaster at 4csolutions dot in) account already and changed aliases.

Nov 23 19:03:02 mail postfix/smtp[1880807]: Anonymous TLS connection established to extmail.optusnet.com.au[211.29.133.14]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)
Nov 23 19:03:02 mail postfix/smtp[1880891]: Trusted TLS connection established to eur.olc.protection.outlook.com[104.47.18.161]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov 23 19:03:03 mail postfix/error[1880969]: 4SZ2C71MVtzTJVP: to=<luciosantoni1949@libero.it>, relay=none, delay=227244, delays=227244/0.06/0/0.01, dsn=4.0.0, status=deferred (delivery temporarily suspended: host smtp-in.libero.it[213.209.1.129] refused to talk to me: 550 smtp-22.iol.local smtp-22.iol.local IP blacklisted by CSI. For remediation please use http://csi.cloudmark.com/reset-request/?ip=38.242.193.115  [smtp-22.iol.local; LIB_102])
Nov 23 19:03:03 mail postfix/qmgr[1880782]: 4SYWZ44YzBzd2Bj: removed
Nov 23 19:03:03 mail postfix/smtp[1880927]: Trusted TLS connection established to mta6.am0.yahoodns.net[98.136.96.74]:25: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Nov 23 19:03:03 mail postfix/smtp[1880865]: 4SYfYB4VHgz19W48: to=<billyc994@aol.com>, relay=mx-aol.mail.gm0.yahoodns.net[67.195.204.75]:25, delay=280384, delays=280382/0.56/2.1/0.09, dsn=4.7.0, status=deferred (host mx-aol.mail.gm0.yahoodns.net[67.195.204.75] said: 421 4.7.0 [TSS04] Messages from 38.242.193.115 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command))
Nov 23 19:03:03 mail postfix/qmgr[1880782]: 4SYTj51JKqzYjMQ: from=<postmaster@4csolutions.in>, size=8866, nrcpt=1 (queue active)
Nov 23 19:03:03 mail postfix/error[1880966]: 4SZscC4SlQzj4h7: to=<w.bierbaum@gmx.at>, relay=none, delay=109875, delays=109875/0.03/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx00.emig.gmx.net[212.227.15.9] refused to talk to me: 554-gmx.net (mxgmx008) Nemesis ESMTP Service not available 554-No SMTP service 554-Bad DNS PTR resource record. 554 For explanation visit postmaster.gmx.net/de/case?c=r0601&i=ip&v=38.242.193.115&r=1MRk0e-1quaHb23Ug-00VhbG)
Nov 23 19:03:03 mail postfix/qmgr[1880782]: 4SYCrK4SYMzmkPv: from=<postmaster@4csolutions.in>, size=20335, nrcpt=1 (queue active)
Nov 23 19:03:03 mail postfix/qmgr[1880782]: 4SZkpL17fKzZ4qq: from=<postmaster@4csolutions.in>, size=3248, nrcpt=1 (queue active)
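To see quickly which receiving sites have listed the server's IP, the added Python snippet below (not part of the thread) parses Postfix "status=deferred" lines like the ones above, counts them per recipient domain and pulls out the remediation URLs quoted by the remote MTAs. The log lines are copied from this post; 38.242.193.115 is the IP those replies name.

```python
import re

# Three lines copied from the maillog excerpt in this post (one qmgr line
# included to show that non-delivery lines are ignored).
SAMPLE_LOG = """\
Nov 23 19:03:03 mail postfix/error[1880969]: 4SZ2C71MVtzTJVP: to=<luciosantoni1949@libero.it>, relay=none, delay=227244, delays=227244/0.06/0/0.01, dsn=4.0.0, status=deferred (delivery temporarily suspended: host smtp-in.libero.it[213.209.1.129] refused to talk to me: 550 smtp-22.iol.local smtp-22.iol.local IP blacklisted by CSI. For remediation please use http://csi.cloudmark.com/reset-request/?ip=38.242.193.115  [smtp-22.iol.local; LIB_102])
Nov 23 19:03:03 mail postfix/smtp[1880865]: 4SYfYB4VHgz19W48: to=<billyc994@aol.com>, relay=mx-aol.mail.gm0.yahoodns.net[67.195.204.75]:25, delay=280384, delays=280382/0.56/2.1/0.09, dsn=4.7.0, status=deferred (host mx-aol.mail.gm0.yahoodns.net[67.195.204.75] said: 421 4.7.0 [TSS04] Messages from 38.242.193.115 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command))
Nov 23 19:03:03 mail postfix/qmgr[1880782]: 4SYTj51JKqzYjMQ: from=<postmaster@4csolutions.in>, size=8866, nrcpt=1 (queue active)
Nov 23 19:03:03 mail postfix/error[1880966]: 4SZscC4SlQzj4h7: to=<w.bierbaum@gmx.at>, relay=none, delay=109875, delays=109875/0.03/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx00.emig.gmx.net[212.227.15.9] refused to talk to me: 554-gmx.net (mxgmx008) Nemesis ESMTP Service not available 554-No SMTP service 554-Bad DNS PTR resource record. 554 For explanation visit postmaster.gmx.net/de/case?c=r0601&i=ip&v=38.242.193.115&r=1MRk0e-1quaHb23Ug-00VhbG)
"""

# Postfix delivery-agent line: queue id, recipient, dsn code, status and the
# parenthesised reason (the remote server's reply).
DELIVERY = re.compile(
    r"postfix/\w+\[\d+\]: (?P<qid>\w+): to=<(?P<rcpt>[^>]+)>.*?dsn=(?P<dsn>[\d.]+), "
    r"status=(?P<status>\w+) \((?P<reason>.*)\)$"
)
# Remediation links as the big providers quote them: full URLs or bare
# postmaster.<site>/... paths.
URL = re.compile(r"(?:https?://|postmaster\.)[^\s\]]+")


def summarise_deferrals(log_text, our_ip):
    """Count deferred deliveries per recipient domain and collect the
    delisting/remediation URLs found in the remote replies."""
    by_domain = {}
    remediation = set()
    our_ip_named = 0
    for line in log_text.splitlines():
        m = DELIVERY.search(line)
        if not m or m["status"] != "deferred":
            continue
        domain = m["rcpt"].rsplit("@", 1)[-1]
        by_domain[domain] = by_domain.get(domain, 0) + 1
        reason = m["reason"]
        if our_ip in reason:
            our_ip_named += 1  # the remote side explicitly blames our address
        remediation.update(u.rstrip(")") for u in URL.findall(reason))
    return {"by_domain": by_domain, "remediation": sorted(remediation), "our_ip_named": our_ip_named}
```

Run it over the whole /var/log/mail.log after the spam run to get the list of delisting forms to work through once the compromised account and the queue have been cleaned up.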

11 (edited by mujeerhashmi 2023-11-24 12:37:25)

Re: Backscattered EMail Issue: PORT 25 blocked

How can I reject an email like this

'Violetta Palmieri <postmaster@4csolutions.in>'

where the display name is spoofed?

12 (edited by Cthulhu 2023-11-24 20:09:50)

Re: Backscattered EMail Issue: PORT 25 blocked

First of all, you need the postmaster account since it is used to log in to the web interface; it is the admin account.

The mails are not spoofed, they were sent out from your mailserver and were DKIM signed, due to a breached mail account.

This resulted in your mailserver IP address being listed on blacklists for abuse.

Then it seems that you don't have a PTR for your mailserver IP, which is crucial.

Did you check your mailq?
With that many deferred mails I guess there is a shitton of mails in the queue which should get removed ASAP.

As well:
your mailserver is unreachable
your TLS cert is invalid (only for www.) and thus doesn't match the hostname
sender login mismatch is handled by iRedAPD; you should not tinker with any configurations if you don't know what exactly you are doing

And:

How did your password get breached? You should sanitize your accounts and get some knowledge of maintaining a mailserver.

13 (edited by mujeerhashmi 2023-11-24 22:10:31)

Re: Backscattered EMail Issue: PORT 25 blocked

Cthulhu wrote:

First of all, you need the postmaster account since it is used to log in to the web interface; it is the admin account.

I have another admin account which can be used to log in to the web interface.

Cthulhu wrote:

The mails are not spoofed, they were sent out from your mailserver and were DKIM signed, due to a breached mail account.

I changed the passwords for the breached account, which was postmaster, & one more account. Is this not enough for securing the breached account?

Cthulhu wrote:

This resulted in your mailserver IP address being listed on blacklists for abuse.
Then it seems that you don't have a PTR for your mailserver IP, which is crucial.

I have created the PTR record now.
How do I get unlisted from the blacklist?

Are these steps enough to stop receiving new mails from the breached account?

Cthulhu wrote:

Did you check your mailq?
With that many deferred mails I guess there is a shitton of mails in the queue which should get removed ASAP.

I found this when I analysed my disk usage and yes, I cleared them all (~1.7M).

Cthulhu wrote:

As well:
your mailserver is unreachable
your TLS cert is invalid (only for www.) and thus doesn't match the hostname
sender login mismatch is handled by iRedAPD; you should not tinker with any configurations if you don't know what exactly you are doing

And:

How did your password get breached? You should sanitize your accounts and get some knowledge of maintaining a mailserver.

I don't know how it got breached. I agree with you, I have learnt a lot through this experience about maintaining a mail server. I went through the architecture document of iRedMail & it is now clear to me what the components are & how they interact. Still a long way to go.

I am a developer & not a devops guy so far. Thanks for the patience and support for a noob like me. Highly appreciated.

14

Re: Backscattered EMail Issue: PORT 25 blocked

I guess you may have forgotten one thing: although the account was deleted, there may be many emails still queued by Postfix, and Postfix is slowly sending them out. You should remove the queued messages (under /var/spool/postfix/) sent by this account too.

Usually changing the account password and cleaning up the queued spam should fix this issue, unless it turns out to be another story.
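The queue cleanup described above, as an added Python example (not iRedMail's own tooling): it parses `postqueue -p` output, collects the queue ids whose envelope sender is the compromised account and hands them to `postsuper -d -`, which reads ids from standard input. The `postqueue -p` sample is constructed with made-up queue ids, and `delete_from_queue` defaults to a dry run that only returns the ids it would delete.

```python
import re
import subprocess

# Constructed `postqueue -p` listing in the format Postfix prints; queue ids and
# recipients are made up.  A trailing '*' marks an active message, '!' a held one.
SAMPLE_QUEUE = """\
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
4SXjSp0ynrzQtMb     3419 Thu Nov 23 13:52:55  postmaster@4csolutions.in
(delivery temporarily suspended: connect to mx-eu.mail.am0.yahoodns.net[188.125.72.73]:25: Connection timed out)
                                         youchoc@yahoo.fr

4SYTyX0x0qzZ1jq*    9377 Thu Nov 23 13:52:55  postmaster@4csolutions.in
                                         w.bierbaum@gmx.at

4ABCDEF123456AB      812 Thu Nov 23 14:01:10  alice@example.com
                                         bob@example.net

-- 13 Kbytes in 3 Requests.
"""

# First line of each queue entry: id[*|!]  size  Www Mmm dd hh:mm:ss  sender
ENTRY = re.compile(r"^([0-9A-Za-z]+)([*!]?)\s+\d+\s+\w{3} \w{3} +\d+ [\d:]+\s+(\S+)$")


def queue_ids_for_sender(postqueue_output, sender):
    """Return the queue ids of every message whose envelope sender is `sender`."""
    ids = []
    for line in postqueue_output.splitlines():
        m = ENTRY.match(line)
        if m and m.group(3).lower() == sender.lower():
            ids.append(m.group(1))
    return ids


def delete_from_queue(sender, dry_run=True):
    """Run `postqueue -p`, select the breached account's messages and, unless
    dry_run is set, delete them with `postsuper -d -` (needs root)."""
    listing = subprocess.run(["postqueue", "-p"], capture_output=True, text=True, check=True).stdout
    ids = queue_ids_for_sender(listing, sender)
    if ids and not dry_run:
        subprocess.run(["postsuper", "-d", "-"], input="\n".join(ids) + "\n", text=True, check=True)
    return ids


if __name__ == "__main__":
    print(queue_ids_for_sender(SAMPLE_QUEUE, "postmaster@4csolutions.in"))
```

With ~1.7M queued messages, feeding ids on stdin in one `postsuper` run is far faster than deleting them one at a time.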

15

Re: Backscattered EMail Issue: PORT 25 blocked

ZhangHuangbin wrote:

Usually changing the account password and cleaning up the queued spam should fix this issue, unless it turns out to be another story.

Thank you. It was a breached account with ~1.7M mails in the queue. I had changed the password & deleted one of the accounts. But the queue was not cleared. Later, when I cleared the queue, things were sorted out for us.

Thanks again.