Tattwam

Q: Stop Spamming going through Server

Hello

 

We have OS X Server 5.0.15 on OS X El Capitan.

We are unable to send emails as there are lots of deferred mails. When I run sudo mailq in Terminal, it gives me a very large amount of data.

I tried to clear the mail queue with the command sudo postfix flush, but it returned: "can not flush mail queue - mail system is down" (actually the mail system is not down).

I also tried sudo postsuper -d ALL, but it also didn't solve my issue.

Due to the large number of emails in the queue, new messages sent from this server are not being sent.

 

Can anyone help me? It is urgent.

 

Also is there any option to check the Email account which is being used to send spam emails? Actually I can not find anything meaningful in SMTP Log in the server app.

 

SMTP Logs :

 

Dec 10 16:42:55 server postfix/qmgr[5739]: warning: mail for gmail.com is using up 15515 of 19999 active queue entries

Dec 10 16:42:55 server postfix/qmgr[5739]: warning: this may slow down other mail deliveries

Dec 10 16:42:55 server postfix/qmgr[5739]: warning: you may need a separate master.cf transport for gmail.com

Dec 10 16:42:55 server postfix/qmgr[5739]: warning: please avoid flushing the whole queue when you have

Dec 10 16:42:55 server postfix/qmgr[5739]: warning: lots of deferred mail, that is bad for performance

Dec 10 16:42:55 server postfix/qmgr[5739]: warning: to turn off these warnings specify: qmgr_clog_warn_time = 0

Dec 10 16:43:02 server postfix/smtp[14885]: warning: valid_hostname: empty hostname

Dec 10 16:43:02 server postfix/smtp[14885]: warning: malformed domain name in resource data of MX record for yahpoo.com:

Dec 10 16:44:38 server postfix/smtp[15714]: warning: no MX host for houston.rr.com has a valid address record

Dec 10 16:45:21 server postfix/smtp[16873]: warning: no MX host for my.cvcc.edu has a valid address record

Dec 10 16:46:56 server postfix/smtp[11603]: warning: no MX host for houston.rr.com has a valid address record

Dec 10 16:47:58 server postfix/qmgr[5739]: warning: mail for gmail.com is using up 15643 of 20000 active queue entries

Dec 10 16:47:58 server postfix/qmgr[5739]: warning: this may slow down other mail deliveries

Dec 10 16:47:58 server postfix/qmgr[5739]: warning: you may need to increase the main.cf smtp_destination_concurrency_limit from 20

Dec 10 16:47:58 server postfix/qmgr[5739]: warning: please avoid flushing the whole queue when you have

Dec 10 16:47:58 server postfix/qmgr[5739]: warning: lots of deferred mail, that is bad for performance

Dec 10 16:47:58 server postfix/qmgr[5739]: warning: to turn off these warnings specify: qmgr_clog_warn_time = 0

Dec 10 16:49:27 server postfix/smtp[17271]: warning: no MX host for houston.rr.com has a valid address record

Dec 10 16:50:21 server postfix/smtp[17248]: warning: valid_hostname: empty hostname

Dec 10 16:50:21 server postfix/smtp[17248]: warning: malformed domain name in resource data of MX record for yahooo.com:

Dec 10 16:50:24 server postfix/smtp[16561]: warning: no MX host for houston.rr.com has a valid address record

Dec 10 16:50:39 server postfix/smtpd[11190]: warning: hostname 201.14.127.218.brasiltelecom.net.br does not resolve to address 201.14.127.218: nodename nor servname provided, or not known

Dec 10 16:51:32 server postfix/smtpd[11190]: warning: Illegal address syntax from hal.grp7mail.com[64.79.109.20] in RCPT command: <rdiamente@comcast..net>

Dec 10 16:52:42 server postfix/qmgr[5739]: warning: connect to transport private/smtp-amavis: Connection refused

Dec 10 16:52:58 server postfix/qmgr[5739]: warning: mail for gmail.com is using up 15650 of 20000 active queue entries

Dec 10 16:52:58 server postfix/qmgr[5739]: warning: this may slow down other mail deliveries

Dec 10 16:52:58 server postfix/qmgr[5739]: warning: you may need to increase the main.cf smtp_destination_concurrency_limit from 20

Dec 10 16:52:58 server postfix/qmgr[5739]: warning: please avoid flushing the whole queue when you have

Dec 10 16:52:58 server postfix/qmgr[5739]: warning: lots of deferred mail, that is bad for performance

Dec 10 16:52:58 server postfix/qmgr[5739]: warning: to turn off these warnings specify: qmgr_clog_warn_time = 0

Dec 10 16:53:56 server postfix/qmgr[5739]: warning: connect to transport private/smtp-amavis: Connection refused

Dec 10 16:54:46 server postfix/smtp[16155]: warning: no MX host for houston.rr.com has a valid address record

Dec 10 16:55:36 server postfix/smtp[17267]: warning: valid_hostname: numeric hostname: 0

Dec 10 16:55:36 server postfix/smtp[17267]: warning: malformed domain name in resource data of MX record for viahealth.org: 0

Dec 10 16:55:38 server postfix/smtp[17192]: warning: valid_hostname: empty hostname

Dec 10 16:55:38 server postfix/smtp[17192]: warning: malformed domain name in resource data of MX record for yahoomail.com:

Dec 10 16:55:48 server postfix/smtp[16386]: warning: valid_hostname: empty hostname

Dec 10 16:55:48 server postfix/smtp[16386]: warning: malformed domain name in resource data of MX record for canada.com:

Dec 10 16:57:30 server postfix/postsuper[17879]: warning: bogus file name: incoming/556938.79056

Dec 10 16:58:28 server postfix/smtpd[17900]: warning: hostname static-17-154-25-46.ipcom.comunitel.net does not resolve to address 46.25.154.17: nodename nor servname provided, or not known

Mac mini, OS X El Capitan (10.11.1)

Posted on Dec 10, 2015 3:55 AM


  • by Linc Davis, Dec 10, 2015 3:37 PM, in response to Tattwam

    It looks like you're spamming Gmail. Is this server supposed to be accessible from outside your network?

  • by Tattwam, Dec 10, 2015 7:33 PM, in response to Linc Davis

    Actually it isn't supposed to be. Only server mail is supposed to be accessible from outside the network. What should I do to stop this spamming?

  • by Linc Davis, Dec 10, 2015 9:29 PM, in response to Tattwam

    You need to edit the file /Library/Server/Mail/Config/postfix/main.cf:

     

    http://www.postfix.org/SMTPD_ACCESS_README.html

  • by UptimeJeff, Dec 13, 2015 6:44 PM, in response to Tattwam

    To clear the queue (deleting all mail from the queue):

    sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/postsuper -d ALL

  • by Tattwam, May 12, 2016 11:23 PM, in response to UptimeJeff

    Will it affect any other mails? Just want to confirm that this command will delete mails from mail queue only.

  • by Ivan Robertovich, May 13, 2016 1:10 PM, in response to Tattwam

    By any chance, do you have websites hosted on this server? Joomla, Drupal, WordPress, or any other PHP-based application?

     

    I ask because it doesn't look like you have an open relay, but it does seem like you have a remote connection trying to send spam using your server. That can happen in a number of ways, but the three most likely are:

    1) open smtp relay;

    2) web host malware (such as infected Wordpress site); or,

    3) hacked user credentials. 

     

    You can check the IMAP log to see if there are odd remote connections issuing send commands ... If so, then the problem is 1 or 2.

     

    To test for #2, turn off websites and see if it stops. 
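
The three vectors listed in the reply above leave different traces in the Postfix SMTP log, which also answers the question of which account is sending. The following is an added example, not code from the thread or from Apple: it relies on the standard Postfix log fields `client=`, `sasl_username=`, `uid=` and `nrcpt=`, the sample lines are constructed, and the function name `recipients_by_origin` is hypothetical.

```python
import re
from collections import Counter

# Constructed sample in Postfix syslog format; hosts, users and queue IDs are made up.
SAMPLE_LOG = """\
Dec 10 16:40:01 server postfix/smtpd[900]: 3F1A2B4C5D: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice
Dec 10 16:40:01 server postfix/qmgr[5739]: 3F1A2B4C5D: from=<alice@example.com>, size=2210, nrcpt=50 (queue active)
Dec 10 16:40:09 server postfix/smtpd[900]: 3F1A2B4C5E: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice
Dec 10 16:40:09 server postfix/qmgr[5739]: 3F1A2B4C5E: from=<alice@example.com>, size=2198, nrcpt=50 (queue active)
Dec 10 16:41:30 server postfix/pickup[910]: 7A0B1C2D3E: uid=70 from=<_www>
Dec 10 16:41:30 server postfix/qmgr[5739]: 7A0B1C2D3E: from=<_www@server.example.com>, size=900, nrcpt=40 (queue active)
Dec 10 16:42:00 server postfix/smtpd[901]: 9C8D7E6F5A: client=mail.example.net[198.51.100.7]
Dec 10 16:42:00 server postfix/qmgr[5739]: 9C8D7E6F5A: from=<bob@example.net>, size=1500, nrcpt=1 (queue active)
Dec 10 16:47:00 server postfix/qmgr[5739]: 3F1A2B4C5D: from=<alice@example.com>, size=2210, nrcpt=50 (queue active)
"""

QID = r"(?P<qid>[0-9A-Za-z]+): "
SMTPD = re.compile(r"postfix/smtpd\[\d+\]: " + QID +
                   r"client=\S*?\[(?P<ip>[^\]]+)\](?:.*?sasl_username=(?P<user>[^,\s]+))?")
PICKUP = re.compile(r"postfix/pickup\[\d+\]: " + QID + r"uid=(?P<uid>\d+) ")
QMGR = re.compile(r"postfix/qmgr\[\d+\]: " + QID + r"from=<[^>]*>, size=\d+, nrcpt=(?P<n>\d+)")

def recipients_by_origin(log_text):
    """Map each queue ID to how it entered Postfix, then total recipients per origin."""
    origin, nrcpt = {}, {}
    for line in log_text.splitlines():
        if m := SMTPD.search(line):
            # Authenticated submission names the account; otherwise only the client IP is known.
            origin[m["qid"]] = f"sasl:{m['user']}" if m["user"] else f"unauth:{m['ip']}"
        elif m := PICKUP.search(line):
            # Local submission via the sendmail binary, e.g. a web script running as this uid.
            origin[m["qid"]] = f"local-uid:{m['uid']}"
        elif m := QMGR.search(line):
            # qmgr logs a message again on every retry, so keep one count per queue ID.
            nrcpt[m["qid"]] = int(m["n"])
    totals = Counter()
    for qid, n in nrcpt.items():
        totals[origin.get(qid, "unknown")] += n
    return totals

if __name__ == "__main__":
    for who, n in recipients_by_origin(SAMPLE_LOG).most_common():
        print(f"{n:6d}  {who}")
```

A large total under `sasl:<user>` points at stolen credentials for that account, a large total under `local-uid:<n>` points at a script on the server itself, and `unauth:<ip>` entries with one recipient each are normally ordinary inbound mail.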

  • by Tattwam, May 13, 2016 7:17 PM, in response to Ivan Robertovich

    Thanks Ivan for replying.

     

    We are using Roundcube webmail app and only that web page is being hosted. It is also on SSL.

    Still I can not understand that if it is not an open relay, how my server is sending lots of spam mails.

     

    Once the issue has been found, I can not do anything as I didn't get any solution to stop or delete outgoing mail queue.

     

    It would be better if anybody can elaborate on the above command line, as the postsuper -d ALL command is not working for me.

     

    Also I can not find the user id that is being used to send mails in the SMTP logs. That's disappointing.

     

    Waiting for your reply. Thanks

  • by Ivan Robertovich, May 13, 2016 8:23 PM, in response to Tattwam

    The IMAP log should give you more clues.

     

    Your server is receiving commands to send those spams. There are only the three most likely vectors above. Either someone installed malware in your web hosting, and the PHP module is receiving the remote commands. (Test this by turning off PHP and Python... Roundcube won't work while off, but it'll help you find the source of the spam.)

     

    If you are able to pinpoint when the problem started, that can help you compare backups to the current install to find malware.  You can try clamxav or maldet to scan for it, but be sure it can scan your /Library/Server/ folder and your web installation folders.

     

    The other vectors for your computer to get spam are someone's mail account is hacked or their computer is hacked. Track this down by examining the IMAP log.

     

    Another vector is an SMTP relay... You can check for this using mxtools. Go here: http://mxtoolbox.com/diagnostic.aspx

     

    I don't know enough about the mail spool command above to answer that part of your question.  

     

    GOOD LUCK!

  • by Ivan Robertovich, May 13, 2016 8:29 PM, in response to Tattwam

    Tattwam wrote:

     

     

    Once the issue has been found, I can not do anything as I didn't get any solution to stop or delete outgoing mail queue.

     

    It would be better if anybody can elaborate above command line as POSTSUPER -d ALL command is not working for me.

     

     

    Check here: https://topicdesk.com/faqs/why-do-postconf-n-and-postfix-reload-produce-unexpected-output-on-os-x-server-5/

     

    and here:  https://topicdesk.com/faqs/os-x-server-mail-services/managing-the-mail-queue/

     

     

    For more examples on how postsuper works, see this page: http://www.faqforge.com/linux/server/manage-the-postfix-mailqueue-with-postsuper-postqueue-und-mailq/

     

    hope those help you figure out what each does so you can accomplish what you want.

  • by Tattwam, May 15, 2016 11:03 PM, in response to Ivan Robertovich

    Hello Ivan,

    Thank you for the reply.

     

    I have gone through the links provided by you. But I am still not able to delete the mail queue. sudo postsuper -d ALL gives no result. There are about 20000 mails present in the queue that slow down other mail deliveries.

     

    What if I setup another OS X Server on different machine and move mail data to that machine? Will it also migrate the outgoing mail queue?

     

    Ivan Robertovich wrote:

     

    the IMAP log should give you more clues.

    Unfortunately in console app or in Server app, I am unable to see older logs.

    Ivan Robertovich wrote:

     

    You can try clamxav or maldet to scan for it, but be sure it can scan your /Library/Server/ folder and your web installation folders.

    Can you explain how I can do this?

     

    Thanks in advance