Koozali.org: home of the SME Server

Outgoing mail to unknown users

ello
Outgoing mail to unknown users
« on: December 30, 2022, 12:40:53 PM »
Good morning,
I am having a problem with email. I have an SME Server 10 configured as server-gateway and domain controller, seven users, domain name miaazienda.it, and the mail server configured on the domain name.
For about a week, thousands of emails to unknown users have been going out from two users, without any action on the users' part. I found myself in a similar situation three years ago and, with the help of Fumetto and qmHandle, I solved the problem; this time, however, the queue regenerates every time. This is my configuration:

config show qpsmtpd
Code:
qpsmtpd=service
    Authentication=enabled
    Bcc=disabled
    BccMode=cc
    BccUser=maillog
    DKIMSigning=enabled
    DNSBL=disabled
    Instances=40
    InstancesPerIP=5
    LogLevel=6
    MaxScannerSize=25000000
    MaximumDateOffset=0
    PatternsScan=disabled
    Proxy=transparent
    RBLList=bl.spamcop.net,dnsbl-1.uceprotect.net,dnsbl-2.uceprotect.net,psbl.surriel.com,zen.spamhaus.org
    RHSBL=disabled
    RelayRequiresAuth=enabled
    SBLList=multi.surbl.org,black.uribl.com,rhsbl.sorbs.net
    TCPPort=25
    TCPProxyPort=25
    TlsBeforeAuth=1
    UBLList=multi.surbl.org:8-16-64-128,black.uribl.com,rhsbl.sorbs.net
    URIBL=disabled
    VirusScan=enabled
    access=public
    qplogsumm=disabled
    status=enabled
    tnef2mime=enabled

tail -f  /var/log/qmail/current | tai64nlocal
Code:
2022-12-30 12:33:18.833825500 new msg 1077589914
2022-12-30 12:33:18.833826500 info msg 1077589914: bytes 6319 from <noreply-dmarc-support@google.com> qp 31665 uid 400
2022-12-30 12:33:18.899622500 starting delivery 18: msg 1077589914 to local admin@sme.studiogelda.it
2022-12-30 12:33:18.899623500 status: local 2/20 remote 0/20
2022-12-30 12:33:18.899651500 delivery 17: success: did_1+0+1/
2022-12-30 12:33:18.899888500 status: local 1/20 remote 0/20
2022-12-30 12:33:18.899889500 end msg 1077589910
2022-12-30 12:33:18.916513500 delivery 18: success: did_1+0+1/
2022-12-30 12:33:18.916646500 status: local 0/20 remote 0/20
2022-12-30 12:33:18.916683500 end msg 1077589914
2022-12-30 12:36:53.860294500 warning: unable to stat mess/0/1075550449
2022-12-30 12:36:53.860808500 new msg 1077589910
2022-12-30 12:36:53.860809500 info msg 1077589910: bytes 5568 from <abuse@seznam.cz> qp 31699 uid 453
2022-12-30 12:36:53.918753500 starting delivery 19: msg 1077589910 to local alias-localdelivery-dmarc-feedback@studiogelda.it
2022-12-30 12:36:53.918760500 status: local 1/20 remote 0/20
2022-12-30 12:36:53.968770500 warning: unable to stat mess/0/1075550449
2022-12-30 12:36:53.969039500 new msg 1075186061
2022-12-30 12:36:53.969040500 info msg 1075186061: bytes 5701 from <abuse@seznam.cz> qp 31702 uid 400
2022-12-30 12:36:54.010522500 delivery 19: success: forward:_qp_31702/did_0+0+1/
2022-12-30 12:36:54.010832500 status: local 0/20 remote 0/20
2022-12-30 12:36:54.010834500 starting delivery 20: msg 1075186061 to local dmarc-feedback@sme.studiogelda.it
2022-12-30 12:36:54.010835500 status: local 1/20 remote 0/20
2022-12-30 12:36:54.010836500 end msg 1077589910
2022-12-30 12:36:54.060834500 warning: unable to stat mess/0/1075550449
2022-12-30 12:36:54.060835500 new msg 1077589910
2022-12-30 12:36:54.060836500 info msg 1077589910: bytes 5818 from <abuse@seznam.cz> qp 31705 uid 400
2022-12-30 12:36:54.110820500 starting delivery 21: msg 1077589910 to local alias-localdelivery-admin@studiogelda.it
2022-12-30 12:36:54.110829500 status: local 2/20 remote 0/20
2022-12-30 12:36:54.110854500 delivery 20: success: did_0+1+0/qp_31705/
2022-12-30 12:36:54.111039500 status: local 1/20 remote 0/20
2022-12-30 12:36:54.111041500 end msg 1075186061
2022-12-30 12:36:54.160896500 warning: unable to stat mess/0/1075550449
2022-12-30 12:36:54.161125500 new msg 1075186061
2022-12-30 12:36:54.161126500 info msg 1075186061: bytes 5942 from <abuse@seznam.cz> qp 31708 uid 400
2022-12-30 12:36:54.202741500 starting delivery 22: msg 1075186061 to local admin@sme.studiogelda.it
2022-12-30 12:36:54.202765500 status: local 2/20 remote 0/20
2022-12-30 12:36:54.202791500 delivery 21: success: forward:_qp_31708/did_0+0+1/
2022-12-30 12:36:54.202934500 status: local 1/20 remote 0/20
2022-12-30 12:36:54.202948500 end msg 1077589910
2022-12-30 12:36:54.219774500 delivery 22: success: did_1+0+1/
2022-12-30 12:36:54.219980500 status: local 0/20 remote 0/20
2022-12-30 12:36:54.219982500 end msg 1075186061

Of course, thanks in advance for the help.

Jean-Philippe Pialasse (aka Unnilennium)
http://smeserver.pialasse.com
Re: Outgoing mail to unknown users
« Reply #1 on: December 30, 2022, 11:36:04 PM »
From the qmail log you posted I can only see email getting in (mostly from seznam.cz), none trying to get out.

Can you post a short output of the qmHandle list?


Have you any contribs installed?
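
The check Jean-Philippe makes by eye above (is anything in this log actually leaving the box, and from whom?), as an added example that is not code from the thread or from SME Server. It reads a qmail-send log as printed by `tai64nlocal`, remembers the envelope sender of each `info msg` line, and attributes every `starting delivery ... to local|remote`, every failure/deferral and every bounce to that sender, so a local account with a large remote fan-out stands out. The sample lines are constructed for the demo in the thread's log format; the recipient addresses are hypothetical.

```python
"""Triage a qmail-send log (tai64nlocal output): who sends, and to local or remote?"""
import re
from collections import defaultdict

INFO_RE = re.compile(r"info msg (\d+): bytes \d+ from <([^>]*)> qp \d+ uid \d+")
DELIVERY_RE = re.compile(r"starting delivery (\d+): msg (\d+) to (local|remote) (\S+)")
RESULT_RE = re.compile(r"delivery (\d+): (success|failure|deferral): ")
BOUNCE_RE = re.compile(r"bounce msg (\d+) ")
END_RE = re.compile(r"end msg (\d+)$")

# Constructed sample in the format of /var/log/qmail/current | tai64nlocal.
SAMPLE_LOG = """\
2023-01-02 10:45:20.000000000 new msg 1082661849
2023-01-02 10:45:20.000000100 info msg 1082661849: bytes 6642 from <sonia@studiogelda.it> qp 500 uid 453
2023-01-02 10:45:20.000000200 starting delivery 56: msg 1082661849 to remote user1@gmail.com
2023-01-02 10:45:20.000000300 starting delivery 57: msg 1082661849 to remote user2@yahoo.com
2023-01-02 10:45:20.000000400 status: local 0/20 remote 2/20
2023-01-02 10:45:22.000000000 delivery 56: failure: 108.177.119.26_failed_after_I_sent_the_message./Remote_host_said:_550-5.7.26_Unauthenticated_email/
2023-01-02 10:45:22.000000100 delivery 57: success: 74.6.140.64_accepted_message./
2023-01-02 10:45:23.000000000 bounce msg 1082661849 qp 531
2023-01-02 10:45:23.000000100 end msg 1082661849
2023-01-02 10:45:23.000000200 new msg 1075550461
2023-01-02 10:45:23.000000300 info msg 1075550461: bytes 2543 from <> qp 531 uid 406
2023-01-02 10:45:23.000000400 starting delivery 58: msg 1075550461 to local sonia@sme.studiogelda.it
2023-01-02 10:45:23.000000500 delivery 58: success: did_1+0+1/
2023-01-02 10:45:23.000000600 end msg 1075550461
2023-01-02 10:46:00.000000000 new msg 1082661849
2023-01-02 10:46:00.000000100 info msg 1082661849: bytes 5568 from <abuse@seznam.cz> qp 600 uid 400
2023-01-02 10:46:00.000000200 starting delivery 59: msg 1082661849 to local admin@sme.studiogelda.it
2023-01-02 10:46:00.000000300 delivery 59: success: did_1+0+1/
2023-01-02 10:46:00.000000400 end msg 1082661849
"""


def new_stats():
    return {"local": 0, "remote": 0, "failure": 0, "deferral": 0,
            "bounced": 0, "remote_rcpts": set()}


def triage(lines):
    """Return {envelope_sender: stats} for an iterable of tai64nlocal'd qmail-send lines."""
    sender_of = {}        # msg id -> sender; qmail reuses ids (inode numbers) after "end msg"
    msg_of_delivery = {}  # delivery number -> msg id, so results can be attributed
    stats = defaultdict(new_stats)
    for line in lines:
        line = line.rstrip()
        if m := INFO_RE.search(line):
            sender_of[m.group(1)] = m.group(2) or "<>"   # "<>" is the null sender (bounces)
        elif m := DELIVERY_RE.search(line):
            delivery, msg, where, rcpt = m.groups()
            msg_of_delivery[delivery] = msg
            s = stats[sender_of.get(msg, "?")]
            s[where] += 1
            if where == "remote":
                s["remote_rcpts"].add(rcpt)
        elif m := RESULT_RE.search(line):
            delivery, outcome = m.groups()
            msg = msg_of_delivery.pop(delivery, None)
            if outcome != "success" and msg is not None:
                stats[sender_of.get(msg, "?")][outcome] += 1
        elif m := BOUNCE_RE.search(line):
            stats[sender_of.get(m.group(1), "?")]["bounced"] += 1
        elif m := END_RE.search(line):
            sender_of.pop(m.group(1), None)   # id may be reused by the next message
    return dict(stats)


def outbound_senders(stats, local_domain):
    """Local senders ranked by remote deliveries: the accounts to disable and re-password first."""
    ranked = [(sender, s["remote"]) for sender, s in stats.items()
              if sender.endswith("@" + local_domain) and s["remote"]]
    return sorted(ranked, key=lambda t: -t[1])


if __name__ == "__main__":
    stats = triage(SAMPLE_LOG.splitlines())
    for sender, s in stats.items():
        print(f"{sender:28} local={s['local']} remote={s['remote']} "
              f"failed={s['failure']} bounced={s['bounced']}")
    print("outbound local senders:", outbound_senders(stats, "studiogelda.it"))
```

Run it against `tai64nlocal < /var/log/qmail/current` (or the rotated `@*.s` files) instead of the sample; the first post's excerpt only contains `to local` deliveries, which is why nothing outbound shows there, while the failure and bounce in the second post would be attributed to the local sender of the bounced message.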

ello
Re: Outgoing mail to unknown users
« Reply #2 on: January 02, 2023, 10:38:27 AM »
Happy New Year,
thanks for the reply. The contribs I have installed are Email-Management, Mailman, qmHandle.

tail -f  /var/log/qmail/current | tai64nlocal
Quote
2023-01-02 10:45:22.954963500 delivery 56: failure: 108.177.119.26_failed_after_I_sent_the_message./Remote_host_said:_550-5.7.26_Unauthenticated_email_from_studiogelda.it_is_not_accepted_due_to/550-5.7.26_domain's_DMARC_policy._Please_contact_the_administrator_of/550-5.7.26_studiogelda.it_domain_if_this_was_a_legitimate_mail._Please_visit/550-5.7.26__https://support.google.com/mail/answer/2451690_to_learn_about_the/550_5.7.26_DMARC_initiative._f26-20020a05640214da00b0048999d127f8si9224318edx.526_-_gsmtp/STARTTLS_proto=TLSv1.2;_cipher=ECDHE-ECDSA-AES128-GCM-SHA256;_subject=/CN=mx.google.com;_issuer=/C=US/O=Google_Trust_Services_LLC/CN=GTS_CA_1C3;/
2023-01-02 10:45:22.955368500 status: local 0/20 remote 0/20
2023-01-02 10:45:23.009269500 bounce msg 1082661849 qp 531
2023-01-02 10:45:23.009320500 end msg 1082661849
2023-01-02 10:45:23.009599500 new msg 1075550461
2023-01-02 10:45:23.009618500 info msg 1075550461: bytes 2543 from <> qp 531 uid 406
2023-01-02 10:45:23.042764500 starting delivery 57: msg 1075550461 to local tufaro@sme.studiogelda.it
2023-01-02 10:45:23.042766500 status: local 1/20 remote 0/20
2023-01-02 10:45:23.076372500 delivery 57: success: did_1+0+1/
2023-01-02 10:45:23.076626500 status: local 0/20 remote 0/20
2023-01-02 10:45:23.076628500 end msg 1075550461

qmHandle -l
Code:
1074696119 (5, 5/1074696119)
  Return-path: sonia@studiogelda.it
  From: sonia@studiogelda.it
  To: jmanortiz@gmail.com, chas.andrew@yahoo.com
  Subject: 1/2/2023 Message received from TianaBabyGirl458
  Date: Mon, 2 Jan 2023 01:06:29 -0800
  Size: 6642 bytes

1082661878 (13, 13/1082661878)
  Return-path: sonia@studiogelda.it
  From: sonia@studiogelda.it
  To: itmicronet@hotmail.com, barrycarter248@yahoo.co.uk
  Subject: New member ShanaeStudley292 1/2/2023
  Date: Mon, 2 Jan 2023 01:06:00 -0800
  Size: 6612 bytes

1074874179 (22, 22/1074874179)
  Return-path: tania@studiogelda.it
  From: tania@studiogelda.it
  To: tony_gale2003@yahoo.com, jamesbostwick1965@gmail.com
  Subject: 1/2/2023 Message for you from RachelBeany872
  Date: Mon, 2 Jan 2023 01:07:40 -0800
  Size: 6580 bytes

1075186061 (1, 1/1075186061)
  Return-path: tania@studiogelda.it
  From: tania@studiogelda.it
  To: armanhoseini766@gmail.com, mark.pickup@yahoo.co.uk
  Subject: Message received from MollyRage578 1/2/2023
  Date: Mon, 2 Jan 2023 01:07:31 -0800
  Size: 6621 bytes

1082661868 (3, 3/1082661868)
  Return-path: tania@studiogelda.it
  From: tania@studiogelda.it
  To: archies011@yahoo.com, damordavis66@gmail.com
  Subject: 1/2/2023 Dating Request RoxieLuvs585
  Date: Mon, 2 Jan 2023 00:58:38 -0800
  Size: 6632 bytes

1074874180 (0, 0/1074874180)
  Return-path: tania@studiogelda.it
  From: tania@studiogelda.it
  To: redslady1@yahoo.com, nutbutter365@gmail.com
  Subject: New message from LindaNaughty802 1/2/2023
  Date: Mon, 2 Jan 2023 01:10:21 -0800
  Size: 6499 bytes

1082661869 (4, 4/1082661869)
  Return-path: sonia@studiogelda.it
  From: sonia@studiogelda.it
  To: ivanmanning11@gmail.com, gibbset62.jg@gmail.com
  Subject: 1/2/2023 Message for you from TomikaBaby282
  Date: Mon, 2 Jan 2023 01:00:15 -0800
  Size: 6639 bytes

1082661882 (17, 17/1082661882)
  Return-path: sonia@studiogelda.it
  From: sonia@studiogelda.it
  To: artie4419@gmail.com, knot3love689@yahoo.com
  Subject: New member RebbecaInflatableDoll.843 1/2/2023
  Date: Mon, 2 Jan 2023 01:06:11 -0800
  Size: 6608 bytes

1074867255 (21, 21/1074867255)
  Return-path: sonia@studiogelda.it
  From: sonia@studiogelda.it
  To: willibrownl@outlook.com, italianmike63@yahoo.com
  Subject: You've got 1 friend request from DeidreGoldfish558 1/2/2023
  Date: Mon, 2 Jan 2023 01:06:47 -0800
  Size: 6554 bytes

1074867266 (9, 9/1074867266)
  Return-path: tania@studiogelda.it
  From: tania@studiogelda.it
  To: jonathanr5002@gmail.com, jeremypugh36@yahoo.com
  Subject: Message received from CorieAnimal384 1/2/2023
  Date: Mon, 2 Jan 2023 01:06:59 -0800
  Size: 6614 bytes

1074874174 (17, 17/1074874174)
  Return-path: tania@studiogelda.it
  From: tania@studiogelda.it
  To: getkap21@gmail.com, george729@yahoo.com
  Subject: 1/2/2023 Dating Request RachelCutiePants872
  Date: Mon, 2 Jan 2023 01:07:35 -0800
  Size: 6642 bytes

Total messages: 11
Messages with local recipients: 0
Messages with remote recipients: 11
Messages with bounces: 1
Messages in preprocess: 0
Gmail no longer accepts our emails. I have read that it is possible to put the List-Unsubscribe directive in the mail header, but honestly I do not know where to act; for now, so as not to make the situation worse, I have disabled the accounts that caused this situation. SpamAssassin marks as spam at level 4 and rejects at level 10; fortunately I am not yet listed on any blacklist; SPF, DKIM and DMARC are configured and working.
This is the latest DMARC report received:
Quote
<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <version>1.0</version>
  <report_metadata>
    <org_name>comcast.net</org_name>
    <email>dmarc-admin@alerts.comcast.net</email>
    <report_id>v2-1672631168-studiogelda.it</report_id>
    <date_range>
      <begin>1672531200</begin>
      <end>1672617600</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>studiogelda.it</domain>
    <adkim>s</adkim>
    <aspf>r</aspf>
    <p>reject</p>
    <sp>reject</sp>
    <pct>100</pct>
    <fo>0</fo>
  </policy_published>
  <record>
    <row>
      <source_ip>151.84.109.14</source_ip>
      <count>9</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>studiogelda.it</header_from>
      <envelope_from>studiogelda.it</envelope_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>studiogelda.it</domain>
        <result>pass</result>
        <selector>default</selector>
      </dkim>
      <spf>
        <domain>studiogelda.it</domain>
        <scope>mfrom</scope>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
</feedback>
« Last Edit: January 02, 2023, 10:48:40 AM by ello »
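
A way to read DMARC aggregate reports like the one quoted above without doing it by eye, as an added example (not code from the thread or from SME Server). It parses the report with the standard library, returns the published policy and one summary row per `<record>` (source IP, count, disposition, evaluated DKIM/SPF), and flags rows that either failed both aligned checks or came from an IP you do not operate. The embedded report is the thread's comcast.net report plus one constructed second `<record>` from a hypothetical spoofing source (203.0.113.7); `KNOWN_IPS` assumes 151.84.109.14 is the SME server's own public address.

```python
"""Summarise a DMARC aggregate (rua) report and flag sources worth a look."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# The thread's report, reformatted, plus a constructed second record (203.0.113.7).
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
 <version>1.0</version>
 <report_metadata>
  <org_name>comcast.net</org_name>
  <email>dmarc-admin@alerts.comcast.net</email>
  <report_id>v2-1672631168-studiogelda.it</report_id>
  <date_range><begin>1672531200</begin><end>1672617600</end></date_range>
 </report_metadata>
 <policy_published>
  <domain>studiogelda.it</domain><adkim>s</adkim><aspf>r</aspf>
  <p>reject</p><sp>reject</sp><pct>100</pct><fo>0</fo>
 </policy_published>
 <record>
  <row><source_ip>151.84.109.14</source_ip><count>9</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>studiogelda.it</header_from><envelope_from>studiogelda.it</envelope_from></identifiers>
  <auth_results>
   <dkim><domain>studiogelda.it</domain><result>pass</result><selector>default</selector></dkim>
   <spf><domain>studiogelda.it</domain><scope>mfrom</scope><result>pass</result></spf>
  </auth_results>
 </record>
 <record><!-- constructed: a hypothetical spoofing source that fails both checks -->
  <row><source_ip>203.0.113.7</source_ip><count>42</count>
   <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>studiogelda.it</header_from><envelope_from>studiogelda.it</envelope_from></identifiers>
  <auth_results>
   <spf><domain>studiogelda.it</domain><scope>mfrom</scope><result>fail</result></spf>
  </auth_results>
 </record>
</feedback>
"""

KNOWN_IPS = {"151.84.109.14"}   # assumption: the server's own public address


def _text(node, path):
    el = node.find(path)
    return (el.text or "").strip() if el is not None else ""


def parse_report(xml_text):
    """Return {'org', 'policy', 'window', 'rows'} for one aggregate report."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    policy = {k: _text(root, "policy_published/" + k)
              for k in ("domain", "adkim", "aspf", "p", "sp", "pct")}
    window = tuple(
        datetime.fromtimestamp(int(_text(root, "report_metadata/date_range/" + k)), tz=timezone.utc)
        for k in ("begin", "end"))
    rows = [{
        "source_ip": _text(rec, "row/source_ip"),
        "count": int(_text(rec, "row/count") or 0),
        "disposition": _text(rec, "row/policy_evaluated/disposition"),
        "dkim": _text(rec, "row/policy_evaluated/dkim"),   # aligned-DKIM verdict
        "spf": _text(rec, "row/policy_evaluated/spf"),     # aligned-SPF verdict
        "header_from": _text(rec, "identifiers/header_from"),
    } for rec in root.findall("record")]
    return {"org": _text(root, "report_metadata/org_name"), "policy": policy,
            "window": window, "rows": rows}


def suspicious_sources(report, known_ips):
    """Rows that fail DMARC outright (neither aligned check passed) or come from an
    IP that is not one of your own MTAs."""
    return [r for r in report["rows"]
            if r["source_ip"] not in known_ips
            or (r["dkim"] != "pass" and r["spf"] != "pass")]


def messages_by_disposition(report):
    totals = {}
    for r in report["rows"]:
        totals[r["disposition"]] = totals.get(r["disposition"], 0) + r["count"]
    return totals


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print(rep["org"], rep["window"][0].date(), "->", rep["window"][1].date(), rep["policy"])
    for r in rep["rows"]:
        print(f"{r['source_ip']:16} n={r['count']:<4} {r['disposition']:7} dkim={r['dkim']} spf={r['spf']}")
    print("look at:", [r["source_ip"] for r in suspicious_sources(rep, KNOWN_IPS)])
```

Note what an aggregate report can and cannot tell you here: the 9 messages from 151.84.109.14 pass both aligned checks because they were genuinely submitted through the server and DKIM-signed by it. Mail sent with a compromised account's valid credentials looks exactly the same in these reports, so they reveal spoofing from elsewhere, not abuse of your own accounts; that evidence has to come from the sqpsmtpd and qmail logs.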

ReetP
Re: Outgoing mail to unknown users
« Reply #3 on: January 02, 2023, 11:50:55 AM »
https://wiki.koozali.org/Email#Outbound_DKIM_signing_.2F_SPF_.2F_DMARC_policy

https://mxtoolbox.com/diagnostic.aspx

Spamassassin only affects inbound mail, not outbound.
If the server keeps regenerating mail you should consider you have been hacked and act accordingly - you will get blacklisted soon.
Either someone has the passwords for the users - change them immediately - or someone has access to your server.
Take the server offline and go through your logs.
Check sqpsmtpd for the user names for outgoing mail.
Check for additional software that might have been installed.
Do a complete bug report from the server-manager lower left. Paste it where we can see it.

...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

ello
Re: Outgoing mail to unknown users
« Reply #4 on: January 02, 2023, 02:20:51 PM »
Thanks for the assistance.

Bug report:
Quote
==================
Base configuration
==================

SME server version:      10.1
SME server mode:         servergateway
SME server previous mode: servergateway
Running Kernel:          3.10.0-1160.81.1.el7.x86_64



===========================
New RPMs not in base system
===========================
       
Loaded plugins: fastestmirror, post-transaction-actions, priorities, smeserver
Loading mirror speeds from cached hostfile
 * base: it1.mirror.vhosting-it.com
 * smeaddons: www.mirrorservice.org
 * smeos: www.mirrorservice.org
 * smeupdates: www.mirrorservice.org
 * updates: it1.mirror.vhosting-it.com
Extra Packages
GeoIP.x86_64                      1.6.12-9.el7.sme                  @smecontribs
GeoIP-GeoLite-data.noarch         2018.06-7.el7.sme                 @smecontribs
GeoIP-GeoLite-data-extra.noarch   2018.06-7.el7.sme                 @smecontribs
fail2ban-sendmail.noarch          0.11.2-3.el7                      @smecontribs
fail2ban-server.noarch            0.11.2-3.el7                      @smecontribs
libspf2.x86_64                    1.2.11-1.20210922git4915c308.el7  @epel       
libspf2-progs.x86_64              1.2.11-1.20210922git4915c308.el7  @epel       
perl-Data-Validate-IP.noarch      0.27-13.el7                       @smecontribs
perl-Unicode-IMAPUtf7.noarch      2.01-1.of.el7                     @smecontribs
smeserver-certificate.noarch      0.0.4-13.el7.sme                  @smecontribs
smeserver-dhcpmanager.noarch      2.0.4-12.el7.sme                  @smecontribs
smeserver-email-management.noarch 1.3-5.el7.sme                     @smecontribs
smeserver-fail2ban.noarch         9:0.1.18-30.el7.sme               @smecontribs
smeserver-mailsorting.noarch      1.4-14.el7.sme                    @smecontribs
smeserver-qmHandle.noarch         1.4-24.el7.sme                    @smecontribs
smeserver-vacation.noarch         1.1-34.el7.sme                    @smecontribs
 



===========================
Custom and modified templates
===========================
/etc/e-smith/templates-custom/etc/dhcpd.conf/20tftp: MANUALLY_ADDED, ADDITION
/etc/e-smith/templates-custom/etc/dhcpd.conf/16tftp: MANUALLY_ADDED, ADDITION




===========================
Modified events
===========================




=======================
Additional repositories
=======================

base: enabled
centosplus: disabled
epel: disabled
extras: disabled
fasttrack: disabled
libreswan: enabled
remi-safe: enabled
smeaddons: enabled
smecontribs: disabled
smedev: disabled
smeextras: enabled
smeos: enabled
smetest: disabled
smeupdates: enabled
smeupdates-testing: disabled

sqpsmtpd
Quote
@4000000063b2d96439b6ae5c 3699 550 Cannot establish SSL session
@4000000063b2d96439b7cb84 3699 click, disconnecting
@4000000063b2d9652cea9e7c 1102 cleaning up after 3699
@4000000063b2d967045630fc 3704 dispatching EHLO [127.0.0.1]
@4000000063b2d9670463311c 3704 (ehlo) helo: pass
@4000000063b2d967046e6c1c 3704 250-studiogelda.it Hi fixed-189-203-144-192.totalplay.net [189.203.144.192]
@4000000063b2d967046ec9dc 3704 250-PIPELINING
@4000000063b2d967046f79a4 3704 250-8BITMIME
@4000000063b2d967046fbff4 3704 250-SIZE 15000000
@4000000063b2d96704708b14 3704 250 AUTH PLAIN LOGIN
@4000000063b2d96c0d4be47c 3704 dispatching AUTH PLAIN
@4000000063b2d96c0d517a2c 3704 334
@4000000063b2d97008cabd74 Use of uninitialized value $ret in unpack at /usr/share/qpsmtpd/plugins/auth/auth_cvm_unix_local line 124.
@4000000063b2d97008cd596c 3704 (auth-plain) auth::auth_cvm_unix_local: skip: no response from cvm for sonia@studiogelda.it
@4000000063b2d97008d18ba4 3704 535 PLAIN authentication failed for sonia@studiogelda.it
@4000000063b2d9720b0e7f6c 3704 dispatching AUTH LOGIN
@4000000063b2d9720b13693c 3704 334 VXNlcm5hbWU6
@4000000063b2d97426f5ee2c 3704 334 UGFzc3dvcmQ6
@4000000063b2d97719801d44 Use of uninitialized value $ret in unpack at /usr/share/qpsmtpd/plugins/auth/auth_cvm_unix_local line 124.
@4000000063b2d9771989ecfc 3704 (auth-login) auth::auth_cvm_unix_local: skip: no response from cvm for sonia@studiogelda.it
@4000000063b2d9771989fc9c 3704 535 LOGIN authentication failed for sonia@studiogelda.it
@4000000063b2d97a158fd42c 3704 dispatching QUIT
@4000000063b2d97a159477ac 3704 221 studiogelda.it closing connection. Have a wonderful day.
@4000000063b2d97a159828fc 3704 click, disconnecting
@4000000063b2d97a2e34e544 1102 cleaning up after 3704
@4000000063b2d9851d129aa4 3700 (connect) tls: fail, unable to establish SSL
@4000000063b2d9851d164fdc 3700 (deny) logging::logterse: ` 185.172.215.34       Unknown                         tls     903     Cannot establish SSL session    msg denied before queued
@4000000063b2d9851d188644 3700 550 Cannot establish SSL session
@4000000063b2d9851d193ddc 3700 click, disconnecting
@4000000063b2d9852ee30f34 1102 cleaning up after 3700