From: Charles Gregory on

Hello!

Received about a dozen of the following 'delivery status reports' for
messages with the subject 'probe', all 'returned' to 'root(a)hwcn.org'
all within a 10 minute period. Some report 'user unknown', others
like this one say 'deliverable'.

What is this? Symptom of hack?

- Charles

On Sat, 24 Apr 2010, Mail Delivery System wrote:
> Date: Sat, 24 Apr 2010 08:27:30 -0400 (EDT)
> From: Mail Delivery System <MAILER-DAEMON(a)hwcn.org>
> To: root(a)hwcn.org
> Subject: Mail Delivery Status Report
>
> This is the Postfix program at host barton.hwcn.org.
>
> Enclosed is the mail delivery report that you requested.
>
> The Postfix program
>
> <mungedactualaddress(a)hwcn.org> (expanded from <mungedactualalias>):
> delivery via local: delivers
> to command: /usr/bin/procmail
>

From: Charles Gregory on

Additional info:

All that shows in the logs is,

Apr 24 08:26:59 barton postfix/pickup[14103]: 849CFF4569: uid=0 from=<root>
Apr 24 08:26:59 barton postfix/cleanup[2161]: 849CFF4569: message-id=<20100424122659.849CFF4569(a)barton.hwcn.org>
Apr 24 08:27:09 barton postfix/qmgr[6233]: 849CFF4569: from=<root(a)hwcn.org>, size=278, nrcpt=1 (queue active)
Apr 24 08:27:09 barton postfix/local[2235]: 849CFF4569: to=<mungedactualaddress(a)hwcn.org>, orig_to=<mungedactualalias>, relay=local, delay=10, status=deliverable (delivery via local: delivers to command: /usr/bin/procmail)
Apr 24 08:27:40 barton postfix/qmgr[6233]: 849CFF4569: removed

Postfix is not the SMTP gateway, but I can find no related
entries from mail avenger to link to these mails.

We have only one mailing list on the system, and the alias address
is not a member.


From: Wietse Venema on
Charles Gregory:
>
> Additional info:
>
> All that shows in the logs is,
>
> Apr 24 08:26:59 barton postfix/pickup[14103]: 849CFF4569: uid=0 from=<root>
> Apr 24 08:26:59 barton postfix/cleanup[2161]: 849CFF4569: message-id=<20100424122659.849CFF4569(a)barton.hwcn.org>
> Apr 24 08:27:09 barton postfix/qmgr[6233]: 849CFF4569: from=<root(a)hwcn.org>, size=278, nrcpt=1 (queue active)
> Apr 24 08:27:09 barton postfix/local[2235]: 849CFF4569: to=<mungedactualaddress(a)hwcn.org>, orig_to=<mungedactualalias>, relay=local, delay=10, status=deliverable (delivery via local: delivers to command: /usr/bin/procmail)
> Apr 24 08:27:40 barton postfix/qmgr[6233]: 849CFF4569: removed

This is the result of root executing "sendmail -bv mungedactualalias".

I notice some unusual delays. You have a 10s delay between the
cleanup daemon dropping mail into the incoming queue, and the qmgr
scheduler opening the file for delivery. Then, there is a 31
seconds delay between the local daemon finishing delivery, and the
qmgr scheduler removing the message from the queue.

Possible explanations:

- Your mail server runs on a very slow CPU or file system.

- Your mail server is virtualized (VM, jail, zone, etc.) and gets
only a fraction of the resources of a real machine.

- Your mail server is suffering from 100x red-shift due to the
rapid expansion of the universe.

Sending Postfix off into space to study time dilation effects, that
is an option that I haven't considered before.

Wietse
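
Added example, not part of the original thread or of Postfix: a small Python triage script that groups Postfix log lines by queue ID, flags locally submitted address-verification probes (the "sendmail -bv" pattern identified above) and measures the two waits pointed out in the reply. The names summarize and SAMPLE_LOG are hypothetical, the probe heuristic is an assumption, and the pickup timestamp stands in for the start of the queue wait.

```python
import re
from datetime import datetime

# The thread's log excerpt with the mail-wrapped lines rejoined.
SAMPLE_LOG = """\
Apr 24 08:26:59 barton postfix/pickup[14103]: 849CFF4569: uid=0 from=<root>
Apr 24 08:26:59 barton postfix/cleanup[2161]: 849CFF4569: message-id=<20100424122659.849CFF4569(a)barton.hwcn.org>
Apr 24 08:27:09 barton postfix/qmgr[6233]: 849CFF4569: from=<root(a)hwcn.org>, size=278, nrcpt=1 (queue active)
Apr 24 08:27:09 barton postfix/local[2235]: 849CFF4569: to=<mungedactualaddress(a)hwcn.org>, orig_to=<mungedactualalias>, relay=local, delay=10, status=deliverable (delivery via local: delivers to command: /usr/bin/procmail)
Apr 24 08:27:40 barton postfix/qmgr[6233]: 849CFF4569: removed
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ postfix/(\w+)\[\d+\]: ([0-9A-F]+): (.*)$")

def summarize(log_text, year=2010):
    """Per queue ID: submitting uid, probe flag, and the two waits discussed above."""
    msgs = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        stamp, daemon, qid, rest = m.groups()
        # syslog timestamps carry no year, so it is passed in
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        rec = msgs.setdefault(qid, {"uid": None, "status": None, "t": {}})
        status = re.search(r"status=(\w+)", rest)
        if daemon == "pickup":
            uid = re.search(r"uid=(\d+)", rest)
            rec["uid"] = int(uid.group(1)) if uid else None
            rec["t"]["pickup"] = when
        elif daemon == "qmgr":
            rec["t"]["removed" if rest == "removed" else "active"] = when
        elif status:
            rec["status"] = status.group(1)
            rec["t"]["delivered"] = when

    def gap(t, a, b):
        return (t[b] - t[a]).total_seconds() if a in t and b in t else None

    report = {}
    for qid, rec in msgs.items():
        report[qid] = {
            "submit_uid": rec["uid"],
            # Assumption: local submission plus a (un)deliverable status marks a -bv probe
            "probe": rec["uid"] is not None
                     and rec["status"] in ("deliverable", "undeliverable"),
            "queue_wait_s": gap(rec["t"], "pickup", "active"),
            "removal_wait_s": gap(rec["t"], "delivered", "removed"),
        }
    return report

if __name__ == "__main__":
    for qid, info in summarize(SAMPLE_LOG).items():
        print(qid, info)
```

A burst of queue IDs flagged as probes with submit_uid 0 points at a root-owned job or script on the host itself, which is where to look next (cron tables, monitoring scripts).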

From: Stan Hoeppner on
Wietse Venema put forth on 4/24/2010 8:39 AM:

> - Your mail server is suffering from 100x red-shift due to the
> rapid expansion of the universe.
>
> Sending Postfix off into space to study time dilation effects, that
> is an option that I haven't considered before.

I deleted a very similar comment from my last email regarding "The Doctor's"
time issues. My humor has been falling flat lately, so I err'd on the side
of omission. ;)

--
Stan

From: Wietse Venema on
Stan Hoeppner:
> Wietse Venema put forth on 4/24/2010 8:39 AM:
>
> > - Your mail server is suffering from 100x red-shift due to the
> > rapid expansion of the universe.
> >
> > Sending Postfix off into space to study time dilation effects, that
> > is an option that I haven't considered before.
>
> I deleted a very similar comment from my last email regarding "The Doctor's"
> time issues. My humor has been falling flat lately, so I err'd on the side
> of omission. ;)

Humor is OK provided that the receiving end does not feel ridiculed.
That is of course subject to cultural differences, but there are
ways to make the intent clear.

In this case, I made my joke the end of a list of more serious
explanations for the observed delays. That should make clear that
the intent was to help with a smile, not to ridicule.

Finally, I would appreciate it if you refrain from munging the
Subject: line when responding to this mailing list. Do not prepend
[pfx] tags, and do not post follow-ups without Re: prefix. I don't
care what you do outside this mailing list.

Wietse