Please help me with Plesk and Qmail

Posted by biggies, 04-21-2009, 11:30 AM
Hi, I have a server running Plesk 8.6 with Qmail. Recently some users have complained that when they send email out, they receive undelivered-mail notices from Qmail (Plesk) with lots of unknown addresses. Users are concerned that the mail server is sending out mail to addresses they did not send it to. I have attached a typical example that a user got. I have replaced the domain name and IP address with dummy values. I have no clue whether the server automatically appends those junk email addresses to the sender's email or the client application did it without the user's consent. Thanks in advance for your expert guidance. Regards, Attached file: error-bounced.txt (4.1 KB)

Posted by prashant1979, 04-21-2009, 11:38 AM
It seems that some user has a weak password and is being used to authenticate so that spam can be sent using your server's SMTP. Check the log files to find which is the exploited user and change the password to a strong one.

Posted by biggies, 04-21-2009, 11:50 AM
The problem is the user actually sent to one authentic email address. I checked the qmail log and it was sent to the intended recipient. But somehow the user received a non-delivery mail with those junk email addresses that she did not send to, and that non-delivery mail has a copy of her own mail in it. I looked for those email addresses in the qmail log and did not find anything. Plesk Qmail does not have a log of which addresses it sends to. Thanks for your reply.

Posted by expressadmin, 04-21-2009, 01:29 PM
Is the address they are sending this message to a mailing list or mailing group of some sort? The attached sample doesn't really provide enough information to follow exactly what is happening. Is the message coming into your server and being delivered to a local account? Or is the message going out of your server to a remote account? How does the user send the message? Authenticated SMTP? Help me understand the direction and flow of the email and I might be able to give you some suggestions as to where to look.

Posted by biggies, 04-21-2009, 02:42 PM
Thanks for your reply. The user is sending through authenticated SMTP to an outside remote address. It is beyond my understanding of mail flow. It does not happen frequently. It happens from time to time. If you want to look at the qmail log file from Plesk, I can post it. Thanks again for your help. I am totally lost at this moment. Regards,

Posted by expressadmin, 04-21-2009, 02:46 PM
To make sure I am clear... MAILER-DAEMON@server1.hosting.com refers to your server, correct?

Posted by biggies, 04-21-2009, 03:07 PM
Yes correct. I changed the name for public posting.

Posted by expressadmin, 04-21-2009, 03:50 PM
My next question: have you recently had any spammer activity on your server that caused you to have to alter or manipulate the qmail mail queue in any way? (/var/qmail/queue) My working theory here is based on the fact that envelope information and message contents are stored in separate directories inside the qmail queue. If you manually edited the qmail queue structure (trying to remove a spammer's messages from your queue) and didn't use an application designed for this task (qmHandler as an example) or used an application that didn't do its job properly, then the qmail queue still has "bad" envelope data in its queue that will need to be cleared out in order to get things working correctly again. It would seem that the bad envelope data is getting associated with valid messages in the queue, which is then triggering these NDR reports to be generated falsely. Let me know if that is the case... and if it is... you will most likely need to regenerate your qmail queue directory to make things right again.

Posted by biggies, 04-21-2009, 04:02 PM
Oh yes, thanks for your explanation. I recently experienced a spamming problem. The mail queue filled up with over 600 mails with a lot of CC addresses. I deleted those mails from the queue using the Plesk panel. In this case the Plesk panel mail queue did not do a proper job. This would cause the problem. Thank you very much for your explanation. Kindest regards, Biggies

Posted by sahsanu, 04-21-2009, 04:42 PM
Hello, Playing with the qmail queue manually is not a good idea. Right now, you should check/repair it. You can do that using, for example, queue-repair: pyropus.ca/software/queue-repair/ You should stop your qmail completely and follow the queue-repair doc carefully. Good luck sahsanu
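
A read-only way to see the inconsistency discussed in this thread (envelope data left behind without its message body), added here as an example and not taken from the thread, Plesk, or queue-repair. It assumes a stock qmail queue layout (`mess`, `info`, `local`, `remote`, `todo`, `intd`, `bounce`, with each body file named after its own inode number); the sample queue it builds is constructed.

```python
import os
import tempfile

# Per-message envelope/state directories in a stock qmail queue (assumed
# layout); each file carries the same numeric name as its body under mess/.
ENVELOPE_DIRS = ("info", "local", "remote", "todo", "intd", "bounce")

def _ids(path):
    """Map message id -> path for every numerically named file under path."""
    return {name: os.path.join(root, name)
            for root, _dirs, files in os.walk(path)
            for name in files if name.isdigit()}

def audit_queue(queue_root):
    """Read-only check. Returns (orphaned envelope files, misnamed bodies)."""
    bodies = _ids(os.path.join(queue_root, "mess"))
    orphans = []
    for sub in ENVELOPE_DIRS:
        for mid, path in _ids(os.path.join(queue_root, sub)).items():
            if mid not in bodies:      # envelope data with no message body
                orphans.append(path)
    # qmail names each body file after its own inode number.
    misnamed = [p for mid, p in bodies.items() if os.stat(p).st_ino != int(mid)]
    return sorted(orphans), sorted(misnamed)

def build_sample_queue(root):
    """Constructed sample: intact message, misnamed body, orphaned envelope."""
    for sub in ("mess/0", "info/0", "remote/0"):
        os.makedirs(os.path.join(root, sub))
    def touch(rel):
        path = os.path.join(root, rel)
        open(path, "w").close()
        return path
    def body(name_for):
        tmp = touch("mess/0/new")
        ino = os.stat(tmp).st_ino
        os.rename(tmp, os.path.join(root, "mess/0", str(name_for(ino))))
        return ino
    good = body(lambda ino: ino)                # name == inode: intact
    bad_inode = body(lambda ino: max(ino, good) + 1)   # name != inode
    bad_name = max(bad_inode, good) + 1
    orphan = bad_name + 1                       # no body with this id exists
    for mid in (good, orphan):
        touch(f"info/0/{mid}")
        touch(f"remote/0/{mid}")
    return good, bad_name, orphan

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as q:
        build_sample_queue(q)
        print(audit_queue(q))
```

Run `audit_queue("/var/qmail/queue")` only with qmail stopped, since a live queue changes underneath the scan; the function reports and never modifies anything.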
