451 4.3.0 Error: Queue File Write Error

pietroaretino

I am extremely perplexed by these error notifications I am receiving from my Mailgateway.

This email address (supplier@mail.domain.tld), which does not exist, is involved somehow, and I am confused about where it is coming from and why I keep finding it among all of the domain's outgoing and incoming email addresses.

The error emails I am receiving every day are as follows:
Code:
Mail Delivery System posted 21/03/22 3:06 AM Proxmox SMTP server: errors from mail.domain.tld[192.168.1.1]
Transcript of session follows.

 In:  MAIL FROM: SIZE=36772
 Out: 250 2.1.0 Ok
 In:  RCPT TO:<supplier>
     ORCPT=rfc822;supplier@mail.domain.tld
 Out: 250 2.1.5 Ok
 In:  BDAT 27384 LAST
 Out: 250 2.5.0 OK (12053C6237DD3AEAF1C)
 In:  MAIL FROM: SIZE=28313
 Out: 250 2.1.0 Ok
 In:  RCPT TO:<supplier>
     ORCPT=rfc822;supplier@mail.domain.tld
 Out: 250 2.1.5 Ok
 In:  BDAT 18518 LAST
 Out: 250 2.5.0 OK (12053C6237DD3D22443)
 In:  MAIL FROM: SIZE=28314
 Out: 250 2.1.0 Ok
 In:  RCPT TO:<supplier>
     ORCPT=rfc822;supplier@mail.domain.tld
 Out: 250 2.1.5 Ok
 In:  BDAT 18518 LAST
 Out: 250 2.5.0 OK (12053C6237DD3F8BC7F)
 In:  MAIL FROM: SIZE=36758
 Out: 250 2.1.0 Ok
 In:  RCPT TO:<supplier>
     ORCPT=rfc822;supplier@mail.domain.tld
 Out: 250 2.1.5 Ok
 In:  BDAT 27384 LAST
 Out: 250 2.5.0 OK (12053C6237DD41CF5B4)
 In:  MAIL FROM: SIZE=28362
 Out: 250 2.1.0 Ok
 In:  RCPT TO:<supplier>
     ORCPT=rfc822;supplier@mail.domain.tld
 Out: 250 2.1.5 Ok
 In:  BDAT 18518 LAST
 Out: 250 2.5.0 OK (12053C6237DD440DE6D)
 In:  MAIL FROM: SIZE=28361
 Out: 250 2.1.0 Ok
 In:  RCPT TO:<supplier>
     ORCPT=rfc822;supplier@mail.domain.tld
 Out: 250 2.1.5 Ok
 In:  BDAT 18518 LAST
 Out: 250 2.5.0 OK (12053C6237DD464BE2A)
 In:  MAIL FROM: SIZE=36758
 Out: 250 2.1.0 Ok
 In:  RCPT TO:<supplier>
     ORCPT=rfc822;supplier@mail.domain.tld
 Out: 250 2.1.5 Ok
 In:  BDAT 27384 LAST
 Out: 451 4.3.0 Error: queue file write error
 In:  QUIT
 Out: 221 2.0.0 Bye


For other details, see the local mail logfile

When I look at my tracking log and filter by "supplier@mail.domain.tld" I see a ton of incoming and outgoing messages that look like this:
Code:
Mar 23 09:54:51 mailgate postfix/smtpd[1509659]: connect from srvex2013.domain.tld[192.168.180]
Mar 23 09:54:51 mailgate postfix/smtpd[1509659]: Anonymous TLS connection established from srvex2013.domain.tld[192.168.180]: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Mar 23 09:54:51 mailgate postfix/smtpd[1509659]: NOQUEUE: client=srvex2013.domain.tld[192.168.180]
Mar 23 09:54:54 mailgate postfix/smtpd[1509659]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (12056A623AE05BE921C); from=<> to=<no-reply@mail.domain.tld> proto=ESMTP helo=<mail.domain.tld>
Mar 23 09:54:54 mailgate postfix/smtpd[1509659]: NOQUEUE: client=srvex2013.domain.tld[192.168.180]
Mar 23 09:54:55 mailgate postfix/smtpd[1509659]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (12056A623AE05E21395); from=<booking@domain.tld> to=<info@hoteldelaville.org> proto=ESMTP helo=<mail.domain.tld>
Mar 23 09:54:55 mailgate postfix/smtpd[1509659]: NOQUEUE: client=srvex2013.domain.tld[192.168.180]
Mar 23 09:54:57 mailgate postfix/smtpd[1509659]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (12056A623AE05FB6CD1); from=<> to=<supplier@mail.domain.tld> proto=ESMTP helo=<mail.domain.tld>
Mar 23 09:54:58 mailgate postfix/smtpd[1509659]: NOQUEUE: client=srvex2013.domain.tld[192.168.180]
Mar 23 09:55:00 mailgate postfix/smtpd[1509659]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (12056A623AE0624640E); from=<> to=<no-reply@mail.domain.tld> proto=ESMTP helo=<mail.domain.tld>
Mar 23 09:55:00 mailgate postfix/smtpd[1509659]: NOQUEUE: client=srvex2013.domain.tld[192.168.180]
Mar 23 09:55:02 mailgate postfix/smtpd[1509659]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (12056A623AE0648F97F); from=<> to=<supplier@mail.domain.tld> proto=ESMTP helo=<mail.domain.tld>
Mar 23 09:55:02 mailgate postfix/smtpd[1509659]: NOQUEUE: client=srvex2013.domain.tld[192.168.180]
Mar 23 09:55:04 mailgate postfix/smtpd[1509659]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (12056A623AE066B967A); from=<> to=<supplier@mail.domain.tld> proto=ESMTP helo=<mail.domain.tld>
Mar 23 09:55:04 mailgate postfix/smtpd[1509659]: NOQUEUE: client=srvex2013.domain.tld[192.168.180]
Mar 23 09:55:07 mailgate postfix/smtpd[1509659]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (12056A623AE068E4936); from=<> to=<supplier@mail.domain.tld> proto=ESMTP helo=<mail.domain.tld>
Mar 23 09:55:07 mailgate postfix/smtpd[1509659]: NOQUEUE: client=srvex2013.domain.tld[192.168.180]
Mar 23 09:55:09 mailgate postfix/smtpd[1509659]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (12056A623AE06B905D6); from=<> to=<supplier@mail.domain.tld> proto=ESMTP helo=<mail.domain.tld>
Mar 23 09:55:09 mailgate postfix/smtpd[1509659]: NOQUEUE: client=srvex2013.domain.tld[192.168.180]
Mar 23 09:55:11 mailgate postfix/smtpd[1509659]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (12056A623AE06DBFF86); from=<> to=<supplier@mail.domain.tld> proto=ESMTP helo=<mail.domain.tld>
Mar 23 09:55:11 mailgate postfix/smtpd[1509659]: NOQUEUE: client=srvex2013.domain.tld[192.168.180]
Mar 23 09:55:12 mailgate pmg-smtp-filter[1516420]: 12056A623AE07005811: new mail message-id=<3dec71cf590a43efa09687ffb426fa6b@srvex2013.domain.tld>#012
Mar 23 09:55:13 mailgate pmg-smtp-filter[1516420]: 12056A623AE07005811: SA score=0/5 time=1.725 bayes=0.00 autolearn=ham autolearn_force=no hits=ALL_TRUSTED(-1),AWL(0.120),BAYES_00(-1.9),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),T_SCC_BODY_TEXT_LINE(-0.01),URIBL_BLOCKED(0.001)
Mar 23 09:55:13 mailgate postfix/smtpd[1516321]: connect from localhost.localdomain[127.0.0.1]
Mar 23 09:55:13 mailgate postfix/smtpd[1516321]: D0380E1190: client=localhost.localdomain[127.0.0.1], orig_client=srvex2013.domain.tld[192.168.180]
Mar 23 09:55:13 mailgate postfix/cleanup[1516114]: D0380E1190: message-id=<3dec71cf590a43efa09687ffb426fa6b@srvex2013.domain.tld>
Mar 23 09:55:13 mailgate postfix/qmgr[1313648]: D0380E1190: from=<s.battazza@domain.tld>, size=32949, nrcpt=1 (queue active)
Mar 23 09:55:13 mailgate pmg-smtp-filter[1516420]: 12056A623AE07005811: accept mail to <pauline.lehmann@hiltonstrasbourg.com> (D0380E1190) (rule: default-accept)
Mar 23 09:55:13 mailgate postfix/smtpd[1516321]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Mar 23 09:55:13 mailgate pmg-smtp-filter[1516420]: 12056A623AE07005811: processing time: 1.88 seconds (1.725, 0.059, 0)
Mar 23 09:55:13 mailgate postfix/smtpd[1509659]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (12056A623AE07005811); from=<s.battazza@domain.tld> to=<pauline.lehmann@hiltonstrasbourg.com> proto=ESMTP helo=<mail.domain.tld>
Mar 23 09:55:13 mailgate postfix/smtpd[1509659]: NOQUEUE: client=srvex2013.domain.tld[192.168.180]
Mar 23 09:55:14 mailgate postfix/smtp[1515690]: Trusted TLS connection established to hiltonstrasbourg-com.mail.protection.outlook.com[104.47.8.36]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 23 09:55:14 mailgate postfix/smtp[1515690]: D0380E1190: to=<pauline.lehmann@hiltonstrasbourg.com>, relay=hiltonstrasbourg-com.mail.protection.outlook.com[104.47.8.36]:25, delay=0.9, delays=0.05/0/0.46/0.39, dsn=2.6.0, status=sent (250 2.6.0 <3dec71cf590a43efa09687ffb426fa6b@srvex2013.domain.tld> [InternalId=102349070685070, Hostname=AM7PR09MB4101.eurprd09.prod.outlook.com] 43355 bytes in 0.086, 490.513 KB/sec Queued mail for delivery)
Mar 23 09:55:14 mailgate postfix/qmgr[1313648]: D0380E1190: removed
Mar 23 09:55:17 mailgate postfix/smtpd[1509659]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (12056A623AE071E7D41); from=<> to=<supplier@mail.domain.tld> proto=ESMTP helo=<mail.domain.tld>
Mar 23 09:55:17 mailgate postfix/smtpd[1509659]: NOQUEUE: client=srvex2013.domain.tld[192.168.180]
Mar 23 09:55:20 mailgate postfix/smtpd[1509659]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (12056A623AE075D0B11); from=<> to=<supplier@mail.domain.tld> proto=ESMTP helo=<mail.domain.tld>
Mar 23 09:55:20 mailgate postfix/smtpd[1509659]: NOQUEUE: client=srvex2013.domain.tld[192.168.180]
Mar 23 09:55:22 mailgate postfix/smtpd[1509659]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (12056A623AE0780DFAC); from=<> to=<supplier@mail.domain.tld> proto=ESMTP helo=<mail.domain.tld>
Mar 23 09:55:22 mailgate postfix/smtpd[1509659]: NOQUEUE: client=srvex2013.domain.tld[192.168.180]
Mar 23 09:55:24 mailgate postfix/smtpd[1509659]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (12056A623AE07A257ED); from=<> to=<supplier@mail.domain.tld> proto=ESMTP helo=<mail.domain.tld>
Mar 23 09:55:24 mailgate postfix/smtpd[1509659]: NOQUEUE: client=srvex2013.domain.tld[192.168.180]
Mar 23 09:55:26 mailgate postfix/smtpd[1509659]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (12056A623AE07C72088); from=<> to=<supplier@mail.domain.tld> proto=ESMTP helo=<mail.domain.tld>
Mar 23 09:55:26 mailgate postfix/smtpd[1509659]: NOQUEUE: client=srvex2013.domain.tld[192.168.180]
Mar 23 09:55:28 mailgate postfix/smtpd[1509659]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (12056A623AE07E8EC30); from=<> to=<supplier@mail.domain.tld> proto=ESMTP helo=<mail.domain.tld>
Mar 23 09:55:28 mailgate postfix/smtpd[1509659]: NOQUEUE: client=srvex2013.domain.tld[192.168.180]
Mar 23 09:55:31 mailgate postfix/smtpd[1509659]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (12056A623AE080D51F0); from=<> to=<supplier@mail.domain.tld> proto=ESMTP helo=<mail.domain.tld>
Mar 23 09:55:31 mailgate postfix/smtpd[1509659]: NOQUEUE: client=srvex2013.domain.tld[192.168.180]
Mar 23 09:55:33 mailgate postfix/smtpd[1509659]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (12056A623AE08344EBA); from=<> to=<no-reply@mail.domain.tld> proto=ESMTP helo=<mail.domain.tld>
Mar 23 09:55:33 mailgate postfix/smtpd[1509659]: NOQUEUE: client=srvex2013.domain.tld[192.168.180]
Mar 23 09:55:35 mailgate postfix/smtpd[1509659]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (12056A623AE08576A35); from=<> to=<no-reply@mail.domain.tld> proto=ESMTP helo=<mail.domain.tld>
Mar 23 09:55:35 mailgate postfix/smtpd[1509659]: NOQUEUE: client=srvex2013.domain.tld[192.168.180]
Mar 23 09:55:37 mailgate postfix/smtpd[1509659]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (12056A623AE087A4AEC); from=<> to=<no-reply@mail.domain.tld> proto=ESMTP helo=<mail.domain.tld>
Mar 23 09:55:37 mailgate postfix/smtpd[1509659]: disconnect from srvex2013.domain.tld[192.168.180] ehlo=2 starttls=1 mail=20 rcpt=20 bdat=20 quit=1 commands=64

Here is what I pulled from my Syslog around the same time as above:

Code:
Mar 23 09:54:54 mailgate postfix/qmgr[1313648]: 0A3E5E1190: from=<>, size=21277, nrcpt=1 (queue active)
Mar 23 09:54:54 mailgate pmg-smtp-filter[1516312]: 12056A623AE05BE921C: accept mail to <no-reply@mail.domain.tld> (0A3E5E1190) (rule: default-accept)
Mar 23 09:54:54 mailgate postfix/smtpd[1516321]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Mar 23 09:54:54 mailgate pmg-smtp-filter[1516312]: 12056A623AE05BE921C: processing time: 2.136 seconds (2.013, 0.039, 0)
Mar 23 09:54:54 mailgate postfix/smtpd[1509659]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (12056A623AE05BE921C); from=<> to=<no-reply@mail.domain.tld> proto=ESMTP helo=<mai>
Mar 23 09:54:54 mailgate postfix/smtpd[1509659]: NOQUEUE: client=srvex2013.domain.tld[192.168.1.80]
Mar 23 09:54:54 mailgate pmg-smtp-filter[1516324]: 2022/03/23-09:54:54 CONNECT TCP Peer: "[127.0.0.1]:38506" Local: "[127.0.0.1]:10023"
Mar 23 09:54:54 mailgate pmg-smtp-filter[1516324]: 12056A623AE05E21395: new mail message-id=<fbb379cd413d481f93eeff021cbb4893@srvex2013.domain.tld>#012
Mar 23 09:54:54 mailgate postfix/smtp[1515941]: Trusted TLS connection established to mail.domain.tld[192.168.1.80]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 b>
Mar 23 09:54:55 mailgate postfix/smtp[1515941]: 0A3E5E1190: to=<no-reply@mail.domain.tld>, relay=mail.domain.tld[192.168.1.80]:25, delay=1.3, delays=0.05/0/0.2/1.1, dsn=>
Mar 23 09:54:55 mailgate postfix/qmgr[1313648]: 0A3E5E1190: removed
Mar 23 09:54:55 mailgate postfix/postscreen[1515396]: PASS NEW [209.85.221.47]:44819
Mar 23 09:54:55 mailgate postfix/smtpd[1514779]: connect from mail-wr1-f47.google.com[209.85.221.47]
Mar 23 09:54:55 mailgate pmg-smtp-filter[1516324]: 12056A623AE05E21395: SA score=0/5 time=1.446 bayes=0.00 autolearn=no autolearn_force=no hits=ALL_TRUSTED(-1),AWL(-0.059),BAYES_0>
Mar 23 09:54:55 mailgate postfix/smtpd[1516321]: connect from localhost.localdomain[127.0.0.1]
Mar 23 09:54:55 mailgate postfix/smtpd[1516321]: A8536E1190: client=localhost.localdomain[127.0.0.1], orig_client=srvex2013.domain.tld[192.168.1.80]
Mar 23 09:54:55 mailgate postfix/smtpd[1514779]: Anonymous TLS connection established from mail-wr1-f47.google.com[209.85.221.47]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/>
Mar 23 09:54:55 mailgate postfix/cleanup[1516114]: A8536E1190: message-id=<fbb379cd413d481f93eeff021cbb4893@srvex2013.domain.tld>

What the hell am I looking at?

I've seen reference to a similar issue here:
https://forum.proxmox.com/threads/451-4-3-0-error-queue-file-write-error.76423/

But I am not using any plugins; is this an issue with DNSBLs or Bayes?

The only thing I've adjusted as of late is upping my heuristic score from 3 to 5 and swapping out some DNSBLs.

[screenshots: mailgate.JPG, mailgate2.JPG]

This still leaves me perplexed by this "supplier@mail.domain.tld".

First off, again, I don't have a mailbox or account set up with that name.
Secondly, even if I did, my mailboxes are set up as "name@domain.tld", not "name@mail.domain.tld".

My logs are FULL of these instances, constantly. I have no idea what is going on. Has anyone else encountered this?

Thanks in advance.
 
So I looked into the nature of the error more and ran into this Postfix documentation:

https://www.postfix.org/SMTPD_PROXY_README.html

Seems the error and the mysterious "supplier@mail.domain.tld" had to do with Before Queue Filtering. I recalled that I had also enabled that setting as of recently.

I went ahead and disabled that setting, and within several minutes all those errors and logs began disappearing and things seemed to return back to normal.

If anyone else runs into the same issue, try disabling your "Before Queue Filter", i.e. switch it to "NO". You can find this setting in Configuration->Mail Proxy->Options.
 
I take that back, I still have no idea wtf is happening.

My Mailgate is at over 100% CPU utilization and is consuming all its RAM as well.

My Exchange server is dumping all this to my mail gateway and I don't know why, what, or how.

Code:
Mar 23 15:24:50 mailgate postfix/smtpd[24823]: connect from exchange.domain.tld[192.168.1.1]
Mar 23 15:24:50 mailgate postfix/smtpd[24823]: Anonymous TLS connection established from exchange.domain.tld[192.168.1.1]: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Mar 23 15:24:50 mailgate postfix/smtpd[24823]: 7FD74E1178: client=exchange.domain.tld[192.168.1.1]
Mar 23 15:24:50 mailgate postfix/cleanup[24769]: 7FD74E1178: message-id=<fc839b8e-a1d1-4dae-876a-a42e465a61a4@exchange.domain.tld>
Mar 23 15:24:50 mailgate postfix/qmgr[19534]: 7FD74E1178: from=<>, size=17062, nrcpt=1 (queue active)
Mar 23 15:24:50 mailgate postfix/smtpd[24823]: 935E6E118B: client=exchange.domain.tld[192.168.1.1]
Mar 23 15:24:50 mailgate postfix/smtpd[24823]: disconnect from exchange.domain.tld[192.168.1.1] ehlo=2 starttls=1 mail=2 rcpt=2 bdat=2 quit=1 commands=10
Mar 23 15:24:50 mailgate pmg-smtp-filter[24998]: 12056A623B2DB296045: new mail message-id=<fc839b8e-a1d1-4dae-876a-a42e465a61a4@exchange.domain.tld>#012
Mar 23 15:25:00 mailgate pmg-smtp-filter[24998]: 12056A623B2DB296045: SA score=0/5 time=9.360 bayes=0.00 autolearn=unavailable autolearn_force=no hits=ALL_TRUSTED(-1),AWL(0.703),BAYES_00(-1.9),HTML_FONT_LOW_CONTRAST(0.001),HTML_FONT_SIZE_LARGE(0.001),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),T_SCC_BODY_TEXT_LINE(-0.01),URIBL_BLOCKED(0.001)
Mar 23 15:25:00 mailgate postfix/smtpd[24351]: connect from localhost.localdomain[127.0.0.1]
Mar 23 15:25:00 mailgate postfix/smtpd[24351]: 555B0E11A2: client=localhost.localdomain[127.0.0.1], orig_client=exchange.domain.tld[192.168.1.1]
Mar 23 15:25:00 mailgate postfix/cleanup[24835]: 555B0E11A2: message-id=<fc839b8e-a1d1-4dae-876a-a42e465a61a4@exchange.domain.tld>
Mar 23 15:25:00 mailgate postfix/qmgr[19534]: 555B0E11A2: from=<>, size=16340, nrcpt=1 (queue active)
Mar 23 15:25:00 mailgate postfix/smtpd[24351]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Mar 23 15:25:00 mailgate pmg-smtp-filter[24998]: 12056A623B2DB296045: accept mail to <supplier@mail.domain.tld> (555B0E11A2) (rule: default-accept)
Mar 23 15:25:00 mailgate postfix/smtp[24353]: Trusted TLS connection established to mail.domain.tld[192.168.1.1]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Mar 23 15:25:00 mailgate pmg-smtp-filter[24998]: 12056A623B2DB296045: processing time: 9.833 seconds (9.36, 0.074, 0)
Mar 23 15:25:00 mailgate postfix/lmtp[22679]: 7FD74E1178: to=<supplier@mail.domain.tld>, relay=127.0.0.1[127.0.0.1]:10023, delay=10, delays=0.08/0/0.01/9.9, dsn=2.5.0, status=sent (250 2.5.0 OK (12056A623B2DB296045))
Mar 23 15:25:00 mailgate postfix/qmgr[19534]: 7FD74E1178: removed
Mar 23 15:25:00 mailgate postfix/smtp[24353]: 555B0E11A2: to=<supplier@mail.domain.tld>, relay=mail.domain.tld[192.168.1.1]:25, delay=0.29, delays=0.1/0/0.06/0.13, dsn=2.6.0, status=sent (250 2.6.0 <fc839b8e-a1d1-4dae-876a-a42e465a61a4@exchange.domain.tld> [InternalId=74483322848915, Hostname=exchange.domain.tld] Queued mail for delivery)
Mar 23 15:25:00 mailgate postfix/qmgr[19534]: 555B0E11A2: removed

I had to tick "Include Empty Senders" in order to see this.

Has anyone experienced this before?
 
Run top or htop and show what is causing the high CPU and memory usage.
38193 root 20 0 254880 123736 10584 R 27.7 1.5 0:20.21 pmg-smtp-filter
38141 root 20 0 249184 115576 9440 R 26.1 1.4 0:23.52 pmg-smtp-filter
38200 root 20 0 249068 114260 9420 R 23.1 1.4 0:19.05 pmg-smtp-filter
38408 root 20 0 248780 113812 9420 R 22.8 1.4 0:06.62 pmg-smtp-filter
38181 root 20 0 249168 114436 9420 R 21.8 1.4 0:19.88 pmg-smtp-filter
38155 root 20 0 249048 114260 9420 R 20.5 1.4 0:22.58 pmg-smtp-filter
38444 root 20 0 251592 119416 10572 R 18.8 1.5 0:06.26 pmg-smtp-filter
38396 root 20 0 252088 120176 10572 R 18.2 1.5 0:06.71 pmg-smtp-filter
38449 root 20 0 248768 113776 9420 S 3.6 1.4 0:05.93 pmg-smtp-filter
38118 root 20 0 249184 114412 9420 S 2.6 1.4 0:25.16 pmg-smtp-filter
672 clamav 20 0 1682568 211032 6660 S 2.3 2.6 4:52.25 clamd

It's my PMG-SMTP-FILTER.

But I'm looking at my tracking log, and my Exchange is dumping empty-sender mail to my Proxmox Mail Gateway:

[screenshot: wtf.JPG]
Each one of those mails looks like this:
Code:
Mar 23 16:11:33 mailgate postfix/smtpd[33266]: connect from mail.domain.tld[192.168.1.80]
Mar 23 16:11:33 mailgate postfix/smtpd[33266]: Anonymous TLS connection established from mail.domain.tld[192.168.1.80]: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Mar 23 16:11:33 mailgate postfix/smtpd[33266]: 63F89E118D: client=mail.domain.tld[192.168.1.80]
Mar 23 16:11:33 mailgate postfix/cleanup[33219]: 63F89E118D: message-id=<ef38fb0a-1157-4217-adf6-db64cf6b5103@srvex2013.domain.tld>
Mar 23 16:11:33 mailgate postfix/qmgr[19534]: 63F89E118D: from=<>, size=18826, nrcpt=1 (queue active)
Mar 23 16:11:33 mailgate postfix/smtpd[33266]: disconnect from mail.domain.tld[192.168.1.80] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=1 quit=1 commands=7
Mar 23 16:11:33 mailgate pmg-smtp-filter[33147]: 12072B623B38A570EC6: new mail message-id=<ef38fb0a-1157-4217-adf6-db64cf6b5103@srvex2013.domain.tld>#012
Mar 23 16:11:40 mailgate pmg-smtp-filter[33147]: 12072B623B38A570EC6: SA score=0/5 time=6.785 bayes=0.00 autolearn=no autolearn_force=no hits=ALL_TRUSTED(-1),AWL(-1.249),BAYES_00(-1.9),DATE_IN_PAST_96_XX(3.405),HTML_FONT_SIZE_LARGE(0.001),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),KAM_NUMSUBJECT(0.5),T_SCC_BODY_TEXT_LINE(-0.01),URIBL_BLOCKED(0.001)
Mar 23 16:11:40 mailgate postfix/smtpd[32925]: connect from localhost.localdomain[127.0.0.1]
Mar 23 16:11:40 mailgate postfix/smtpd[32925]: 81EAEE11A2: client=localhost.localdomain[127.0.0.1], orig_client=mail.domain.tld[192.168.1.80]
Mar 23 16:11:40 mailgate postfix/cleanup[33042]: 81EAEE11A2: message-id=<ef38fb0a-1157-4217-adf6-db64cf6b5103@srvex2013.domain.tld>
Mar 23 16:11:40 mailgate postfix/qmgr[19534]: 81EAEE11A2: from=<>, size=18109, nrcpt=1 (queue active)
Mar 23 16:11:40 mailgate postfix/smtp[33136]: Trusted TLS connection established to mail.domain.tld[192.168.1.80]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Mar 23 16:11:40 mailgate postfix/smtpd[32925]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Mar 23 16:11:40 mailgate pmg-smtp-filter[33147]: 12072B623B38A570EC6: accept mail to <supplier@mail.domain.tld> (81EAEE11A2) (rule: default-accept)
Mar 23 16:11:40 mailgate pmg-smtp-filter[33147]: 12072B623B38A570EC6: processing time: 7.262 seconds (6.785, 0.14, 0)
Mar 23 16:11:40 mailgate postfix/lmtp[30868]: 63F89E118D: to=<supplier@mail.domain.tld>, relay=127.0.0.1[127.0.0.1]:10023, delay=7.3, delays=0.05/0/0.01/7.3, dsn=2.5.0, status=sent (250 2.5.0 OK (12072B623B38A570EC6))
Mar 23 16:11:40 mailgate postfix/qmgr[19534]: 63F89E118D: removed
Mar 23 16:11:41 mailgate postfix/smtp[33136]: 81EAEE11A2: to=<supplier@mail.domain.tld>, relay=mail.domain.tld[192.168.1.80]:25, delay=1.2, delays=0.08/0/0.06/1, dsn=2.6.0, status=sent (250 2.6.0 <ef38fb0a-1157-4217-adf6-db64cf6b5103@srvex2013.domain.tld> [InternalId=74487617815431, Hostname=srvex2013.domain.tld] Queued mail for delivery)
Mar 23 16:11:41 mailgate postfix/qmgr[19534]: 81EAEE11A2: removed

So my Exchange is sending empty mail, with an empty sender (from), to a non-existent mailbox/user (supplier@mail.domain.tld).

No idea.
 
Is there a lot of mail queuing?
Is all the empty-sender mail from 192.168.1.80?
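One way to answer those two questions from the mail.log lines posted in this thread, as an added example (not code from the thread or from Proxmox): it groups Postfix log lines by queue ID, counts null-sender (from=<>) messages per originating client, and flags the ones the gateway relays straight back to the IP they came from, which is the pattern in the logs above. The sample lines are constructed in the thread's format; mx.example.net and the recipient addresses in them are placeholders.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample lines in the mail.log format shown in this thread (same sanitized
# hosts and IPs as the thread; mx.example.net and the recipients are placeholders).
SAMPLE_LOG = """\
Mar 23 18:13:44 mailgate postfix/smtpd[11168]: 7E307E119B: client=exchange.domain.tld[192.168.1.80]
Mar 23 18:13:44 mailgate postfix/qmgr[785]: 7E307E119B: from=<>, size=18831, nrcpt=1 (queue active)
Mar 23 18:13:51 mailgate postfix/smtpd[11214]: 0C3F9E11A1: client=localhost.localdomain[127.0.0.1], orig_client=exchange.domain.tld[192.168.1.80]
Mar 23 18:13:51 mailgate postfix/qmgr[785]: 0C3F9E11A1: from=<>, size=18109, nrcpt=1 (queue active)
Mar 23 18:13:51 mailgate postfix/lmtp[10344]: 7E307E119B: to=<supplier@mail.domain.tld>, relay=127.0.0.1[127.0.0.1]:10023, dsn=2.5.0, status=sent (250 2.5.0 OK)
Mar 23 18:13:51 mailgate postfix/smtp[11155]: 0C3F9E11A1: to=<supplier@mail.domain.tld>, relay=mail.domain.tld[192.168.1.80]:25, dsn=2.6.0, status=sent (250 2.6.0 Queued mail for delivery)
Mar 23 18:14:02 mailgate postfix/smtpd[11168]: 1A2B3C4D5E: client=exchange.domain.tld[192.168.1.80]
Mar 23 18:14:02 mailgate postfix/qmgr[785]: 1A2B3C4D5E: from=<user@domain.tld>, size=32949, nrcpt=1 (queue active)
Mar 23 18:14:03 mailgate postfix/smtp[11155]: 1A2B3C4D5E: to=<partner@example.net>, relay=mx.example.net[203.0.113.10]:25, dsn=2.0.0, status=sent (250 ok)
Mar 23 18:14:10 mailgate postfix/smtpd[11168]: 9F8E7D6C5B: client=mail-wr1-f47.google.com[209.85.221.47]
Mar 23 18:14:10 mailgate postfix/qmgr[785]: 9F8E7D6C5B: from=<>, size=4020, nrcpt=1 (queue active)
Mar 23 18:14:11 mailgate postfix/smtp[11155]: 9F8E7D6C5B: to=<user@domain.tld>, relay=mail.domain.tld[192.168.1.80]:25, dsn=2.6.0, status=sent (250 2.6.0 Queued mail for delivery)
"""

LINE_RE = re.compile(r"postfix/(?P<prog>[a-z]+)\[\d+\]: (?P<qid>[0-9A-F]{8,}): (?P<rest>.*)")
CLIENT_RE = re.compile(r"(?<!_)client=(?P<host>\S+?)\[(?P<ip>[^\]]+)\]")
ORIG_RE = re.compile(r"orig_client=(?P<host>\S+?)\[(?P<ip>[^\]]+)\]")
FROM_RE = re.compile(r"from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(r"to=<(?P<addr>[^>]*)>, relay=(?P<relay>\S+?)\[(?P<ip>[^\]]+)\]")
FILTER_IP = "127.0.0.1"  # the content-filter hop (relay=127.0.0.1[127.0.0.1]:10023 in the thread)


@dataclass
class Message:
    origin_ip: str = ""            # orig_client= if present (re-injected copy), else client=
    sender: Optional[str] = None   # "" is the null sender from=<>
    deliveries: List[Tuple[str, str]] = field(default_factory=list)  # (recipient, relay IP)


def parse_postfix_log(text: str) -> dict:
    """Group mail.log lines by Postfix queue ID into Message records."""
    msgs = defaultdict(Message)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue               # connect/disconnect/TLS lines carry no queue ID
        msg, prog, rest = msgs[m["qid"]], m["prog"], m["rest"]
        if prog == "smtpd":
            o = ORIG_RE.search(rest) or CLIENT_RE.search(rest)
            if o:
                msg.origin_ip = o["ip"]
        elif prog == "qmgr":
            f = FROM_RE.search(rest)
            if f:
                msg.sender = f["addr"]
        elif prog in ("smtp", "lmtp"):
            t = TO_RE.search(rest)
            if t:
                msg.deliveries.append((t["addr"], t["ip"]))
    return dict(msgs)


def empty_sender_report(msgs: dict) -> dict:
    """Count null-sender messages per originating IP and per recipient, and flag the
    ones relayed straight back to the IP they came from (a bounce loop)."""
    by_origin, by_rcpt, loops = Counter(), Counter(), Counter()
    for msg in msgs.values():
        if msg.sender != "":
            continue
        # The pre-filter copy is only delivered to the content filter; the re-injected
        # copy (orig_client=) is the one that leaves the gateway, so count that one.
        if msg.deliveries and all(ip == FILTER_IP for _, ip in msg.deliveries):
            continue
        by_origin[msg.origin_ip] += 1
        for rcpt, relay_ip in msg.deliveries:
            by_rcpt[rcpt] += 1
            if relay_ip == msg.origin_ip:
                loops[(msg.origin_ip, rcpt)] += 1
    return {"by_origin": by_origin, "by_recipient": by_rcpt, "loops": loops}


if __name__ == "__main__":
    report = empty_sender_report(parse_postfix_log(SAMPLE_LOG))
    for key, counter in report.items():
        print(key, dict(counter))
```

Run it against a real /var/log/mail.log instead of SAMPLE_LOG; a large count in "loops" for one (origin, recipient) pair is the signature of mail bouncing between the gateway and the same upstream host.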
 
Is there a lot of mail queuing?
Is all the empty-sender mail from 192.168.1.80?
Yeah, 192.168.1.80 is the sanitized IPv4 of my Exchange 2013 Server.
Today, all of a sudden, the CPU has just spiked and remained there.
[screenshot: wtf3.JPG]

Don't have much in my queue though which is weird.
[screenshot: wtf2.JPG]
I'm doing a reboot now and I'm trying to figure out Exchange 2013 logs... geez, Microsoft logs are garbage: hard to find, and then you gotta import them yourself into Excel to make them legible.

Regardless I'm unable to find anything in my exchange logs about a "supplier@mail.domain.tld" (sanitized domain name).

Our business in this scenario is "mail.domain.tld" but all our email addresses are obviously "user@domain.tld", and we have no account called "supplier".

Yet here is my Exchange server sending infinite emails to "supplier@mail.domain.tld", and I can't find anything in my Exchange logs.

I'm baffled.
 
The issue is still persisting and I am still no closer to solving this puzzle than I was 9 hours ago.

Being bombarded by my Exchange server with blank-sender mail to my PVE Mail Gateway.

[screenshot: tired.JPG]
Each entry above has the following log:
Code:
Mar 23 18:13:44 mailgate postfix/smtpd[11168]: connect from exchange.domain.tld[192.168.1.80]
Mar 23 18:13:44 mailgate postfix/smtpd[11168]: Anonymous TLS connection established from exchange.domain.tld[192.168.1.80]: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Mar 23 18:13:44 mailgate postfix/smtpd[11168]: 6FC25E1190: client=exchange.domain.tld[192.168.1.80]
Mar 23 18:13:44 mailgate postfix/smtpd[11168]: 7E307E119B: client=exchange.domain.tld[192.168.1.80]
Mar 23 18:13:44 mailgate postfix/cleanup[11313]: 7E307E119B: message-id=<ef38fb0a-1157-4217-adf6-db64cf6b5103@exchange.domain.tld>
Mar 23 18:13:44 mailgate postfix/qmgr[785]: 7E307E119B: from=<>, size=18831, nrcpt=1 (queue active)
Mar 23 18:13:44 mailgate postfix/smtpd[11168]: disconnect from exchange.domain.tld[192.168.1.80] ehlo=2 starttls=1 mail=2 rcpt=2 bdat=2 quit=1 commands=10
Mar 23 18:13:44 mailgate pmg-smtp-filter[11259]: 120646623B554887DDC: new mail message-id=<ef38fb0a-1157-4217-adf6-db64cf6b5103@exchange.domain.tld>#012
Mar 23 18:13:51 mailgate pmg-smtp-filter[11259]: 120646623B554887DDC: SA score=0/5 time=6.338 bayes=0.00 autolearn=no autolearn_force=no hits=ALL_TRUSTED(-1),AWL(-1.249),BAYES_00(-1.9),DATE_IN_PAST_96_XX(3.405),HTML_FONT_SIZE_LARGE(0.001),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),KAM_NUMSUBJECT(0.5),T_SCC_BODY_TEXT_LINE(-0.01),URIBL_BLOCKED(0.001)
Mar 23 18:13:51 mailgate postfix/smtpd[11214]: connect from localhost.localdomain[127.0.0.1]
Mar 23 18:13:51 mailgate postfix/smtpd[11214]: 0C3F9E11A1: client=localhost.localdomain[127.0.0.1], orig_client=exchange.domain.tld[192.168.1.80]
Mar 23 18:13:51 mailgate postfix/cleanup[11313]: 0C3F9E11A1: message-id=<ef38fb0a-1157-4217-adf6-db64cf6b5103@exchange.domain.tld>
Mar 23 18:13:51 mailgate postfix/qmgr[785]: 0C3F9E11A1: from=<>, size=18109, nrcpt=1 (queue active)
Mar 23 18:13:51 mailgate postfix/smtp[11155]: Trusted TLS connection established to mail.domain.tld[192.168.1.80]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Mar 23 18:13:51 mailgate postfix/smtpd[11214]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Mar 23 18:13:51 mailgate pmg-smtp-filter[11259]: 120646623B554887DDC: accept mail to <supplier@mail.domain.tld> (0C3F9E11A1) (rule: default-accept)
Mar 23 18:13:51 mailgate pmg-smtp-filter[11259]: 120646623B554887DDC: processing time: 6.65 seconds (6.338, 0.096, 0)
Mar 23 18:13:51 mailgate postfix/lmtp[10344]: 7E307E119B: to=<supplier@mail.domain.tld>, relay=127.0.0.1[127.0.0.1]:10023, delay=6.7, delays=0.04/0/0/6.7, dsn=2.5.0, status=sent (250 2.5.0 OK (120646623B554887DDC))
Mar 23 18:13:51 mailgate postfix/qmgr[785]: 7E307E119B: removed
Mar 23 18:13:51 mailgate postfix/smtp[11155]: 0C3F9E11A1: to=<supplier@mail.domain.tld>, relay=mail.domain.tld[192.168.1.80]:25, delay=0.32, delays=0.15/0/0.06/0.11, dsn=2.6.0, status=sent (250 2.6.0 <ef38fb0a-1157-4217-adf6-db64cf6b5103@exchange.domain.tld> [InternalId=74496207750105, Hostname=exchange.domain.tld] Queued mail for delivery)
Mar 23 18:13:51 mailgate postfix/qmgr[785]: 0C3F9E11A1: removed

CPU is screaming; the following is from my Proxmox VE head node:
[screenshot: tired2.JPG]
This is from inside my Mail Gateway VM admin panel:
[screenshot: tired3.JPG]
 
Yeah, can't figure it out; my guess is that our domain fell victim to some sort of NDR spoofing attack?

I'm just baffled because there's no "from" address, and it's just coming straight from my Exchange server in hordes. I tried setting up some filter rules for it by matching the "to" field to the supplier@mail.domain.tld account, but it doesn't seem to be marking them as spam.
 
Maybe the Exchange has been compromised, or some compromised client is sending spam through the Exchange.
Will the usage go back to normal if you block or disable the Exchange's outgoing connection to PMG?
 