Open relay??? Or where do these log entries come from

TFrenz

Member
May 13, 2020
Hello, I'm seeing some strange mails in the syslog.
My domain isn't contained in them, though.
Where could this be coming from?

Feb 19 17:15:42 mta postfix/qmgr[71149]: 9186021624: from=<>, size=5236, nrcpt=1 (queue active)
Feb 19 17:15:42 mta postfix/qmgr[71149]: 913F421522: from=<>, size=9344, nrcpt=1 (queue active)
Feb 19 17:15:42 mta postfix/qmgr[71149]: 300D8215A6: from=<>, size=6055, nrcpt=1 (queue active)
Feb 19 17:15:42 mta postfix/qmgr[71149]: B7BD221530: from=<>, size=4127, nrcpt=1 (queue active)
Feb 19 17:15:42 mta postfix/qmgr[71149]: B62272149C: from=<>, size=3939, nrcpt=1 (queue active)
Feb 19 17:15:42 mta postfix/smtp[91668]: connect to mx1.belwue.de[2001:7c0:0:76::2]:25: Network is unreachable
Feb 19 17:15:42 mta postfix/smtp[91667]: connect to mx1.belwue.de[2001:7c0:0:76::2]:25: Network is unreachable
Feb 19 17:15:42 mta postfix/smtp[91667]: connect to mx1.belwue.de[2001:7c0:0:76::1]:25: Network is unreachable
Feb 19 17:15:43 mta postfix/smtp[91667]: Anonymous TLS connection established to mx1.belwue.de[129.143.76.1]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Feb 19 17:15:43 mta postfix/smtp[91668]: Anonymous TLS connection established to mx1.belwue.de[129.143.76.2]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Feb 19 17:15:43 mta postfix/smtp[91668]: 300D8215A6: host mx1.belwue.de[129.143.76.2] said: 451 4.7.1 Ratelimit "from" exceeded (in reply to end of DATA command)
Feb 19 17:15:43 mta postfix/smtp[91668]: connect to mx1.belwue.de[2001:7c0:0:76::1]:25: Network is unreachable
Feb 19 17:15:43 mta postfix/smtp[91667]: 913F421522: host mx1.belwue.de[129.143.76.1] said: 451 4.7.1 Ratelimit "from" exceeded (in reply to end of DATA command)
Feb 19 17:15:43 mta postfix/smtp[91668]: Anonymous TLS connection established to mx1.belwue.de[129.143.76.1]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Feb 19 17:15:43 mta postfix/smtp[91667]: Anonymous TLS connection established to mx1.belwue.de[129.143.76.2]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Feb 19 17:15:43 mta postfix/smtp[91667]: 913F421522: to=<hftmobil@hft-stuttgart.de>, relay=mx1.belwue.de[129.143.76.2]:25, delay=8855, delays=8854/0.02/0.45/0.06, dsn=4.7.1, status=deferred (host mx1.belwue.de[129.143.76.2] said: 451 4.7.1 Ratelimit "from" exceeded (in reply to end of DATA command))
Feb 19 17:15:43 mta postfix/smtp[91668]: 300D8215A6: to=<hisinone@hft-stuttgart.de>, relay=mx1.belwue.de[129.143.76.1]:25, delay=8719, delays=8719/0.03/0.44/0.06, dsn=4.7.1, status=deferred (host mx1.belwue.de[129.143.76.1] said: 451 4.7.1 Ratelimit "from" exceeded (in reply to end of DATA command))
Feb 19 17:15:46 mta postfix/smtp[91669]: Trusted TLS connection established to one.mail-in.daimler.com[141.113.0.25]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 19 17:15:48 mta postfix/smtp[91669]: B7BD221530: host one.mail-in.daimler.com[141.113.0.25] said: 452 Too many recipients received from the sender (in reply to RCPT TO command)
Feb 19 17:15:48 mta postfix/smtp[91669]: Trusted TLS connection established to two.mail-in.daimler.com[141.113.8.25]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 19 17:15:48 mta postfix/smtp[91669]: B7BD221530: to=<thomas.schlicht@daimler.com>, relay=two.mail-in.daimler.com[141.113.8.25]:25, delay=8858, delays=8852/0.04/6/0.04, dsn=4.0.0, status=deferred (host two.mail-in.daimler.com[141.113.8.25] said: 452 Too many recipients received from the sender (in reply to RCPT TO command))
Feb 19 17:15:50 mta fetchmail[904]: 810 messages (810 seen) for philipp@distlers.de at proxmox0008 (545445569 octets).
Feb 19 17:15:51 mta pmg-smtp-filter[57420]: starting database maintainance
Feb 19 17:15:52 mta pmg-smtp-filter[57420]: end database maintainance (11 ms)
Feb 19 17:15:55 mta postfix/smtp[91666]: 9186021624: to=<windows@communication.microsoft.com>, relay=communication.microsoft.com[191.234.1.49]:25, delay=8789, delays=8776/0.04/12/0, dsn=4.4.2, status=deferred (lost connection with communication.microsoft.com[191.234.1.49] while receiving the initial server greeting)
Feb 19 17:16:12 mta postfix/smtp[91670]: connect to volkswagen-online.de[195.227.143.133]:25: Connection timed out
Feb 19 17:16:12 mta postfix/smtp[91670]: connect to volkswagen-online.de[2a01:4dc0:0:4f00::c3e3:8f85]:25: Network is unreachable
Feb 19 17:16:12 mta postfix/smtp[91670]: B62272149C: to=<volkswagen-we@volkswagen-online.de>, relay=none, delay=8896, delays=8866/0.04/30/0, dsn=4.4.1, status=deferred (connect to volkswagen-online.de[2a01:4dc0:0:4f00::c3e3:8f85]:25: Network is unreachable)
Feb 19 17:16:37 mta pmgdaemon[906]: successful auth for user 'root@pam'
Feb 19 17:17:01 mta CRON[91677]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
Feb 19 17:17:31 mta pmgpolicy[878]: starting policy database maintainance (greylist, rbl)
Feb 19 17:17:31 mta pmgpolicy[878]: end policy database maintainance (9 ms, 0 ms)

MXToolbox says I'm not an open relay.
 
That looks like NDR/bounce messages that the PMG is trying to send to those systems.
That may well be legitimate traffic, but it can also be a sign of a backscatter wave that went through the PMG.

* What is currently in the PMG's queue? (`mailq`)
* Were there, at any point recently, mails from the current recipient addresses (volkswagen-we@volkswagen-online.de, hftmobil@hft-stuttgart.de, ...) to the PMG?

I hope this helps
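An added example (not from this thread or from Proxmox) that applies the reply's reasoning to syslog lines like the excerpt above: it pairs each qmgr entry with the null envelope sender `from=<>` (the hallmark of a DSN/NDR) with the smtp delivery lines for the same queue ID, then summarises which outside domains are receiving bounces, how many are deferred and how old the oldest is. The sample lines are constructed in the same format as the excerpt; queue IDs, hosts and addresses are made up.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the thread's syslog excerpt;
# queue IDs, hosts and addresses are made up.
SAMPLE_LOG = """\
Feb 19 17:15:42 mta postfix/qmgr[71149]: 9186021624: from=<>, size=5236, nrcpt=1 (queue active)
Feb 19 17:15:42 mta postfix/qmgr[71149]: 913F421522: from=<>, size=9344, nrcpt=1 (queue active)
Feb 19 17:15:42 mta postfix/qmgr[71149]: AB12345678: from=<alice@example.org>, size=1200, nrcpt=1 (queue active)
Feb 19 17:15:43 mta postfix/smtp[91667]: 913F421522: to=<user1@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=8855, delays=8854/0.02/0.45/0.06, dsn=4.7.1, status=deferred (host mx.example.net[192.0.2.10] said: 451 4.7.1 Ratelimit "from" exceeded (in reply to end of DATA command))
Feb 19 17:15:55 mta postfix/smtp[91666]: 9186021624: to=<user2@example.com>, relay=none, delay=8789, delays=8776/0.04/12/0, dsn=4.4.1, status=deferred (connect to mx.example.com[192.0.2.20]:25: Connection timed out)
Feb 19 17:15:56 mta postfix/smtp[91666]: AB12345678: to=<bob@example.com>, relay=mx.example.com[192.0.2.20]:25, delay=1.2, delays=0.5/0.04/0.6/0.06, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""
# qmgr line: queue ID plus envelope sender; an empty sender (from=<>) marks a DSN/NDR
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")
# smtp line: one delivery attempt for that queue ID
SMTP_RE = re.compile(r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>, "
                     r"relay=[^,]+, delay=(?P<delay>[\d.]+),.*?status=(?P<status>\w+)")

def parse_senders(log_text):
    """Map queue ID -> envelope sender from the qmgr 'queue active' lines."""
    return {m.group("qid"): m.group("sender")
            for m in map(QMGR_RE.search, log_text.splitlines()) if m}

def null_sender_deliveries(log_text):
    """Delivery attempts that belong to null-sender (bounce) messages."""
    senders = parse_senders(log_text)
    hits = []
    for m in map(SMTP_RE.search, log_text.splitlines()):
        # skip real senders and queue IDs whose qmgr line is not in this excerpt
        if not m or senders.get(m.group("qid")) != "":
            continue
        rcpt = m.group("rcpt")
        hits.append({"qid": m.group("qid"), "rcpt": rcpt,
                     "domain": rcpt.rsplit("@", 1)[-1].lower(),
                     "delay": float(m.group("delay")), "status": m.group("status")})
    return hits

def backscatter_summary(log_text):
    """Bounces per outside domain, how many are deferred and how old the oldest is.
    Many domains receiving bounces nobody inside mailed, all deferred for hours,
    is the backscatter pattern described in the reply above."""
    hits = null_sender_deliveries(log_text)
    return {"bounces": len(hits),
            "deferred": sum(h["status"] == "deferred" for h in hits),
            "oldest_delay_s": max((h["delay"] for h in hits), default=0.0),
            "per_domain": dict(Counter(h["domain"] for h in hits))}
```

Run it over `/var/log/syslog` (or `journalctl -u postfix` output) instead of `SAMPLE_LOG` and compare the per-domain list with `mailq`: domains that appear here but never sent you mail are the ones the reply asks about.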
 
