Mail from several client senders is being filtered as spam and placed in the Junk folder.

The mail server has WHITELISTDNSNAME=1 enabled, and I added these domains, e.g. 【coship.com】, to whitelist_dnsname in the database, but mail from these domains is still being put into the Junk folder.

In this situation, how should I configure things so that mail from these domains is not filtered?

Below is the server log for one of the messages that was filtered as spam:

Nov 10 14:52:22 rojao postfix/smtpd[32464]: connect from unknown[210.75.11.146]
Nov 10 14:52:22 rojao postfix/smtpd[32464]: SSL_accept error from unknown[210.75.11.146]: 0
Nov 10 14:52:22 rojao postfix/smtpd[32464]: warning: TLS library problem: 32464:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1053:SSL alert number 46:
Nov 10 14:52:22 rojao postfix/smtpd[32464]: lost connection after STARTTLS from unknown[210.75.11.146]
Nov 10 14:52:22 rojao postfix/smtpd[32464]: disconnect from unknown[210.75.11.146]
Nov 10 14:52:22 rojao postfix/smtpd[32464]: connect from unknown[210.75.11.146]
Nov 10 14:52:22 rojao postfix/trivial-rewrite[32461]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Nov 10 06:52:22 rojao policyd: connection from: 127.0.0.1 port: 41079 slots: 0 of 2044 used
Nov 10 06:52:22 rojao policyd: rcpt=400, whitelist=update, host=210.75.11.146 (unknown), from=AA@coship.com, to=BB@rojao.cn, size=0
Nov 10 14:52:22 rojao postfix/smtpd[32464]: 4C2B69A59E7: client=unknown[210.75.11.146]
Nov 10 14:52:22 rojao postfix/trivial-rewrite[32461]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Nov 10 06:52:22 rojao policyd: rcpt=401, whitelist=update, host=210.75.11.146 (unknown), from=AA@coship.com, to=CC@rojao.cn, size=0
Nov 10 14:52:22 rojao postfix/cleanup[32467]: 4C2B69A59E7: message-id=<747385B835A34AB8B2A90D3C8FC7B87A@rd.coship.pri>
Nov 10 14:52:22 rojao postfix/qmgr[2891]: 4C2B69A59E7: from=<AA@coship.com>, size=51024, nrcpt=2 (queue active)
Nov 10 14:52:22 rojao postfix/smtpd[32464]: disconnect from unknown[210.75.11.146]
Nov 10 14:52:27 rojao postfix/smtpd[32473]: connect from rojao.cn[127.0.0.1]
Nov 10 14:52:27 rojao postfix/trivial-rewrite[32461]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Nov 10 14:52:27 rojao postfix/smtpd[32473]: 704589A59EA: client=rojao.cn[127.0.0.1]
Nov 10 14:52:27 rojao postfix/trivial-rewrite[32461]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Nov 10 14:52:27 rojao postfix/cleanup[32467]: 704589A59EA: message-id=<747385B835A34AB8B2A90D3C8FC7B87A@rd.coship.pri>
Nov 10 14:52:27 rojao postfix/qmgr[2891]: 704589A59EA: from=<AA@coship.com>, size=51697, nrcpt=2 (queue active)
Nov 10 14:52:27 rojao postfix/smtpd[32473]: disconnect from rojao.cn[127.0.0.1]
Nov 10 14:52:27 rojao postfix/trivial-rewrite[32461]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Nov 10 14:52:27 rojao postfix/trivial-rewrite[32461]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Nov 10 14:52:27 rojao amavis[30492]: (30492-17) Passed SPAMMY, LOCAL [210.75.11.146] [210.75.11.146] <AA@coship.com> -> <CC@rojao.cn>,<BB@rojao.cn>, Message-ID: <747385B835A34AB8B2A90D3C8FC7B87A@rd.coship.pri>, mail_id: GOMrh6xrUySr, Hits: 6.52, size: 51023, queued_as: 704589A59EA, 5005 ms
Nov 10 14:52:27 rojao postfix/smtp[32468]: 4C2B69A59E7: to=<CC@rojao.cn>, relay=localhost[127.0.0.1]:10024, delay=5.2, delays=0.18/0.01/0/5, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=30492-17, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 704589A59EA)
Nov 10 14:52:27 rojao postfix/smtp[32468]: 4C2B69A59E7: to=<BB@rojao.cn>, relay=localhost[127.0.0.1]:10024, delay=5.2, delays=0.18/0.01/0/5, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=30492-17, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 704589A59EA)
Nov 10 14:52:27 rojao postfix/qmgr[2891]: 4C2B69A59E7: removed
Nov 10 14:52:27 rojao postfix/pipe[32475]: 704589A59EA: to=<BB@rojao.cn>, relay=dovecot, delay=0.04, delays=0.01/0.02/0/0.01, dsn=2.0.0, status=sent (delivered via dovecot service)
Nov 10 14:52:27 rojao postfix/pipe[32474]: 704589A59EA: to=<CC@rojao.cn>, relay=dovecot, delay=0.04, delays=0.01/0.01/0/0.02, dsn=2.0.0, status=sent (delivered via dovecot service)
Nov 10 14:52:27 rojao postfix/qmgr[2891]: 704589A59EA: removed


Below are the raw headers of the message as seen in the mail client:
X-Uidl: 000003e74c3f1a7a&&mail.rojao.cn
Return-Path: <AA@coship.com>
Delivered-To: BB@rojao.cn
Received: from localhost (rojao.cn [127.0.0.1])
    by rojao.cn (iRedMail) with ESMTP id 704589A59EA;
    Wed, 10 Nov 2010 14:52:27 +0800 (CST)
X-Virus-Scanned: amavisd-new at rojao.cn
X-Spam-Flag: YES
X-Spam-Score: 6.52
X-Spam-Level: ******
X-Spam-Status: Yes, score=6.52 tagged_above=2 required=6.2 tests=[AM:BOOST=-3,
    AWL=0.202, DNS_FROM_OPENWHOIS=2.431, FH_DATE_PAST_20XX=3.384,
    HTML_FONT_FACE_BAD=0.606, HTML_MESSAGE=0.001, MIME_BASE64_TEXT=2.796,
    RDNS_NONE=0.1] autolearn=no
Received: from rojao.cn ([127.0.0.1])
    by localhost (rojao.cn [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id GOMrh6xrUySr; Wed, 10 Nov 2010 14:52:22 +0800 (CST)
X-Original-Helo: omail.coship.com (iRedMail: http://www.iredmail.org/)
X-Original-Helo: omail.coship.com (iRedMail: http://www.iredmail.org/)
Received: from omail.coship.com (unknown [210.75.11.146])
    by rojao.cn (iRedMail) with ESMTP id 4C2B69A59E7;
    Wed, 10 Nov 2010 14:52:22 +0800 (CST)
Received: from [192.168.99.233] by omail.coship.com with surfront esmtp id 430712132957970;
    Wed, 10 Nov 2010 14:56:27 +0800 (CST)
Received: from C901235A ([10.10.100.16])
          by omail.coship.com (Lotus Domino Release 7.0.2)
          with ESMTP id 2010111014531204-415780 ;
          Wed, 10 Nov 2010 14:53:12 +0800
Message-ID: <747385B835A34AB8B2A90D3C8FC7B87A@rd.coship.pri>
From:
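The log and headers above show two separate filtering layers at work: policyd logs `whitelist=update` for the connecting host 210.75.11.146, so the policyd whitelist did apply, yet amavisd-new still reports `Passed SPAMMY` with `Hits: 6.52` and sets `X-Spam-Flag: YES`. The policyd whitelist governs policyd's own SMTP-time checks (greylisting, throttling); the spam score comes from SpamAssassin running inside amavisd, which the policyd tables do not influence. The script below is an added example, not code from the thread or from iRedMail, amavisd-new or SpamAssassin: it unfolds the X-Spam-Status header quoted in the post and shows which rules carried the score past `required`. In this header the largest contributor is FH_DATE_PAST_20XX, the SpamAssassin rule that fired on every message dated 2010 or later until the rule set was updated; without it the message would have scored 3.136, below the 6.2 threshold.

```python
"""Added example for this thread (not iRedMail, amavisd-new or SpamAssassin
code): unfold an X-Spam-Status header and show which rules carried the
score past the 'required' threshold.  HEADER is the header quoted in the
post above; the field names follow amavisd-new's header format."""
import re
from typing import Dict, List, Tuple

HEADER = """X-Spam-Status: Yes, score=6.52 tagged_above=2 required=6.2 tests=[AM:BOOST=-3,
    AWL=0.202, DNS_FROM_OPENWHOIS=2.431, FH_DATE_PAST_20XX=3.384,
    HTML_FONT_FACE_BAD=0.606, HTML_MESSAGE=0.001, MIME_BASE64_TEXT=2.796,
    RDNS_NONE=0.1] autolearn=no"""

NUM = r"(-?\d+(?:\.\d+)?)"


def unfold(raw: str) -> str:
    """Join RFC 5322 folded continuation lines (leading whitespace) into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)


def parse_spam_status(raw: str) -> Dict:
    """Return flag, score, thresholds and per-rule scores of an X-Spam-Status header."""
    text = unfold(raw)
    flag = re.search(r"X-Spam-Status:\s*(Yes|No)", text, re.I)
    score = re.search(r"\bscore=" + NUM, text)
    required = re.search(r"\brequired=" + NUM, text)
    tagged = re.search(r"\btagged_above=" + NUM, text)
    tests = re.search(r"tests=\[(.*?)\]", text)
    if not (flag and score and required and tests):
        raise ValueError("not a recognisable amavisd-new X-Spam-Status header")
    rules: Dict[str, float] = {}
    for item in tests.group(1).split(","):
        name, _, value = item.strip().partition("=")
        if name:
            rules[name] = float(value)
    return {
        "is_spam": flag.group(1).lower() == "yes",
        "score": float(score.group(1)),
        "required": float(required.group(1)),
        "tagged_above": float(tagged.group(1)) if tagged else None,
        "rules": rules,
    }


def rule_contributions(rules: Dict[str, float]) -> List[Tuple[str, float]]:
    """Rules sorted by how much they added to the score, largest first."""
    return sorted(rules.items(), key=lambda kv: kv[1], reverse=True)


def score_without(info: Dict, rule: str) -> float:
    """Score the message would have had if one rule had not fired."""
    return round(info["score"] - info["rules"].get(rule, 0.0), 3)


def explain(info: Dict) -> str:
    """Human-readable breakdown: verdict, per-rule contributions, top-rule what-if."""
    lines = [f"score {info['score']} vs required {info['required']} -> "
             f"{'SPAM' if info['is_spam'] else 'not spam'}"]
    for name, value in rule_contributions(info["rules"]):
        lines.append(f"  {name:<22}{value:+.3f}")
    top = rule_contributions(info["rules"])[0][0]
    lines.append(f"without {top}: {score_without(info, top)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(explain(parse_spam_status(HEADER)))
```

Whitelisting a sender at the scoring layer therefore has to be done where the score is computed (amavisd-new's sender whitelist or SpamAssassin's `whitelist_from`), or the rules that are misfiring have to be updated; the policyd entry on its own changes nothing in this header.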

Thanks ZhangHuangbin, it really was that problem: user BB had set up a forwarding rule, and it forwarded to himself. Oops.

The second message was indeed because "SMTP requires authentication" was not selected when sending.

Solved!!!

Mail sent from AA@mydomain.cn to BB@mydomain.cn gets bounced, while mail to other users works fine. Here is the log; where is the problem?

Nov  3 14:45:43 rojao postfix/smtpd[8062]: connect from unknown[58.62.82.235]
Nov  3 14:45:43 rojao postfix/smtpd[8062]: 905239A59DC: client=unknown[58.62.82.235], sasl_method=LOGIN, sasl_username=AA@mydomain.cn
Nov  3 14:45:43 rojao postfix/cleanup[8065]: 905239A59DC: message-id=<201011031445479539481@mydomain.cn>
Nov  3 14:45:43 rojao postfix/qmgr[2891]: 905239A59DC: from=<AA@mydomain.cn>, size=5023, nrcpt=1 (queue active)
Nov  3 14:45:43 rojao postfix/smtpd[8062]: disconnect from unknown[58.62.82.235]
Nov  3 14:45:46 rojao postfix/smtpd[8070]: connect from mydomain.cn[127.0.0.1]
Nov  3 14:45:46 rojao postfix/trivial-rewrite[8064]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Nov  3 14:45:46 rojao postfix/trivial-rewrite[8064]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Nov  3 14:45:46 rojao postfix/smtpd[8070]: 367C89A59E2: client=mydomain.cn[127.0.0.1]
Nov  3 14:45:46 rojao postfix/cleanup[8065]: 367C89A59E2: message-id=<201011031445479539481@mydomain.cn>
Nov  3 14:45:46 rojao postfix/qmgr[2891]: 367C89A59E2: from=<AA@mydomain.cn>, size=5860, nrcpt=1 (queue active)
Nov  3 14:45:46 rojao postfix/trivial-rewrite[8064]: warning: do not list domain mydomain.cn in BOTH mydestination and virtual_mailbox_domains
Nov  3 14:45:46 rojao postfix/smtpd[8070]: disconnect from mydomain.cn[127.0.0.1]
Nov  3 14:45:46 rojao amavis[4944]: (04944-18) Passed CLEAN, LOCAL [58.62.82.235] [58.62.82.235] <AA@mydomain.cn> -> <BB@mydomain.cn>, Message-ID: <201011031445479539481@mydomain.cn>, mail_id: SLyia95mVqKM, Hits: -1.388, size: 5023, queued_as: 367C89A59E2, 2522 ms
Nov  3 14:45:46 rojao postfix/smtp[8067]: 905239A59DC: to=<BB@mydomain.cn>, relay=localhost[127.0.0.1]:10024, delay=2.7, delays=0.14/0.01/0/2.5, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=04944-18, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 367C89A59E2)
Nov  3 14:45:46 rojao postfix/qmgr[2891]: 905239A59DC: removed
Nov  3 14:45:46 rojao postfix/pickup[7532]: 3E9119A59E4: uid=500 from=<AA@mydomain.cn>
Nov  3 14:45:46 rojao postfix/cleanup[8065]: 3E9119A59E4: message-id=<201011031445479539481@mydomain.cn>
Nov  3 14:45:46 rojao postfix/pipe[8071]: 367C89A59E2: to=<BB@mydomain.cn>, relay=dovecot, delay=0.04, delays=0/0.01/0/0.02, dsn=2.0.0, status=sent (delivered via dovecot service)
Nov  3 14:45:46 rojao postfix/qmgr[2891]: 367C89A59E2: removed
Nov  3 14:45:46 rojao postfix/qmgr[2891]: 3E9119A59E4: from=<AA@mydomain.cn>, size=5994, nrcpt=1 (queue active)
Nov  3 14:45:46 rojao postfix/pipe[8071]: 3E9119A59E4: to=<BB@mydomain.cn>, relay=dovecot, delay=0.02, delays=0.01/0/0/0.01, dsn=5.4.6, status=bounced (mail forwarding loop for BB@mydomain.cn)
Nov  3 14:45:46 rojao postfix/cleanup[8065]: 423E69A59E2: message-id=<20101103064546.423E69A59E2@mydomain.cn>
Nov  3 14:45:46 rojao postfix/qmgr[2891]: 423E69A59E2: from=<>, size=7610, nrcpt=1 (queue active)
Nov  3 14:45:46 rojao postfix/bounce[8075]: 3E9119A59E4: sender non-delivery notification: 423E69A59E2
Nov  3 14:45:46 rojao postfix/trivial-rewrite[8064]: warning: do not list domain mydomain.cn in BOTH mydestination and virtual_mailbox_domains
Nov  3 14:45:46 rojao postfix/qmgr[2891]: 3E9119A59E4: removed
Nov  3 14:45:46 rojao postfix/pipe[8071]: 423E69A59E2: to=<AA@mydomain.cn>, relay=dovecot, delay=0.01, delays=0/0/0/0.01, dsn=2.0.0, status=sent (delivered via dovecot service)
Nov  3 14:45:46 rojao postfix/qmgr[2891]: 423E69A59E2: removed
Nov  3 14:46:18 rojao roundcube: [03-Nov-2010 14:46:18 +0800]: Successful login for BB@mydomain.cn (id 24) from 58.62.82.235
Nov  3 14:47:08 rojao postfix/smtpd[8062]: connect from unknown[58.62.82.235]
Nov  3 14:47:08 rojao postfix/trivial-rewrite[8123]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Nov  3 14:47:08 rojao postfix/smtpd[8062]: NOQUEUE: reject: RCPT from unknown[58.62.82.235]: 553 5.7.1 <AA@mydomain.cn>: Sender address rejected: not logged in; from=<AA@mydomain.cn> to=<BB@mydomain.cn> proto=SMTP helo=<T61>
Nov  3 14:47:08 rojao postfix/smtpd[8062]: lost connection after RCPT from unknown[58.62.82.235]
Nov  3 14:47:08 rojao postfix/smtpd[8062]: disconnect from unknown[58.62.82.235]


I found that the problem is in this line:
Nov  3 14:47:08 rojao postfix/smtpd[8062]: NOQUEUE: reject: RCPT from unknown[58.62.82.235]: 553 5.7.1 <AA@mydomain.cn>: Sender address rejected: not logged in; from=<AA@mydomain.cn> to=<BB@mydomain.cn> proto=SMTP helo=<T61>
"Sender address rejected:": why would the sender address be rejected?? The same sender sending to other people works fine; only mail to BB gets bounced. Where could the problem be??

carlkyo wrote:

brucemioo
Does your iredmail work with Outlook and similar clients for sending and receiving?
I don't know why
mine doesn't work ~"~
    Unrecognized warning:
         TLS library problem: 27222:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1086:SSL alert number 48: : 1 Time(s)

    **Unmatched Entries**

    lost connection after DATA (0 bytes) from unknown[17.7.160.196]
    lost connection after DATA (0 bytes) from unknown[185.24.25.26]
    NOQUEUE: reject: RCPT from unknown[110.25.170.75]: 553 5.7.1 <cap@simpo.com>: Sender address rejected: not logged in; from=<cap@simpo.com> to=<cap@simpo.com> proto=SMTP helo=<hpc>
    NOQUEUE: reject: RCPT from unknown[112.90.9.120]: 553 5.7.1 <cap@simpo.com>: Sender address rejected: not logged in; from=<cap@simpo.com> to=<cap@simpo.com> proto=SMTP helo=<hpc>
    NOQUEUE: reject: RCPT from unknown[112.90.9.120]: 553 5.7.1 <cap@simpo.com>: Sender address rejected: not logged in; from=<cap@simpo.com> to=<cap@simpo.com> proto=SMTP helo=<hpc>
    lost connection after DATA (0 bytes) from unknown[21.5.109.3]
    lost connection after DATA (0 bytes) from unknown[21.138.92.24]
    lost connection after DATA (0 bytes) from unknown[41.200.166.80]
    lost connection after DATA (0 bytes) from unknown[110.139.72.210]
    lost connection after DATA (0 bytes) from unknown[180.180.210.23]
    lost connection after DATA (0 bytes) from unknown[189.136.46.201]
    lost connection after DATA (0 bytes) from unknown[189.218.202.37]
    lost connection after DATA (0 bytes) from unknown[189.218.202.37]
    lost connection after DATA (0 bytes) from unknown[10.162.126.230]
    NOQUEUE: reject: RCPT from unknown[11.90.9.120]: 553 5.7.1 <cap@simpo.com>: Sender address rejected: not logged in; from=<cap@simpo.com>



Mate, nobody here is using Outlook to send and receive mail at the moment, so I can't answer your question for now; I'll find an Outlook and try it.

First, being lazy or not has nothing to do with it. Since I'm not especially familiar with iRedMail, when a problem like this comes up, naturally the first thought is to come here for help.

Second, I searched for "Sender address rejected: not logged in", and it basically has nothing to do with my situation. My mail system currently sends and receives normally; it's just that some users keep receiving delivery-failure notifications for mail they never sent, and most of those failed messages have the subject "发送hao的金蛋" ("golden egg sent to hao").

I haven't looked at backscatter carefully yet, but thanks anyway to ZhangHuangbin for the pointers.

Yesterday I changed the mail client and the mail account passwords, and today I found there are still records of that "送给hao的金蛋" spam being sent out. Ugh.

It looks like it really is a system security problem; someone has broken in.

In my security log I can indeed see several thousand password login attempts per day, but I haven't seen any log entry of a successful login yet.

I now suspect that some of the modules installed by iRedMail may have a vulnerability in their configuration, because my configuration basically followed the material found online. I don't know whether there is some security patch or setting I missed or overlooked. If anyone knows or has experience in this area, please give me some pointers; much appreciated!!

My iRedMail is version 0.6.0, with Roundcube installed as webmail, PostfixAdmin enabled to manage users, nothing else turned on, and MySQL as the database. Where could a security vulnerability exist in such a setup??

Now it looks more likely that a mail client is infected!

Another thing that puzzles me a lot is that the account hyujrf@rojao.cn does not exist on my mail server, yet maillog has many entries of this account sending spam. The more likely explanation is that after a client got infected, the spam it sent out simply had this account as the sender address, so the account doesn't actually exist on the system, but maillog has many entries for it.

Looks like I should start by checking the mail clients.

tao wrote:
brucemioo wrote:

Recently many users in the domain have reported that their mail accounts keep receiving "delivery failed" mail from the mail server; the subjects are mostly "发送给hao的金蛋" ("golden egg sent to hao"), but the users never actually sent those messages, and there is no record of them in the sending logs or history.

Here is the content of one of the failure messages:
This is the mail system at host rojao.cn.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

<ouchaoyi@21cn.com>: host mta.21cn.com[59.36.102.50] said: 550
    (ID:10.27.2.3-1287555615-51245-AB/11-16399-F1A8EBC4) No such user on
    Inbound SMTP server 233! (in reply to RCPT TO command)

There are many similar messages; only the recipients differ.

Everyone, what is going on here? Has the system been hacked?

My mail server has the same situation, for about a week now. I hadn't paid much attention to it; now I need to look into it! Which version of iRedMail are you using?


0.6.0

Taking everything into account, it now looks like someone has "hijacked" my mail server as a "spam generator", i.e. they are sending spam out through the normal user accounts of my mail server, which is why the legitimate mail users receive those delivery-failure returns for the spam.

The harder problem now is: how do I find, trace and fix this?

The system is RedHat Linux 5, and I'm rather lacking in Linux security knowledge, so I'd ask the experts in this area for help.

Below is the whitelist information in the database. This data was initialised at install time, right? Are there any records that are not from the initialisation??


mysql> select * from whitelist ;
+-----------------+--------------------------------------------------------------+------------+
| _whitelist      | _description                                                 | _expire    |
+-----------------+--------------------------------------------------------------+------------+
| 127.%.%.%       | # localhost                                                  |          0 |
| 192.168.%.%     | # private netblock                                           |          0 |
| 10.%.%.%        | # private netblock                                           |          0 |
| 12.5.136.141    | # Southwest Airlines (unique sender, no retry)               |          0 |
| 12.5.136.142    | # Southwest Airlines (unique sender, no retry)               |          0 |
| 12.107.209.244  | # kernel.org mailing lists (high traffic, unique sender per  |          0 |
| 12.107.209.250  | # sourceware.org mailing lists (high traffic, unique sender  |          0 |
| 63.82.37.110    | # SLmail                                                     |          0 |
| 64.7.153.18     | # sentex.ca (common pool)                                    |          0 |
| 64.12.137.%     | # AOL (common pool) - http://postmaster.aol.com/servers/imo. |          0 |
| 64.12.138.%     | # AOL (common pool)                                          |          0 |
| 64.124.204.39   | # moveon.org (unique sender per attempt)                     |          0 |
| 64.125.132.254  | # collab.net (unique sender per attempt)                     |          0 |
| 64.233.170.%    | # gmail (common server pool)                                 |          0 |
| 65.82.241.160   | # Groupwise?                                                 |          0 |
| 66.100.210.82   | # Groupwise?                                                 |          0 |
| 66.135.209.%    | # Ebay (for time critical alerts)                            |          0 |
| 66.135.197.%    | # Ebay (common pool)                                         |          0 |
| 66.162.216.166  | # Groupwise?                                                 |          0 |
| 66.206.22.82    | # PLEXOR                                                     |          0 |
| 66.206.22.83    | # PLEXOR                                                     |          0 |
| 66.206.22.84    | # PLEXOR                                                     |          0 |
| 66.206.22.85    | # PLEXOR                                                     |          0 |
| 66.218.66.%     | # Yahoo Groups servers (common pool, no retry)               |          0 |
| 66.218.67.%     | # Yahoo Groups servers (common pool, no retry)               |          0 |
| 66.218.69.%     | # Yahoo Groups servers (common pool, no retry)               |          0 |
| 66.27.51.218    | # ljbtc.com (Groupwise)                                      |          0 |
| 66.89.73.101    | # Groupwise?                                                 |          0 |
| 68.15.115.88    | # Groupwise?                                                 |          0 |
| 194.245.101.88  | # Joker.com (email forwarding server)                        |          0 |
| 195.235.39.19   | # Tid InfoMail Exchanger v2.20                               |          0 |
| 195.238.2.105   | # skynet.be (wierd retry pattern)                            |          0 |
| 195.238.2.124   | # skynet.be (common pool)                                    |          0 |
| 195.238.3.12    | # skynet.be (common pool)                                    |          0 |
| 195.238.3.13    | # skynet.be (common pool)                                    |          0 |
| 204.60.8.162    | # Groupwise?                                                 |          0 |
| 204.107.120.10  | # Ameritrade (no retry)                                      |          0 |
| 205.188.139.136 | # AOL (common pool)                                          |          0 |
| 205.188.139.137 | # AOL (common pool)                                          |          0 |
| 205.188.144.207 | # AOL (common pool)                                          |          0 |
| 205.188.144.208 | # AOL (common pool)                                          |          0 |
| 205.188.156.66  | # AOL (common pool)                                          |          0 |
| 205.188.157.%   | # AOL (common pool)                                          |          0 |
| 205.188.159.7   | # AOL (common pool)                                          |          0 |
| 205.206.231.%   | # SecurityFocus.com (unique sender per attempt)              |          0 |
| 205.211.164.50  | # sentex.ca (common pool)                                    |          0 |
| 207.115.63.%    | # Prodigy (broken software that retries continually with no  |          0 |
| 207.171.168.%   | # Amazon.com (common pool)                                   |          0 |
| 207.171.180.%   | # Amazon.com (common pool)                                   |          0 |
| 207.171.187.%   | # Amazon.com (common pool)                                   |          0 |
| 207.171.188.%   | # Amazon.com (common pool)                                   |          0 |
| 207.171.190.%   | # Amazon.com (common pool)                                   |          0 |
| 213.136.52.31   | # Mysql.com (unique sender)                                  |          0 |
| 216.136.226.0   | # Yahoo Mail?                                                |          0 |
| 216.157.204.5   | # Groupwise?                                                 |          0 |
| 217.158.50.178  | # AXKit mailing list (unique sender per attempt)             |          0 |
| 209.237.227.%   | # SpamAssassin mailing list                                  |          0 |
| 66.35.250.%     | # lists.sourceforge.net                                      |          0 |
| 196.25.240.%    | # saix.net                                                   |          0 |
| 196.4.160.%     | # internet solutions (business smtp)                         |          0 |
| 196.35.77.%     | # internet solutions (dialup smtp)                           |          0 |
| 196.25.69.%     | # telkom                                                     |          0 |
| 196.2.50.%      | # mweb (dialup smtp)                                         |          0 |
| 196.2.49.%      | # mweb (business smtp)                                       |          0 |
| 196.2.24.%      | # mweb (business smtp)                                       |          0 |
| 220.181.13.174  | # autowhitelisted host                                       | 1280893202 |
| 116.254.203.60  | # autowhitelisted host                                       | 1281490617 |
| 220.181.12.11   | # autowhitelisted host                                       | 1281605003 |
| 119.147.10.244  | # autowhitelisted host                                       | 1281684453 |
| 211.150.67.10   | # autowhitelisted host                                       | 1281938021 |
| 220.181.13.40   | # autowhitelisted host                                       | 1281950081 |
| 211.150.100.26  | # autowhitelisted host                                       | 1282576219 |
| 220.181.15.5    | # autowhitelisted host                                       | 1282808364 |
| 220.181.13.113  | # autowhitelisted host                                       | 1283144306 |
| 220.181.12.12   | # autowhitelisted host                                       | 1283424245 |
| 123.125.50.111  | # autowhitelisted host                                       | 1283486536 |
| 119.147.10.226  | # autowhitelisted host                                       | 1283495975 |
| 210.51.25.227   | # autowhitelisted host                                       | 1283744805 |
| 220.181.15.134  | # autowhitelisted host                                       | 1283828790 |
| 211.150.67.12   | # autowhitelisted host                                       | 1283830432 |
| 220.181.13.193  | # autowhitelisted host                                       | 1283837813 |
| 220.181.15.138  | # autowhitelisted host                                       | 1284458437 |
| 119.147.10.233  | # autowhitelisted host                                       | 1284540118 |
| 220.181.13.172  | # autowhitelisted host                                       | 1284609339 |
| 116.228.35.190  | # autowhitelisted host                                       | 1285147946 |
| 220.181.15.89   | # autowhitelisted host                                       | 1285313938 |
| 123.125.50.110  | # autowhitelisted host                                       | 1285641728 |
| 211.150.67.16   | # autowhitelisted host                                       | 1286000309 |
| 116.213.96.125  | # autowhitelisted host                                       | 1286008392 |
| 220.181.13.176  | # autowhitelisted host                                       | 1286076968 |
| 220.181.15.74   | # autowhitelisted host                                       | 1286239501 |
| 220.181.12.14   | # autowhitelisted host                                       | 1286333837 |
| 220.181.13.189  | # autowhitelisted host                                       | 1287118637 |
| 119.147.10.250  | # autowhitelisted host                                       | 1287310347 |
| 123.125.50.135  | # autowhitelisted host                                       | 1287643547 |
| 220.181.13.31   | # autowhitelisted host                                       | 1287664553 |
| 202.108.3.163   | # autowhitelisted host                                       | 1287714334 |
| 58.60.63.22     | # autowhitelisted host                                       | 1288076509 |
+-----------------+--------------------------------------------------------------+------------+


mysql> select * from whitelist_dnsname;                                                                                           
+-------------+----------------------------------------------------+---------+
| _whitelist  | _description                                       | _expire |
+-------------+----------------------------------------------------+---------+
| bigfish.com | # bigfish.com has smtp servers behind multiple ips |       0 |
+-------------+----------------------------------------------------+---------+
1 row in set (0.00 sec)

The problem is that the users of my mail system did not send these messages; of that I'm certain!
From the sending times and IP addresses, one can see that those messages were not sent by the owners of the accounts.

Among them, the account hyujrf@rojao.cn does not exist on my mail server. Could someone have created this account, sent spam and then deleted the account? If so, the system should have log records of it, but I haven't found any such log entries.

In the system security log I can see countless attempts to log in to the mail system, but all of them failed.

I just checked the database and didn't find any abnormal records either.

What else could be the cause??
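The two signals the poster is reading by eye, submissions for one account authenticated from several unrelated client IPs and a large share of outbound deliveries bouncing (the backscatter the users are receiving), can be pulled out of maillog mechanically. The script below is an added example, not part of the thread or of iRedMail or Postfix. It ties each `sasl_username` submission to its final deliveries by joining the pre-amavisd and post-amavisd queue IDs through the shared `message-id`, the way the log quoted later in the thread shows them (33D779A59E4 re-queued as F08BC9A59E5), and then flags accounts by IP spread and bounce ratio. SAMPLE_LOG is a constructed sample in that format using documentation IP ranges and example.* domains; the thresholds are assumptions to tune per site.

```python
"""Added example for this thread (not iRedMail or Postfix code): read a Postfix
maillog, tie each authenticated submission (sasl_username + client IP) to its
final deliveries, and flag accounts whose usage pattern looks like a spammer
rather than the owner.  Queue IDs are joined across the amavisd re-injection
hop by message-id.  SAMPLE_LOG is a constructed sample (documentation IPs,
example.* domains), not a real log."""
import re
from collections import defaultdict
from typing import Dict, List

SAMPLE_LOG = """\
Oct 20 14:20:11 mx postfix/smtpd[7054]: 33D779A59E4: client=unknown[203.0.113.7], sasl_method=login, sasl_username=mj@example.cn
Oct 20 14:20:11 mx postfix/cleanup[7060]: 33D779A59E4: message-id=<20101020062011.33D779A59E4@example.cn>
Oct 20 14:20:12 mx postfix/smtp[7064]: 33D779A59E4: to=<ouchaoyi@example.net>, relay=127.0.0.1[127.0.0.1]:10024, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as F08BC9A59E5)
Oct 20 14:20:12 mx postfix/cleanup[7060]: F08BC9A59E5: message-id=<20101020062011.33D779A59E4@example.cn>
Oct 20 14:20:19 mx postfix/smtp[7068]: F08BC9A59E5: to=<ouchaoyi@example.net>, relay=mta.example.net[198.51.100.9]:25, dsn=5.0.0, status=bounced (host mta.example.net[198.51.100.9] said: 550 No such user)
Oct 20 14:31:02 mx postfix/smtpd[7054]: 4A1B29A59E8: client=unknown[198.51.100.44], sasl_method=login, sasl_username=mj@example.cn
Oct 20 14:31:02 mx postfix/cleanup[7060]: 4A1B29A59E8: message-id=<20101020063102.4A1B29A59E8@example.cn>
Oct 20 14:31:03 mx postfix/smtp[7064]: 4A1B29A59E8: to=<jwdx@example.org>, relay=127.0.0.1[127.0.0.1]:10024, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5C2D39A59E9)
Oct 20 14:31:03 mx postfix/cleanup[7060]: 5C2D39A59E9: message-id=<20101020063102.4A1B29A59E8@example.cn>
Oct 20 14:31:09 mx postfix/smtp[7068]: 5C2D39A59E9: to=<jwdx@example.org>, relay=mx.example.org[198.51.100.77]:25, dsn=5.1.1, status=bounced (host mx.example.org said: 550 5.1.1 User unknown)
Oct 20 14:40:11 mx postfix/smtpd[7054]: 6E3F49A59EA: client=unknown[192.0.2.200], sasl_method=login, sasl_username=mj@example.cn
Oct 20 14:40:11 mx postfix/cleanup[7060]: 6E3F49A59EA: message-id=<20101020064011.6E3F49A59EA@example.cn>
Oct 20 14:40:12 mx postfix/smtp[7064]: 6E3F49A59EA: to=<dk@example.com>, relay=127.0.0.1[127.0.0.1]:10024, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 7F4059A59EB)
Oct 20 14:40:12 mx postfix/cleanup[7060]: 7F4059A59EB: message-id=<20101020064011.6E3F49A59EA@example.cn>
Oct 20 14:40:14 mx postfix/smtp[7068]: 7F4059A59EB: to=<dk@example.com>, relay=mx.example.com[192.0.2.25]:25, dsn=2.0.0, status=sent (250 Ok: queued as 41585458)
Oct 20 15:02:30 mx postfix/smtpd[7054]: 8A5169A59EC: client=pc12.example.cn[192.0.2.12], sasl_method=login, sasl_username=hr@example.cn
Oct 20 15:02:30 mx postfix/cleanup[7060]: 8A5169A59EC: message-id=<20101020070230.8A5169A59EC@example.cn>
Oct 20 15:02:31 mx postfix/smtp[7064]: 8A5169A59EC: to=<boss@example.cn>, relay=127.0.0.1[127.0.0.1]:10024, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9B6279A59ED)
Oct 20 15:02:31 mx postfix/cleanup[7060]: 9B6279A59ED: message-id=<20101020070230.8A5169A59EC@example.cn>
Oct 20 15:02:31 mx postfix/pipe[7072]: 9B6279A59ED: to=<boss@example.cn>, relay=dovecot, delay=0.04, dsn=2.0.0, status=sent (delivered via dovecot service)
"""

# Authenticated submission: queue id, client IP, SASL user.
RE_SASL = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=\S+?\[([\d.]+)\].*sasl_username=(\S+)")
# cleanup line: queue id -> message-id (shared by both queue ids of one message).
RE_MSGID = re.compile(r"postfix/cleanup\[\d+\]: (\w+): message-id=<([^>]*)>")
# Delivery attempt: queue id, recipient, relay, final status word.
RE_DELIV = re.compile(r"postfix/(?:smtp|pipe|lmtp)\[\d+\]: (\w+): to=<([^>]*)>, relay=([^,]+),.*status=(\w+)")


def analyze(log_text: str, filter_port: str = "10024") -> Dict[str, Dict]:
    """Per sasl_username: client IPs, message count, final recipients, external and bounced counts."""
    qid_msgid, qid_sasl, deliveries = {}, {}, defaultdict(list)
    for line in log_text.splitlines():
        if m := RE_SASL.search(line):
            qid_sasl[m.group(1)] = (m.group(3), m.group(2))
        elif m := RE_MSGID.search(line):
            qid_msgid[m.group(1)] = m.group(2)
        elif m := RE_DELIV.search(line):
            deliveries[m.group(1)].append((m.group(2), m.group(3), m.group(4)))
    msgid_qids = defaultdict(list)
    for qid, mid in qid_msgid.items():
        msgid_qids[mid].append(qid)
    accounts: Dict[str, Dict] = {}
    for qid, (user, ip) in qid_sasl.items():
        acct = accounts.setdefault(user, {"ips": set(), "messages": 0, "recipients": set(),
                                          "external": 0, "bounced": 0})
        acct["ips"].add(ip)
        acct["messages"] += 1
        own_domain = user.rpartition("@")[2].lower()
        # Follow the message across the content-filter re-injection via message-id.
        for rq in msgid_qids.get(qid_msgid.get(qid), [qid]):
            for rcpt, relay, status in deliveries.get(rq, []):
                if relay.endswith(":" + filter_port):
                    continue  # hop into amavisd, not a final delivery
                acct["recipients"].add(rcpt)
                if rcpt.rpartition("@")[2].lower() != own_domain:
                    acct["external"] += 1
                if status == "bounced":
                    acct["bounced"] += 1
    return accounts


def suspicious(accounts: Dict[str, Dict], max_ips: int = 2, bounce_ratio: float = 0.5) -> Dict[str, List[str]]:
    """Accounts submitting from too many client IPs, or whose outbound mail mostly bounces."""
    flagged: Dict[str, List[str]] = {}
    for user, a in accounts.items():
        reasons = []
        if len(a["ips"]) > max_ips:
            reasons.append(f"{len(a['ips'])} distinct client IPs: {sorted(a['ips'])}")
        if a["recipients"] and a["bounced"] / len(a["recipients"]) >= bounce_ratio:
            reasons.append(f"{a['bounced']} of {len(a['recipients'])} deliveries bounced")
        if reasons:
            flagged[user] = reasons
    return flagged


if __name__ == "__main__":
    for user, reasons in suspicious(analyze(SAMPLE_LOG)).items():
        print(user, "->", "; ".join(reasons))
```

On a live system run `analyze()` over the contents of the real maillog and then lock out and re-credential any flagged account. The default thresholds are only starting points: a user on a laptop will legitimately show a handful of IPs, so the bounce ratio, which reflects the spammer's unverified recipient lists, is usually the stronger of the two signals. Note that sender addresses without a SASL login (such as the non-existent hyujrf@rojao.cn discussed in the thread) never appear in this report, because they were never accepted as submissions.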

I really didn't see anything abnormal in the log. Below are the parts I think look not quite normal; the account "hyujrf@rojao.cn" does not exist on my mail server. Some of the addresses related to the spam:
ouchaoyi@21cn.com
tzjohnson@ketaili.com
anlonchen@linpotech.com
jwdx@zhandou8.com
tzjohnson@ketaili.com
mail.mcit.com.hk
ghetht@telegoal.com.cn
danielkellynr@aol.com
jingchi@vkuw.com
.....
and many more.

Oct 20 14:19:38 rojao postfix/smtpd[7054]: connect from unknown[218.27.126.73]
Oct 20 14:19:38 rojao postfix/trivial-rewrite[7057]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Oct 20 14:19:44 rojao postfix/smtpd[7054]: NOQUEUE: reject: RCPT from unknown[218.27.126.73]: 550 5.1.1 <hyujrf@rojao.cn>: Recipient address rejected: User unknown in local recipient table; from=<postmaster@mail.jl.cn> to=<hyujrf@rojao.cn> proto=SMTP helo=<aimc.com>
Oct 20 14:19:44 rojao postfix/smtpd[7054]: lost connection after RCPT from unknown[218.27.126.73]
Oct 20 14:19:44 rojao postfix/smtpd[7054]: disconnect from unknown[218.27.126.73]
Oct 20 14:20:05 rojao postfix/smtpd[7054]: connect from unknown[218.249.27.69]
Oct 20 14:20:06 rojao postfix/trivial-rewrite[7058]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Oct 20 14:20:11 rojao postfix/smtpd[7054]: 33D779A59E4: client=unknown[218.249.27.69], sasl_method=login, sasl_username=mj@rojao.cn
Oct 20 14:20:11 rojao postfix/cleanup[7060]: 33D779A59E4: message-id=<20101020062011.33D779A59E4@rojao.cn>
Oct 20 14:20:11 rojao postfix/qmgr[2892]: 33D779A59E4: from=<mj@rojao.cn>, size=865, nrcpt=1 (queue active)
Oct 20 14:20:11 rojao postfix/smtpd[7067]: connect from itvhome.cn[127.0.0.1]
Oct 20 14:20:11 rojao postfix/trivial-rewrite[7058]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Oct 20 14:20:11 rojao postfix/smtpd[7067]: F08BC9A59E5: client=itvhome.cn[127.0.0.1]
Oct 20 14:20:11 rojao postfix/cleanup[7060]: F08BC9A59E5: message-id=<20101020062011.33D779A59E4@rojao.cn>
Oct 20 14:20:11 rojao postfix/qmgr[2892]: F08BC9A59E5: from=<mj@rojao.cn>, size=1275, nrcpt=1 (queue active)
Oct 20 14:20:11 rojao postfix/smtpd[7067]: disconnect from itvhome.cn[127.0.0.1]
Oct 20 14:20:11 rojao amavis[6904]: (06904-02) Passed CLEAN, LOCAL [218.249.27.69] [218.249.27.69] <mj@rojao.cn> -> <ouchaoyi@21cn.com>, Message-ID: <20101020062011.33D779A59E4@rojao.cn>, mail_id: ewImxlGWxTMx, Hits: 5.966, size: 864, queued_as: F08BC9A59E5, 670 ms
Oct 20 14:20:12 rojao postfix/smtp[7064]: 33D779A59E4: to=<ouchaoyi@21cn.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=5.9, delays=5.2/0.01/0/0.67, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=06904-02, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as F08BC9A59E5)
Oct 20 14:20:12 rojao postfix/qmgr[2892]: 33D779A59E4: removed
Oct 20 14:20:19 rojao postfix/smtp[7068]: F08BC9A59E5: to=<ouchaoyi@21cn.com>, relay=mta.21cn.com[59.36.102.50]:25, delay=7.8, delays=0/0.01/3.6/4.2, dsn=5.0.0, status=bounced (host mta.21cn.com[59.36.102.50] said: 550 (ID:10.27.2.3-1287555615-51245-AB/11-16399-F1A8EBC4) No such user on Inbound SMTP server 233! (in reply to RCPT TO command))
Oct 20 14:20:19 rojao postfix/cleanup[7060]: CC41E9A59E6: message-id=<20101020062019.CC41E9A59E6@rojao.cn>
Oct 20 14:20:19 rojao postfix/bounce[7071]: F08BC9A59E5: sender non-delivery notification: CC41E9A59E6
Oct 20 14:20:19 rojao postfix/qmgr[2892]: CC41E9A59E6: from=<>, size=3245, nrcpt=1 (queue active)
Oct 20 14:20:19 rojao postfix/trivial-rewrite[7058]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Oct 20 14:20:19 rojao postfix/qmgr[2892]: F08BC9A59E5: removed
Oct 20 14:20:19 rojao postfix/pipe[7072]: CC41E9A59E6: to=<mj@rojao.cn>, relay=dovecot, delay=0.02, delays=0/0.01/0/0.01, dsn=2.0.0, status=sent (delivered via dovecot service)
Oct 20 14:20:19 rojao postfix/qmgr[2892]: CC41E9A59E6: removed
Oct 20 14:21:01 rojao postfix/smtpd[7054]: disconnect from unknown[218.249.27.69]
Oct 20 14:22:17 rojao postfix/smtpd[7054]: connect from unknown[203.198.177.23]
Oct 20 14:22:17 rojao postfix/trivial-rewrite[7084]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Oct 20 06:22:23 rojao policyd: connection from: 127.0.0.1 port: 35808 slots: 0 of 2044 used
Oct 20 06:22:23 rojao policyd: rcpt=4221, greylist=new, host=203.198.177.23 (unknown), from=tzjohnson@ketaili.com, to=mcj@rojao.cn, size=1118
Oct 20 14:22:23 rojao postfix/smtpd[7054]: NOQUEUE: reject: RCPT from unknown[203.198.177.23]: 450 4.7.1 <mcj@rojao.cn>: Recipient address rejected: Policy Rejection- Please try later.; from=<tzjohnson@ketaili.com> to=<mcj@rojao.cn> proto=ESMTP helo=<mail.mcit.com.hk>
Oct 20 14:22:23 rojao postfix/smtpd[7054]: disconnect from unknown[203.198.177.23]
Oct 20 14:22:44 rojao postfix/smtpd[7054]: connect from unknown[124.42.91.132]
Oct 20 14:22:44 rojao postfix/trivial-rewrite[7123]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Oct 20 14:22:50 rojao postfix/smtpd[7054]: 3D9549A59E4: client=unknown[124.42.91.132], sasl_method=login, sasl_username=yan@rojao.cn
Oct 20 14:22:50 rojao postfix/cleanup[7125]: 3D9549A59E4: message-id=<20101020062250.3D9549A59E4@rojao.cn>
Oct 20 14:22:50 rojao postfix/qmgr[2892]: 3D9549A59E4: from=<yan@rojao.cn>, size=896, nrcpt=1 (queue active)
Oct 20 14:22:50 rojao postfix/smtpd[7132]: connect from itvhome.cn[127.0.0.1]
Oct 20 14:22:50 rojao postfix/trivial-rewrite[7123]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Oct 20 14:22:50 rojao postfix/smtpd[7132]: EACBC9A59E5: client=itvhome.cn[127.0.0.1]
Oct 20 14:22:50 rojao postfix/cleanup[7125]: EACBC9A59E5: message-id=<20101020062250.3D9549A59E4@rojao.cn>
Oct 20 14:22:50 rojao postfix/qmgr[2892]: EACBC9A59E5: from=<yan@rojao.cn>, size=1318, nrcpt=1 (queue active)
Oct 20 14:22:50 rojao amavis[6949]: (06949-02) Passed CLEAN, LOCAL [124.42.91.132] [124.42.91.132] <yan@rojao.cn> -> <anlonchen@linpotech.com>, Message-ID: <20101020062250.3D9549A59E4@rojao.cn>, mail_id: oWYiqJ0WyxxS, Hits: 5.798, size: 895, queued_as: EACBC9A59E5, 527 ms
Oct 20 14:22:50 rojao postfix/smtpd[7132]: disconnect from itvhome.cn[127.0.0.1]
Oct 20 14:22:50 rojao postfix/smtp[7129]: 3D9549A59E4: to=<anlonchen@linpotech.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=6.1, delays=5.5/0.01/0/0.53, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=06949-02, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as EACBC9A59E5)
Oct 20 14:22:50 rojao postfix/qmgr[2892]: 3D9549A59E4: removed
Oct 20 14:22:52 rojao postfix/smtp[7133]: EACBC9A59E5: to=<anlonchen@linpotech.com>, relay=mxwcom.263xmail.com[211.150.64.36]:25, delay=1.1, delays=0.01/0.01/0.12/0.97, dsn=2.0.0, status=sent (250 Ok: queued as 41585458)
Oct 20 14:22:52 rojao postfix/qmgr[2892]: EACBC9A59E5: removed
Oct 20 14:24:19 rojao postfix/anvil[6990]: statistics: max connection rate 1/60s for (smtp:211.150.67.12) at Oct 20 14:14:19
Oct 20 14:24:19 rojao postfix/anvil[6990]: statistics: max connection count 1 for (smtp:211.150.67.12) at Oct 20 14:14:19
Oct 20 14:24:19 rojao postfix/anvil[6990]: statistics: max cache size 2 at Oct 20 14:14:30
Oct 20 14:24:39 rojao postfix/smtpd[7151]: connect from unknown[210.72.13.75]
Oct 20 14:24:39 rojao postfix/trivial-rewrite[7123]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Oct 20 14:24:39 rojao postfix/smtpd[7151]: NOQUEUE: reject: RCPT from unknown[210.72.13.75]: 550 5.1.1 <hyujrf@rojao.cn>: Recipient address rejected: User unknown in local recipient table; from=<> to=<hyujrf@rojao.cn> proto=ESMTP helo=<mail.sfn.cn>
Oct 20 14:24:39 rojao postfix/smtpd[7151]: disconnect from unknown[210.72.13.75]
Oct 20 14:27:50 rojao postfix/smtpd[7054]: timeout after END-OF-MESSAGE from unknown[124.42.91.132]
Oct 20 14:27:50 rojao postfix/smtpd[7054]: disconnect from unknown[124.42.91.132]
Oct 20 14:29:05 rojao postfix/smtpd[7054]: connect from unknown[60.22.220.40]
Oct 20 14:29:06 rojao postfix/trivial-rewrite[7188]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Oct 20 06:29:21 rojao policyd: connection from: 127.0.0.1 port: 33795 slots: 0 of 2044 used
Oct 20 06:29:21 rojao policyd: rcpt=4222, greylist=new, host=60.22.220.40 (unknown), from=jwdx@zhandou8.com, to=hr@rojao.cn, size=0
Oct 20 14:29:21 rojao postfix/smtpd[7054]: NOQUEUE: reject: RCPT from unknown[60.22.220.40]: 450 4.7.1 <hr@rojao.cn>: Recipient address rejected: Policy Rejection- Please try later.; from=<jwdx@zhandou8.com> to=<hr@rojao.cn> proto=SMTP helo=<zhandou8.com>
Oct 20 14:29:21 rojao postfix/smtpd[7054]: lost connection after RCPT from unknown[60.22.220.40]
Oct 20 14:29:21 rojao postfix/smtpd[7054]: disconnect from unknown[60.22.220.40]
Oct 20 14:30:02 rojao postfix/smtpd[7054]: connect from unknown[203.198.177.23]
Oct 20 06:30:07 rojao policyd: rcpt=4223, greylist=update, host=203.198.177.23 (unknown), from=tzjohnson@ketaili.com, to=mcj@rojao.cn, size=1118
Oct 20 06:30:07 rojao policyd: rcpt=4223, throttle_rcpt=clear(a), host=203.198.177.23, from=tzjohnson@ketaili.com, to=mcj@rojao.cn, count=0/64(67), threshold=0%
Oct 20 14:30:07 rojao postfix/smtpd[7054]: DD9C39A59E4: client=unknown[203.198.177.23]
Oct 20 14:30:09 rojao postfix/cleanup[7200]: DD9C39A59E4: message-id=<201010200622.o9K6MA2U028673@mail.mcit.com.hk>
Oct 20 14:30:09 rojao postfix/qmgr[2892]: DD9C39A59E4: from=<tzjohnson@ketaili.com>, size=1380, nrcpt=1 (queue active)
Oct 20 14:30:13 rojao postfix/smtpd[7207]: connect from itvhome.cn[127.0.0.1]
Oct 20 14:30:13 rojao postfix/trivial-rewrite[7208]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Oct 20 14:30:13 rojao postfix/smtpd[7207]: 961229A59E5: client=itvhome.cn[127.0.0.1]
Oct 20 14:30:13 rojao postfix/cleanup[7200]: 961229A59E5: message-id=<201010200622.o9K6MA2U028673@mail.mcit.com.hk>
Oct 20 14:30:13 rojao postfix/qmgr[2892]: 961229A59E5: from=<tzjohnson@ketaili.com>, size=1780, nrcpt=1 (queue active)
Oct 20 14:30:13 rojao postfix/smtpd[7207]: disconnect from itvhome.cn[127.0.0.1]
Oct 20 14:30:13 rojao postfix/trivial-rewrite[7208]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Oct 20 14:30:13 rojao amavis[6904]: (06904-03) Passed SPAM, LOCAL [203.198.177.23] [218.249.27.69] <tzjohnson@ketaili.com> -> <mcj@rojao.cn>, quarantine: spam-in0aIiB3KBpu.gz, Message-ID: <201010200622.o9K6MA2U028673@mail.mcit.com.hk>, mail_id: in0aIiB3KBpu, Hits: 17.393, size: 1380, queued_as: 961229A59E5, 4305 ms
Oct 20 14:30:13 rojao postfix/smtp[7203]: DD9C39A59E4: to=<mcj@rojao.cn>, relay=127.0.0.1[127.0.0.1]:10024, delay=11, delays=6.5/0.01/0/4.3, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=06904-03, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 961229A59E5)
Oct 20 14:30:13 rojao postfix/qmgr[2892]: DD9C39A59E4: removed
Oct 20 14:30:13 rojao postfix/pipe[7211]: 961229A59E5: to=<mcj@rojao.cn>, relay=dovecot, delay=0.03, delays=0.01/0.01/0/0.01, dsn=2.0.0, status=sent (delivered via dovecot service)
Oct 20 14:30:13 rojao postfix/qmgr[2892]: 961229A59E5: removed
Oct 20 14:32:02 rojao postfix/smtpd[7232]: connect from unknown[120.87.36.13]
Oct 20 14:32:02 rojao postfix/trivial-rewrite[7233]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Oct 20 06:32:07 rojao policyd: connection from: 127.0.0.1 port: 57608 slots: 1 of 2044 used
Oct 20 06:32:07 rojao policyd: rcpt=4224, greylist=new, host=120.87.36.13 (unknown), from=ghetht@telegoal.com.cn, to=hr@rojao.cn, size=0
Oct 20 14:32:07 rojao postfix/smtpd[7232]: NOQUEUE: reject: RCPT from unknown[120.87.36.13]: 450 4.7.1 <hr@rojao.cn>: Recipient address rejected: Policy Rejection- Please try later.; from=<ghetht@telegoal.com.cn> to=<hr@rojao.cn> proto=ESMTP helo=<telegoal.com.cn>
Oct 20 14:32:08 rojao postfix/smtpd[7232]: disconnect from unknown[120.87.36.13]
Oct 20 14:32:44 rojao postfix/smtpd[7232]: connect from unknown[60.190.243.74]
Oct 20 14:32:44 rojao postfix/trivial-rewrite[7238]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Oct 20 14:32:49 rojao postfix/smtpd[7232]: 6A47A9A59E4: client=unknown[60.190.243.74], sasl_method=login, sasl_username=llj@rojao.cn
Oct 20 14:32:49 rojao postfix/cleanup[7239]: 6A47A9A59E4: message-id=<20101020063249.6A47A9A59E4@rojao.cn>
Oct 20 14:32:49 rojao postfix/qmgr[2892]: 6A47A9A59E4: from=<llj@rojao.cn>, size=866, nrcpt=1 (queue active)
Oct 20 14:32:51 rojao postfix/smtpd[7246]: connect from itvhome.cn[127.0.0.1]
Oct 20 14:32:51 rojao postfix/trivial-rewrite[7238]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Oct 20 14:32:51 rojao postfix/smtpd[7246]: DAF839A59E5: client=itvhome.cn[127.0.0.1]
Oct 20 14:32:51 rojao postfix/cleanup[7239]: DAF839A59E5: message-id=<20101020063249.6A47A9A59E4@rojao.cn>
Oct 20 14:32:51 rojao postfix/qmgr[2892]: DAF839A59E5: from=<llj@rojao.cn>, size=1274, nrcpt=1 (queue active)
Oct 20 14:32:51 rojao amavis[6949]: (06949-03) Passed CLEAN, LOCAL [60.190.243.74] [60.190.243.74] <llj@rojao.cn> -> <cyongc@yahoo.com>, Message-ID: <20101020063249.6A47A9A59E4@rojao.cn>, mail_id: iJH+NNnyK8AY, Hits: 5.882, size: 865, queued_as: DAF839A59E5, 2408 ms
Oct 20 14:32:51 rojao postfix/smtpd[7246]: disconnect from itvhome.cn[127.0.0.1]
Oct 20 14:32:51 rojao postfix/smtp[7243]: 6A47A9A59E4: to=<cyongc@yahoo.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=7.5, delays=5.1/0.01/0/2.4, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=06949-03, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as DAF839A59E5)
Oct 20 14:32:51 rojao postfix/qmgr[2892]: 6A47A9A59E4: removed
Oct 20 14:32:57 rojao postfix/smtp[7247]: DAF839A59E5: to=<cyongc@yahoo.com>, relay=e.mx.mail.yahoo.com[67.195.168.230]:25, delay=5.4, delays=0.01/0.01/1.5/3.9, dsn=2.0.0, status=sent (250 ok dirdel)
Oct 20 14:32:57 rojao postfix/qmgr[2892]: DAF839A59E5: removed
Oct 20 14:34:09 rojao postfix/smtpd[7232]: disconnect from unknown[60.190.243.74]
Oct 20 14:34:10 rojao postfix/smtpd[7054]: disconnect from unknown[203.198.177.23]
Oct 20 14:34:19 rojao postfix/anvil[6990]: statistics: max connection rate 1/60s for (smtp:210.72.13.75) at Oct 20 14:24:39
Oct 20 14:34:19 rojao postfix/anvil[6990]: statistics: max connection count 1 for (smtp:210.72.13.75) at Oct 20 14:24:39
Oct 20 14:34:19 rojao postfix/anvil[6990]: statistics: max cache size 3 at Oct 20 14:32:44
Oct 20 14:34:52 rojao roundcube: [20-Oct-2010 14:34:52 +0800]: Successful login for mj@rojao.cn (id 3) from 58.62.85.167
Oct 20 14:46:56 rojao postfix/qmgr[2892]: E60889A59E1: from=<mj@rojao.cn>, size=1309, nrcpt=1 (queue active)
Oct 20 14:46:58 rojao postfix/smtp[7416]: E60889A59E1: host mailin-03.mx.aol.com[64.12.137.169] refused to talk to me: 554- (RTR:CH)  http://postmaster.info.aol.com/errors/554rtrch.html 554  Connecting IP: 124.172.234.56
Oct 20 14:46:59 rojao postfix/smtp[7416]: E60889A59E1: host mailin-01.mx.aol.com[64.12.90.98] refused to talk to me: 554- (RTR:CH)  http://postmaster.info.aol.com/errors/554rtrch.html 554  Connecting IP: 124.172.234.56
Oct 20 14:47:01 rojao postfix/smtp[7416]: E60889A59E1: host mailin-04.mx.aol.com[205.188.157.18] refused to talk to me: 554- (RTR:CH)  http://postmaster.info.aol.com/errors/554rtrch.html 554  Connecting IP: 124.172.234.56
Oct 20 14:47:02 rojao postfix/smtp[7416]: E60889A59E1: host mailin-02.mx.aol.com[64.12.90.65] refused to talk to me: 554- (RTR:CH)  http://postmaster.info.aol.com/errors/554rtrch.html 554  Connecting IP: 124.172.234.56
Oct 20 14:47:04 rojao postfix/smtp[7416]: E60889A59E1: to=<danielkellynr@aol.com>, relay=mailin-01.mx.aol.com[205.188.59.194]:25, delay=25545, delays=25538/0.02/7.8/0, dsn=4.0.0, status=deferred (host mailin-01.mx.aol.com[205.188.59.194] refused to talk to me: 554- (RTR:CH)  http://postmaster.info.aol.com/errors/554rtrch.html 554  Connecting IP: 124.172.234.56)
Oct 20 14:48:00 rojao postfix/smtpd[7426]: connect from unknown[60.190.243.74]
Oct 20 14:48:00 rojao postfix/trivial-rewrite[7429]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Oct 20 14:48:06 rojao postfix/smtpd[7426]: 50BA39A59E4: client=unknown[60.190.243.74], sasl_method=login, sasl_username=zfs@rojao.cn
Oct 20 14:48:06 rojao postfix/cleanup[7430]: 50BA39A59E4: message-id=<20101020064806.50BA39A59E4@rojao.cn>
Oct 20 14:48:06 rojao postfix/qmgr[2892]: 50BA39A59E4: from=<zfs@rojao.cn>, size=880, nrcpt=1 (queue active)
Oct 20 14:48:06 rojao postfix/smtpd[7437]: connect from itvhome.cn[127.0.0.1]
Oct 20 14:48:06 rojao postfix/trivial-rewrite[7429]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Oct 20 14:48:06 rojao postfix/smtpd[7437]: CAF9B9A59E5: client=itvhome.cn[127.0.0.1]
Oct 20 14:48:06 rojao postfix/cleanup[7430]: CAF9B9A59E5: message-id=<20101020064806.50BA39A59E4@rojao.cn>
Oct 20 14:48:06 rojao postfix/qmgr[2892]: CAF9B9A59E5: from=<zfs@rojao.cn>, size=1300, nrcpt=1 (queue active)
Oct 20 14:48:06 rojao postfix/smtpd[7437]: disconnect from itvhome.cn[127.0.0.1]
Oct 20 14:48:06 rojao amavis[6904]: (06904-04) Passed CLEAN, LOCAL [60.190.243.74] [60.190.243.74] <zfs@rojao.cn> -> <eric.chang@meiloon.com>, Message-ID: <20101020064806.50BA39A59E4@rojao.cn>, mail_id: yCMvo5MZbvo5, Hits: 4.558, size: 879, queued_as: CAF9B9A59E5, 448 ms
Oct 20 14:48:06 rojao postfix/smtp[7434]: 50BA39A59E4: to=<eric.chang@meiloon.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=6, delays=5.5/0.01/0/0.45, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=06904-04, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as CAF9B9A59E5)
Oct 20 14:48:06 rojao postfix/qmgr[2892]: 50BA39A59E4: removed
Oct 20 14:48:15 rojao postfix/smtpd[7438]: connect from unknown[202.102.188.177]
Oct 20 14:48:15 rojao postfix/trivial-rewrite[7429]: warning: do not list domain ROJAO.CN in BOTH mydestination and virtual_mailbox_domains
Oct 20 14:48:17 rojao postfix/smtpd[7439]: connect from unknown[120.192.100.60]
Oct 20 14:48:19 rojao postfix/trivial-rewrite[7429]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Oct 20 06:48:26 rojao policyd: connection from: 127.0.0.1 port: 39956 slots: 0 of 2044 used
Oct 20 06:48:26 rojao policyd: rcpt=4225, greylist=new, host=202.102.188.177 (unknown), from=jingchi@vkuw.com, to=hr@rojao.cn, size=0
Oct 20 14:48:26 rojao postfix/smtpd[7438]: NOQUEUE: reject: RCPT from unknown[202.102.188.177]: 450 4.7.1 <HR@ROJAO.CN>: Recipient address rejected: Policy Rejection- Please try later.; from=<jingchi@vkuw.com> to=<HR@ROJAO.CN> proto=ESMTP helo=<vkuw.com>
Oct 20 14:48:26 rojao postfix/smtpd[7438]: lost connection after RCPT from unknown[202.102.188.177]
Oct 20 14:48:26 rojao postfix/smtpd[7438]: disconnect from unknown[202.102.188.177]
Oct 20 06:48:30 rojao policyd: connection from: 127.0.0.1 port: 39957 slots: 1 of 2044 used
Oct 20 06:48:30 rojao policyd: rcpt=4226, greylist=new, host=120.192.100.60 (unknown), from=jingchi@vkuw.com, to=hr@rojao.cn, size=0
Oct 20 14:48:30 rojao postfix/smtpd[7439]: NOQUEUE: reject: RCPT from unknown[120.192.100.60]: 450 4.7.1 <hr@rojao.cn>: Recipient address rejected: Policy Rejection- Please try later.; from=<jingchi@vkuw.com> to=<hr@rojao.cn> proto=SMTP helo=<vkuw.com>
Oct 20 14:48:30 rojao postfix/smtpd[7439]: lost connection after RCPT from unknown[120.192.100.60]
Oct 20 14:48:30 rojao postfix/smtpd[7439]: disconnect from unknown[120.192.100.60]
Oct 20 14:48:38 rojao postfix/smtp[7416]: CAF9B9A59E5: to=<eric.chang@meiloon.com>, relay=mailsqr.meiloon.com[210.66.151.235]:25, delay=31, delays=0.01/0/25/6.3, dsn=5.0.0, status=bounced (host mailsqr.meiloon.com[210.66.151.235] said: 500 5.0.0 Service unavailable (in reply to end of DATA command))
Oct 20 14:48:38 rojao postfix/cleanup[7430]: 193929A59E6: message-id=<20101020064838.193929A59E6@rojao.cn>
Oct 20 14:48:38 rojao postfix/bounce[7440]: CAF9B9A59E5: sender non-delivery notification: 193929A59E6
Oct 20 14:48:38 rojao postfix/qmgr[2892]: 193929A59E6: from=<>, size=3161, nrcpt=1 (queue active)
Oct 20 14:48:38 rojao postfix/trivial-rewrite[7429]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Oct 20 14:48:38 rojao postfix/qmgr[2892]: CAF9B9A59E5: removed
Oct 20 14:48:38 rojao postfix/pipe[7441]: 193929A59E6: to=<zfs@rojao.cn>, relay=dovecot, delay=0.02, delays=0/0.01/0/0.01, dsn=2.0.0, status=sent (delivered via dovecot service)
Oct 20 14:48:38 rojao postfix/qmgr[2892]: 193929A59E6: removed
Oct 20 14:49:09 rojao postfix/smtpd[7426]: disconnect from unknown[60.190.243.74]
Oct 20 14:50:38 rojao postfix/smtpd[7426]: connect from unknown[209.85.161.170]
Oct 20 06:50:46 rojao policyd: connection from: 127.0.0.1 port: 58164 slots: 0 of 2044 used
Oct 20 06:50:46 rojao policyd: rcpt=4227, greylist=new, host=209.85.161.170 (unknown), from=cola913@gmail.com, to=zfs@rojao.cn, size=0
Oct 20 14:50:46 rojao postfix/smtpd[7426]: NOQUEUE: reject: RCPT from unknown[209.85.161.170]: 450 4.7.1 <zfs@rojao.cn>: Recipient address rejected: Policy Rejection- Please try later.; from=<cola913@gmail.com> to=<zfs@rojao.cn> proto=ESMTP helo=<mail-gx0-f170.google.com>
Oct 20 14:50:46 rojao postfix/smtpd[7426]: disconnect from unknown[209.85.161.170]
Oct 20 14:53:11 rojao postfix/smtpd[7471]: connect from unknown[202.96.74.114]
Oct 20 14:53:12 rojao postfix/trivial-rewrite[7473]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Oct 20 14:53:17 rojao postfix/smtpd[7471]: NOQUEUE: reject: RCPT from unknown[202.96.74.114]: 550 5.1.1 <hyujrf@rojao.cn>: Recipient address rejected: User unknown in local recipient table; from=<postmaster@online.ln.cn> to=<hyujrf@rojao.cn> proto=SMTP helo=<online.ln.cn>
Oct 20 14:53:17 rojao postfix/smtpd[7471]: lost connection after RCPT from unknown[202.96.74.114]
Oct 20 14:53:17 rojao postfix/smtpd[7471]: disconnect from unknown[202.96.74.114]
Oct 20 14:53:34 rojao postfix/smtpd[7471]: connect from unknown[120.192.100.60]
Oct 20 14:53:36 rojao postfix/trivial-rewrite[7474]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Oct 20 06:53:46 rojao policyd: connection from: 127.0.0.1 port: 58179 slots: 0 of 2044 used
Oct 20 06:53:46 rojao policyd: rcpt=4228, greylist=update, host=120.192.100.60 (unknown), from=jingchi@vkuw.com, to=hr@rojao.cn, size=0
Oct 20 06:53:46 rojao policyd: rcpt=4228, throttle_rcpt=update(a), host=120.192.100.60, from=jingchi@vkuw.com, to=hr@rojao.cn, count=2/64(454), threshold=1%
Oct 20 14:53:46 rojao postfix/smtpd[7471]: D765A9A59E4: client=unknown[120.192.100.60]
Oct 20 14:53:48 rojao postfix/cleanup[7478]: D765A9A59E4: message-id=<20101020065346.D765A9A59E4@rojao.cn>
Oct 20 14:53:48 rojao postfix/qmgr[2892]: D765A9A59E4: from=<jingchi@vkuw.com>, size=16476, nrcpt=1 (queue active)
Oct 20 14:53:49 rojao postfix/smtpd[7471]: disconnect from unknown[120.192.100.60]
Oct 20 14:53:53 rojao postfix/smtpd[7487]: connect from itvhome.cn[127.0.0.1]
Oct 20 14:53:53 rojao postfix/trivial-rewrite[7488]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Oct 20 14:53:53 rojao postfix/smtpd[7487]: CAA0A9A59E5: client=itvhome.cn[127.0.0.1]
Oct 20 14:53:53 rojao postfix/cleanup[7478]: CAA0A9A59E5: message-id=<20101020065346.D765A9A59E4@rojao.cn>
Oct 20 14:53:53 rojao postfix/qmgr[2892]: CAA0A9A59E5: from=<jingchi@vkuw.com>, size=16874, nrcpt=1 (queue active)
Oct 20 14:53:53 rojao postfix/smtpd[7487]: disconnect from itvhome.cn[127.0.0.1]
Oct 20 14:53:53 rojao postfix/trivial-rewrite[7488]: warning: do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains
Oct 20 14:53:53 rojao amavis[6949]: (06949-04) Passed SPAM, LOCAL [120.192.100.60] [120.192.100.60] <jingchi@vkuw.com> -> <hr@rojao.cn>, quarantine: spam-l7QRH6AbeyUz.gz, Message-ID: <20101020065346.D765A9A59E4@rojao.cn>, mail_id: l7QRH6AbeyUz, Hits: 17.704, size: 16476, queued_as: CAA0A9A59E5, 4850 ms
Oct 20 14:53:53 rojao postfix/smtp[7482]: D765A9A59E4: to=<hr@rojao.cn>, relay=127.0.0.1[127.0.0.1]:10024, delay=17, delays=13/0.01/0/4.9, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=06949-04, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as CAA0A9A59E5)
Oct 20 14:53:53 rojao postfix/qmgr[2892]: D765A9A59E4: removed
Oct 20 14:53:53 rojao postfix/pipe[7489]: CAA0A9A59E5: to=<hr@rojao.cn>, relay=dovecot, delay=0.02, delays=0.01/0.01/0/0.01, dsn=2.0.0, status=sent (delivered via dovecot service)
Oct 20 14:53:53 rojao postfix/qmgr[2892]: CAA0A9A59E5: removed
Oct 20 14:54:01 rojao postfix/smtpd[7471]: connect from unknown[124.192.161.31]
Oct 20 14:54:17 rojao postfix/smtpd[7471]: NOQUEUE: reject: RCPT from unknown[124.192.161.31]: 450 4.1.8 <MAILER-DAEMON@root.domain>: Sender address rejected: Domain not found; from=<MAILER-DAEMON@root.domain> to=<hyujrf@rojao.cn> proto=ESMTP helo=<dfhinfo.com.cn>
Oct 20 14:54:17 rojao postfix/smtpd[7471]: disconnect from unknown[124.192.161.31]

I made a mistake in the last operation; the attachment is there now.

The mail system is mainly used inside the company, and there are not many people, so nobody would use it to send spam. In the system security log I see many different IP addresses trying to log in to the system, but I have not yet seen any record of a successful login. Right now it feels like my mail server has been "hijacked" to send spam.

The attachment is the recent maillog; below is the output of postconf -n:

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
biff = no
bounce_queue_lifetime = 1d
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
delay_warning_time = 0h
disable_vrfy_command = yes
enable_original_recipient = no
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_name = iRedMail
mail_owner = postfix
mail_version = 0.6.0
mailbox_command = /usr/libexec/dovecot/deliver
mailbox_size_limit = 15728640
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_backoff_time = 4000s
maximal_queue_lifetime = 1d
message_size_limit = 104857600
minimal_backoff_time = 300s
mydestination = $myhostname, localhost, localhost.localdomain, localhost.$myhostname
mydomain = rojao.cn
myhostname = rojao.cn
mynetworks = 127.0.0.0/8
mynetworks_style = subnet
myorigin = rojao.cn
newaliases_path = /usr/bin/newaliases.postfix
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps
queue_directory = /var/spool/postfix
queue_run_delay = 300s
readme_directory = /usr/share/doc/postfix-2.5.9/README_FILES
recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql_recipient_bcc_maps_domain.cf, proxy:mysql:/etc/postfix/mysql_recipient_bcc_maps_user.cf
recipient_delimiter = +
relay_domains = $mydestination, proxy:mysql:/etc/postfix/mysql_relay_domains.cf
relay_recipient_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
sample_directory = /usr/share/doc/postfix-2.5.9/samples
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_domain.cf, proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_user.cf
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,permit_sasl_authenticated, check_helo_access pcre:/etc/postfix/helo_access.pcre
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_policy_service inet:127.0.0.1:10031
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain =
smtpd_sasl_path = dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql_sender_login_maps.cf
smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated
smtpd_tls_cert_file = /etc/pki/tls/certs/iRedMail_CA.pem
smtpd_tls_key_file = /etc/pki/tls/private/iRedMail.key
smtpd_tls_loglevel = 0
smtpd_tls_security_level = may
tls_random_source = dev:/dev/urandom
transport_maps = proxy:mysql:/etc/postfix/mysql_transport_maps_user.cf, proxy:mysql:/etc/postfix/mysql_transport_maps_domain.cf
unknown_local_recipient_reject_code = 550
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql_domain_alias_maps.cf
virtual_gid_maps = static:500
virtual_mailbox_base = /opt/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 500
virtual_transport = dovecot
virtual_uid_maps = static:500
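The trivial-rewrite warning that repeats through the log above ("do not list domain rojao.cn in BOTH mydestination and virtual_mailbox_domains") follows directly from this postconf output: myhostname is rojao.cn and mydestination begins with $myhostname, while the same domain is also served from the virtual_mailbox_domains MySQL table. The following Python script is an added example, not part of the post or of iRedMail: it expands the $variable references the way Postfix does, reports domains that land in both address classes, and checks the order of smtpd_recipient_restrictions for entries that could permit relaying before reject_unauth_destination. Because virtual_mailbox_domains is a lookup table, the list of domains it returns is not in the dump; VIRTUAL_DOMAINS below is a constructed stand-in for it.

```python
import re

# Constructed excerpt of the `postconf -n` output posted above: only the parameters
# these checks read, copied from the dump.
POSTCONF_OUTPUT = """\
mydestination = $myhostname, localhost, localhost.localdomain, localhost.$myhostname
mydomain = rojao.cn
myhostname = rojao.cn
mynetworks = 127.0.0.0/8
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_policy_service inet:127.0.0.1:10031
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_domains.cf
"""

# virtual_mailbox_domains is a MySQL table, so the domains it serves are not in the dump.
# Assumed stand-in for what the table returns; on the real box query it with
#   postmap -q rojao.cn proxy:mysql:/etc/postfix/mysql_virtual_mailbox_domains.cf
VIRTUAL_DOMAINS = ["rojao.cn", "itvhome.cn"]

_VAR = re.compile(r"\$\{(\w+)\}|\$(\w+)")


def parse_postconf(text):
    """`postconf -n` lines -> dict of raw (unexpanded) values."""
    params = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params


def expand(value, params, depth=0):
    """Resolve $name and ${name} references recursively, as Postfix does."""
    if depth > 10:
        raise ValueError("parameter reference loop")
    return _VAR.sub(
        lambda m: expand(params.get(m.group(1) or m.group(2), ""), params, depth + 1),
        value,
    )


def effective_mydestination(params):
    """mydestination with variables resolved, split on commas/whitespace, lower-cased."""
    raw = expand(params.get("mydestination", ""), params)
    return [d.lower() for d in re.split(r"[\s,]+", raw) if d]


def restriction_list(params, name):
    """Restriction entries. iRedMail separates them with commas, and an entry may carry an
    argument ("check_policy_service inet:127.0.0.1:10031"), so do not split on spaces."""
    raw = expand(params.get(name, ""), params)
    return [r.strip() for r in raw.split(",") if r.strip()]


def audit(params, virtual_domains):
    """Return human-readable findings; an empty list means both checks passed."""
    findings = []

    # 1. The warning trivial-rewrite logs on every message: a domain in both address classes.
    dest = set(effective_mydestination(params))
    for domain in sorted({d.lower() for d in virtual_domains}):
        if domain in dest:
            findings.append(f"{domain}: listed in BOTH mydestination and virtual_mailbox_domains")

    # 2. Relay control: reject_unauth_destination must be present, and nothing that can
    #    answer OK for an arbitrary destination (bare permit, check_* tables, policy
    #    services) may precede it; permit_mynetworks / permit_sasl_authenticated before
    #    it are the intended exceptions.
    names = [r.split()[0] for r in restriction_list(params, "smtpd_recipient_restrictions")]
    relay_stops = ("reject_unauth_destination", "defer_unauth_destination")
    if not any(n in relay_stops for n in names):
        findings.append("smtpd_recipient_restrictions: no reject_unauth_destination (open relay)")
    else:
        cut = min(i for i, n in enumerate(names) if n in relay_stops)
        for n in names[:cut]:
            if n == "permit" or n.startswith("check_"):
                findings.append(f"smtpd_recipient_restrictions: {n} precedes reject_unauth_destination "
                                "and can permit relaying; move it after")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_postconf(POSTCONF_OUTPUT), VIRTUAL_DOMAINS):
        print(finding)
```

On the posted configuration the only finding is the rojao.cn overlap: the restriction order is sound, because permit_mynetworks and permit_sasl_authenticated come before reject_unauth_destination and the policyd check_policy_service comes after it, so policyd can only add rejections, never grant relaying. The warning goes away once the domain is in a single class, for example by giving myhostname a host name under the domain instead of the bare domain, which leaves rojao.cn to virtual_mailbox_domains alone.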

Recently many users in the domain have reported that their mail accounts keep receiving "delivery failed" messages from the mail server. The subject of those mails is almost always "发送给hao的金蛋" ("a golden egg sent to hao"), but the users never actually sent them, and there is no record of them in the sent log or history.

Below is the content of one of the failure messages:
This is the mail system at host rojao.cn.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

<ouchaoyi@21cn.com>: host mta.21cn.com[59.36.102.50] said: 550
    (ID:10.27.2.3-1287555615-51245-AB/11-16399-F1A8EBC4) No such user on
    Inbound SMTP server 233! (in reply to RCPT TO command)

There are many similar messages, differing only in the recipient.

Experts, what is going on here? Has the system been hacked?
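The non-delivery report quoted above was generated by rojao.cn itself ("This is the mail system at host rojao.cn"), so the rejected message did pass through this server's queue, and its queue id, submitting client and envelope sender are in maillog. With the posted configuration an outside client cannot use a rojao.cn sender address without logging in, as long as that address is in smtpd_sender_login_maps (smtpd_sender_restrictions applies reject_sender_login_mismatch before permit_sasl_authenticated), which leaves two ways for such mail to get out: a SASL login with a user's credentials, or submission from mynetworks (127.0.0.0/8, i.e. webmail or a script on the box). The Python script below is an added example, not part of the post or of iRedMail. It groups maillog lines by queue id, collapses the amavis re-injection (the second queue id that appears from itvhome.cn[127.0.0.1] with the same Message-ID) back onto the original submission, and reports for each local sender how the message was injected and from which client IPs. The sample log is constructed from the lines posted earlier plus one hypothetical loopback submission; the flag thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the maillog format posted above. The zfs@rojao.cn lines are copied
# from the log (SASL submission, amavis re-injection under a second queue id, remote
# bounce). Queue id 0A1B2C3D4E5 is hypothetical: a rojao.cn sender injected from
# loopback with no SASL login, which is what a webmail or local-script submission looks like.
SAMPLE_LOG = """\
Oct 20 14:48:06 rojao postfix/smtpd[7426]: 50BA39A59E4: client=unknown[60.190.243.74], sasl_method=login, sasl_username=zfs@rojao.cn
Oct 20 14:48:06 rojao postfix/cleanup[7430]: 50BA39A59E4: message-id=<20101020064806.50BA39A59E4@rojao.cn>
Oct 20 14:48:06 rojao postfix/qmgr[2892]: 50BA39A59E4: from=<zfs@rojao.cn>, size=880, nrcpt=1 (queue active)
Oct 20 14:48:06 rojao postfix/smtpd[7437]: CAF9B9A59E5: client=itvhome.cn[127.0.0.1]
Oct 20 14:48:06 rojao postfix/cleanup[7430]: CAF9B9A59E5: message-id=<20101020064806.50BA39A59E4@rojao.cn>
Oct 20 14:48:06 rojao postfix/qmgr[2892]: CAF9B9A59E5: from=<zfs@rojao.cn>, size=1300, nrcpt=1 (queue active)
Oct 20 14:48:06 rojao postfix/smtp[7434]: 50BA39A59E4: to=<eric.chang@meiloon.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=6, delays=5.5/0.01/0/0.45, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=06904-04, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as CAF9B9A59E5)
Oct 20 14:48:38 rojao postfix/smtp[7416]: CAF9B9A59E5: to=<eric.chang@meiloon.com>, relay=mailsqr.meiloon.com[210.66.151.235]:25, delay=31, delays=0.01/0/25/6.3, dsn=5.0.0, status=bounced (host mailsqr.meiloon.com[210.66.151.235] said: 500 5.0.0 Service unavailable (in reply to end of DATA command))
Oct 20 14:48:38 rojao postfix/bounce[7440]: CAF9B9A59E5: sender non-delivery notification: 193929A59E6
Oct 20 15:01:00 rojao postfix/smtpd[7500]: 0A1B2C3D4E5: client=itvhome.cn[127.0.0.1]
Oct 20 15:01:00 rojao postfix/cleanup[7501]: 0A1B2C3D4E5: message-id=<hypothetical-001@localhost.localdomain>
Oct 20 15:01:00 rojao postfix/qmgr[2892]: 0A1B2C3D4E5: from=<mj@rojao.cn>, size=1309, nrcpt=3 (queue active)
Oct 20 15:01:05 rojao postfix/smtp[7502]: 0A1B2C3D4E5: to=<nobody@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=5, delays=0.01/0/3/2, dsn=5.1.1, status=bounced (host mx.example.net[192.0.2.10] said: 550 No such user (in reply to RCPT TO command))
"""

_PREFIX = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ postfix/(\w+)\[\d+\]: ([0-9A-F]{8,}): (.*)$")
_CLIENT = re.compile(r"client=\S+?\[([\d.]+)\](?:, sasl_method=\S+, sasl_username=(\S+))?")
_MSGID = re.compile(r"message-id=<([^>]*)>")
_FROM = re.compile(r"from=<([^>]*)>, size=\d+, nrcpt=(\d+)")
_TO = re.compile(r"to=<([^>]*)>, relay=(\S+), .*status=(\w+)")


def parse_maillog(text):
    """One record per queue id, keyed in the order the ids first appear in the log."""
    queues = {}
    for line in text.splitlines():
        m = _PREFIX.match(line)
        if not m:
            continue  # amavis, policyd, anvil and NOQUEUE rejects carry no queue id
        prog, qid, rest = m.groups()
        rec = queues.setdefault(qid, {"qid": qid, "client_ip": None, "sasl": None, "msgid": None,
                                      "from": None, "nrcpt": 0, "deliveries": [], "bounced": False})
        if prog == "smtpd" and (c := _CLIENT.search(rest)):
            rec["client_ip"], rec["sasl"] = c.group(1), c.group(2)
        elif prog == "cleanup" and (c := _MSGID.search(rest)):
            rec["msgid"] = c.group(1)
        elif prog == "qmgr" and (c := _FROM.search(rest)):
            rec["from"], rec["nrcpt"] = c.group(1).lower(), int(c.group(2))
        elif prog in ("smtp", "pipe", "virtual", "local") and (c := _TO.search(rest)):
            rec["deliveries"].append((c.group(1).lower(), c.group(2), c.group(3)))
            rec["bounced"] |= c.group(3) == "bounced"
        elif prog == "bounce" and "non-delivery notification" in rest:
            rec["bounced"] = True
    return queues


def collapse_reinjections(queues):
    """content_filter hands every message back over 127.0.0.1:10025 under a new queue id, so
    each message is logged twice. The Message-ID survives, and the first queue id seen for
    it is the real submission. Returns msgid -> {"origin": rec, "hops": [later recs]}."""
    messages = {}
    for rec in queues.values():
        if rec["msgid"] is None:
            continue
        entry = messages.setdefault(rec["msgid"], {"origin": rec, "hops": []})
        if entry["origin"] is not rec:
            entry["hops"].append(rec)
    return messages


def injection_path(rec):
    """How the original submission reached smtpd."""
    if rec["sasl"]:
        return "sasl:" + rec["sasl"].lower()
    if rec["client_ip"] is None:
        return "unknown"  # pickup/sendmail(1) submissions log no smtpd client line
    if rec["client_ip"].startswith("127."):
        return "local:" + rec["client_ip"]
    return "external:" + rec["client_ip"]


def summarize(text):
    """Per envelope sender: messages, recipients, bounces, injection paths, client IPs."""
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "bounced": 0,
                                 "paths": set(), "client_ips": set()})
    for msg in collapse_reinjections(parse_maillog(text)).values():
        origin = msg["origin"]
        final = msg["hops"][-1] if msg["hops"] else origin  # the hop that spoke to the remote MX
        st = stats[origin["from"] or "<>"]
        st["messages"] += 1
        st["recipients"] += origin["nrcpt"]
        st["bounced"] += int(final["bounced"])
        st["paths"].add(injection_path(origin))
        if origin["client_ip"]:
            st["client_ips"].add(origin["client_ip"])
    return dict(stats)


def flag_senders(stats, local_domain, ip_threshold=3, min_messages=5):
    """Local-domain senders whose submissions do not look like one user at one client.
    The thresholds are assumptions; tune them to the site's traffic."""
    findings = []
    suffix = "@" + local_domain.lower()
    for sender, st in sorted(stats.items()):
        if not sender.endswith(suffix):
            continue
        if any(p.startswith("external:") for p in st["paths"]):
            findings.append((sender, "injected from outside without SASL login (forged sender?)"))
        if any(p.startswith("local:") for p in st["paths"]):
            findings.append((sender, "injected from loopback without SASL login: check webmail and local scripts"))
        if len(st["client_ips"]) >= ip_threshold:
            findings.append((sender, f"submitted from {len(st['client_ips'])} distinct client IPs"))
        if st["messages"] >= min_messages and st["bounced"] * 2 >= st["messages"]:
            findings.append((sender, f"{st['bounced']} of {st['messages']} messages bounced"))
    return findings


if __name__ == "__main__":
    for sender, why in flag_senders(summarize(SAMPLE_LOG), "rojao.cn"):
        print(f"{sender}: {why}")
```

Run it over the complete maillog, not a rotated fragment: if the original submission lines are missing, the re-injected copy from 127.0.0.1 looks like a loopback submission and is flagged by mistake. The bounce messages the server generates itself show up under the "<>" sender and can be ignored. Searching the same log for the 21cn recipient named in the quoted report gives the queue id of the message that bounced, and parse_maillog's record for that id shows whether it arrived with a sasl_username (a user's credentials were used) or from a loopback client with none (something on the box submitted it).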