Whenever I go to the mail queue log in the ISPConfig monitor section, I see approx. 300 hundred requests like the following:

482BDFEC0187 712 Thu Oct 9 09:39:01 smmsp@server.example.com
(connect to 127.0.0.1[127.0.0.1]:10024: Connection refused)
root@server.example.com

Why are they here? It's either the root or smmsp user. Does this mean that my server is being attacked by spammers?

EDIT: I've already cleared the mail queue a day ago.

EDIT2: Here is an excerpt from the mail logs:

Oct 9 16:29:33 402283 postfix/error[4513]: 1EC3B6EC0105: to=<root@server.example.com/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to 127.0.0.1[127.0.0.1]:10024: Connection refused)
Oct 9 16:29:33 402283 postfix/error[4512]: 7A9166EC0135: to=<root@server.example.com>, orig_to=<root>, relay=none, delay=118172, delays=118172/0.05/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to 127.0.0.1[127.0.0.1]:10024: Connection refused)
Oct 9 16:29:33 402283 postfix/error[4513]: 707A26EC00D7: to=<root@server.example.com>, orig_to=<root>, relay=none, delay=151772, delays=151772/0.05/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to 127.0.0.1[127.0.0.1]:10024: Connection refused)
Oct 9 16:29:33 402283 postfix/error[4512]: 75D966EC009D: to=<root@server.example.com>, orig_to=<root>, relay=none, delay=168572, delays=168572/0.05/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to 127.0.0.1[127.0.0.1]:10024: Connection refused)
Oct 9 16:30:01 402283 dovecot: imap-login: Disconnected (disconnected before greeting, waited 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<Nz72bf0EyAB/AAAB>
Oct 9 16:30:01 402283 postfix/smtpd[4559]: connect from localhost.localdomain[127.0.0.1]

An excerpt of one email header from the mail queue:

named_attribute: rewrite_context=local
sender_fullname: CronDaemon
sender: root@server.example.com
original_recipient: root
recipient: root@server.example.com
HopelessN00b
Onion
  • Also, what should I pay attention to while configuring the mail server daemon? – Onion Oct 09 '14 at 13:35
  • This isn't spam. This is your cron daemon sending the output from its jobs, like cron normally does. If you want those mails, you should set your mail server daemon up so that it actually sends them to some useable mailbox. If not, you should fix your cron jobs so that they create logs instead of mails - see http://serverfault.com/questions/449651/why-is-my-crontab-not-working-and-how-can-i-troubleshoot-it – Jenny D Oct 09 '14 at 13:37
  • What you should pay attention to: not making it an open relay... You appear to be using postfix; there's a lot of info at http://postfix.org including advice on how to set it up properly. – Jenny D Oct 09 '14 at 13:38
  • @Jenny Are you referring to this document? http://www.postfix.org/SMTPD_ACCESS_README.html – Onion Oct 09 '14 at 13:46
  • Is this tool reliable? http://mxtoolbox.com/diagnostic.aspx I've tested my server and it appears to be 'green' - not an open relay. – Onion Oct 09 '14 at 13:49
  • Why the downvote? – Onion Oct 09 '14 at 13:51
  • If you hover over the down arrow, it will show you the main reason for downvotes. – Jenny D Oct 09 '14 at 19:19

1 Answer

Most systems are configured to send mails about system events, like the output of cron tasks or failed sudo attempts, to themselves. These are sent mostly to the root user. If you are interested in these mails, you should set up a catch-all address for them.

Christopher Perrin
  • It seems that I can neither send nor receive any mail at the moment (hence the 'Connection refused' errors). I suppose the server tries sending the emails again and again over periods of time? – Onion Oct 09 '14 at 13:41
  • Yes, it does. The queue is regularly resent. But I think after x attempts it discards them. – Christopher Perrin Oct 09 '14 at 13:45
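
One way to check the point made in the answer against a mail log, as an added example that is not part of the original posts: group deferred deliveries by whether the recipient is on the server itself and by the connection that failed. The function names, the `local_domains` set and the last three sample lines are assumptions made for this illustration.

```python
import re
from collections import Counter

# First two lines are from the excerpt above; the last three are constructed samples.
SAMPLE_LOG = """\
Oct 9 16:29:33 402283 postfix/error[4512]: 7A9166EC0135: to=<root@server.example.com>, orig_to=<root>, relay=none, delay=118172, delays=118172/0.05/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to 127.0.0.1[127.0.0.1]:10024: Connection refused)
Oct 9 16:29:33 402283 postfix/error[4513]: 707A26EC00D7: to=<root@server.example.com>, orig_to=<root>, relay=none, delay=151772, delays=151772/0.05/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to 127.0.0.1[127.0.0.1]:10024: Connection refused)
Oct 9 16:31:02 402283 postfix/smtp[4600]: 9C1D26EC0101: to=<user@example.org>, relay=mx.example.org[192.0.2.20]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as ABC123)
Oct 9 16:31:05 402283 postfix/smtp[4601]: 3F0A16EC0144: to=<someone@example.net>, relay=none, delay=30, delays=0.1/0/30/0, dsn=4.4.1, status=deferred (connect to mx.example.net[192.0.2.10]:25: Connection timed out)
Oct 9 16:30:01 402283 dovecot: imap-login: Disconnected (disconnected before greeting, waited 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured
"""

# Postfix delivery record: queue ID, recipient, DSN code, status, reason in parentheses.
DELIVERY = re.compile(
    r"postfix/\w+\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>"
    r".*?\bdsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) \((?P<reason>.*)\)\s*$")
# Failed connection inside the reason text: host[ip]:port: error message.
CONNECT = re.compile(r"connect to ([^\[\s]+)\[[^\]]+\]:(\d+): (.*)")


def summarize_deferred(log_text, local_domains):
    """Count deferred deliveries per (recipient scope, failure cause)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DELIVERY.search(line)
        if not m or m["status"] != "deferred":
            continue  # not a delivery record, or not stuck in the queue
        rcpt = m["rcpt"]
        domain = rcpt.rpartition("@")[2].lower()
        # A bare user name (no @) is a local recipient as well.
        scope = "local" if "@" not in rcpt or domain in local_domains else "remote"
        c = CONNECT.search(m["reason"])
        cause = f"{c[1]}:{c[2]} {c[3]}" if c else m["reason"]
        counts[(scope, cause)] += 1
    return counts


def local_share(counts):
    """Fraction of deferred mail addressed to the server's own domains."""
    total = sum(counts.values())
    local = sum(n for (scope, _), n in counts.items() if scope == "local")
    return local / total if total else 0.0


if __name__ == "__main__":
    summary = summarize_deferred(SAMPLE_LOG, {"server.example.com"})
    for (scope, cause), n in summary.most_common():
        print(f"{n:4d}  {scope:6s}  {cause}")
    print(f"local share: {local_share(summary):.0%}")
```

A queue dominated by local recipients that all fail on the same local connection matches what the answer describes: system mail to root waiting on a service that is not listening.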