10000+ messages in the root inbox??

bluemike
Posts: 202
Joined: Fri Oct 28, 2005 1:30 pm
Location: Everett,WA
Contact:

Postby bluemike » Wed Oct 25, 2006 4:21 pm

I was restarting a Scalix service for something unrelated to this, and the terminal window told me I had unread mail in my root inbox.

So I started Evolution and told it to look in the root mail folder. There were over 10k messages in there, dating only back to 10-17.

The vast majority of them are something like this:

Code:

   Mail Delivery Subsystem <MAILER-DAEMON@emailserver.bbpi-pdc.billsblue.com>
To:    postmaster@emailserver.bbpi-pdc.billsblue.com
Subject:    Postmaster notify: see transcript for details
Date:    Wed, 25 Oct 2006 13:01:37 -0700

The original message was received at Wed, 25 Oct 2006 13:01:31 -0700
from localhost
with id k9OMHvUE029009

   ----- The following addresses had permanent fatal errors -----
<gbytovnhwb@apartment213.com>
    (reason: 550 <gbytovnhwb@apartment213.com>: Recipient address rejected: User unknown in local recipient table)

   ----- Transcript of session follows -----
... while talking to smtp.us.messagingengine.com.:
>>> DATA
<<< 550 <gbytovnhwb@apartment213.com>: Recipient address rejected: User unknown in local recipient table
550 5.1.1 <gbytovnhwb@apartment213.com>... User unknown
<<< 554 Error: no valid recipients


So these are all just relating to failed spam messages. I do not have the catch-all address enabled. Why am I getting all these messages?

btisdall
Scalix Star
Posts: 373
Joined: Tue Nov 22, 2005 12:13 pm
Contact:

Postby btisdall » Wed Oct 25, 2006 4:55 pm

Can you post your /etc/aliases file?

Also, is your system configured to send DSNs in response to spam or viri?
Ben Tisdall
www.redcircleit.com
London

bluemike
Posts: 202
Joined: Fri Oct 28, 2005 1:30 pm
Location: Everett,WA
Contact:

Postby bluemike » Wed Oct 25, 2006 5:21 pm

Here is the /etc/aliases info:

Code:

#
#  Aliases in this file will NOT be expanded in the header from
#  Mail, but WILL be visible over networks or from /bin/mail.
#
#   >>>>>>>>>>   The program "newaliases" must be run after
#   >> NOTE >>   this file is updated for any changes to
#   >>>>>>>>>>   show through to sendmail.
#

# Basic system aliases -- these MUST be present.
mailer-daemon:   postmaster
postmaster:   root

# General redirections for pseudo accounts.
bin:      root
daemon:      root
adm:      root
lp:      root
sync:      root
shutdown:   root
halt:      root
mail:      root
news:      root
uucp:      root
operator:   root
games:      root
gopher:      root
ftp:      root
nobody:      root
radiusd:   root
nut:      root
dbus:      root
vcsa:      root
canna:      root
wnn:      root
rpm:      root
nscd:      root
pcap:      root
apache:      root
webalizer:   root
dovecot:   root
fax:      root
quagga:      root
radvd:      root
pvm:      root
amanda:      root
privoxy:   root
ident:      root
named:      root
xfs:      root
gdm:      root
mailnull:   root
postgres:   root
sshd:      root
smmsp:      root
postfix:   root
netdump:   root
ldap:      root
squid:      root
ntp:      root
mysql:      root
desktop:   root
rpcuser:   root
rpc:      root
nfsnobody:   root

ingres:      root
system:      root
toor:      root
manager:   root
dumper:      root
abuse:      root

newsadm:   news
newsadmin:   news
usenet:      news
ftpadm:      ftp
ftpadmin:   ftp
ftp-adm:   ftp
ftp-admin:   ftp
www:      webmaster
webmaster:   root
noc:      root
security:   root
hostmaster:   root
info:      postmaster
marketing:   postmaster
sales:      postmaster
support:   postmaster


# trap decode to catch security attacks
decode:      root

# Person who should get root's mail
#root:      marc


I don't know what the 'marc' at the end means. It's not a name (I hope).
I use a Barracuda Spam Firewall to filter all incoming email. It has the "Spam Bounce NDR" set to 'off' (is that the same as a DSN?).

btisdall
Scalix Star
Posts: 373
Joined: Tue Nov 22, 2005 12:13 pm
Contact:

Postby btisdall » Wed Oct 25, 2006 6:12 pm

bluemike wrote:Here is the /etc/aliases info:

Code:

# Person who should get root's mail
#root:      marc


I don't know what the 'marc' at the end means. It's not a name (I hope).


If uncommented, that line would mean that the UNIX user 'marc' on your system got whatever mail was for root. It's customary for a line like this to exist so the administrator doesn't have to log on as root to read root's mail.

Do you have a 'postmaster@yourdomain' set up on Scalix? If not, all the spam sent to that account (and there'll be plenty) will be handed off by the Scalix SMTP relay to sendmail, which will look up postmaster in the alias database, see it's aliased to root and deliver it to root's inbox. Ditto the other generic names aliased to root!

You need to sort out your alias database by aliasing the usernames you need to accounts that get checked regularly & deleting the ones you don't (NB: some usernames are "required" by RFCs). Postmaster you might be better off creating on Scalix directly so it doesn't get as far as sendmail.

Once you've done that rebuild your aliases.db by cd'ing to /etc/ (probably) & doing:

Code:

makemap hash aliases < aliases


You don't need to restart sendmail & now it will bounce mail for the non-existent users instead of forwarding it to system users.

I use a Barracuda Spam Firewall to filter all incoming email. It has the "Spam Bounce NDR" set to 'off' (is that the same as a DSN?).


I don't know that product (and yes, DSN=NDR). But I do get the impression that somewhere in your system something's responding to spam/viri. I would clear out your root inbox, make the changes to the aliases file and then monitor things for a while.
Ben Tisdall

www.redcircleit.com

London

bluemike
Posts: 202
Joined: Fri Oct 28, 2005 1:30 pm
Location: Everett,WA
Contact:

Postby bluemike » Wed Oct 25, 2006 6:20 pm

Thanks for the info. It's very educational!!

A few more questions though:
You need to sort out your alias database by aliasing the usernames you need to accounts that get checked regularly & deleting the ones you don't (NB: some usernames are "required" by RFCs).

We are a small company with only about 15 email addresses. Couldn't I just delete all of these?

Postmaster you might be better off creating on Scalix directly so it doesn't get as far as sendmail.

Wouldn't that just mean that all these messages would start collecting somewhere else? Is that better somehow? Is there a way to just block these altogether?

I have run several different open relay tests, both locally and online. Everything says I'm not an OR.

bluemike
Posts: 202
Joined: Fri Oct 28, 2005 1:30 pm
Location: Everett,WA
Contact:

Postby bluemike » Mon Oct 30, 2006 2:05 pm

bump

dkelly
Scalix
Posts: 593
Joined: Thu Mar 18, 2004 2:03 pm

Postby dkelly » Mon Oct 30, 2006 3:16 pm

Mike,

You seem to be experiencing a number of problems on the server that you are looking for a response on. Please be aware that we do not provide any SLAs on this forum. This is staffed on a semi-voluntary basis so bumping is not an effective method of getting a response out of us.

If this is an issue for you, I strongly recommend that you purchase some support incidents.

Cheers

Dave

bluemike
Posts: 202
Joined: Fri Oct 28, 2005 1:30 pm
Location: Everett,WA
Contact:

Postby bluemike » Mon Oct 30, 2006 3:18 pm

Please be aware that we do not provide any SLAs


What's an "SLA"?

I strongly recommend that you purchase some support incidents.


I use CE. Can one purchase support for CE?

so bumping is not an effective method


It seems to have worked :wink:
(seriously, I understand. Thanks for the feedback)

btisdall
Scalix Star
Posts: 373
Joined: Tue Nov 22, 2005 12:13 pm
Contact:

Postby btisdall » Mon Oct 30, 2006 4:56 pm

Damn and I was just about to offer to send you my rate card :)

I would comment these out:

Code:

newsadm:   news
newsadmin:   news
usenet:      news
ftpadm:      ftp
ftpadmin:   ftp
ftp-adm:   ftp
ftp-admin:   ftp
www:      webmaster
webmaster:   root
noc:      root
security:   root
hostmaster:   root
info:      postmaster
marketing:   postmaster
sales:      postmaster
support:   postmaster


You should make sure postmaster & abuse are valid addresses - if you don't your domain might end up being listed in RFC-ignorant (http://www.rfc-ignorant.org/) which would negatively affect the way your email is spam-scored by other sites. Alias them to a real account on Scalix, ditto root as otherwise you might miss important system messages. As far as these accounts being spammed you can afford to filter them more aggressively - perhaps you need to adjust your virus/spam gateway?
Ben Tisdall

www.redcircleit.com

London
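
An added example, not part of the original thread and not Scalix or sendmail code: a small audit of an aliases file that follows alias chains and lists every name whose mail ends up in root's mailbox, and checks that postmaster and abuse are still defined. The sample file is a constructed, abridged copy of the one posted above; continuation lines and `:include:` targets are not handled.

```python
# Constructed sample: an abridged copy of the /etc/aliases file posted in this thread.
SAMPLE_ALIASES = """\
# Basic system aliases -- these MUST be present.
mailer-daemon:   postmaster
postmaster:   root
abuse:      root
news:      root
newsadm:   news
www:      webmaster
webmaster:   root
info:      postmaster
sales:      postmaster
#root:      marc
"""

REQUIRED = ("postmaster", "abuse")  # names the thread says must remain valid

def parse_aliases(text):
    """Return {alias: [targets]} from 'name: target[, target]' lines."""
    aliases = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#") or ":" not in line:
            continue  # comment, blank or malformed line
        name, targets = line.split(":", 1)
        aliases[name.strip().lower()] = [
            t.strip().lower() for t in targets.split(",") if t.strip()
        ]
    return aliases

def resolve(name, aliases, seen=frozenset()):
    """Follow alias chains; a name without an alias entry is a final recipient."""
    if name in seen:  # alias loop, stop following it
        return set()
    if name not in aliases:
        return {name}
    final = set()
    for target in aliases[name]:
        final |= resolve(target, aliases, seen | {name})
    return final

def audit(text, mailbox="root"):
    """Return (aliases whose mail lands in `mailbox`, required names not defined)."""
    aliases = parse_aliases(text)
    lands = sorted(n for n in aliases if mailbox in resolve(n, aliases))
    missing = [r for r in REQUIRED if r not in aliases]
    return lands, missing
```

To run it against a live system, pass the file contents: `audit(open("/etc/aliases").read())`.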

dkelly
Scalix
Posts: 593
Joined: Thu Mar 18, 2004 2:03 pm

Postby dkelly » Mon Oct 30, 2006 5:02 pm

bluemike wrote:
Please be aware that we do not provide any SLAs


What's an "SLA"?

Service Level Agreement. It's a contractual time to first response.

bluemike wrote:
I strongly recommend that you purchase some support incidents.

I use CE. Can one purchase support for CE?


Absolutely you can. If you mail a message to support attt scalix dottt com, you'll get a form to fill in and fax back when you want to make your purchase.

Cheers

Dave

