[wplug] Mysterious Mail log entries

Brandon Kuczenski brandon at 301south.net
Mon Jul 18 12:13:37 EDT 2005


I was checking my maillog for an unrelated issue when I came across a 
couple of suspicious log entries (MTA = postfix):

First, an empty 'from' address that appears to be local in origin based 
on the message-id, but I would expect any legitimate mail from my machine 
to have a nonempty from address:

Jul 18 10:52:34 ocean postfix/cleanup[21695]: B67A010382: message-id=<20050718145234.B67A010382 at 301south.net>
Jul 18 10:52:34 ocean postfix/qmgr[295]: B67A010382: from=<>, size=4518, nrcpt=1 (queue active)
Jul 18 10:52:34 ocean postfix/qmgr[295]: 88DF6FDE1: removed
Jul 18 10:52:34 ocean postfix/smtp[21697]: connect to mx0.email.ro[193.226.99.16]: Connection refused (port 25)
Jul 18 10:52:35 ocean postfix/smtp[21697]: connect to mx1.email.ro[193.230.240.30]: Connection refused (port 25)
Jul 18 10:52:35 ocean postfix/smtp[21697]: B67A010382: to=<jackgwen at email.ro>, relay=none, delay=1, status=deferred (connect to mx1.email.ro[193.230.240.30]: Connection refused)
--

.. the message went on to be delivered later:

Jul 18 11:44:07 ocean postfix/smtp[21957]: B67A010382: to=<jackgwen at email.ro>, relay=mx0.email.ro[193.226.99.16], delay=3093, status=sent (250 2.0.0 j6IFnke19245 Message accepted for delivery)
Jul 18 11:44:07 ocean postfix/qmgr[295]: B67A010382: removed


And, while I was scrutinizing that, I came across this:

Jul 18 11:10:44 ocean postfix/smtp[21744]: warning: numeric domain name in resource data of MX record for roswellrevealed.com: 127.0.1.51
Jul 18 11:10:44 ocean postfix/smtp[21744]: connect to 127.0.1.51[127.0.1.51]: Can't assign requested address (port 25)
Jul 18 11:10:44 ocean postfix/smtp[21744]: 8D56B10676: to=<whelans at roswellrevealed.com>, relay=none, delay=1088, status=deferred (connect to 127.0.1.51[127.0.1.51]: Can't assign requested address)

Correct me if I'm wrong, but isn't 127/8 a strictly-internal network? So 
why would my MTA be trying to connect to 127.0.1.51?

--
Jul 18 11:44:04 ocean postfix/qmgr[295]: 8D56B10676: from=<>, size=5070, nrcpt=1 (queue active)
Jul 18 11:44:04 ocean postfix/qmgr[295]: D4B7710390: from=<>, size=8161, nrcpt=1 (queue active)
Jul 18 11:44:04 ocean postfix/qmgr[295]: 2FAEC10464: from=<>, size=3629, nrcpt=1 (queue active)
Jul 18 11:44:04 ocean postfix/qmgr[295]: B67A010382: from=<>, size=4518, nrcpt=1 (queue active)
--

Now I see that there are a whole bunch of "from=<>" lines in my log:

# grep -c "from=<>" maillog
536
#

Do I have a bad config?

-Brandon
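
The following is an added example, not part of the original post: it groups Postfix log lines by queue ID, keeps the messages whose envelope sender is empty (from=<>), and reports each recipient's last status plus any connection target inside 127.0.0.0/8. The sample lines are copied from the post; the function name triage and the assumption of short hexadecimal queue IDs are this example's own.

```python
import ipaddress
import re
from collections import defaultdict

# Sample lines copied from the post above (the archive's " at " obfuscation is kept).
SAMPLE = """\
Jul 18 10:52:34 ocean postfix/qmgr[295]: B67A010382: from=<>, size=4518, nrcpt=1 (queue active)
Jul 18 10:52:35 ocean postfix/smtp[21697]: B67A010382: to=<jackgwen at email.ro>, relay=none, delay=1, status=deferred (connect to mx1.email.ro[193.230.240.30]: Connection refused)
Jul 18 11:10:44 ocean postfix/smtp[21744]: connect to 127.0.1.51[127.0.1.51]: Can't assign requested address (port 25)
Jul 18 11:10:44 ocean postfix/smtp[21744]: 8D56B10676: to=<whelans at roswellrevealed.com>, relay=none, delay=1088, status=deferred (connect to 127.0.1.51[127.0.1.51]: Can't assign requested address)
Jul 18 11:44:04 ocean postfix/qmgr[295]: 8D56B10676: from=<>, size=5070, nrcpt=1 (queue active)
Jul 18 11:44:07 ocean postfix/smtp[21957]: B67A010382: to=<jackgwen at email.ro>, relay=mx0.email.ro[193.226.99.16], delay=3093, status=sent (250 2.0.0 j6IFnke19245 Message accepted for delivery)
"""

# Assumption: short queue IDs (uppercase hex), as in the log lines quoted in the post.
QUEUED = re.compile(r"postfix/\w+\[\d+\]: ([0-9A-F]+): (.*)")
FROM = re.compile(r"from=<([^>]*)>")
TO = re.compile(r"to=<([^>]*)>.*?status=(\w+)")
CONNECT = re.compile(r"connect to \S*\[([\d.]+)\]")

def triage(lines):
    """Return {queue_id: info} for messages whose envelope sender is empty."""
    msgs = defaultdict(lambda: {"sender": None, "rcpts": {}, "loopback": set()})
    for line in lines:
        m = QUEUED.search(line)
        if not m:
            continue  # lines without a queue ID (bare connect errors, warnings)
        qid, rest = m.groups()
        info = msgs[qid]
        if (f := FROM.search(rest)):
            info["sender"] = f.group(1)
        if (t := TO.search(rest)):
            info["rcpts"][t.group(1)] = t.group(2)  # later attempts overwrite earlier ones
        for ip in CONNECT.findall(rest):
            if ipaddress.ip_address(ip).is_loopback:  # anything in 127.0.0.0/8
                info["loopback"].add(ip)
    # Keep only messages queued with an empty envelope sender.
    return {q: i for q, i in msgs.items() if i["sender"] == ""}

if __name__ == "__main__":
    for qid, info in triage(SAMPLE.splitlines()).items():
        print(qid, info["rcpts"], "loopback target:", sorted(info["loopback"]) or "-")
```

To run it over a whole log, pass the open file object to triage() in place of SAMPLE.splitlines().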


