[wplug] Mysterious Mail log entries

Chris Romano romano.chris at gmail.com
Mon Jul 18 12:28:22 EDT 2005


On 7/18/05, Brandon Kuczenski <brandon at 301south.net> wrote:
> I was checking my maillog for an unrelated issue when I came across a
> couple of suspicious log entries (MTA = postfix):
> 
> First, an empty 'from' address that appears to be local in origin based
> on the message-id, but I would expect any legitimate mail from my machine
> to have a nonempty from address:
> 
> Jul 18 10:52:34 ocean postfix/cleanup[21695]: B67A010382: message-id=<20050718145234.B67A010382 at 301south.net>
> Jul 18 10:52:34 ocean postfix/qmgr[295]: B67A010382: from=<>, size=4518, nrcpt=1 (queue active)
> Jul 18 10:52:34 ocean postfix/qmgr[295]: 88DF6FDE1: removed
> Jul 18 10:52:34 ocean postfix/smtp[21697]: connect to mx0.email.ro[193.226.99.16]: Connection refused (port 25)
> Jul 18 10:52:35 ocean postfix/smtp[21697]: connect to mx1.email.ro[193.230.240.30]: Connection refused (port 25)
> Jul 18 10:52:35 ocean postfix/smtp[21697]: B67A010382: to=<jackgwen at email.ro>, relay=none, delay=1, status=deferred (connect to mx1.email.ro[193.230.240.30]: Connection refused)
> --
> 
> .. the message went on to be delivered later:
> 
> Jul 18 11:44:07 ocean postfix/smtp[21957]: B67A010382: to=<jackgwen at email.ro>, relay=mx0.email.ro[193.226.99.16], delay=3093, status=sent (250 2.0.0 j6IFnke19245 Message accepted for delivery)
> Jul 18 11:44:07 ocean postfix/qmgr[295]: B67A010382: removed
> 
> 
> And, while I was scrutinizing that, I came across this:
> 
> Jul 18 11:10:44 ocean postfix/smtp[21744]: warning: numeric domain name in resource data of MX record for roswellrevealed.com: 127.0.1.51
> Jul 18 11:10:44 ocean postfix/smtp[21744]: connect to 127.0.1.51[127.0.1.51]: Can't assign requested address (port 25)
> Jul 18 11:10:44 ocean postfix/smtp[21744]: 8D56B10676: to=<whelans at roswellrevealed.com>, relay=none, delay=1088, status=deferred (connect to 127.0.1.51[127.0.1.51]: Can't assign requested address)
> 
> Correct me if I'm wrong, but isn't 127/8 a strictly-internal network? So
> why would my MTA be trying to connect to 127.0.1.51 ?
> 
> --
> Jul 18 11:44:04 ocean postfix/qmgr[295]: 8D56B10676: from=<>, size=5070, nrcpt=1 (queue active)
> Jul 18 11:44:04 ocean postfix/qmgr[295]: D4B7710390: from=<>, size=8161, nrcpt=1 (queue active)
> Jul 18 11:44:04 ocean postfix/qmgr[295]: 2FAEC10464: from=<>, size=3629, nrcpt=1 (queue active)
> Jul 18 11:44:04 ocean postfix/qmgr[295]: B67A010382: from=<>, size=4518, nrcpt=1 (queue active)
> --
> 
> Now I see that there are a whole bunch of "from=<>" lines in my log:
> 
> # grep -c "from=<>" maillog
> 536
> #
> 
> Do I have a bad config?
> 

I am not familiar with postfix but I am going to guess that messages
with the "from=<>" are bounce messages that postfix is generating.  If
so, don't worry about them.  You will probably have a lot of those in
your log.

Here is an example from my qmail log.

...
@4000000042dbd77f1ce1073c info msg 1813: bytes 3743 from <> qp 18567 uid 1007
@4000000042dbd77f22f8d3d4 starting delivery 51668: msg 1807 to local log at mail.itsconnect.com
@4000000042dbd77f22f8fecc status: local 4/10 remote 0/50
@4000000042dbd77f22f91254 starting delivery 51669: msg 1813 to remote bio65plhzx at cortland.com
@4000000042dbd77f22f92dac status: local 4/10 remote 1/50
...

So qmail is sending a bounce to bio65plhzx at cortland.com.  Most likely
that is spam going to a nonexistent user and qmail is sending the
typical "this user doesn't have a mailbox" message.  The other line in
there is our email log.  The SEC makes us log ALL incoming and
outgoing email messages.

Hope this helps,

Chris
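
An added example, not part of the original thread: a small Python script that joins Postfix log lines by queue ID, counts null-sender (`from=<>`) mail per recipient domain, and flags deliveries whose MX target was a loopback address, as in the 127.0.1.51 entry quoted above. The sample log lines are constructed, and the function names `correlate` and `null_sender_report` are hypothetical.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample lines in the Postfix syslog format quoted above (not real data).
SAMPLE_LOG = """\
Jul 18 10:52:34 host postfix/qmgr[295]: AAAA000001: from=<>, size=4518, nrcpt=1 (queue active)
Jul 18 10:52:35 host postfix/smtp[2169]: AAAA000001: to=<nobody@example.net>, relay=none, delay=1, status=deferred (connect to mx.example.net[192.0.2.16]: Connection refused)
Jul 18 11:44:07 host postfix/smtp[2195]: AAAA000001: to=<nobody@example.net>, relay=mx.example.net[192.0.2.16], delay=3093, status=sent (250 2.0.0 accepted)
Jul 18 11:10:44 host postfix/smtp[2174]: BBBB000002: to=<user@example.org>, relay=none, delay=1088, status=deferred (connect to 127.0.1.51[127.0.1.51]: Can't assign requested address)
Jul 18 11:44:04 host postfix/qmgr[295]: BBBB000002: from=<>, size=5070, nrcpt=1 (queue active)
Jul 18 11:45:00 host postfix/qmgr[295]: CCCC000003: from=<alice@example.com>, size=900, nrcpt=1 (queue active)
"""

LINE = re.compile(r"postfix/\w+\[\d+\]: ([0-9A-F]+): (.*)")
SENDER = re.compile(r"from=<([^>]*)>")
RCPT = re.compile(r"to=<([^>]*)>.*\bstatus=(\w+)")
PEER = re.compile(r"connect to \S+\[([0-9a-fA-F.:]+)\]")

def correlate(log_text):
    """Group log lines by queue ID so sender and delivery lines can be joined."""
    msgs = defaultdict(lambda: {"sender": None, "rcpts": set(), "status": None, "loopback": False})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        msg, rest = msgs[m.group(1)], m.group(2)
        if (s := SENDER.match(rest)):
            msg["sender"] = s.group(1)
        if (r := RCPT.match(rest)):
            msg["rcpts"].add(r.group(1))
            msg["status"] = r.group(2)  # the last delivery status seen wins
        if (p := PEER.search(rest)) and ipaddress.ip_address(p.group(1)).is_loopback:
            msg["loopback"] = True  # MX record resolved into 127/8 or ::1
    return dict(msgs)

def null_sender_report(log_text):
    """Return (null-sender mail count per recipient domain, queue IDs sent toward loopback)."""
    domains, loopback_ids = Counter(), []
    for qid, msg in sorted(correlate(log_text).items()):
        if msg["sender"] != "":
            continue  # keep only from=<> messages (bounces and other notifications)
        for rcpt in msg["rcpts"]:
            domains[rcpt.rpartition("@")[2].lower()] += 1
        if msg["loopback"]:
            loopback_ids.append(qid)
    return domains, loopback_ids

if __name__ == "__main__":
    print(null_sender_report(SAMPLE_LOG))
```

A per-domain count that keeps growing for domains you never correspond with is the usual sign that the server is bouncing spam with forged senders after accepting it.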


