Scott Race wrote:

Haven't been able to figure out exactly what's up - but I do know if I set an iptables rule to block all inbound port 25 traffic, issues go away - so...

So, assuming you are also blocking port 25 connects from the local host via the loopback interface, you are blocking Mailman's connects to Postfix, thus preventing Mailman from connecting to Postfix and the resultant sending from Postfix of whatever Mailman is sending.

Take a look at Mailman's queues, particularly virgin, out and retry to see what's there. Use Mailman's bin/dumpdb to see an individual entry's message and metadata or bin/show_quefiles to see one or more entries' messages.

[...]

At this point I can't tell if I have a Postfix problem or Mailman problem. Any ideas? Thanks!!

I suspect the actual network traffic is coming from Postfix sending the stuff that Mailman is delivering to it. The question is what is Mailman doing. Check the queues as above and also Mailman's smtp and perhaps other logs.

-- Mark Sapiro mark@msapiro.net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

On 11/24/2010 11:16 AM, Scott Race wrote:

Thanks for the reply.

So it sounds like my iptables rule:

iptables -A INPUT -p tcp --dport 25 -j REJECT

also blocks outbound mail too. Is there a preferred way to secure mailman SMTP traffic with iptables? In our case, we would just need an inbound filter that only accepts mail from a few hosts, I thought this would do it, but mailman wouldn't send mail with rules like this:

# accept mail from two hosts, drop the rest iptables -A INPUT -p tcp -s 192.168.1.245 --dport 25 -j ACCEPT iptables -A INPUT -p tcp -s 192.168.1.246 --dport 25 -j ACCEPT iptables -A INPUT -p tcp --dport 25 -j REJECT

I can't really answer that without knowing much more detail about your Mailman/Barracuda/Postfix configuration, but by default, Mailman delivers output (all list posts and other messages FROM Mailman) via SMTP to the MTA listening on localhost port 25 (127.0.0.1:25). If you reject packets with addressed to port 25, Mailman won't be able to deliver anything. Every message in the out/ queue will result in a connection refused upon attempted delivery and will be logged in Mailman's smtp-failure log and put in the retry/ queue to be retried at intervals of DELIVERY_RETRY_WAIT (default 1 hour) for a total time of DELIVERY_RETRY_PERIOD (default 5 days).

Accepting port 25 connects from 192.168.1.245 and 192.168.1.246 probably won't help at all with Mailman's outgoing delivery as those connects come from localhost (127.0.0.1).

As far as delivery of Mail to Mailman is concerned, this mail is queued by Postfix in Mailman's queues so it gets to the Barracuda appliance somehow which then delivers it to Postfix on some port other than 25 and Postfix either pipes it to Mailman's mail wrapper based on aliases or perhaps via some script like postfix_to_mailman.py depending on how Postfix is configured, and Mailman's Mail wrapper queues the message for Mailman.

If you want to secure all SMTP traffic, I suggest you set up a separate SMTP listener in Postfix on some unused port and tell Mailman to deliver to that port by setting SMTPPORT in mm_cfg.py. Then you can block port 25 with iptables or just configure Postfix to not listen on port 25 at all.

-- Mark Sapiro mark@msapiro.net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

Was scrolling through the maillog just now, nothing out of the ordinary other than list traffic that I can tell.

So no, all inbound mail comes to the Barracuda, gets cleaned and sent to the Mailman server. Each day about 600 inbound junk mails get blocked and around 50 legit emails. It is hosting just lists only, no other inbound or outbound mail. Outbound does get sent directly out the Postfix and is not sent through any smart host.

Good question on the verifying recipients - not quite sure the exact answer - I think the mailman server is processing bounces because I'll see bounced emails in the log to "johnsmith@lists.mydomain.com does not exist". So invalid recipients do seem to hit the Mailman server. Maybe filtering recipients at the Barrcuda could help?

On the note of the traffic - today everything is fine. Not sure why for 5 days it was consuming the pipe, but have not found any indication of an open relay or malicious intent. We did throttle back the simulaneous connections, maybe that will help a bit.

My Postfix maillog shows a ton of these:

(lost connection with spool.santarosa.org[216.222.240.7] while sending end of data -- message may be sent more than once)

and

(conversation with mail.laguna-hills.ca.us[68.203.215.26] timed out while sending end of data -- message may be sent more than once)

11,968 matches of (lost connection) and 9202 matches of (conversation with) in a log file covering 4 days (Nov 21 01:18 - Nov 24 9:07).

One thing that did change was the internal DNS servers on the network, I almost have to assume it has to do with that.....

-----Original Message----- From: Andrew Hodgson [mailto:andrew@hodgsonfamily.org] Sent: Wednesday, November 24, 2010 10:34 AM To: Scott Race; mailman-users@python.org Subject: RE: [Mailman-Users] Mailman server consuming entire Internet pipe (dual T1)

Scott Race wrote:

[...]

I've done some basic testing for open relays, so far I have not found anything indicating it's an open relay. Packet sniffing shows connections >from a number of IP addresses to the Mailman server. Outside test shows the hostname is not an open relay, and I can't telnet on port 25 with >standard HELO command. All internal mail comes to a Barrucuda spam filter unit.

/usr/local/mailman/logs/post shows 19 posts today to the various lists.

The Postfix logs would be of more benefit I think here, as well as the mail queue.

You say you route mails through a Barracuda host, do you allow traffic directly into this machine on port 25 externally? Is this machine hosting lists only, and if so, how is the Barracuda/Postfix server verifying recipients as early as possible (in case the domain is receiving large amounts of bounced mail and is rejecting with a full NDR and not a bounce at SMTP stage? Does outbound mail get delivered direct from Postfix or are you smarthosting to the Barracuda?

Thanks. Andrew.

Scott Race wrote:

In going through some security procedures yesterday, we decided to change our list passwords on all our lists.

The new password works, as does the old one still. Restarting mailmanctl process does not fix.

If the list shared the old password with the site password, then using the old password (i.e, the site password) will get you past most password prompts in Mailman.

http://wiki.list.org/pages/viewpage.action?pageId=4030543

Andrew.