# mail server errors

## carpman

Hello, I am finding the following errors repeated in the logs a lot, any ideas what it is about?

```
Sep  5 15:57:12 mailserv postfix/smtpd[11567]: connect from mailserv.domain.co.uk[127.0.0.1]
Sep  5 15:57:12 mailserv postfix/smtpd[11567]: warning: Illegal address syntax from mailserv.domain.co.uk[127.0.0.1] in MAIL command: <ubpamsden@zf??Ja???h]?+o*7??????????Z???->
Sep  5 15:57:12 mailserv postfix/smtpd[11567]: disconnect from mailserv.domain.co.uk[127.0.0.1]
Sep  5 15:57:16 mailserv postfix/smtpd[11567]: connect from mailserv.domain.co.uk[127.0.0.1]
Sep  5 15:57:16 mailserv postfix/smtpd[11567]: warning: Illegal address syntax from mailserv.domain.co.uk[127.0.0.1] in MAIL command: <djmag@.>
```

I am thinking that it is someone sending email with an incorrect address, but there is nothing in the postfix queue and I am not sure how to track down where the error is coming from!

any ideas?

many thanks

----------

## erik258

I have never seen this type of error from postfix, but...

```
Sep  5 15:57:16 mailserv postfix/smtpd[11567]: warning: Illegal address syntax from mailserv.domain.co.uk[127.0.0.1] in MAIL command: <djmag@.> 
```

I think the problem is that you are improperly specifying the recipient.  djmag@. is not a valid address.  If you meant to auto-fill the domain, you may have to reconfigure postfix a little.

----------

## bunder

could also be possible your mail server is trying to relay spam...  probably not, but certainly possible.

----------

## erik258

 *Quote:*   

> could also be possible your mail server is trying to relay spam... probably not, but certainly possible.

 

yes, this is possible.  postfix by default will only send email 

 - from anywhere to specified mail domains

 - from specified mail domains to anywhere

and certainly not

 - from anywhere to anywhere through this host (called 'open relay').  

furthermore I am hoping that you have a firewall up if you are offering public services like an email server (even if it is only for your mail).  A firewall is an important way to make sure 127.0.0.1 is only accessible from the local host.  

but 127.0.0.1 is a reserved address, and there is no reason traffic to this address should ever even be routed to you through the internet.  from http://tools.ietf.org/html/rfc3330 :

 *RFC3330 wrote:*   

> 127.0.0.0/8 - This block is assigned for use as the Internet host loopback address.  A datagram sent by a higher level protocol to an address anywhere within this block should loop back inside the host.
> ...

 

therefore it's unlikely that this constitutes a security concern, although that's a pretty good thing to be concerned about anyway ; )

----------

## carpman

Hi and thanks for the replies. This is an office mail server that collects (fetchmail) from the main MX server, processes for spam/virus and distributes to local office users and remote users via IMAP.

Server is behind a firewall.

Mail server is set up only to allow authenticated users via SSL.

Just wondering if a user's machine is infected and trying to send out spam? They should all be using thunderbird but I have no control over remote users.

Any ideas how I track down where this is coming from? Logs don't give any useful info.

cheers

----------

## bunder

 *erik258 wrote:*   

> but 127.0.0.1 is a reserved address, and there is no reason traffic to this address should ever even be routed to you through the internet.

 

my postfix sends stuff to loopback for amavisd(clamav)+spamassassin filtering, then back into postfix.  the logs could also be reporting a similar type of processing.

----------

## erik258

 *Quote:*   

> my postfix sends stuff to loopback for amavisd(clamav)+spamassassin filtering, then back into postfix. the logs could also be reporting a similar type of processing.

 

yeah, no doubt, but it doesn't originally receive the messages from external hosts on the loopback interface.  that is, this message doesn't tell you enough information to know that.

on my postfix server, there are 2 log files, one for errors and one for status info.  If the message has gotten through to localhost, it must have successfully been received by the mail server already.  check /var/log/mail.log rather than mail.err (I don't think I customized these things) for entries from the same time.

----------

## carpman

Hi and thanks for the replies. The /var/logs/mail.log is full of errors occurring continually. I filter the log for djmag and get the following repeated:

```
Sep  5 18:55:27 mailserv postfix/smtpd[13870]: warning: Illegal address syntax from mailserv.domain.co.uk[127.0.0.1] in MAIL command: <djmag@.>
Sep  5 18:55:32 mailserv postfix/smtpd[13870]: warning: Illegal address syntax from mailserv.domain.co.uk[127.0.0.1] in MAIL command: <djmag@.>
Sep  5 18:58:03 mailserv postfix/smtpd[13893]: warning: Illegal address syntax from mailserv.domain.co.uk[127.0.0.1] in MAIL command: <djmag@.>
Sep  5 18:58:07 mailserv postfix/smtpd[13893]: warning: Illegal address syntax from mailserv.domain.co.uk[127.0.0.1] in MAIL command: <djmag@.>
Sep  5 19:00:44 mailserv postfix/smtpd[13937]: warning: Illegal address syntax from mailserv.domain.co.uk[127.0.0.1] in MAIL command: <djmag@.>
Sep  5 19:00:48 mailserv postfix/smtpd[13937]: warning: Illegal address syntax from mailserv.domain.co.uk[127.0.0.1] in MAIL command: <djmag@.>
Sep  5 19:03:20 mailserv postfix/smtpd[13940]: warning: Illegal address syntax from mailserv.domain.co.uk[127.0.0.1] in MAIL command: <djmag@.>
Sep  5 19:03:24 mailserv postfix/smtpd[13940]: warning: Illegal address syntax from mailserv.domain.co.uk[127.0.0.1] in MAIL command: <djmag@.>
Sep  5 19:05:56 mailserv postfix/smtpd[13943]: warning: Illegal address syntax from mailserv.domain.co.uk[127.0.0.1] in MAIL command: <djmag@.>
Sep  5 19:06:01 mailserv postfix/smtpd[13943]: warning: Illegal address syntax from mailserv.domain.co.uk[127.0.0.1] in MAIL command: <djmag@.>
```

cheers

----------

## erik258

can you show us the complete context of any one of those messages please?

----------

## carpman

 *erik258 wrote:*   

> can you show us the complete context of any one of those messages please?

 

not sure what you mean?

this is all there is in the logs?

If you mean without the filter, these are lines from the logs, not filtered. These are the latest, I have just changed the domain name.

```
Sep  5 20:27:24 mailserv postfix/smtpd[14527]: initializing the server-side TLS engine
Sep  5 20:27:24 mailserv postfix/smtpd[14527]: connect from mailserv.domain.co.uk[127.0.0.1]
Sep  5 20:27:24 mailserv postfix/smtpd[14527]: warning: Illegal address syntax from mailserv.domain.co.uk[127.0.0.1] in MAIL command: <ubpamsden@zf??Ja???h]?+o*7??????????Z???->
Sep  5 20:27:24 mailserv postfix/smtpd[14527]: disconnect from mailserv.domain.co.uk[127.0.0.1]
Sep  5 20:27:28 mailserv postfix/smtpd[14527]: connect from mailserv.domain.co.uk[127.0.0.1]
Sep  5 20:27:28 mailserv postfix/smtpd[14527]: warning: Illegal address syntax from mailserv.domain.co.uk[127.0.0.1] in MAIL command: <djmag@.>
Sep  5 20:27:28 mailserv postfix/smtpd[14527]: disconnect from mailserv.domain.co.uk[127.0.0.1]
Sep  5 20:27:31 mailserv postfix/smtpd[14527]: connect from mailserv.domain.co.uk[127.0.0.1]
Sep  5 20:27:31 mailserv postfix/smtpd[14527]: warning: Illegal address syntax from mailserv.domain.co.uk[127.0.0.1] in MAIL command: <djmag@.>
Sep  5 20:27:31 mailserv postfix/smtpd[14527]: disconnect from mailserv.domain.co.uk[127.0.0.1]
Sep  5 20:29:51 mailserv postfix/smtpd[14532]: initializing the server-side TLS engine
Sep  5 20:29:51 mailserv postfix/smtpd[14532]: connect from mailserv.domain.co.uk[127.0.0.1]
Sep  5 20:29:51 mailserv postfix/smtpd[14532]: warning: Illegal address syntax from mailserv.domain.co.uk[127.0.0.1] in MAIL command: <ubpamsden@zf??Ja???h]?+o*7??????????Z???->
Sep  5 20:29:51 mailserv postfix/smtpd[14532]: disconnect from mailserv.domain.co.uk[127.0.0.1]
Sep  5 20:29:54 mailserv postfix/smtpd[14532]: connect from mailserv.domain.co.uk[127.0.0.1]
Sep  5 20:29:54 mailserv postfix/smtpd[14532]: warning: Illegal address syntax from mailserv.domain.co.uk[127.0.0.1] in MAIL command: <djmag@.>
Sep  5 20:29:54 mailserv postfix/smtpd[14532]: disconnect from mailserv.domain.co.uk[127.0.0.1]
Sep  5 20:29:57 mailserv postfix/smtpd[14532]: connect from mailserv.domain.co.uk[127.0.0.1]
Sep  5 20:29:57 mailserv postfix/smtpd[14532]: warning: Illegal address syntax from mailserv.domain.co.uk[127.0.0.1] in MAIL command: <djmag@.>
Sep  5 20:29:57 mailserv postfix/smtpd[14532]: disconnect from mailserv.domain.co.uk[127.0.0.1]
```

----------
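One way to triage the warnings posted above, as an added example that is not code from any poster in this thread: group the rejected MAIL/RCPT commands by client and address, then measure the spacing between bursts. The function names, the assumed `year` (syslog lines carry none) and the 60-second `burst_gap` are choices made for this example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address
# Sample input: lines copied from the logs posted in this thread.
SAMPLE_LOG = """\
Sep  5 18:55:27 mailserv postfix/smtpd[13870]: warning: Illegal address syntax from mailserv.domain.co.uk[127.0.0.1] in MAIL command: <djmag@.>
Sep  5 18:55:32 mailserv postfix/smtpd[13870]: warning: Illegal address syntax from mailserv.domain.co.uk[127.0.0.1] in MAIL command: <djmag@.>
Sep  5 18:58:03 mailserv postfix/smtpd[13893]: warning: Illegal address syntax from mailserv.domain.co.uk[127.0.0.1] in MAIL command: <djmag@.>
Sep  5 18:58:07 mailserv postfix/smtpd[13893]: warning: Illegal address syntax from mailserv.domain.co.uk[127.0.0.1] in MAIL command: <djmag@.>
Sep  5 19:00:44 mailserv postfix/smtpd[13937]: warning: Illegal address syntax from mailserv.domain.co.uk[127.0.0.1] in MAIL command: <djmag@.>
Sep  5 20:27:24 mailserv postfix/smtpd[14527]: warning: Illegal address syntax from mailserv.domain.co.uk[127.0.0.1] in MAIL command: <ubpamsden@zf??Ja???h]?+o*7??????????Z???->
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: warning: "
    r"Illegal address syntax from \S+\[(?P<ip>[^\]]+)\] "
    r"in (?P<cmd>MAIL|RCPT) command: <(?P<addr>.*)>\s*$")

def parse(log_text, year=2000):
    """Return (timestamp, client_ip, command, address) per rejected command."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # connect/disconnect and other lines are skipped
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["cmd"], m["addr"]))
    return events

def summarize(events, burst_gap=60):
    """Per (client_ip, address): warning count, bursts, median burst spacing."""
    groups = defaultdict(list)
    for ts, ip, _cmd, addr in events:
        groups[(ip, addr)].append(ts)
    report = {}
    for (ip, addr), stamps in groups.items():
        stamps.sort()
        # A warning more than burst_gap seconds after the previous one starts a new burst.
        starts = [stamps[0]] + [b for a, b in zip(stamps, stamps[1:])
                                if (b - a).total_seconds() > burst_gap]
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        report[(ip, addr)] = {
            "count": len(stamps), "bursts": len(starts),
            "median_interval_s": statistics.median(gaps) if gaps else None,
            "local_client": ip_address(ip).is_loopback}
    return report

if __name__ == "__main__":
    print(summarize(parse(SAMPLE_LOG)))
```

A loopback client combined with a steady interval between bursts is what a timer-driven process on the mail server itself would produce, so the next things to compare against are the poll intervals of local jobs that submit mail over SMTP.

----------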

## bunder

i'd be willing to bet your server is being spammed by some jackass who is making the server think you're sending them... most likely by dns and faked helo's.

cheers

----------

## erik258

perhaps you can increase the verbosity of postfix temporarily?

edit:

or experiment with bouncing or dropping invalid emails from the outside?

----------

## carpman

Hello, ok will bump logging level to 3 and see what it looks like in the morning.

----------

## carpman

Ok, set postfix logging to 4 and am not getting any more detailed info on errors, so tried to find the string in user dir:

```
find /home -type f -print0 | xargs -r0 grep -F 'djmag@.'
grep: /home/dean/.maildir/courierimapkeywords/.3963589.1189076382.8176_0.mailserv: No such file or directory
find: `/home/s.williams/.maildir/spamassassin.lock': No such file or directory
grep: /home/lee.s/.maildir/.Trash/courierimapkeywords/.3963591.1189077286.M532358P8505V000000000000080AI00021485_2.mailserv,S=7451: No such file or directory
```

These files don't exist?

----------

## erik258

I can never find emails either.  I have, but it seems as if .maildir is never easy to search.

from http://www.postfix.org/DEBUG_README.html

 *Quote:*   

> Verbose logging for specific SMTP connections
> 
> In /etc/postfix/main.cf, list the remote site name or address in the debug_peer_list parameter. For example, in order to make the software log a lot of information to the syslog daemon for connections from or to the loopback interface:
> 
> ...

 

have you set your debug peer list to include the connection from whoever's injecting those messages into your system, intentionally or not?

I think I would use this:

 *Quote:*   

> What trouble to report to the postmaster
> 
> You should set up a postmaster alias that points to a human person. This alias is required to exist, so that people can report mail delivery problems.
> 
> The Postfix system itself also reports problems to the postmaster alias. You may not be interested in all types of trouble reports, so this reporting mechanism is configurable. The default is to report only serious problems (resource, software) to postmaster:
> ...

 

----------

