SMTP (Postfix) taking too much memory and always 35/45 instances running

August 31, 2016
Nginx PHP Ubuntu

Hello,
Suddenly, since yesterday, SMTP (Postfix) started eating too much memory (like 100 MB), and I always find 34/45 instances running. Now I don't understand: is my server sending outgoing spam? Also, my mail.log file became 1 GB large.

I tried sudo tail /var/log/mail.log and found the following:

Aug 31 18:53:35 mydomain postfix/qmgr[1400]: 9B6B46D76C: removed
Aug 31 18:53:35 mydomain postfix/local[9135]: 11AEC63CA3: to=<jenny_harrison@mydomain.com>, relay=local, delay=0.01, delays=0.01/0/0/0, dsn=5.1.1, status=bounced (unknown user: "jenny_harrison")
Aug 31 18:53:35 mydomain postfix/qmgr[1400]: 11AEC63CA3: removed
Aug 31 18:53:35 mydomain postfix/smtp[11526]: 5CCAC6C39E: to=<odorter@gmail.com>, relay=alt1.gmail-smtp-in.l.google.com[74.125.200.27]:25, delay=75963, delays=75930/0/32/1.3, dsn=4.2.2, status=deferred (host alt1.gmail-smtp-in.l.google.com[74.125.200.27] said: 452-4.2.2 The email account that you tried to reach is over quota. Please direct 452-4.2.2 the recipient to 452 4.2.2 https://support.google.com/mail/answer/6558 g64si874062otb.161 - gsmtp (in reply to RCPT TO command))
Aug 31 18:53:36 mydomain postfix/smtp[11827]: connect to mail.virginbroadband.com.au[123.200.191.12]:25: Connection timed out
Aug 31 18:53:36 mydomain postfix/smtp[11827]: 3811C660A5: to=<wombat.burrow@virginbroadband.com.au>, relay=none, delay=336438, delays=336405/0.01/33/0, dsn=4.4.1, status=deferred (connect to mail.virginbroadband.com.au[123.200.191.12]:25: Connection timed out)
Aug 31 18:53:36 mydomain postfix/smtp[11736]: connect to mail.virginbroadband.com.au[123.200.191.12]:25: Connection timed out
Aug 31 18:53:36 mydomain postfix/smtp[11736]: E13D26C553: to=<tony007@virginbroadband.com.au>, relay=none, delay=71843, delays=71810/0.01/33/0, dsn=4.4.1, status=deferred (connect to mail.virginbroadband.com.au[123.200.191.12]:25: Connection timed out)
Aug 31 18:53:39 mydomain postfix/smtp[11731]: 0EC556AA5D: to=<stumpj@verizon.net>, relay=relay.verizon.net[206.46.232.11]:25, delay=143372, delays=143333/0.01/34/4.5, dsn=2.5.0, status=sent (250 2.5.0 Ok.)
Aug 31 18:53:39 mydomain postfix/qmgr[1400]: 0EC556AA5D: removed
1 comment
  • I think my Droplet has been compromised and is sending out spam via Postfix. Can anybody help me with how I can stop it from sending outgoing emails?

1 Answer

If your Droplet is compromised, it is recommended to block outgoing mail ports using a firewall (ufw, iptables) like so:

ufw deny out 25
ufw deny out 587

# or

iptables -A OUTPUT -p tcp --dport 25 -j REJECT
iptables -A OUTPUT -p tcp --dport 587 -j REJECT

Then, back up all of your data, create a new Droplet, and move your programs and files to it. Make sure you only transfer files that you know you created, and install any software that you had from scratch. This will hopefully result in a new Droplet free of any compromised files. Make sure you secure the new Droplet, see:

by Justin Ellingwood
When setting up infrastructure, getting your applications up and running will often be your primary concern. However, making your applications function correctly without addressing the security needs of your infrastructure could have devastating consequences down the...
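A triage sketch for a mail.log like the one in the question, added here as an example and not part of the original thread: it counts delivery outcomes, the recipient domains of outbound mail, and how each outbound message entered Postfix (local submission by a uid, or an SMTP client or SASL login). The function name `triage` and the sample lines are constructed; the `pickup` and `smtpd` line formats are standard Postfix logging that the excerpt above does not show.

```python
import re
from collections import Counter

# Constructed sample lines in the Postfix syslog format seen in the question
# (hostnames, queue IDs and addresses are made up for this example).
SAMPLE_LOG = """\
Aug 31 18:50:01 host postfix/pickup[901]: A1B2C3D4E5: uid=33 from=<www-data>
Aug 31 18:50:01 host postfix/qmgr[1400]: A1B2C3D4E5: from=<www-data@host.example>, size=2101, nrcpt=1 (queue active)
Aug 31 18:50:03 host postfix/smtp[1501]: A1B2C3D4E5: to=<a@mail.example>, relay=mx.mail.example[192.0.2.10]:25, delay=2.1, delays=0.1/0/1/1, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Aug 31 18:50:04 host postfix/pickup[901]: B1B2C3D4E5: uid=33 from=<www-data>
Aug 31 18:50:09 host postfix/smtp[1502]: B1B2C3D4E5: to=<b@isp.example>, relay=none, delay=71843, delays=71810/0.01/33/0, dsn=4.4.1, status=deferred (connect to mx.isp.example[192.0.2.20]:25: Connection timed out)
Aug 31 18:50:10 host postfix/smtpd[1600]: C1B2C3D4E5: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=info
Aug 31 18:50:12 host postfix/smtp[1503]: C1B2C3D4E5: to=<c@isp.example>, relay=none, delay=5, delays=1/0/4/0, dsn=4.4.1, status=deferred (connect to mx.isp.example[192.0.2.20]:25: Connection timed out)
Aug 31 18:50:13 host postfix/local[1504]: D1B2C3D4E5: to=<nobody@host.example>, relay=local, delay=0.01, delays=0.01/0/0/0, dsn=5.1.1, status=bounced (unknown user: "nobody")
"""

PICKUP = re.compile(r"postfix/pickup\[\d+\]: (\w+): uid=(\d+)")
SMTPD = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=([^,\s]+)(?:.*sasl_username=(\S+))?")
DELIVERY = re.compile(r"postfix/(\w+)\[\d+\]: (\w+): to=<([^>]*)>, .*?delay=([\d.]+), .*?status=(\w+)")

def triage(text):
    """Summarise delivery status, outbound recipient domains and message origin."""
    origin = {}  # queue ID -> how the message entered Postfix
    by_status, by_origin, by_domain = Counter(), Counter(), Counter()
    oldest = 0.0
    for line in text.splitlines():
        if m := PICKUP.search(line):
            # Local submission (sendmail binary); uid 33 is www-data on Ubuntu.
            origin[m[1]] = f"local uid={m[2]}"
        elif m := SMTPD.search(line):
            origin[m[1]] = f"smtpd sasl={m[3]}" if m[3] else f"smtpd client={m[2]}"
        elif m := DELIVERY.search(line):
            agent, qid, rcpt, delay, status = m[1], m[2], m[3], float(m[4]), m[5]
            by_status[status] += 1
            if agent == "smtp":  # outbound deliveries only
                by_origin[origin.get(qid, "unknown (entry not in this log)")] += 1
                by_domain[rcpt.rpartition("@")[2].lower()] += 1
                oldest = max(oldest, delay)
    return {"status": by_status, "origin": by_origin,
            "domains": by_domain, "oldest_delay_s": oldest}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

To run it on a real log, pass the file contents to `triage()`. Outbound mail dominated by one local uid points at a script run by that account, while a single SASL username points at a stolen mailbox password.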