MailCleaner Support

You have been blacklisted and you want to know why.

The first thing to check is for an unusual amount of activity from a specific sender. The easiest way to search the logs is using Management->Tracing and all relayed messages will appear with that as the Arrival Status.

However, this has a couple of limitations. First of all, it does not provide an very brief count, so it could require going through several pages before you find the unusual behaviour. Second, it is only searchable for domains that you have actually configured. If you allow relaying from other domains with Configuration->SMTP->Connection Control->"Allow relaying from unknown domains", then messages from these other domains will be unsearchable in the web.

Attached to this article is a script called relay_summary.pl which can be used to get simple counts for relayed messages. This script is likely to be included in MailCleaner in the near future. Until then, you can copy it to your appliance, then make it executable with:

chmod +x /path/to/relay_summary.pl

Then run the script:

/path/to/relay_summary.pl

The script requires a module for opening Gzip files (older log files). So you will be instructed to install this if it is not currently. Running the script without options will provide counts for each unique outbound sender. You can use the --help option to get more options for additional output or filtering.

If you do not want to use this script you can use the old advice at the bottom of this article. One reason to do this is that the script can only ever show a number of days from today and provides a sum of all transactions in that time. The old advice lets you search through specific daily log files.

You should make sure the behaviour you see is all as expected wanted. If it is not, please change the password for the concerned user : his account was probably compromised and is used to relay spams.

If the relaying is allowed by IP, you can temporarily block the sender, if necessary from :

Configuration -> SMTP -> Connection Control->Reject these senders addresses

If the relaying is authenticated, you can temporarily block the sender with:

Configuration -> SMTP -> Connection Control->Reject these authenticated users

In either case, it is likely that the user's credentials will need to be reset from the authentication server if the account is compromised.

If the source wasnt here, please check how you configured :

Configuration->SMTP->Connection control -> Allow external relaying for these hosts and Allow relaying from unknown domains

Also verify if all domains using:

Configuration->Domains-> -> Outgoing relay -> Allow users to use SMTP authentication

all require to be relayed via MailCleaner. Usually a domain will be relayed by its own mail server (the one usually used as destination server for the domain).

Old log search advice:

To search all messages from one of your internal domains which has been relayed, you can use:

grep -P "<= [^\ ]*@($(cat /var/mailcleaner/spool/tmp/mailcleaner/domains.list | cut -d: -f1 | tr '\n' '|' | sed 's/|$//')) " /var/mailcleaner/log/exim_stage1/mainlog | cut -d ' ' -f 5 | sort | uniq -c

Similar to the commandline in in the article above, this requires zgrep for the older gzipped files or the following for all of the gzipped files.

zgrep -P "<= [^\ ]*@($(cat /var/mailcleaner/spool/tmp/mailcleaner/domains.list | cut -d: -f1 | tr '\n' '|' | sed 's/|$//')) " /var/mailcleaner/log/exim_stage1/mainlog.*.gz | cut -d ' ' -f 5 | sort | uniq -c