#1
02-07-2011, 04:02 AM
Junior Member
Posts: 8
[SOLVED] 6.0.8 adds strange e-mail addresses in mta

Hello

1. Sorry for my bad English;
2. I hope this is the right place for this problem;
3. The problem:

A couple of hours ago I noticed that when I try to send e-mail from a user (actually only one is problematic) there is no send record. When this user tries to send e-mail to himself, no e-mail is received. When this user sends e-mail to another Zimbra user, the e-mail is received from another user, but in the header the sender is different from the real one.
Moreover, if another sender tries to send e-mail to the problematic one, the sender receives an answer that the message can't be sent to ... a strange address (usually live.com or msn.com etc.).

So I looked at zimbra.log and saw that when this user sends mail, postfix tries to send e-mail to a couple of users which are not in the address book of the user or anywhere in Zimbra.

This is the piece of zimbra log:

Quote:

Feb 7 13:13:26 mail postfix/smtpd[19706]: connect from mail.mydomain.com[192.168.3.32]
Feb 7 13:13:26 mail postfix/smtpd[19706]: E7B3D2AE1E3: client=mail.mydomain.com[192.168.3.32]
Feb 7 13:13:26 mail postfix/cleanup[19709]: E7B3D2AE1E3: message-id=<266619366.16249.1297077206886.JavaMail.root@mail>
Feb 7 13:13:26 mail postfix/qmgr[11829]: E7B3D2AE1E3: from=<user1@mydomain.com>, size=683, nrcpt=2 (queue active)
Feb 7 13:13:26 mail postfix/smtpd[19706]: disconnect from mail.mydomain.com[192.168.3.32]
Feb 7 13:13:26 mail amavis[22298]: (22298-07) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20110207T105537-22298: <user1@mydomain.com> -> <giffy22@live.com>,<user1@mydomain.com> SIZE=683 Received: from mail.mydomain.com ([127.0.0.1]) by localhost (mail.mydomain.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP; Mon, 7 Feb 2011 13:13:26 +0200 (EET)
Feb 7 13:13:27 mail amavis[22298]: (22298-07) Checking: 6xBC2cYio31i MYNETS [192.168.3.32] <user1@mydomain.com> -> <giffy22@live.com>,<user1@mydomain.com>
Feb 7 13:13:27 mail clamd[10356]: SelfCheck: Database status OK.
Feb 7 13:13:27 mail postfix/smtpd[19713]: connect from localhost[127.0.0.1]
Feb 7 13:13:27 mail postfix/smtpd[19713]: 20CF42AE1F8: client=localhost[127.0.0.1]
Feb 7 13:13:27 mail postfix/cleanup[19709]: 20CF42AE1F8: message-id=<266619366.16249.1297077206886.JavaMail.root@mail>
Feb 7 13:13:27 mail postfix/smtpd[19713]: disconnect from localhost[127.0.0.1]
Feb 7 13:13:27 mail postfix/qmgr[11829]: 20CF42AE1F8: from=<user1@mydomain.com>, size=1091, nrcpt=1 (queue active)
Feb 7 13:13:27 mail amavis[22298]: (22298-07) FWD via SMTP: <user1@mydomain.com> -> <giffy22@live.com>,BODY=7BIT 250 2.0.0 Ok, id=22298-07, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 20CF42AE1F8
Feb 7 13:13:27 mail postfix/smtpd[19713]: connect from localhost[127.0.0.1]
Feb 7 13:13:27 mail postfix/smtpd[19713]: 246502AE1FA: client=localhost[127.0.0.1]
Feb 7 13:13:27 mail postfix/cleanup[19709]: 246502AE1FA: message-id=<266619366.16249.1297077206886.JavaMail.root@mail>
Feb 7 13:13:27 mail postfix/smtpd[19713]: disconnect from localhost[127.0.0.1]
Feb 7 13:13:27 mail postfix/qmgr[11829]: 246502AE1FA: from=<user1@mydomain.com>, size=1312, nrcpt=1 (queue active)
Feb 7 13:13:27 mail amavis[22298]: (22298-07) FWD via SMTP: <user1@mydomain.com> -> <user1@mydomain.com>,BODY=7BIT 250 2.0.0 Ok, id=22298-07, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 246502AE1FA
Feb 7 13:13:27 mail amavis[22298]: (22298-07) Passed CLEAN, MYNETS LOCAL [192.168.3.32] [192.168.3.32] <user1@mydomain.com> -> <giffy22@live.com>,<user1@mydomain.com>, Message-ID: <266619366.16249.1297077206886.JavaMail.root@mail> , mail_id: 6xBC2cYio31i, Hits: -2.9, size: 683, queued_as: 20CF42AE1F8/246502AE1FA, 186 ms
Feb 7 13:13:27 mail postfix/smtp[19710]: E7B3D2AE1E3: to=<giffy22@live.com>, orig_to=<user1@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.21, delays=0.02/0/0/0.19, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=22298-07, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 20CF42AE1F8)
Feb 7 13:13:27 mail postfix/smtp[19710]: E7B3D2AE1E3: to=<user1@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.21, delays=0.02/0/0/0.19, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=22298-07, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 20CF42AE1F8)
Feb 7 13:13:27 mail postfix/qmgr[11829]: E7B3D2AE1E3: removed
Feb 7 13:13:27 mail postfix/lmtp[19715]: 246502AE1FA: to=<user1@mydomain.com>, relay=mail.mydomain.com[192.168.3.32]:7025, delay=0.06, delays=0/0/0/0.05, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
Feb 7 13:13:27 mail postfix/qmgr[11829]: 246502AE1FA: removed
Feb 7 13:13:28 mail postfix/smtp[19714]: 20CF42AE1F8: to=<giffy22@live.com>, relay=mx1.hotmail.com[65.55.92.136]:25, delay=1.7, delays=0.01/0/1.5/0.22, dsn=5.0.0, status=bounced (host mx1.hotmail.com[65.55.92.136] said: 550 Requested action not taken: mailbox unavailable (in reply to RCPT TO command))
Feb 7 13:13:29 mail postfix/cleanup[19709]: 0A1192AE1FA: message-id=<20110207111329.0A1192AE1FA@mail.mydomain.com>
Feb 7 13:13:29 mail postfix/bounce[19717]: 20CF42AE1F8: sender non-delivery notification: 0A1192AE1FA
Feb 7 13:13:29 mail postfix/qmgr[11829]: 0A1192AE1FA: from=<>, size=3104, nrcpt=2 (queue active)
Feb 7 13:13:29 mail postfix/qmgr[11829]: 20CF42AE1F8: removed
Feb 7 13:13:29 mail postfix/lmtp[19715]: 0A1192AE1FA: to=<user1@mydomain.com>, relay=mail.mydomain.com[192.168.3.32]:7025, delay=0.07, delays=0.01/0/0/0.05, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
Feb 7 13:13:29 mail postfix/smtp[19714]: 0A1192AE1FA: to=<giffy22@live.com>, orig_to=<user1@mydomain.com>, relay=mx3.hotmail.com[65.55.92.152]:25, delay=0.73, delays=0.01/0/0.49/0.22, dsn=5.0.0, status=bounced (host mx3.hotmail.com[65.55.92.152] said: 550 Requested action not taken: mailbox unavailable (in reply to RCPT TO command))

I can't understand why:
Quote:
Feb 7 13:13:27 mail amavis[22298]: (22298-07) Passed CLEAN, MYNETS LOCAL [192.168.3.32] [192.168.3.32] <user1@mydomain.com> -> <giffy22@live.com>,<user1@mydomain.com>, Message-ID: <266619366.16249.1297077206886.JavaMail.root@mail> , mail_id: 6xBC2cYio31i, Hits: -2.9, size: 683, queued_as: 20CF42AE1F8/246502AE1FA, 186 ms
In this case the only thing I can do is to disable this zimbra account?

Can anyone give me some ideas?

10x in advance!

P.S. - at the moment I see this situation with more than 100 additional recipients added automatically too.
#2
02-07-2011, 09:03 AM
Junior Member
Posts: 8
Update

After a few hours of mystery I found that there is a forward rule in the problematic user's Zimbra account.
I can't imagine how this rule is stored in the account???

Does anybody have a suggestion?
#3
02-07-2011, 09:20 AM
Junior Member
Posts: 8
VERY STRANGE BUT SOLVED (for now)

The second thing I found was that somehow all primary account settings were changed.

Perhaps this user has a compromised password (changed now).

So let's say the case is closed (maybe)....
#4
02-07-2011, 09:26 AM
Zimbra Consultant & Moderator
Posts: 20,315

Quote:
Originally Posted by plamenflo View Post
After a few hours of mystery I found that there is a forward rule in the problematic user's Zimbra account.
I can't imagine how this rule is stored in the account???
That is symptomatic of a hacked account (have a search through the forums for details). I'd also suggest you upgrade to the most recent version of Zimbra: ZCS 6.0.9 and 5.0.25 Generally Available and OpenSSL Advisory
__________________
Regards


Bill
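
The pattern in the log from post #1, where a delivery line carries an external `to=` together with a local `orig_to=`, can be searched for across the whole MTA log to find every account whose mail is being redirected off the server. The following is an added example, not part of the thread or of Zimbra's own tooling; the function name `external_rewrites`, the local domain set and the two constructed log lines are assumptions.

```python
import re
from collections import defaultdict

# Sample input: delivery lines shortened from the zimbra.log excerpt in post #1,
# plus two constructed lines (queue IDs A1B2C3D4E5F and B2C3D4E5F6A).
SAMPLE_LOG = """\
Feb 7 13:13:27 mail postfix/smtp[19710]: E7B3D2AE1E3: to=<giffy22@live.com>, orig_to=<user1@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, dsn=2.0.0, status=sent
Feb 7 13:13:27 mail postfix/smtp[19710]: E7B3D2AE1E3: to=<user1@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, dsn=2.0.0, status=sent
Feb 7 13:13:29 mail postfix/smtp[19714]: 0A1192AE1FA: to=<giffy22@live.com>, orig_to=<user1@mydomain.com>, relay=mx3.hotmail.com[65.55.92.152]:25, dsn=5.0.0, status=bounced
Feb 7 13:14:02 mail postfix/lmtp[19722]: A1B2C3D4E5F: to=<user2@mydomain.com>, orig_to=<sales@mydomain.com>, relay=mail.mydomain.com[192.168.3.32]:7025, dsn=2.1.5, status=sent
Feb 7 13:14:05 mail postfix/smtp[19723]: B2C3D4E5F6A: to=<constructed@example.net>, orig_to=<user1@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, dsn=2.0.0, status=sent
"""

# Postfix adds orig_to= only when the recipient address was rewritten
# (alias or forward), so these lines are the ones worth inspecting.
REWRITTEN = re.compile(
    r"postfix/\w+\[\d+\]: [0-9A-Za-z]+: to=<([^>]*)>, orig_to=<([^>]*)>"
)


def domain(addr):
    """Return the lower-cased domain part of an address."""
    return addr.rpartition("@")[2].lower()


def external_rewrites(log_text, local_domains):
    """Map each local orig_to address to the external addresses its mail went to."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = REWRITTEN.search(line)
        if not m:
            continue  # no orig_to= on this line: recipient was not rewritten
        to, orig = m.group(1).lower(), m.group(2).lower()
        # Internal aliases (local -> local) are normal; local -> external is the signal.
        if domain(orig) in local_domains and domain(to) not in local_domains:
            hits[orig].add(to)
    return dict(hits)


if __name__ == "__main__":
    for account, targets in external_rewrites(SAMPLE_LOG, {"mydomain.com"}).items():
        print(account, "->", ", ".join(sorted(targets)))
```

An account that appears here with external targets nobody configured is a candidate for the forwarding-rule and password review described in posts #2 and #3.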
#5
02-07-2011, 01:28 PM
Junior Member
Posts: 8
sure

Quote:
Originally Posted by phoenix View Post
That is symptomatic of a hacked account (have a search through the forums for details). I'd also suggest you upgrade to the most recent version of Zimbra: ZCS 6.0.9 and 5.0.25 Generally Available and OpenSSL Advisory

Is it better to upgrade to 6.0.10 or wait for 7.0?
#6
02-07-2011, 10:08 PM
Zimbra Consultant & Moderator
Posts: 20,315

Quote:
Originally Posted by plamenflo View Post
Is it better to upgrade to 6.0.10 or wait for 7.0?
Zimbra 7 has been released, it was announced yesterday: Zimbra 7 Is Generally Available

You may, however, want to wait a short while as there's a nasty bug. It doesn't affect everyone but keep your eyes on these:

http://www.zimbra.com/forums/install...ual-hosts.html
https://bugzilla.zimbra.com/show_bug.cgi?id=55541
__________________
Regards


Bill