Many email messages are sent from PHP scripts on a Plesk server. How to find domains on which these scripts are running if Postfix is used?

Comments

  • Witawat Piyarattanavong

    I do not see data in mail.send.

  • Ivan Postnikov

    Hello @Witawat,

    In case the provided steps were done correctly, the cause of such behavior is that there were no messages sent by a script.

  • Bjorn Joosen

    Followed steps 1-4, sent multiple mails through phpmailer, mail.send stays empty.
    Need a solution to monitor ALL outgoing mail.

    Plesk 17.8.11 Update #38
    Postfix 2.10.1

  • Anton Maslov

    @Bjorn, the method from this article works when mail is sent through the mail() function, which uses the /usr/bin/sendmail binary (on Plesk it is a link to Postfix). phpmailer has its own SMTP server implementation in PHP code; it does not use the mail server installed on the OS, thus it is not possible to track such messages.

    The only way is to use iptables to block all mail that does not go through Postfix (see the additional information section).

  • Bjorn Joosen

    @Anton, Thanks for your quick reply, I opened a forum post: https://talk.plesk.com/threads/microsoft-mail-servers-keep-blacklisting-server-ip.351225/

  • Justin Lnch

    I set this up but when I do a test from Joomla on Centos to use Sendmail as the mailer nothing shows in the log and I receive the email.

    My sendmail points here
    /usr/sbin/sendmail -> /etc/alternatives/mta

    But I do see this
    /usr/sbin/sendmail.postfix -> /usr/sbin/sendmail.postfix-wrapper
    /usr/sbin/sendmail.postfix-bin -> /usr/lib64/plesk-9.0/sendmail/sendmail.postfix

    I get this when checking alternatives
    # alternatives --display mta |grep sendmail
    link currently points to /usr/lib64/plesk-9.0/postfix-sendmail-wrapper
    /usr/sbin/sendmail.postfix - priority 30
    slave mta-sendmail: /usr/lib/sendmail.postfix
    slave mta-sendmailman: /usr/share/man/man1/sendmail.postfix.1.gz
    /usr/lib64/plesk-9.0/postfix-sendmail-wrapper - priority 90
    slave mta-sendmail: /usr/lib64/plesk-9.0/postfix-sendmail-wrapper
    slave mta-sendmailman: /usr/share/man/man1/sendmail.postfix.1.gz
    Current `best' version is /usr/lib64/plesk-9.0/postfix-sendmail-wrapper.

    Any ideas?

  • Anton Maslov

    Justin, if the message goes using the Plesk server, you should see entries in /var/log/maillog. I suggest doing this:

    1. Monitor log in real time:

    tail -fn0 /var/log/maillog

    2. Send a message; you should see entries in maillog for any possible errors in the attempt to save to /var/tmp/mail.send

  • Fouad Ahmed Fouad

    I think there should be an easier way to fix this! Is there no script or command to find out directly which mailbox sent many outgoing mails?

  • Mikhail Shport

    Hello Fouad Ahmed Fouad,

    Such scripts usually do not use the domain straightforwardly. Once a malicious script gets onto a server, it might send messages based on its own logic, besides the location. So it is necessary to perform the described operations to catch the events properly.

  • Emmanuel Delgado

    Hello everyone.

    I manage a server with Plesk 18.0.44 Update 3 on
    Ubuntu 20.04.4 LTS
    Intel(R) Xeon(R) E-2356G CPU @ 3.20GHz (12 core(s)) and 32 GB RAM

    There are 33 domains and 300 email accounts registered on the server.

    I have made the solution to check the SPAM because our IP is blocked at least once a week and this is the result:

    ---------------------
    root@server2:~# zgrep -h 'sasl_method' /var/log/maillog* | cut -d' ' -f9 | cut -d= -f2 | sort | uniq -c | sort -nr
        3798 DIGEST-MD5,
         740 CRAM-MD5,
         233 PLAIN,
          51 login,

    root@server2:~# zgrep -c 'sasl_method=LOGIN' /var/log/maillog*
    /var/log/maillog:0
    /var/log/maillog.processed:0
    /var/log/maillog.processed.1.gz:0
    /var/log/maillog.processed.2.gz:0
    /var/log/maillog.processed.3.gz:0
    --------------------------

    I was wondering if this is normal?

     

    Best Regards

    Emmanuel D

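Added example, not part of any comment above and not Plesk's own tooling: a shell function that tallies authenticated submissions per SASL method or per SASL username from Postfix smtpd log lines. It matches the key=value token instead of a fixed field position and folds method names to upper case. The function names and the sample log lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Tally Postfix smtpd SASL logins by method or by authenticated username.
# Matching the key=value token (instead of a fixed column) keeps the count
# correct when the syslog date is padded ("Mar  3") and when the method is
# logged in different letter case ("login" vs "LOGIN").

# Constructed sample lines in the usual Postfix smtpd format (not real data).
sample_log() {
cat <<'EOF'
Mar  3 10:00:01 server2 postfix/smtpd[1201]: connect from unknown[192.0.2.10]
Mar  3 10:00:02 server2 postfix/smtpd[1201]: 4A1B2C3D4E: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.com
Mar  3 10:00:05 server2 postfix/smtpd[1201]: 4A1B2C3D4F: client=unknown[192.0.2.10], sasl_method=login, sasl_username=alice@example.com
Mar 12 11:30:00 server2 postfix/smtpd[1350]: 5B2C3D4E5F: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=alice@example.com
Mar 12 11:31:10 server2 postfix/smtpd[1351]: 5B2C3D4E60: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@example.org
Mar 12 11:32:20 server2 postfix/smtpd[1351]: 5B2C3D4E61: client=unknown[198.51.100.7], sasl_method=CRAM-MD5, sasl_username=bob@example.org
EOF
}

# sasl_counts KEY
#   KEY is sasl_method or sasl_username. Reads log lines on stdin and prints
#   "COUNT VALUE" lines, highest count first.
sasl_counts() {
  awk -v key="$1" '
    /sasl_method=/ {
      for (i = 1; i <= NF; i++) {
        if (index($i, key "=") == 1) {        # token starts with KEY=
          v = substr($i, length(key) + 2)     # text after the "="
          sub(/,$/, "", v)                    # drop the trailing comma
          if (key == "sasl_method") v = toupper(v)
          n[v]++
        }
      }
    }
    END { for (v in n) print n[v], v }
  ' | sort -k1,1nr -k2,2
}

# On a server, read current and rotated logs (plain or gzipped):
#   zcat -f /var/log/maillog* | sasl_counts sasl_username
#   zcat -f /var/log/maillog* | sasl_counts sasl_method
```

The per-username tally covers only mail submitted over authenticated SMTP; mail handed to the sendmail binary by a script carries no `sasl_username` and does not appear in it.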
