CSF warning email localrelay Local account - mail

rwzdoorn

Verified User
Joined
Jun 2, 2015
Messages
18
Hi,

Not sure if this is the correct section of the forum, but I'm seeing strange activity with our CSF / emails. We are receiving hourly this kind of warnings as a service email

Time: Thu Mar 4 09:51:06 2021 +0100
Type: LOCALRELAY, Local Account - mail
Count: 101 emails relayed
Blocked: No

Sample of the first 10 emails:

2021-03-04 09:01:02 1lHius-0002Nd-4A <= <> R=1lHiur-0002NI-Sw U=mail P=local S=2558 T="Mail delivery failed: returning message to sender" from <> for [email protected]
...

What does this means? Is something sending us e-mails, or is our vps sending mails? The email adres mentioned above is not a self created email adres and we can't access it. I already checked the Email Queue but it's empty.

Does anyone know what's happening?

Thanks in advance!
 
There should be more in log files why rejected and so on.

"Newer" VPS from hoster or basic image there.
Or even a migration backup and restore?

Sometimes i have such experience or your's or other hasn't changed settings to their own (hostname ,mailsettings and so on).

That is with example: vps123.hoster.com their was then the DA image builded, but then after that same image and basic settings also used for vps124.hoster.com. Or even wen cuh vps123. is again used somewhere or testbox.


Only pointing out our own experience in the past here.

But there must be more in log files , why reject and sender ip / names and so on.

Can't help further but for support here you need more info.

Version used, OS used and some basic settings you have.

If it are you own csf mails, look at settngs for those and in manual howto and docs.
Also limits for mailusers then.
 
Problem probably solved,

A cronjob was doing tasks every hour which caused some 'spamming' on the server. I checked crontab and removed the crontasks for now. I checked EXIM logfiles (vi /var/log/exim/mainlog) and saw the script and mail delivery failed error.
 
Removed crontasks? That seems not the correct solution to me.
What does this means? Is something sending us e-mails, or is our vps sending mails?
To me this looks your server is sending you mails. The [email protected] is the default root email address for the system.

Suggessted good solution:
1.) Put the crontasks back in place as they were
2.) Go to /etc/aliases and at the bottom create a forwarder for root like:
root: [email protected]
Then just to be sure and get it working, give the following commands
Code:
newaliases
service exim restart

If new emails will be generated they will be send to your email address now.

I think it's CSF sending you mail. If you do not want that, you can disable that in csf.conf but I would at least first have a look at them.
 
Back
Top