Postfix sending a lot of real spams

I have a Virtualmin installation with 2+ years that’s continuously updated, hundreds of mailboxes, large volume of sending mails (and an excellent reputation with this server particularly).

But today Postfix starts to send a lot of spam and I can’t find the cause. I stopped Postfix temporarily, but I would like to know if there are instructions somewhere to help me find out the cause.

The spams are being sent with a different domain, with an external client IP in header. Can I configure Postfix to not send emails with different domains in “from:” or using non-existent accounts?

Thanks in advance!

Howdy,

It sounds like you have an example of one of these spam messages handy… is there any chance you could post the headers for that message here? That should contain the info we’d need to determine what’s generating those emails.

-Eric

Sure! Here it is:

Received: from gyn-PC (unknown [186.218.179.148]) by mail.******.com (Postfix) with ESMTPSA id 4DA81225A8; Tue, 16 Sep 2014 23:41:15 -0300 (BRT)
From: "res…" <terraproduto@online.com.br>
Subject: esta ai
To: "res…" <terraproduto@online.com.br>
Content-Type: multipart/alternative; boundary="----=_NextPart_6D7_6777_67470707.7636F6D0"
MIME-Version: 1.0
Reply-To: accounts@passport.com
Date: Tue, 16 Sep 2014 23:40:16 -0300
Message-Id: <20140916234016EC7F08CABB$D21D2C0D0D@GYNPC>
Status: N

Andrey, this IP 186.218.179.148 is not my server’s IP, and this email address terraproduto[at]online.com.br is not in a domain configured in our Virtualmin.

I searched across the Postfix configurations, but I can’t find where it is possible to allow only specific domains or to block non-existent accounts.
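The Received header posted above already answers the "how did it get in" question if it is read carefully: "with ESMTPSA" is the RFC 3848 keyword Postfix writes when the client passed SASL authentication over TLS, so the message was not relayed by an open relay but submitted with a valid mailbox login from an outside IP. The following script is an added example (not from this thread or from Virtualmin) that parses Postfix-style Received headers, marks whether the submission was authenticated, and checks the client IP against the mynetworks value shown later in the thread. The first sample header is the one from the post with the masked host replaced by mail.example.com; the other two headers, the host names and queue ids in them are constructed for contrast.

```python
import ipaddress
import re

# Constructed samples: the first is the header from the thread (host masked as
# mail.example.com); the other two are made up here to show the contrast.
SAMPLE_HEADERS = [
    "Received: from gyn-PC (unknown [186.218.179.148]) by mail.example.com "
    "(Postfix) with ESMTPSA id 4DA81225A8; Tue, 16 Sep 2014 23:41:15 -0300 (BRT)",
    "Received: from localhost (localhost [127.0.0.1]) by mail.example.com "
    "(Postfix) with ESMTP id 0123456789; Tue, 16 Sep 2014 10:00:00 -0300 (BRT)",
    "Received: from mx.other.example (mx.other.example [203.0.113.7]) by "
    "mail.example.com (Postfix) with ESMTPS id ABCDEF0123; "
    "Tue, 16 Sep 2014 11:00:00 -0300 (BRT)",
]

# mynetworks exactly as it appears in the postconf -n output in this thread.
MYNETWORKS = ["127.0.0.0/8", "[::ffff:127.0.0.0]/104", "[::1]/128"]

RECEIVED_RE = re.compile(
    r"^Received: from (?P<helo>\S+) \((?P<rdns>[^\s\[]+) \[(?P<ip>[^\]]+)\]\) "
    r"by (?P<by>\S+) \(Postfix\) with (?P<proto>[A-Z]+) id (?P<qid>\S+);"
)


def postfix_networks(entries):
    """Turn Postfix mynetworks entries (IPv6 ones are written in brackets) into
    ipaddress network objects."""
    nets = []
    for entry in entries:
        nets.append(ipaddress.ip_network(entry.replace("[", "").replace("]", ""),
                                         strict=False))
    return nets


def parse_received(header, networks=MYNETWORKS):
    """Parse one Postfix Received header; return None if it is not one."""
    header = " ".join(header.split())          # unfold continuation lines
    m = RECEIVED_RE.match(header)
    if not m:
        return None
    d = m.groupdict()
    # RFC 3848: the trailing "A" means the client authenticated with SASL,
    # the "S" means the session was TLS protected.
    d["authenticated"] = d["proto"] in ("ESMTPA", "ESMTPSA")
    d["tls"] = d["proto"] in ("ESMTPS", "ESMTPSA")
    ip = ipaddress.ip_address(d["ip"])
    d["in_mynetworks"] = any(ip in net for net in postfix_networks(networks))
    return d


def classify(header, networks=MYNETWORKS):
    """Map a Received header to a short verdict for triage."""
    d = parse_received(header, networks)
    if d is None:
        return "unparsed"
    if d["authenticated"] and not d["in_mynetworks"]:
        # A mailbox password was used from outside: a leaked or guessed
        # credential, not an open relay.
        return "authenticated-submission-from-outside"
    if d["authenticated"]:
        return "authenticated-submission-local"
    if d["in_mynetworks"]:
        return "trusted-network"
    return "inbound-unauthenticated"


def triage(headers, networks=MYNETWORKS):
    """Queue id -> (client IP, verdict) for a batch of Received headers."""
    result = {}
    for h in headers:
        d = parse_received(h, networks)
        if d is not None:
            result[d["qid"]] = (d["ip"], classify(h, networks))
    return result


if __name__ == "__main__":
    for qid, (ip, verdict) in triage(SAMPLE_HEADERS).items():
        print(f"{qid}  {ip:<16} {verdict}")
```

On the header from the thread the verdict is "authenticated-submission-from-outside", which is why neither the From domain nor the client IP is the root cause: some account on the server has a password the spammer knows. The queue id (4DA81225A8 here) is the key to find the matching `sasl_username=` entry in the Postfix mail log and reset that mailbox's password; blocking the IP alone leaves the credential usable from the next address.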

Howdy,

Hmm, that is an unusual one. Users shouldn’t be able to relay email through your server unless they authenticate.

Now, you could always block that one IP… you could do that with a firewall, or by running:

route add -host 186.218.179.148 reject

However, I’d be curious what the output of “postconf -n” is.

-Eric

Sure! Here is the postconf result!

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
allow_percent_hack = no
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
header_size_limit = 1024000
home_mailbox = Maildir/
inet_interfaces = all
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
message_size_limit = 102400000
milter_default_action = accept
milter_protocol = 2
mydestination = mail.[mydomain].com, localhost.[mydomain].com, , localhost
myhostname = mail.[mydomain].com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
non_smtpd_milters = inet:localhost:8891
readme_directory = no
recipient_delimiter = +
sender_bcc_maps = hash:/etc/postfix/bcc
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_milters = inet:localhost:8891
smtpd_recipient_restrictions = permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = hash:/etc/postfix/virtual
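The postconf -n output above is a standard relay policy: `smtpd_recipient_restrictions = permit_sasl_authenticated reject_unauth_destination` lets anyone who authenticates send to any destination with any envelope sender, and nothing binds the SASL login to the addresses it may use. The question asked earlier in the thread ("can Postfix refuse mail whose From is a domain we do not host, or a non-existent account?") maps to two real Postfix parameters, `smtpd_sender_login_maps` (which envelope senders each login may use) and the `reject_authenticated_sender_login_mismatch` restriction that enforces it. The script below is an added example (not Virtualmin's code and not from this thread) that parses postconf -n output into a dictionary and reports which of those controls are missing; the configuration text is a subset copied from the post, and the suggested map path /etc/postfix/sender_login_maps is an assumed name.

```python
import re

# Constructed subset of the postconf -n output posted in the thread
# ([mydomain] is the poster's own placeholder).
POSTCONF_N = """\
mydestination = mail.[mydomain].com, localhost.[mydomain].com, , localhost
myhostname = mail.[mydomain].com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
smtpd_recipient_restrictions = permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_use_tls = yes
virtual_alias_maps = hash:/etc/postfix/virtual
"""

# Restrictions that tie the authenticated login to the envelope sender.
LOGIN_MISMATCH_CHECKS = {
    "reject_sender_login_mismatch",
    "reject_authenticated_sender_login_mismatch",
}


def parse_postconf(text):
    """postconf -n prints one 'parameter = value' per line; values may be empty."""
    conf = {}
    for line in text.splitlines():
        if " = " not in line and not line.endswith(" ="):
            continue
        key, _, value = line.partition(" =")
        conf[key.strip()] = value.strip()
    return conf


def restriction_list(value):
    """Postfix restriction lists are separated by whitespace and/or commas."""
    return [tok for tok in re.split(r"[,\s]+", value) if tok]


def audit_submission_policy(conf):
    """Return (finding id, explanation, suggested setting) tuples."""
    findings = []
    rcpt = restriction_list(conf.get("smtpd_recipient_restrictions", ""))
    sender = restriction_list(conf.get("smtpd_sender_restrictions", ""))
    present = set(rcpt) | set(sender)

    if "permit_sasl_authenticated" in rcpt:
        findings.append((
            "permit_sasl_authenticated_relays",
            "any client holding a valid mailbox password relays to any destination;"
            " one leaked password is enough (the ESMTPSA header in the thread is"
            " exactly this case)",
            None,
        ))
    if "smtpd_sender_login_maps" not in conf:
        findings.append((
            "no_sender_login_maps",
            "no table says which envelope senders each SASL login may use",
            # assumed map path; contents: sender-address  owning-login
            "smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps",
        ))
    if not LOGIN_MISMATCH_CHECKS & present:
        findings.append((
            "no_sender_login_binding",
            "an authenticated user may put any domain in MAIL FROM; nothing"
            " rejects a login/sender mismatch",
            "smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch",
        ))
    return findings


if __name__ == "__main__":
    conf = parse_postconf(POSTCONF_N)
    for fid, why, fix in audit_submission_policy(conf):
        print(f"[{fid}] {why}")
        if fix:
            print(f"    suggested: {fix}")
```

Two caveats for applying the suggested settings. `reject_authenticated_sender_login_mismatch` must be evaluated before `permit_sasl_authenticated` if both sit in the same restriction list, otherwise the permit wins first; placing it in `smtpd_sender_restrictions`, which Postfix evaluates before the recipient restrictions, avoids that ordering trap. And the binding only stops a compromised login from spoofing other domains; it does not stop it from sending spam under its own address, so the leaked password still has to be found from the `sasl_username=` entries in the mail log and reset.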