something wrong with postfix server

My client suddenly reported that he could not send and receive email.

Then I checked that the postfix process was running,
and I tried telnet localhost 25 for a full smtp test and got the same problem as in this comment I found so far
http://www.virtualmin.com/node/21459#comment-96935

and I tried to stop and start the postfix daemon and it got stuck at Starting postfix.
Then I tried to reboot the server, and postfix could not start.
I listed the daemon processes with ps -ef

It showed something strange

root 2821 1539 0 21:38 ? 00:00:00 /bin/sh /etc/rc3.d/S80postfix start
root 2831 2821 0 21:38 ? 00:00:00 /bin/sh /usr/libexec/postfix/postfix-script start
root 2838 2831 0 21:38 ? 00:00:00 /bin/sh /usr/libexec/postfix/postfix-script check-fatal
postfix 2864 2838 0 21:38 ? 00:00:01 /usr/sbin/postsuper

and I found an error in maillog

host2 postfix/postfix-script[25293]: fatal: Postfix integrity check failed!

Howdy,

What distro/version are you using?

Also, are you using a VPS, or dedicated server? If a VPS, what type of VPS?

And if you look in your email logs, either /var/log/maillog or /var/log/mail.log when starting up and connecting to Postfix, do you see any errors?

-Eric

centos 5.5
dedicated server

I just read this comment
https://www.virtualmin.com/node/19621#comment-88500

and I did execute this command postfix set-permissions

It seems this process takes quite a bit of time to finish.

I ps -ef the postfix process

there are quite a lot of these processes
postfix 429 4106 0 05:06 ? 00:00:00 error -n retry -t unix -u
postfix 1165 4106 0 05:16 ? 00:00:00 bounce -z -n defer -t unix -u

The postfix set-permissions has finished.

Postfix could start,
but when I tested smtp locally in ssh, I sent a message to myself but still did not receive it

[root@host]# telnet localhost 25
Trying MYIP...
Connected to host.
Escape character is '^]'.
220 host ESMTP Postfix
HELO host
250 host
MAIL FROM:test@mydomain.com
250 2.1.0 Ok
RCPT TO:test@mydomain.com
250 2.1.5 Ok
data
354 End data with .
Subject: test
asdadasd.
.
250 2.0.0 Ok: queued as 1CA36160ADE
quit
221 2.0.0 Bye
Connection closed by foreign host.

I searched for a post on Google
http://www.howtoforge.com/forums/archive/index.php/t-43821.html

The guy described exactly the issue I'm suffering from.

I checked that my smtp server is not an open relay

I checked whether the smtp server ip is blacklisted using the site mentioned in the post
http://mxtoolbox.com/blacklists.aspx

My smtp ip passed all of them except BARRACUDA

http://postimg.org/image/4g666crxv/

One more problem is that I could not open the webmin postfix config page.
The web browser status just shows transferring data from xx.xx.xx.xx
There is no such problem on other webmin pages.

Howdy,

If you run this command, what output do you receive:

mailq | tail -1

That’ll show how many email messages are in your queue.

Also, what does the command “uptime” show?

-Eric

I could not show the status right now.
I stopped postfix yesterday. Now I started postfix.
It has been stuck at the "Starting postfix" prompt for more than 10 mins.

I've no idea what is wrong with it.

postfix is started finally~~~~~~startup time required nearly 30mins -_-|||

mailq | tail -1
no output

uptime output at the time of execution

09:21:12 up 47 min, 2 users, load average: 35.04, 15.54, 6.72

At the same time I ran
tail -f /var/log/maillog

There are a lot of messages filling up the log file;
here are some of them

Apr 11 09:23:53 host2 postfix/qmgr[5498]: 699CE63EC6E7: from=<>, size=8227, nrcpt=1 (queue active)
Apr 11 09:23:53 host2 postfix/qmgr[5498]: 67D7F64B00EB: from=lpmyj@yahoo.com.tw, size=3364, nrcpt=11 (queue active)
Apr 11 09:23:53 host2 postfix/qmgr[5498]: 63E4E63FA7CB: from=uvnhbl@yahoo.com.tw, size=3914, nrcpt=11 (queue active)
Apr 11 09:23:53 host2 postfix/qmgr[5498]: 625FE64A9581: from=lpmyj@yahoo.com.tw, size=4406, nrcpt=10 (queue active)
Apr 11 09:23:53 host2 postfix/qmgr[5498]: 6B01A62DB8C5: from=uvnhbl@yahoo.com.tw, size=3534, nrcpt=11 (queue active)
Apr 11 09:23:53 host2 postfix/smtp[6526]: 6860D64D978A: host filter4.mail.xuite.net[210.242.46.179] said: 452 Too many recipients received this hour from Host: Unknown (IP: 58.64.134.102) (in reply to RCPT TO command)
Apr 11 09:23:53 host2 postfix/qmgr[5498]: 641B064BBB32: from=ndwsfzwl@yahoo.com.tw, size=4284, nrcpt=10 (queue active)
Apr 11 09:23:53 host2 postfix/qmgr[5498]: 6919C52DAC1A: from=uvnhbl@yahoo.com.tw, size=3941, nrcpt=10 (queue active)
Apr 11 09:23:53 host2 postfix/qmgr[5498]: 6D772648BA0B: from=uvnhbl@yahoo.com.tw, size=3881, nrcpt=10 (queue active)
Apr 11 09:23:53 host2 postfix/qmgr[5498]: 6613B651C3EA: from=ndwsfzwl@yahoo.com.tw, size=3401, nrcpt=11 (queue active)
Apr 11 09:23:53 host2 postfix/qmgr[5498]: 6641164D8B85: from=ndwsfzwl@yahoo.com.tw, size=4440, nrcpt=11 (queue active)
Apr 11 09:23:53 host2 postfix/qmgr[5498]: 6A51C46D8F00: from=ndwsfzwl@yahoo.com.tw, size=3321, nrcpt=10 (queue active)
Apr 11 09:23:53 host2 postfix/qmgr[5498]: 6357364D8820: from=ndwsfzwl@yahoo.com.tw, size=4236, nrcpt=11 (queue active)
Apr 11 09:23:53 host2 postfix/qmgr[5498]: 665606426595: from=uvnhbl@yahoo.com.tw, size=3901, nrcpt=10 (queue active)
Apr 11 09:23:53 host2 postfix/qmgr[5498]: 622DB64D0FFE: from=ndwsfzwl@yahoo.com.tw, size=3404, nrcpt=11 (queue active)
Apr 11 09:23:53 host2 postfix/qmgr[5498]: 68DA4645673F: from=uvnhbl@yahoo.com.tw, size=4491, nrcpt=10 (queue active)
Apr 11 09:23:53 host2 postfix/qmgr[5498]: 65CAA64DBD39: from=uvnhbl@yahoo.com.tw, size=3893, nrcpt=11 (queue active)
Apr 11 09:23:53 host2 postfix/qmgr[5498]: 6F449F22912: removed
Apr 11 09:23:53 host2 postfix/qmgr[5498]: 699C5638820F: from=lpmyj@yahoo.com.tw, size=3987, nrcpt=11 (queue active)
Apr 11 09:23:54 host2 postfix/qmgr[5498]: 6F5B064A7435: from=ndwsfzwl@yahoo.com.tw, size=3908, nrcpt=11 (queue active)
Apr 11 09:23:54 host2 postfix/qmgr[5498]: 6A04D63A8C9C: from=lpmyj@yahoo.com.tw, size=3966, nrcpt=10 (queue active)
Apr 11 09:23:54 host2 postfix/qmgr[5498]: 6209E64BC52C: from=ndwsfzwl@yahoo.com.tw, size=2881, nrcpt=10 (queue active)
Apr 11 09:23:54 host2 postfix/qmgr[5498]: 68D7A6503ED3: from=ndwsfzwl@yahoo.com.tw, size=4017, nrcpt=11 (queue active)
Apr 11 09:23:54 host2 postfix/qmgr[5498]: 6CA966490A4A: from=ndwsfzwl@yahoo.com.tw, size=4348, nrcpt=10 (queue active)
Apr 11 09:23:54 host2 postfix/qmgr[5498]: 6B7B36497884: from=lpmyj@yahoo.com.tw, size=4273, nrcpt=10 (queue active)
Apr 11 09:23:54 host2 postfix/qmgr[5498]: 6BB8664B85DF: from=ndwsfzwl@yahoo.com.tw, size=3900, nrcpt=10 (queue active)
Apr 11 09:23:54 host2 postfix/qmgr[5498]: 6DDE8648178B: from=uvnhbl@yahoo.com.tw, size=3458, nrcpt=11 (queue active)
Apr 11 09:23:54 host2 postfix/qmgr[5498]: 64E1B64D3C2C: from=ndwsfzwl@yahoo.com.tw, size=3263, nrcpt=11 (queue active)
Apr 11 09:23:54 host2 postfix/qmgr[5498]: 6952042F9574: from=lpmyj@yahoo.com.tw, size=3835, nrcpt=11 (queue active)
Apr 11 09:23:54 host2 postfix/qmgr[5498]: 66DBD64EC3C4: from=ndwsfzwl@yahoo.com.tw, size=4420, nrcpt=10 (queue active)
Apr 11 09:23:54 host2 postfix/qmgr[5498]: 66A6246DACD1: from=uvnhbl@yahoo.com.tw, size=4247, nrcpt=11 (queue active)
Apr 11 09:23:54 host2 postfix/qmgr[5498]: 66FD66499F9A: from=uvnhbl@yahoo.com.tw, size=3952, nrcpt=11 (queue active)
Apr 11 09:23:54 host2 postfix/qmgr[5498]: 6FFF2640F966: from=<>, size=6303, nrcpt=1 (queue active)
Apr 11 09:23:54 host2 postfix/qmgr[5498]: 6417364882A2: from=ndwsfzwl@yahoo.com.tw, size=2581, nrcpt=11 (queue active)
Apr 11 09:23:54 host2 postfix/qmgr[5498]: 628FE6531B2D: from=ndwsfzwl@yahoo.com.tw, size=4331, nrcpt=11 (queue active)
Apr 11 09:23:54 host2 postfix/qmgr[5498]: 6A71C64BE58F: from=ndwsfzwl@yahoo.com.tw, size=3180, nrcpt=11 (queue active)
Apr 11 09:23:54 host2 postfix/qmgr[5498]: 6FF1E63453D2: from=lpmyj@yahoo.com.tw, size=3309, nrcpt=11 (queue active)
Apr 11 09:23:54 host2 postfix/error[6060]: 68671649374C: to=eoody@ms1.hinet.net, relay=none, delay=507402, delays=507376/23/0/3.1, dsn=4.0.0, status=deferred (delivery temporarily suspended: host msx-smtp4.hinet.net[168.95.5.36] refused to talk to me: 421 Too many SMTP sessions for this host)
Apr 11 09:23:54 host2 postfix/bounce[6514]: 67D43646DB5F: sender non-delivery notification: 0167A633998A
Apr 11 09:23:54 host2 postfix/error[6152]: 6559F64746E7: to=lovemicky922@yahoo.com.tw, relay=none, delay=521315, delays=521057/237/0/21, dsn=4.7.1, status=deferred (delivery temporarily suspended: host mta-v4.mail.vip.tp2.yahoo.com[203.188.197.111] refused to talk to me: 421 4.7.1 [TS03] All messages from 58.64.134.102 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html)

Apr 11 09:26:29 host2 postfix/smtp[6685]: connect to msx-smtp4.hinet.net[168.95.5.35]:25: Connection timed out
Apr 11 09:26:36 host2 postfix/qmgr[5498]: 67FD064885EF: removed
Apr 11 09:26:36 host2 postfix/qmgr[5498]: 66C15648577B: from=, status=expired, returned to sender
Apr 11 09:26:36 host2 postfix/qmgr[5498]: 60B4E6472C2A: from=, status=expired, returned to sender
Apr 11 09:26:30 host2 postfix/smtp[6694]: connect to msx-smtp4.hinet.net[168.95.5.36]:25: Connection timed out
Apr 11 09:26:31 host2 postfix/smtp[6695]: connect to msx-smtp6.hinet.net[168.95.5.52]:25: Connection timed out
Apr 11 09:26:36 host2 postfix/smtp[5989]: connect to msx-smtp7.hinet.net[168.95.5.76]:25: Connection timed out
Apr 11 09:26:36 host2 postfix/qmgr[5498]: 6A974649D353: from=, size=3959, nrcpt=11 (queue active)
Apr 11 09:26:36 host2 postfix/error[6152]: 6AD4364A9D50: to=, relay=none, delay=498787, delays=498778/7.4/0/1.8, dsn=4.7.1, status=deferred (delivery temporarily suspended: host mx1.mail.tw.yahoo.com[203.188.197.119] refused to talk to me: 421 4.7.1 [TS03] All messages from 58.64.134.102 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html)

Where are the messages generated from? They could fill up the maillog to hundreds of MB in size in a short period of time.

I executed the command postsuper -d ALL to kill all mail queues

While the command was running, I read all the posts related to postfix and mail in this forum and found
this post http://www.virtualmin.com/node/23328

My smtp server issue is close to what airshock described.

After spending a few hours, the command postsuper -d ALL finished and gave me 1603623 messages removed.
Now I can be sure my server problem is the same as airshock's.

I used postcat to open one of the message queue ids

*** ENVELOPE RECORDS active/00A61654E77B ***
message_size: 3914 1665 11 0 3914
message_arrival_time: Sat Apr 6 13:52:11 2013
create_time: Sat Apr 6 13:52:13 2013
named_attribute: log_ident=00A61654E77B
named_attribute: rewrite_context=remote
named_attribute: sasl_method=LOGIN
named_attribute: sasl_username=demo
sender: ndwsfzwl@yahoo.com.tw
named_attribute: log_client_name=mdh-14-177.tm.net.my
named_attribute: log_client_address=219.92.14.177
named_attribute: log_client_port=2057
named_attribute: log_message_origin=mdh-14-177.tm.net.my[219.92.14.177]
named_attribute: log_helo_name=kkxgkh.com
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=mdh-14-177.tm.net.my
named_attribute: reverse_client_name=mdh-14-177.tm.net.my
named_attribute: client_address=219.92.14.177
named_attribute: client_port=2057
named_attribute: helo_name=kkxgkh.com
named_attribute: protocol_name=ESMTP
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;a1876511@yahoo.com.tw
original_recipient: a1876511@yahoo.com.tw
recipient: a1876511@yahoo.com.tw
named_attribute: dsn_orig_rcpt=rfc822;wendy_shao1972@yahoo.com.tw
original_recipient: wendy_shao1972@yahoo.com.tw
recipient: wendy_shao1972@yahoo.com.tw
named_attribute: dsn_orig_rcpt=rfc822;walklulu@yahoo.com.tw
original_recipient: walklulu@yahoo.com.tw
recipient: walklulu@yahoo.com.tw
named_attribute: dsn_orig_rcpt=rfc822;bj36473647@yahoo.com.tw
original_recipient: bj36473647@yahoo.com.tw
recipient: bj36473647@yahoo.com.tw
named_attribute: dsn_orig_rcpt=rfc822;win1@ms16.hinet.net
original_recipient: win1@ms16.hinet.net
recipient: win1@ms16.hinet.net
named_attribute: dsn_orig_rcpt=rfc822;topever@ms27.hinet.net
original_recipient: topever@ms27.hinet.net
recipient: topever@ms27.hinet.net
named_attribute: dsn_orig_rcpt=rfc822;nage0405@yahoo.com.tw
original_recipient: nage0405@yahoo.com.tw
recipient: nage0405@yahoo.com.tw
named_attribute: dsn_orig_rcpt=rfc822;chiahua_li@yahoo.com.tw
original_recipient: chiahua_li@yahoo.com.tw
recipient: chiahua_li@yahoo.com.tw
named_attribute: dsn_orig_rcpt=rfc822;twopeichen@yahoo.com.tw
original_recipient: twopeichen@yahoo.com.tw
recipient: twopeichen@yahoo.com.tw

The header surprised me.
named_attribute: sasl_username=demo <--------- is that the user used for sending spam remotely?

If yes, however, I went over all the virtual servers to see whether there is a user named demo, and the result is none.
And I read /etc/passwd and there is no user id named demo there either.

I did another small test to see whether those spam messages originated from a web script or were sent remotely.

I turned off the incoming smtp port on the firewall and started postfix.
Monitoring the /var/log/maillog for a certain period of time...

After a few hours of monitoring the maillog, with the incoming smtp port being ported, no abnormal mail log appeared. In conclusion, all the spam mails are being sent from outside and, due to some smtp policy restriction, those emails cannot be delivered from my server and are queued.

Now the problem is: why could demo (a login account?) pass the sasl authentication?

I searched through the file /var/log/audit/audit.log and could not find that demo had logged in

Howdy,

You may want to take a look in /var/log/maillog… seeing “sasl_authenticated” suggests that a user used an SMTP authentication method (typically port 465 or 587) to login as that user.

And any user who authenticates via that method would show up in /var/log/maillog.

If you haven’t already, you may want to change the password for that user though.

-Eric
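
Added example (not part of the original thread, and not Virtualmin or Postfix project code): one way to do the maillog check described above is to tie each smtpd line carrying sasl_username to the qmgr line with the same queue ID, then total the messages, recipients and distinct client IPs per authenticated account. The sample log lines are constructed, and the function names and thresholds are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict

# Constructed sample in Postfix's maillog format. Queue IDs, hosts and IPs
# (documentation ranges) are made up; only the username "demo" is from the thread.
SAMPLE_LOG = """\
Apr  6 13:52:11 host2 postfix/smtpd[4101]: 1A2B3C4D5E01: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=demo
Apr  6 13:52:13 host2 postfix/qmgr[5498]: 1A2B3C4D5E01: from=<a@example.net>, size=3914, nrcpt=11 (queue active)
Apr  6 13:52:20 host2 postfix/smtpd[4102]: 1A2B3C4D5E02: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=demo
Apr  6 13:52:21 host2 postfix/qmgr[5498]: 1A2B3C4D5E02: from=<b@example.net>, size=3364, nrcpt=10 (queue active)
Apr  6 13:53:02 host2 postfix/smtpd[4103]: 1A2B3C4D5E03: client=pc.example.org[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
Apr  6 13:53:03 host2 postfix/qmgr[5498]: 1A2B3C4D5E03: from=<alice@example.org>, size=1200, nrcpt=1 (queue active)
Apr  6 13:53:40 host2 postfix/smtpd[4104]: 1A2B3C4D5E04: client=unknown[192.0.2.99], sasl_method=LOGIN, sasl_username=demo
Apr  6 13:53:41 host2 postfix/qmgr[5498]: 1A2B3C4D5E04: from=<a@example.net>, size=4406, nrcpt=11 (queue active)
Apr  6 14:10:00 host2 postfix/qmgr[5498]: 1A2B3C4D5E01: from=<a@example.net>, size=3914, nrcpt=11 (queue active)
"""

# smtpd logs the authenticated account next to the client and queue ID.
SMTPD_RE = re.compile(
    r"postfix/(?:\w+/)?smtpd\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"client=[^\[]+\[(?P<ip>[^\]]+)\].*?sasl_username=(?P<user>[^,\s]+)"
)
# qmgr logs the recipient count; angle brackets are optional because
# forum-pasted logs often lose them.
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<?[^>,]*>?, "
    r"size=\d+, nrcpt=(?P<nrcpt>\d+)"
)

def sasl_activity(lines):
    """Return {username: {"messages", "recipients", "clients"}} from maillog lines."""
    owner = {}       # queue ID -> SASL username that submitted it
    counted = set()  # queue IDs whose nrcpt was already added (qmgr repeats on retry)
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "clients": set()})
    for line in lines:
        m = SMTPD_RE.search(line)
        if m:
            owner[m["qid"]] = m["user"]
            stats[m["user"]]["messages"] += 1
            stats[m["user"]]["clients"].add(m["ip"])
            continue
        m = QMGR_RE.search(line)
        if m and m["qid"] in owner and m["qid"] not in counted:
            counted.add(m["qid"])
            stats[owner[m["qid"]]]["recipients"] += int(m["nrcpt"])
    return dict(stats)

def flag_accounts(stats, max_recipients=20, max_clients=2):
    """Accounts over either threshold (assumed values, not from the thread)."""
    return sorted(u for u, s in stats.items()
                  if s["recipients"] > max_recipients or len(s["clients"]) > max_clients)

if __name__ == "__main__":
    # On a live server, pass open("/var/log/maillog") instead of the sample.
    report = sasl_activity(SAMPLE_LOG.splitlines())
    for user in flag_accounts(report):
        s = report[user]
        print(user, s["messages"], s["recipients"], sorted(s["clients"]))
```

An account flagged here that you cannot find in /etc/passwd may still exist in whatever backend SASL authenticates against, so check that user database before resetting passwords.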