spammer sending mail through non existing smtp sasl user

One of my virtualmin servers (centos based) is beïng used by a spammer

tail -f /var/log/maillog -n | grep sasl

Oct 26 18:28:17 postfix/smtpd[22204]: 900D6BC033: client=mail.zabo.be[217.76.226.156], sasl_method=LOGIN, sasl_username=username@domain
Oct 26 18:32:42 postfix/smtpd[23738]: D89DFBC033: client=93-2-60.netrun.cytanet.com.cy[93.109.2.60], sasl_method=LOGIN, sasl_username=username@domain
Oct 26 18:43:59 postfix/smtpd[27327]: 6DD12BC033: client=unknown[79.174.197.27], sasl_method=LOGIN, sasl_username=username@domain
Oct 26 18:57:15 postfix/smtpd[30563]: 6CD31BC033: client=unknown[41.224.242.182], sasl_method=LOGIN, sasl_username=username@domain
Oct 26 20:40:01 postfix/smtpd[27600]: 06E0EBC033: client=bre75-1-78-192-242-228.fbxo.proxad.net[78.192.242.228], sasl_method=LOGIN, sasl_username=username@domain

i’ve changed the username to username@domain for obvious reasons.

The username@domain is not a virtualmin user, but it was the same e-mailaddress as an alias.
I’ve changed the password of the account which the alias reffered to and I even deleted the alias, but the spammer is still able to authenticate and send spam.

The strange thing is that the is username@domain is not a systemuser and I cannot find any other reference to this user.

How can I tell which database smtpd uses in virtualmin to do the sasl authentication on?
Anyone know how I can prevent a specific user from using smtp?

Howdy,

Hmm, by default shouldn’t be able to authenticate without a system user , though there’s two things I can think of to look for… one, can you post the output of “postconf -n”? I’m curious if there’s something in there enabling some sort of virtual user that would cause it to not need a system user.

Second, if you didn’t already, can you run “grep username@domain /etc/passwd”, just to make super-sure that there’s no username in there?

-Eric

or just id username@domain instead (because if it is not from /etc/passwd but via LDAP or something, you will not find it with the grep itself).

The log just tells you that someone is able to logon to the postfix instance with the credentials shown. So there must be a user that authorizes this login (else you would get failures).

Rgrds,
Remko