Tait Grove wrote:
> I did open a few of the messages. The user has taken over the dovecot
> account. So all the emails are coming from dove...@local.servername.net
> through postfix. I thought for sure an account had been compromised. Dovecot
> is a local, unix user, with nologin and the account is locked out as far as
> the OS is concerned. I looked at my webmail, thinking that could be the
> case, but they are not getting in through there. Somehow they are piping
> commands into my mail to get it to send email out - tons of stuff to/from
> Brazil.

You need to examine the logs related to one of the unwanted
messages.

> My CONF file:
> mynetworks = 127.0.0.0/8, {EXTERNAL_IP_RANGE}/8, {INTERNAL_IP_RANGE}/25,
>     $myhostname

I hope the /8 and /25 got reversed during your munging-fest.

I don't see any other glaring errors. Your log will have the
interesting information.

Pick a QUEUEID from a suspect message and grep the log for it.

-- Noel Jones
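
The log check suggested in the reply above, as an added example that is not part of the original thread: it collects every Postfix log entry for one queue ID and reports whether the message entered through the local `pickup` service, an SMTP AUTH login, or a client address covered by `mynetworks`. The log lines, queue IDs, addresses and the `MYNETWORKS` list are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample log lines (not from the thread); documentation IP ranges,
# made-up queue IDs.
SAMPLE_LOG = """\
Jan 10 03:12:01 mail postfix/smtpd[1234]: 4F2A11C0D3: client=unknown[198.51.100.77]
Jan 10 03:12:01 mail postfix/cleanup[1240]: 4F2A11C0D3: message-id=<a1@mail.example.net>
Jan 10 03:12:01 mail postfix/qmgr[900]: 4F2A11C0D3: from=<dovecot@mail.example.net>, size=2314, nrcpt=20 (queue active)
Jan 10 03:12:02 mail postfix/smtp[1250]: 4F2A11C0D3: to=<x@example.com>, relay=mx.example.com[192.0.2.9]:25, delay=1.2, dsn=2.0.0, status=sent (250 OK)
Jan 10 03:15:00 mail postfix/pickup[800]: 7B3C21C0D9: uid=48 from=<dovecot>
Jan 10 03:15:00 mail postfix/qmgr[900]: 7B3C21C0D9: from=<dovecot@mail.example.net>, size=1980, nrcpt=15 (queue active)
Jan 10 03:16:10 mail postfix/smtpd[1300]: 9D1E01C0E2: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=dovecot
"""

# Hypothetical trusted ranges standing in for the munged mynetworks value.
MYNETWORKS = ["127.0.0.0/8", "198.51.100.0/24"]

# daemon name, short (hex) queue ID, rest of the line
LINE = re.compile(r"postfix/(?:\w+/)?(\w+)\[\d+\]: ([0-9A-F]+): (.*)")

def trace(log_text, queue_id):
    """Return the log entries for one queue ID as (daemon, detail) pairs."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m and m.group(2) == queue_id:
            hits.append((m.group(1), m.group(3)))
    return hits

def origin(log_text, queue_id, mynetworks=MYNETWORKS):
    """Classify how the message entered the queue."""
    nets = [ipaddress.ip_network(n) for n in mynetworks]
    for daemon, detail in trace(log_text, queue_id):
        if daemon == "pickup":  # local sendmail(1) submission
            return "local submission by uid " + re.search(r"uid=(\d+)", detail).group(1)
        if daemon == "smtpd" and detail.startswith("client="):
            ip = ipaddress.ip_address(re.search(r"\[([^\]]+)\]", detail).group(1))
            sasl = re.search(r"sasl_username=(\S+)", detail)
            if sasl:
                return f"SMTP AUTH as {sasl.group(1)} from {ip}"
            if any(ip in n for n in nets):
                return f"relayed for mynetworks client {ip}"
            return f"unauthenticated SMTP client {ip}"
    return "no entry record found"

if __name__ == "__main__":
    for qid in ("4F2A11C0D3", "7B3C21C0D9", "9D1E01C0E2"):
        print(qid, "->", origin(SAMPLE_LOG, qid))
```
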