Noel Jones wrote:
> Ivan Ricotti wrote:
>> Hi,
>>
>> thanks for your reply.
>>
>> Brian Evans - Postfix List wrote:
>>> Look a few lines above this. Why did you accept mail for a non-existent
>>> user?
>>
>> But I do *not* accept mail for non-existent users:
>>
>> Mar 26 09:27:11 athene postfix/smtpd[29704]: NOQUEUE: reject: RCPT from
>> mail02.mail.esat.net[193.120.142.82]: 450 4.1.1
>> <3f6f17ca.813b5...@elabor.homelinux.org>: Recipient address rejected:
>> undeliverable address: unknown user:
>> "3f6f17ca.813b5...@elabor.homelinux.org"; from=<mem...@ebay.it>
>> to=<3f6f17ca.813b5...@elabor.homelinux.org> proto=ESMTP
>> helo=<mail02.mail.esat.net>
>>
>>> Did it arrive via smtpd or pickup? Where did it arrive from?
>
> The above is the result of a postfix reject_unverified_recipient check.
> The double_bounce entries you see are address probes. In other words,
> these are not in any way related to your problem.
>
> Since you so far haven't shown anything remotely suspicious in your
> postfix config or logs, most likely you have some virus infected client
> machines that are sending mail direct to the recipient's MX - *not*
> relaying through your postfix.
>
> The first thing you must do is make sure that your border firewall or
> router prevents outgoing connections to destination port 25 for everyone
> except your postfix box. Then at least an infected machine can't spew
> its payload.
>
> (A better design is to have a separate IP for "official" mail and
> another IP used for client internet access. Then client misbehavior
> doesn't affect the mail system. Of course that means you must have more
> than one IP...)
>
> Once you stop the garbage with your firewall, you can then use firewall
> logs or a network sniffer to see what IP is trying to send mail. Look
> for connections to destination port 25 that don't originate from your
> postfix box.
>
> At this point, your problem doesn't appear to be a postfix problem, nor
> something that can be addressed in postfix.
>

Or maybe recipient validation is disabled before the filter? A copy of master.cf would tell. Otherwise, it's as Noel said, outbound SMTP traffic must be firewalled. Once this is done, postfix logs will show which machine is infected.
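
An added example, not part of the original thread or written by any of its participants: one way to do the firewall-log review described above, counting connection attempts to destination port 25 that do not come from the mail server. It assumes a Linux gateway whose netfilter LOG rule writes key=value lines; the `SMTP-OUT: ` prefix, the `MAIL_SERVER_IP` value and every sample line are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: address of the Postfix box, the only host allowed to use port 25.
MAIL_SERVER_IP = "192.168.1.10"

# Constructed sample lines in the Linux netfilter LOG key=value format.
# "SMTP-OUT: " is an assumed log prefix; all addresses are made up.
SAMPLE_LOG = """\
Mar 26 09:30:01 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.25 LEN=60 TTL=63 PROTO=TCP SPT=40112 DPT=25 WINDOW=29200 SYN URGP=0
Mar 26 09:30:04 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.8 LEN=48 TTL=127 PROTO=TCP SPT=1034 DPT=25 WINDOW=65535 SYN URGP=0
Mar 26 09:30:04 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.99 LEN=48 TTL=127 PROTO=TCP SPT=1035 DPT=25 WINDOW=65535 SYN URGP=0
Mar 26 09:30:09 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.83 DST=198.51.100.8 LEN=48 TTL=127 PROTO=TCP SPT=2210 DPT=25 WINDOW=65535 SYN URGP=0
Mar 26 09:30:10 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.83 DST=198.51.100.8 LEN=40 TTL=127 PROTO=TCP SPT=2210 DPT=25 WINDOW=65535 ACK URGP=0
Mar 26 09:30:12 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.40 LEN=48 TTL=127 PROTO=TCP SPT=1040 DPT=443 WINDOW=65535 SYN URGP=0
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return the KEY=value fields of one netfilter LOG line as a dict."""
    return dict(FIELD.findall(line))


def direct_smtp_senders(log_text, mail_server=MAIL_SERVER_IP):
    """Count new outbound port-25 connections per source IP, mail server excluded."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != "25":
            continue  # not SMTP
        flags = line.split()
        if "SYN" not in flags or "ACK" in flags:
            continue  # count connection attempts only, not follow-up packets
        src = fields.get("SRC")
        if src and src != mail_server:
            hits[src] += 1
    return hits.most_common()


if __name__ == "__main__":
    for ip, attempts in direct_smtp_senders(SAMPLE_LOG):
        print(f"{ip} attempted {attempts} direct SMTP connection(s)")
```

Any address this reports is a client talking to remote MX hosts directly, which is the behaviour the firewall rule is meant to block.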