Hi Everyone,

I've been running a Postfix mailserver for our small company for the last couple of years. Until a couple of weeks ago we had no trouble at all. But then suddenly I started seeing a huge number of rejected emails in the deferred queue, with dodgy-looking recipient addresses. I think someone is using our server to send out a load of spam. I don't think any of our users would do it deliberately, but I am worried that a spammer has somehow got hold of one of my users' login credentials and is abusing the account.

My question is, if I am right, how can I find out which account has been compromised? I've been searching online all week, but the only information I can find on the topic of spam is how to stop it coming into a system. No-one seems to mention how to stop it being sent out by a system.

I'm using SASL to authenticate SMTP users, with this config in /etc/postfix/main.cf:

    smtpd_use_tls=yes
    relayhost =
    smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_local_domain = $mydomain
    broken_sasl_auth_clients = yes

/etc/postfix/smtpd.conf

    pwcheck_method: saslauthd
    mech_list: plain login

/etc/default/saslauthd

    START=yes
    MECHANISMS="pam"
    MECH_OPTIONS=""
    THREADS=5
    OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -V"

Any help on how to find out where the spam is originating would be greatly appreciated. Likewise, if anyone knows any other approach to stopping authenticated users from abusing the system.

Many thanks,
Daniel Howard
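
One way to approach the question in the post above, as an added example that is not part of the original post: Postfix's smtpd logs the SASL login name alongside the queue ID of each message it accepts from an authenticated client, so the mail log can be grouped by sasl_username and joined to the delivery results. The log lines, usernames, hostnames and addresses below are constructed samples, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not taken from the original post).
SAMPLE_LOG = """\
Mar  3 09:58:11 mail postfix/smtpd[2101]: 3A9F51C0A2: client=office.example.com[198.51.100.10], sasl_method=PLAIN, sasl_username=alice
Mar  3 09:58:12 mail postfix/smtp[2105]: 3A9F51C0A2: to=<client@example.org>, relay=mx.example.org[192.0.2.25]:25, delay=0.9, dsn=2.0.0, status=sent (250 OK)
Mar  3 10:15:01 mail postfix/smtpd[2211]: 4F1A22C0B1: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=bob
Mar  3 10:15:03 mail postfix/smtp[2250]: 4F1A22C0B1: to=<qx81@example.net>, relay=none, delay=2, dsn=4.4.1, status=deferred (connect timed out)
Mar  3 10:15:03 mail postfix/smtp[2251]: 4F1A22C0B1: to=<zz07@example.net>, relay=none, delay=2, dsn=5.1.1, status=bounced (user unknown)
Mar  3 10:15:09 mail postfix/smtpd[2212]: 5B7C33D0C4: client=unknown[203.0.113.77], sasl_method=LOGIN, sasl_username=bob
Mar  3 10:15:11 mail postfix/smtp[2252]: 5B7C33D0C4: to=<kk19@example.net>, relay=none, delay=2, dsn=4.4.1, status=deferred (connect timed out)
"""

# smtpd records the SASL login once per accepted message, keyed by queue ID.
AUTH_RE = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=\S*\[([^\]]+)\], "
                     r"sasl_method=[^,]+, sasl_username=([^,\s]+)")
# Delivery agents (smtp, local, ...) log one line per recipient attempt.
DELIV_RE = re.compile(r"postfix/\w+\[\d+\]: (\w+): to=<([^>]*)>.*?status=(\w+)")

def summarize(log_text):
    """Per SASL user: messages accepted, client IPs seen, delivery attempts, failures."""
    owner = {}  # queue ID -> SASL username that submitted it
    stats = defaultdict(lambda: {"messages": 0, "ips": set(), "attempts": 0, "failed": 0})
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            qid, ip, user = m.groups()
            owner[qid] = user
            stats[user]["messages"] += 1
            stats[user]["ips"].add(ip)
            continue
        m = DELIV_RE.search(line)
        if m and m.group(1) in owner:  # skip mail that was not SASL-submitted
            s = stats[owner[m.group(1)]]
            s["attempts"] += 1
            if m.group(3) in ("deferred", "bounced"):
                s["failed"] += 1
    return dict(stats)

def rank(stats):
    """Rows of (user, messages, distinct client IPs, failed attempts), worst first."""
    rows = [(u, s["messages"], len(s["ips"]), s["failed"]) for u, s in stats.items()]
    return sorted(rows, key=lambda r: (-r[3], -r[1]))

if __name__ == "__main__":
    for row in rank(summarize(SAMPLE_LOG)):
        print(row)
```

To use it on a live server, pass the text of the system's Postfix mail log to summarize() in place of SAMPLE_LOG; an account at the top of the ranking with many client IPs and many deferred or bounced attempts is the one to examine first.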