Meta-issues first:

1. You hijacked an old thread here, posting about an unrelated matter.
   Bad form. Please open a NEW message in your MUA when you want to
   start a new thread.
2. The logs should be posted inline with your message, not as pastebin
   links.
3. See http://www.postfix.org/DEBUG_README.html#mail for list
   guidelines. This information was also provided in your list welcome
   message.

On Wed, Jul 27, 2011 at 12:02:48PM +0200, Salvatore wrote:
> on my mail server a few days pass through a lot of mails where the
> sender does not belong to any my domain and also the recipient does
> not belong to any of my domains.
> This behavior is strange because I use for send email the SMTP
> authentication, below log about mail:
>
> http://pastebin.com/SDpVzMVx
> http://pastebin.com/sUPdSFuH

These logs are useless. You need to show where the suspected spam
messages *arrived* -- you did not. "grep 5F8B52D8040" was not adequate.
It seems that 5F8B52D8040 was a post-filter reinjection. Where did the
pre-filter message 7AF7C26ADA0 come from? Use a pager (like less(1))
and its search feature, not grep(1).

> My postfix configuration is:
>
> mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
> mydomain = mydomain.com
> myhostname = mail.mydomain.com

Example.com (and .TLD for all gTLDs and many ccTLDs) exists for use in
examples. Do not use a real Internet name unless it is yours.

> myorigin = $myhostname
> relay_domains = $mydestination

This should be unset unless you are using relay_domains.
"relay_domains ="

> smtpd_recipient_restrictions = permit_sasl_authenticated,
> reject_unauth_destination, check_client_access
> hash:/etc/postfix/client_whitelist, reject_rbl_client
> bl.spamcop.net, reject_rbl_client dul.dnsbl.sorbs.net,
> reject_rbl_client zen.spamhaus.org
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain = $myhostname
> smtpd_sasl_security_options = noanonymous
> smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/access

This does not look like complete "postconf -n", since the logs
indicated a probable content filter in place.

> ..how can I stop the transit of such mail ?

We can't answer that until you show us how it arrived.

> I can also set a limit to the number of emails that a user can send
> in 1 hour ?

Again, that depends. Another poster today is wanting to limit use of
sendmail(1) submission. If your users are submitting via SMTP, you can
choose among several external policy services which can do throttling
per sender. I believe postfwd and policyd each have this feature.

If as I suspect, your system has malware or other such intrusion, a
policy service will not stop these. The most common successful attack
vectors are by means of bugs in poorly-coded PHP webware, or by brute
force SSH attack bots.

-- 
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
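
The tracing step asked for above (follow a post-filter queue ID back to the pre-filter message and see how that one arrived), as an added example that is not part of the original message. The log lines are constructed; only the two queue IDs come from the thread, and the sketch assumes short hexadecimal queue IDs and a content filter that is reached via 127.0.0.1.

```python
import re

# Constructed sample log (not the poster's); addresses use documentation ranges.
SAMPLE_LOG = """\
Jul 27 11:58:01 mail postfix/smtpd[2101]: 7AF7C26ADA0: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=user1@example.com
Jul 27 11:58:01 mail postfix/qmgr[900]: 7AF7C26ADA0: from=<a@example.net>, size=2210, nrcpt=1 (queue active)
Jul 27 11:58:02 mail postfix/smtpd[2105]: 5F8B52D8040: client=localhost[127.0.0.1]
Jul 27 11:58:02 mail postfix/smtp[2103]: 7AF7C26ADA0: to=<b@example.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.2, status=sent (250 2.0.0 Ok: queued as 5F8B52D8040)
Jul 27 11:58:03 mail postfix/smtp[2107]: 5F8B52D8040: to=<b@example.org>, relay=mx.example.org[198.51.100.7]:25, delay=0.9, status=sent (250 OK)
Jul 27 12:01:10 mail postfix/pickup[880]: 3C1D09E4F21: uid=33 from=<www-data>
Jul 27 12:01:11 mail postfix/smtp[2110]: 3C1D09E4F21: to=<c@example.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.8, status=sent (250 2.0.0 Ok: queued as 9B2E44A7C05)
"""

LINE = re.compile(r"postfix/(?:[\w-]+/)?(\w+)\[\d+\]: ([0-9A-F]{6,}): (.*)")
# Only hand-offs to the local filter count; a remote MTA's "queued as" is ignored.
HANDOFF = re.compile(r"relay=127\.0\.0\.1\[.*queued as ([0-9A-F]{6,})")

def index_log(text):
    """Return (arrival, parent): how each queue ID entered, and the ID it was reinjected from."""
    arrival, parent = {}, {}
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        # smtpd logs "client=..." (plus SASL user if any); pickup logs "uid=..." for sendmail(1).
        if daemon in ("smtpd", "pickup") and rest.startswith(("client=", "uid=")):
            arrival.setdefault(qid, f"{daemon}: {rest}")
        handoff = HANDOFF.search(rest)
        if handoff:
            parent[handoff.group(1)] = qid
    return arrival, parent

def trace_arrival(text, qid):
    """Follow reinjections back from qid; return (chain, arrival record of the earliest hop)."""
    arrival, parent = index_log(text)
    chain = [qid]
    while chain[-1] in parent and parent[chain[-1]] not in chain:
        chain.append(parent[chain[-1]])
    return chain, arrival.get(chain[-1])

if __name__ == "__main__":
    for start in ("5F8B52D8040", "9B2E44A7C05"):
        chain, how = trace_arrival(SAMPLE_LOG, start)
        print(" <- ".join(chain), "|", how)
```

The arrival record separates the cases the reply distinguishes: an smtpd line with sasl_username points at an authenticated account, while a pickup line with a uid points at local sendmail(1) submission, which per-sender SMTP throttling does not cover.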