Thank you for the tips. I just found this, which looked wrong to me.

I got this 433039B83D9A message id from the bad message sent by bjbear...@cogs.com. Then I traced it back and see the message id comes from an actual user, rgarrity. Am I reading that correctly; is that what happened?

12/17/15 4:02:24 PM postfix/smtpd[13501] 433039B83D9A: client=unknown[190.254.55.184], sasl_method=CRAM-MD5, sasl_username=rgarrity
12/17/15 4:02:38 PM postfix/cleanup[13595] 433039B83D9A: message-id=<48415b66-3cb8-495f-a86b-294a1c4bb...@cogs.com>
12/17/15 4:02:38 PM postfix/qmgr[12965] 433039B83D9A: from=<bjbear...@cogs.com>, size=658, nrcpt=1 (queue active)
12/17/15 4:02:38 PM postfix/smtp[13666] 433039B83D9A: to=<mven...@niu.edu>, relay=127.0.0.1[127.0.0.1]:10024, delay=15, delays=14/0/0/0.27, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=13051-16, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 5833E9B83DA3)
12/17/15 4:02:38 PM postfix/qmgr[12965] 433039B83D9A: removed

> On Dec 17, 2015, at 4:06 PM, Sebastian Nielsen <sebast...@sebbe.eu> wrote:
>
> Then you have some local process that is compromised.
> Areas to check:
> Do you have a password reminder sending service?

No

> Do you have other automated email families?

I just about a week ago updated my /etc/aliases to start sending me the root messages.

> Check if some user on your server has become rogue

I think the log excerpt above shows something like that.

> Check if some process on the server is abusing sendmail

Would this be in the sendmail log?

> Do you have a mailing list on the server? Check that the mailing list
> software isn't compromised.

I will turn it off now.
Thanks,
Ben

> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Ben Greenfield
> Sent: 17 December 2015 22:02
> To: postfix-users@postfix.org
> Subject: non-existent users submitting email qmgr as localhost
>
> Hey All,
>
> I'm truly lost on this.
>
> I'm suddenly receiving email at my qmgr delivered by localhost 127.0.0.1.
> The email all end in cogs.com but none of the addresses are ours.
>
> Search the message ID of the spoofed email and the first appearance in the
> log is always qmgr and the mail was received by localhost 127.0.0.1
>
> Any ideas appreciated.
>
> Ben
>
> This server is on version 2.5.14
>
> plex:spool root# postconf -n
> alias_maps = hash:/etc/aliases,hash:/var/mailman/data/aliases
> biff = no
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> content_filter = smtp-amavis:[127.0.0.1]:10024
> daemon_directory = /usr/libexec/postfix
> debug_peer_level = 2
> enable_server_options = yes
> header_checks = pcre:/etc/postfix/custom_header_checks
> html_directory = /usr/share/doc/postfix/html
> inet_interfaces = all
> mail_owner = _postfix
> mailbox_size_limit = 0
> mailbox_transport = dovecot
> mailq_path = /usr/bin/mailq
> manpage_directory = /usr/share/man
> maps_rbl_domains =
> message_size_limit = 0
> mydestination = $myhostname, localhost.$mydomain,localhost, cogs.com, mail.rowerprojectoffice.com, $mydomain
> mydomain = cogs.com
> mydomain_fallback = localhost
> myhostname = plex.cogs.com
> mynetworks = 192.168.1.18,108.12.137.159,72.43.160.26,72.43.6.86
> newaliases_path = /usr/bin/newaliases
> owner_request_special = no
> queue_directory = /private/var/spool/postfix
> readme_directory = /usr/share/doc/postfix
> recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
> recipient_delimiter = +
> relay_domains = $mydestination
> relayhost =
> sample_directory = /usr/share/doc/postfix/examples
> sender_bcc_maps = hash:/etc/postfix/sender_bcc
> sendmail_path = /usr/sbin/sendmail
> setgid_group = _postdrop
> smtp_sasl_password_maps =
> smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated hash:/etc/postfix/smtpdreject cidr:/etc/postfix/smtpdreject.cidr reject_rbl_client sbl.spamhaus.org reject_rbl_client xbl.spamhaus.org permit
> smtpd_enforce_tls = no
> smtpd_helo_required = yes
> smtpd_helo_restrictions = reject_invalid_helo_hostname reject_non_fqdn_helo_hostname
> smtpd_pw_server_security_options = gssapi,cram-md5
> smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks check_sender_access hash:/etc/postfix/sender_access reject_unauth_destination check_policy_service unix:private/policy permit
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = yes
> smtpd_tls_CAfile = /etc/certificates/mail.cogs.com.349E00BE0E1D924321C26D3DF0030E0CDADD6C6A.chain.pem
> smtpd_tls_cert_file = /etc/certificates/mail.cogs.com.349E00BE0E1D924321C26D3DF0030E0CDADD6C6A.cert.pem
> smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
> smtpd_tls_key_file = /etc/certificates/mail.cogs.com.349E00BE0E1D924321C26D3DF0030E0CDADD6C6A.key.pem
> smtpd_tls_loglevel = 0
> smtpd_use_pw_server = yes
> smtpd_use_tls = yes
> tls_random_source = dev:/dev/urandom
> unknown_local_recipient_reject_code = 550
> virtual_alias_domains = $virtual_alias_maps hash:/etc/postfix/virtual_domains
> virtual_alias_maps = hash:/etc/postfix/virtual
> plex:spool root#
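As an added example (not code from this thread or from Postfix), the script below automates the correlation Ben did by hand: it groups Postfix log lines by queue id and flags any message where the smtpd sasl_username does not match the envelope sender that qmgr logged, which is what a stolen or abused account sending mail as someone else looks like. The sample log is constructed from the excerpt above (queue id 433039B83D9A, addresses shortened as in the archive) plus one invented normal submission with a made-up queue id.

```python
import re
from collections import defaultdict

# Constructed sample: queue id 433039B83D9A and its fields are copied from the
# log excerpt in the thread; AAAA0000BEEF is an invented, legitimate submission
# where the authenticated user and the envelope sender agree.
SAMPLE_LOG = """\
12/17/15 4:02:24 PM postfix/smtpd[13501] 433039B83D9A: client=unknown[190.254.55.184], sasl_method=CRAM-MD5, sasl_username=rgarrity
12/17/15 4:02:38 PM postfix/cleanup[13595] 433039B83D9A: message-id=<48415b66-3cb8-495f-a86b-294a1c4bb...@cogs.com>
12/17/15 4:02:38 PM postfix/qmgr[12965] 433039B83D9A: from=<bjbear...@cogs.com>, size=658, nrcpt=1 (queue active)
12/17/15 4:02:38 PM postfix/qmgr[12965] 433039B83D9A: removed
12/17/15 4:05:01 PM postfix/smtpd[13501] AAAA0000BEEF: client=unknown[192.168.1.18], sasl_method=CRAM-MD5, sasl_username=rgarrity
12/17/15 4:05:02 PM postfix/qmgr[12965] AAAA0000BEEF: from=<rgarrity@cogs.com>, size=900, nrcpt=1 (queue active)
"""

# "postfix/<daemon>[pid] <queue id>: <key=value, ...>" as in the excerpt above
QUEUE_RE = re.compile(r"postfix/\w+\[\d+\] (?P<qid>[0-9A-F]+): (?P<rest>.*)")
# key=value pairs; angle-bracketed values (from=<...>, to=<...>) may contain commas
KV_RE = re.compile(r"([\w-]+)=(<[^>]*>|[^,\s]+)")


def parse_log(text):
    """Merge the key=value fields of every line into one dict per queue id."""
    msgs = defaultdict(dict)
    for line in text.splitlines():
        m = QUEUE_RE.search(line)
        if not m:
            continue
        for key, val in KV_RE.findall(m.group("rest")):
            msgs[m.group("qid")][key] = val.strip("<>")
    return dict(msgs)


def find_mismatches(msgs):
    """Return (qid, sasl_username, envelope sender, client) for every message
    whose authenticated user is not the local part of the envelope sender."""
    hits = []
    for qid, f in msgs.items():
        user, sender = f.get("sasl_username"), f.get("from")
        if user and sender and sender.split("@")[0].lower() != user.split("@")[0].lower():
            hits.append((qid, user, sender, f.get("client")))
    return hits


if __name__ == "__main__":
    for qid, user, sender, client in find_mismatches(parse_log(SAMPLE_LOG)):
        print(f"{qid}: sasl_username={user} sent as {sender} from {client}")
```

Run against /var/log/mail.log instead of the sample to list every authenticated submission whose sender does not belong to the account, and the client= field then tells you which IP used the credentials.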