Emails were not from an authenticated account, as near as I can tell. In fact, I cannot find anywhere in the logs where that IP logged in.
RBL shows the IP as blocked on multiple sites. MX Toolbox shows we are NOT an open relay. Is this what you're asking for?

mynetworks = 192.0.0.0/8
message_size_limit = 30720000
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /home/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem

Jeff

> On Jul 6, 2016, at 12:28 PM, Joan Aymà <j...@ayma.cat> wrote:
>
> First, did you check those IPs on RBL sites?
>
> Also, were those emails from authenticated accounts?
> What's in the main Postfix access config?
> Did you check that you are not an open relay?
>
> --
> joan.
>
> On 6 Jul 2016 at 7:28 p.m., SH Development <listacco...@starionline.com> wrote:
> > Here's a strange one. In my normal routine of glancing at the maillog file,
> > and subsequently the queue, I noticed several hundred emails queued up, all
> > with some bogus email variation on one of my domains. So for instance:
> >
> > abj...@mydomain.com
> > lwoei...@mydomain.com
> >
> > And so forth.
> >
> > I traced it back to a particular IP address, and as a temporary stop-gap
> > measure, blocked that IP in the firewall and changed the passwords on the two
> > email addresses that use that domain. The spam stopped.
> >
> > The strange thing is that as soon as I unblock that one IP, it starts up
> > again. I'm not sure how this one IP is managing to spoof email, and I am not
> > having any issues with any of my other 40 domains. I can very clearly start
> > and stop the abuse by blocking the IP.
> >
> > I'm not sure what I'm looking for, or how to find out how they are dumping
> > this spam on my server. I thought I had it locked down pretty well and I
> > haven't had any problems for a couple of years until this week.
> >
> > Jeff
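An added example, not part of the thread: a small Python model of how Postfix walks the smtpd_recipient_restrictions list posted above, rule by rule with first-match semantics, so one can compare which clients the posted mynetworks value treats as trusted relay sources against a tighter setting. The tighter mynetworks list, the local-domain set and the client addresses (documentation ranges) are assumptions made for the example.

```python
import ipaddress

# Values taken from the main.cf posted in the thread.
POSTED_MYNETWORKS = "192.0.0.0/8"
POSTED_RESTRICTIONS = ("permit_mynetworks permit_sasl_authenticated "
                       "reject_unauth_destination reject")
# Assumptions for the comparison, not from the thread: a tighter mynetworks
# and the set of domains this server is the final destination for.
TIGHT_MYNETWORKS = "127.0.0.0/8 192.168.1.0/24"
LOCAL_DOMAINS = {"mydomain.com"}


def in_mynetworks(client_ip, mynetworks):
    """True if client_ip falls inside any CIDR listed in mynetworks."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net, strict=False)
               for net in mynetworks.split())


def trusts_public_space(mynetworks):
    """True if any mynetworks entry reaches beyond private/loopback ranges,
    i.e. Internet hosts would be treated as trusted relay clients."""
    nets = (ipaddress.ip_network(x, strict=False) for x in mynetworks.split())
    return any(not (n.is_private or n.is_loopback) for n in nets)


def evaluate(client_ip, sasl_ok, rcpt_domain, mynetworks,
             restrictions=POSTED_RESTRICTIONS, local_domains=LOCAL_DOMAINS):
    """Walk a restriction list left to right; the first rule that yields
    permit or reject decides (Postfix semantics). reject_unauth_destination
    only fires for non-local recipient domains and never permits by itself;
    if no rule fires, Postfix's default at the end of the list is permit."""
    for rule in restrictions.split():
        if rule == "permit_mynetworks" and in_mynetworks(client_ip, mynetworks):
            return "permit", rule
        if rule == "permit_sasl_authenticated" and sasl_ok:
            return "permit", rule
        if rule == "reject_unauth_destination" and rcpt_domain not in local_domains:
            return "reject", rule
        if rule == "reject":
            return "reject", rule
    return "permit", "end-of-list"


if __name__ == "__main__":
    # 192.0.2.10 is a documentation (TEST-NET-1) address inside 192.0.0.0/8.
    for nets in (POSTED_MYNETWORKS, TIGHT_MYNETWORKS):
        print(nets, "trusts public space:", trusts_public_space(nets))
        print("  unauthenticated 192.0.2.10 -> example.org:",
              evaluate("192.0.2.10", False, "example.org", nets))
```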