Wow!! How many answers. Before going deep into the matter, I want to give my thanks to all. While I was reading (and I read all the answers) I was taking note of some items that require my answer or clarification.

1) My topology
1.0) My server is physically in my office and is located 1 meter (3 ft) from me.
1.1) My connection topology is internet <-public ip-> my server schweb <-internal ip-> my computer with MUA. So my email password never touches the internet.
1.2) Fail2ban: I have fail2ban to permanently ban (even after a reboot) the brute-force attacks.
1.3) I have no ssh, ftp or any login open from outside; the only way to administer it is from inside my office.
1.4) I have no administration software (webmin, etc.).
1.5) The passwords are in userDB format in a root-owned file and cannot be changed with any frontend, only by root (with real access to my office).

2) Dear Kevin: I think that the sender doesn't know my password because he did not identify with SASL; looking at the logfile /var/log/mail, Postfix managed the email as a regular incoming email.

3) Dear Andrei

> mmu.ac.ug. 86400 IN TXT "v=spf1 include:_spf.google.com ~all"
> See, ~all was your undoing.

My domain is **schweb.com.ar** and the email came from **mmu.ac.ug**.
My SPF is: v=spf1 mx a ip4:24.232.174.73 mx:schweb.com.ar a:schlabs.com.ar a:sys-arquitectura.cl -all
Maybe I need to remove -all?

4) I performed the check on https://haveibeenpwned.com/
Good news — no pwnage found!

5) I added the missing part of the log at the end of this email.

6) SpamAssassin: I have never used it. I will read how to install it. Normally I block the entire ISP when I receive a spam, scam or phishing email.

7) "@lbutlr": About /etc/postfix/sender_access.pcre, thank you, I will do it.

8) Dear Mick: header checks I will test. I cannot close port 25 because my sister uses it and she lives in another country (I am in Argentina, she is in Chile). I will look into using it only for incoming emails.

9) I have configured it to block words like BIT COIN (all together), but the email was base64 coded and Postfix can't decrypt and check the content. Is it possible?

Best Regards
Christian

Annex 1:

2019-03-22T07:41:56.930185-03:00 schweb postfix/smtpd[16228]: connect from mmu.ac.ug[62.75.235.12]
2019-03-22T07:41:57.912905-03:00 schweb postfix/smtpd[16228]: Anonymous TLS connection established from mmu.ac.ug[62.75.235.12]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
2019-03-22T07:42:00.178966-03:00 schweb postfix/policy-spf[16235]: : SPF softfail (Mechanism '~all' matched): Envelope-from: d...@mmu.ac.ug
2019-03-22T07:42:00.180439-03:00 schweb postfix/policy-spf[16235]: handler sender_policy_framework: is decisive.
2019-03-22T07:42:00.181631-03:00 schweb postfix/policy-spf[16235]: : Policy action=PREPEND Received-SPF: softfail (mmu.ac.ug: Sender is not authorized by default to use 'd...@mmu.ac.ug' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matched)) receiver=schweb; identity=mailfrom; envelope-from="d...@mmu.ac.ug"; helo=xray144.theg7.com; client-ip=62.75.235.12
2019-03-22T07:42:01.651477-03:00 schweb postfix/smtpd[16228]: 9EE12450F4: client=mmu.ac.ug[62.75.235.12]
2019-03-22T07:42:01.895647-03:00 schweb postfix/cleanup[16242]: 9EE12450F4: message-id=<5s5jp2.2trzrx165hrq...@mail.mmu.ac.ug>
2019-03-22T07:42:05.367192-03:00 schweb postfix/qmgr[32549]: 9EE12450F4: from=<d...@mmu.ac.ug>, size=228789, nrcpt=1 (queue active)
2019-03-22T07:42:05.604239-03:00 schweb postfix/smtpd[16228]: disconnect from mmu.ac.ug[62.75.235.12]
2019-03-22T07:42:06.429100-03:00 schweb postfix/virtual[16247]: 9EE12450F4: to=<l...@schweb.com.ar>, relay=virtual, delay=8, delays=6.9/0.02/0/1, dsn=2.0.0, status=sent (delivered to maildir)
2019-03-22T07:42:06.431609-03:00 schweb postfix/qmgr[32549]: 9EE12450F4: removed

--
Be Free, Be Linux
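
On point 9 of the message above: Postfix's built-in body_checks match message lines as received and do not undo base64 or quoted-printable, so a keyword rule only works in a content filter that decodes first. The following is an added example, not part of the original message and not Postfix code; it shows the decode-then-match step in Python, and the `BLOCKED` pattern, the function names and the sample message are assumptions constructed for illustration.

```python
import base64
import email
import re
from email import policy

# Hypothetical blocklist modelled on the "BIT COIN" rule from the message.
BLOCKED = re.compile(r"bit\s*coin", re.IGNORECASE)

def decoded_text_parts(raw: bytes):
    """Yield (label, text) for the Subject and every text/* MIME part,
    with base64 / quoted-printable / RFC 2047 encoding already undone."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    yield "subject", str(msg.get("Subject", ""))
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        try:
            text = part.get_content()  # decodes transfer encoding + charset
        except (LookupError, ValueError):
            # Unknown or broken charset: fall back to a lossless byte mapping.
            text = (part.get_payload(decode=True) or b"").decode("latin-1")
        yield part.get_content_type(), text

def find_blocked(raw: bytes):
    """Return the labels of all parts whose decoded text hits the blocklist."""
    return [label for label, text in decoded_text_parts(raw)
            if BLOCKED.search(text)]

# Constructed sample message (not the mail from the log above).
SAMPLE = (
    b"From: sender@example.org\r\n"
    b"To: user@example.net\r\n"
    b"Subject: =?utf-8?B?" + base64.b64encode(b"BIT COIN offer") + b"?=\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n" + base64.encodebytes(b"Pay in BIT COIN today\n")
)

if __name__ == "__main__":
    # A line-based match on the raw bytes sees only base64 and misses the words.
    print("raw match:", bool(BLOCKED.search(SAMPLE.decode("ascii"))))
    print("decoded hits:", find_blocked(SAMPLE))
```

SpamAssassin, mentioned in point 6, performs this decoding itself before applying its body rules.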