> On Oct 6, 2019, at 2:09 AM, Patrick Mahan <plma...@gmail.com> wrote:
>
> I am trying to understand how I am being a mail relay for (what I believe)
> are unauthorized users.
> I have the following postfix config set:
>
> smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authentication,
> reject_unauth_destination

The second of these is presumably actually "permit_sasl_authenticated"...

> The logs are showing -
>
> Oct 5 00:00:02 ns postfix/smtpd[65859]: BB829A32C24:
> client=unknown[37.114.181.42], sasl_method=LOGIN, sasl_username=tracy

A successful login as "tracy" was completed from a system at
[37.114.181.42], which GeoIP on my system reports as:

    37.114.181.42: AZ, Azerbaijan

If the real "tracy" is not logging in from Azerbaijan, her account
password has been compromised, and the compromise might affect more
than the password for your mailserver, perhaps remote control of her
computer, ...

The rest is just consequences of the account takeover.

-- Viktor.