Postfix sending a lot of real spams

#1 Tue, 09/16/2014 - 19:07
paulocoghi


I have a Virtualmin installation that is 2+ years old and continuously updated, with hundreds of mailboxes, a large volume of outgoing mail (and an excellent reputation for this server in particular).

But today Postfix started sending a lot of spam and I can't find the cause. I stopped Postfix temporarily, but I would like to know if there are instructions somewhere to help me find out the cause.

The spam is being sent with a different domain, with an external client IP in the header. Can I configure Postfix not to send emails with different domains in "From:" or from non-existent accounts?

Thanks in advance!

Tue, 09/16/2014 - 22:05
andreychek

Howdy,

It sounds like you have an example of one of these spam messages handy... is there any chance you could post the headers for that message here? That should contain the info we'd need to determine what's generating those emails.

-Eric

Tue, 09/16/2014 - 22:35 (Reply to #2)
paulocoghi

Sure! Here it is:

Received: from gyn-PC (unknown [186.218.179.148]) by mail.******.com (Postfix) with ESMTPSA id 4DA81225A8; Tue, 16 Sep 2014 23:41:15 -0300 (BRT)
From: "res..." <terraproduto@online.com.br>
Subject: esta ai
To: "res..." <terraproduto@online.com.br>
Content-Type: multipart/alternative; boundary="----=_NextPart_6D7_6777_67470707.7636F6D0"
MIME-Version: 1.0
Reply-To: accounts@passport.com
Date: Tue, 16 Sep 2014 23:40:16 -0300
Message-Id: <20140916234016EC7F08CABB$D21D2C0D0D@GYNPC>
Status: N

Andrey, this IP 186.218.179.148 is not my server's IP, and this email address terraproduto[at]online.com.br is not in a domain configured in our Virtualmin.

I searched through the Postfix configuration, but I can't find where it is possible to allow only specific domains or to block non-existent accounts.

Tue, 09/16/2014 - 22:57
andreychek

Howdy,

Hmm, that is an unusual one. Users shouldn't be able to relay email through your server unless they authenticate.

Now, you could always block that one IP... you could do that with a firewall, or by running:

route add -host 186.218.179.148 reject

However, I'd be curious what the output of "postconf -n" is.

-Eric

Wed, 09/17/2014 - 00:42 (Reply to #4)
paulocoghi

Sure! Here is the postconf result!

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
allow_percent_hack = no
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
header_size_limit = 1024000
home_mailbox = Maildir/
inet_interfaces = all
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
message_size_limit = 102400000
milter_default_action = accept
milter_protocol = 2
mydestination = mail.[mydomain].com, localhost.[mydomain].com, , localhost
myhostname = mail.[mydomain].com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
non_smtpd_milters = inet:localhost:8891
readme_directory = no
recipient_delimiter = +
sender_bcc_maps = hash:/etc/postfix/bcc
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_milters = inet:localhost:8891
smtpd_recipient_restrictions = permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = hash:/etc/postfix/virtual
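The "with ESMTPSA" in the Received header above is Postfix's marker for a SASL-authenticated submission over TLS, so the evidence points at a compromised mailbox password rather than an open relay, and a sender/login mismatch check is the control that would have refused the forged From domain. Below is an added Python triage script, not code from the thread or from Virtualmin, that parses that Received header and the From line and reports both findings; the hosted-domain set and the mynetworks list are assumed values standing in for the site's own.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed input: the Received and From headers as printed in the thread,
# with the author's hostname masking kept as-is.
RECEIVED = ("from gyn-PC (unknown [186.218.179.148]) by mail.******.com (Postfix) "
            "with ESMTPSA id 4DA81225A8; Tue, 16 Sep 2014 23:41:15 -0300 (BRT)")
FROM = '"res..." <terraproduto@online.com.br>'

# Assumed site values (not from the thread): domains this Virtualmin hosts and
# the mynetworks ranges from postconf -n (127.0.0.0/8 and loopback only).
HOSTED_DOMAINS = {"example.com"}
MYNETWORKS = [ip_network("127.0.0.0/8"), ip_network("::1/128")]

# Postfix Received format: from HELO (rdns [ip]) by server (Postfix) with PROTO id QUEUEID
RECEIVED_RE = re.compile(
    r"from (\S+) \((\S+) \[([0-9a-fA-F.:]+)\]\) by (\S+) \(Postfix\) with (\S+) id ([0-9A-Fa-f]+)")

def parse_received(header):
    """Split a Postfix Received header into its fields; None if it does not match."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    helo, rdns, ip, server, proto, qid = m.groups()
    # Postfix protocol keywords ending in "A" (ESMTPA, ESMTPSA) mean the client
    # passed SASL authentication; the "S" means the session was TLS-encrypted.
    return {"helo": helo, "rdns": rdns, "ip": ip, "server": server,
            "proto": proto, "queue_id": qid, "authenticated": proto.endswith("A")}

def sender_domain(from_header):
    """Return the lower-cased domain part of the address in a From header."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else None

def triage(received, from_header):
    """Return human-readable findings for one message's headers."""
    r = parse_received(received)
    if r is None:
        return ["unparseable Received header"]
    findings = []
    client = ip_address(r["ip"])
    if r["authenticated"] and not any(client in net for net in MYNETWORKS):
        findings.append(f"SASL-authenticated submission from outside mynetworks ({r['ip']}), "
                        f"queue id {r['queue_id']}: treat as a compromised mailbox password, "
                        "not an open relay; find the login in mail.log and reset it")
    dom = sender_domain(from_header)
    if dom and dom not in HOSTED_DOMAINS:
        findings.append(f"From domain {dom} is not hosted here: smtpd_sender_login_maps plus "
                        "reject_sender_login_mismatch in smtpd_sender_restrictions would refuse it")
    return findings
```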