When I connect to my Postfix server using ssh from a remote location, postings show up as something like (suitably modified for security):
Jul 27 15:50:35 winston postfix/smtpd[28303]: connect from localhost[127.0.0.1]
Jul 27 15:50:36 winston postfix/smtpd[28303]: 57A5A220BA: client=localhost[127.0.0.1]
Jul 27 15:50:36 winston postfix/cleanup[28315]: 57A5A220BA: message-id=<1311799778.2531.33.camel@progbox>
Jul 27 15:50:36 winston postfix/qmgr[3964]: 57A5A220BA: from=<jo397...@example1.com>, size=517, nrcpt=1 (queue active)
Jul 27 15:50:37 winston postfix/smtpd[28303]: disconnect from localhost[127.0.0.1]
Jul 27 15:50:37 winston postfix/smtp[28319]: 57A5A220BA: to=<j_opific...@example2.org>, relay=mail.example2.org[aaa.bb.cc.ddd]:25, delay=1.7, delays=0.53/0.04/0.67/0.45, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D5F07162B43)
Jul 27 15:50:37 winston postfix/qmgr[3964]: 57A5A220BA: removed

All that is good, works fine. The point to note is the: "connect from localhost[127.0.0.1]" part.

Is there any other legitimate situation in which "connect from localhost[127.0.0.1]" is legitimate? I suspect my system is compromised (as opposed to my simply not having appropriate spam protections, etc in place).

Here's an example of a "connect from localhost..." that I cannot justify or explain:

Jul 27 15:46:54 winston postfix/smtpd[28230]: connect from localhost[127.0.0.1]
Jul 27 15:46:54 winston postfix/smtpd[28230]: warning: Illegal address syntax from localhost[127.0.0.1] in MAIL command: <anntaylorloft@mhttps://app.cheetahmail.com/m/mailers/mailinail.anntaylorloft.com>
Jul 27 15:46:55 winston postfix/smtpd[28230]: disconnect from localhost[127.0.0.1]

I confess I'm running Suse 9.1 and Postfix 2.5.5, so I'm looking for a justification to tear the system down and rebuild from scratch (as if I needed it), but a compromised system is much more serious.

Thanks,
Julian.
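
A triage aid for the question above, added here as an example and not part of the original post: it groups postfix/smtpd log lines by process ID into loopback sessions and separates those that queued a message cleanly from those that did not. The function names and the "needs review" rule are assumptions of this example; the sample input is constructed from the smtpd lines quoted in the post.

```python
import re

# Constructed sample: the smtpd lines of the two sessions quoted in the post.
SAMPLE_LOG = """\
Jul 27 15:46:54 winston postfix/smtpd[28230]: connect from localhost[127.0.0.1]
Jul 27 15:46:54 winston postfix/smtpd[28230]: warning: Illegal address syntax from localhost[127.0.0.1] in MAIL command: <anntaylorloft@mhttps://app.cheetahmail.com/m/mailers/mailinail.anntaylorloft.com>
Jul 27 15:46:55 winston postfix/smtpd[28230]: disconnect from localhost[127.0.0.1]
Jul 27 15:50:35 winston postfix/smtpd[28303]: connect from localhost[127.0.0.1]
Jul 27 15:50:36 winston postfix/smtpd[28303]: 57A5A220BA: client=localhost[127.0.0.1]
Jul 27 15:50:37 winston postfix/smtpd[28303]: disconnect from localhost[127.0.0.1]
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT = re.compile(r"^connect from \S+\[(?P<ip>[^\]]+)\]$")
QUEUED = re.compile(r"^(?P<qid>[0-9A-F]+): client=")

def loopback_sessions(log_text):
    """Group smtpd lines by PID into sessions whose client is a loopback address."""
    open_by_pid, done = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an smtpd line
        pid, msg = m["pid"], m["msg"]
        c = CONNECT.match(msg)
        if c:
            if pid in open_by_pid:  # earlier session never logged a disconnect
                done.append(open_by_pid.pop(pid))
            if c["ip"].startswith("127.") or c["ip"] == "::1":
                open_by_pid[pid] = {"pid": pid, "start": m["ts"], "queue_ids": [], "warnings": []}
            continue
        s = open_by_pid.get(pid)
        if s is None:
            continue  # line belongs to a non-loopback session
        q = QUEUED.match(msg)
        if q:
            s["queue_ids"].append(q["qid"])
        elif msg.startswith("warning:"):
            s["warnings"].append(msg[len("warning:"):].strip())
        elif msg.startswith("disconnect from"):
            done.append(open_by_pid.pop(pid))
    return done + list(open_by_pid.values())

def needs_review(session):
    # Assumed rule for this example: a warning, or nothing queued, merits a closer look.
    return bool(session["warnings"]) or not session["queue_ids"]
```

Each reviewed session's start time can then be compared against the times of known ssh logins to see which loopback connections are accounted for.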