On 2/26/2013 8:45 AM, Jamie wrote:
> I ran chkrootkit with clean results.
>
> For kicks: I sent a test email to myself from a web mail client. It
> seems connect from localhost.localdomain[127.0.0.1] is outputted
> under normal circumstances. Thus, it must be something to do with
> the way in which postfix passed mails along to the antivirus,
> antispam scanners. I am just not sure how to interpret the Postfix
> logs. The question remains... how did this spammer use this server
> as an open relay when it's been disallowed in the configuration.
>

There's no shortage of folks on this list who can help you interpret
the logs once you share them. You need to show us "postconf -n" and
logs of the suspect mail.

It's helpful to examine the evidence before drawing conclusions.
That's called guessing, and there's been a lot of that in this thread.

> Feb 26 06:46:26 serve postfix/smtpd[12617]: connect from
> out1-smtp.messagingengine.com[66.111.4.25]
... snip ...
> Feb 26 06:46:32 serve postfix/local[12641]: 597DB10DC1:
> to=<ja...@stimulussoft.com>, relay=local, delay=0.07,
> delays=0.04/0/0/0.03, dsn=2.0.0, status=sent (delivered to maildir)
> Feb 26 06:46:32 serve postfix/qmgr[19586]: 597DB10DC1: removed

Nice example of a normal mail, but not particularly useful. Please
show all those same log entries from a suspect message, along with
your current "postconf -n" output.

For further help, please see:
http://www.postfix.org/DEBUG_README.html#mail

  -- Noel Jones
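
Added example, not part of the original thread: one way to collect "all those same log entries" for a suspect message is to group Postfix log lines by queue ID and follow the Message-ID across the content-filter re-injection, so the client that first handed the mail to smtpd is visible next to the later 127.0.0.1 hop. The log lines are constructed, and the filter port, hosts, users and the `parse`/`hops` helper names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample (hosts, users, queue IDs are made up). Assumes a content
# filter on 127.0.0.1:10024 that re-injects scanned mail through local smtpd.
SAMPLE_LOG = """\
Feb 26 07:01:11 serve postfix/smtpd[13001]: 6A1B210DC2: client=unknown[192.0.2.55], sasl_method=LOGIN, sasl_username=webuser
Feb 26 07:01:11 serve postfix/cleanup[13005]: 6A1B210DC2: message-id=<constructed-1@example.invalid>
Feb 26 07:01:11 serve postfix/qmgr[19586]: 6A1B210DC2: from=<sender@example.invalid>, size=2048, nrcpt=1 (queue active)
Feb 26 07:01:12 serve postfix/smtpd[13010]: connect from localhost.localdomain[127.0.0.1]
Feb 26 07:01:12 serve postfix/smtpd[13010]: 7C3D410DC3: client=localhost.localdomain[127.0.0.1]
Feb 26 07:01:12 serve postfix/cleanup[13005]: 7C3D410DC3: message-id=<constructed-1@example.invalid>
Feb 26 07:01:12 serve postfix/smtp[13008]: 6A1B210DC2: to=<rcpt@example.net>, relay=127.0.0.1[127.0.0.1]:10024, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 7C3D410DC3)
Feb 26 07:01:12 serve postfix/qmgr[19586]: 6A1B210DC2: removed
Feb 26 07:01:14 serve postfix/smtp[13012]: 7C3D410DC3: to=<rcpt@example.net>, relay=mx.example.net[198.51.100.7]:25, dsn=2.0.0, status=sent (250 OK)
"""

# Short (hex) queue IDs only; enable_long_queue_ids would need a wider pattern.
LINE = re.compile(r"postfix/[\w/]+\[\d+\]: ([0-9A-F]{6,}): (.*)$")
FIELD = re.compile(r"([\w-]+)=<?([^,>\s]*)>?")

def parse(log_text):
    """Group the key=value fields Postfix logs by queue ID."""
    msgs = defaultdict(lambda: {"client": None, "sasl_username": None,
                                "message-id": None, "from": None, "deliveries": []})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # connect/disconnect and NOQUEUE lines carry no queue ID
        qid, rest = m.groups()
        fields = dict(FIELD.findall(rest))
        for key in ("client", "sasl_username", "message-id", "from"):
            if key in fields:
                msgs[qid][key] = fields[key]
        if "to" in fields:
            msgs[qid]["deliveries"].append(
                (fields["to"], fields.get("relay"), fields.get("status")))
    return msgs

def hops(log_text, message_id):
    """Every queue ID that carried this Message-ID, with its client and SASL login."""
    return [(qid, r["client"], r["sasl_username"], r["deliveries"])
            for qid, r in parse(log_text).items() if r["message-id"] == message_id]

if __name__ == "__main__":
    for hop in hops(SAMPLE_LOG, "constructed-1@example.invalid"):
        print(hop)
```

The first hop returned is the one whose `client=` and `sasl_username=` show how the message entered the server; the `localhost.localdomain[127.0.0.1]` hop is the same message after scanning.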