On Tue, 26 Feb 2013 17:16:20 +0200 Jamie articulated:

> On 2013/02/26 4:59 PM, Deeztek.com Support wrote:
> > in your /etc/hosts file if you were to change it to the actual servername.domain.tld of your server, then the log should report the actual server name vs. localhost.localdomain. I would unblock the IP address and see if the same thing happens and this time look for suspicious processes in your box.
> I unblocked the IP and the problem came back.
> > Is your outbound traffic on your firewall filtered or is everything allowed outbound?
> Everything is allowed outbound.
> > Also maybe look at the type of traffic going back and forth with that suspicious IP to hopefully determine what's going on (snort?). This doesn't seem like a postfix issue any longer.
> Thanks for your help. I will look at it further, but I am pretty certain that our machine isn't compromised.
Jamie, I realize that sometimes debugging can be a stressful job. If you would read the documentation at <http://www.postfix.org/DEBUG_README.html>, specifically the section located at <http://www.postfix.org/DEBUG_README.html#mail>, and follow the directions, it would save you a lot of work. Better yet, provide output from the postfinger tool. This can be found at <http://ftp.wl0.org/SOURCES/postfinger>. Post the complete, unmungled results here and the Postfix gurus can give you the assistance you need.

The idea that you are "pretty certain that our machine isn't compromised" is certainly not comforting at all. If you are not positive, then you have a problem.