Hi,

See inline.

Thank you!

On Thu, Aug 21, 2014 at 10:02 AM, Wietse Venema <wie...@porcupine.org> wrote:

> Charles Richard:
> > Hi,
> >
> > I have inherited a postfix 2.6 mail server which also uses Dovecot 1.1.14.
> >
> > This is basically a legacy mail server that can't be shut off because it is
> > now used only to forward the emails sent to a few mailboxes to the new
> > email addresses now being used.
> >
> > This email server has been compromised and, from what I can tell, it is
> > sending spam from localhost. I don't know much about postfix.
> >
> > Any suggestions on how to fix this? We don't need the local mailboxes to be
> > able to send messages anymore. We only want messages sent to valid
> > mailboxes to be forwarded as per the forward rules we have set up.
>
> Before you can stop the spam, you must find out how it enters Postfix.
> You will have to examine the maillog (mail.log, or whatever) file
> to find out if it enters via smtpd (network) or via pickup (local
> submission). If it arrives from the network, perhaps a user account
> was compromised. If it comes from a local web application, that
> requires different measures.

How can I tell if it enters via smtpd or via pickup? The first message I see starts in the following manner:

Aug 21 09:59:49 servername postfix/qmgr[28270]: 1583354444F: from=<x...@xxxxx.com>, size=2151, nrcpt=14 (queue active)

> Wietse
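An added example, not part of the original thread and not Postfix's own code: the qmgr line quoted above only shows the message being queued, so the entry point is found by looking up the same queue ID (here `1583354444F`) on an earlier `postfix/smtpd` line (`client=...`, network) or `postfix/pickup` line (`uid=...`, local submission). The sketch below does that lookup for every queue ID in a log; the sample log lines, queue IDs, hosts and addresses in it are constructed.

```python
import re
from collections import defaultdict

# Constructed sample maillog lines (not from the thread); queue IDs, hosts
# and addresses are made up. Read the real maillog file instead.
SAMPLE_LOG = """\
Aug 21 09:59:48 mail postfix/pickup[28269]: 1A2B3C4D5E: uid=48 from=<apache>
Aug 21 09:59:48 mail postfix/cleanup[28301]: 1A2B3C4D5E: message-id=<20140821.1@mail.example.com>
Aug 21 09:59:49 mail postfix/qmgr[28270]: 1A2B3C4D5E: from=<apache@mail.example.com>, size=2151, nrcpt=14 (queue active)
Aug 21 10:01:02 mail postfix/smtpd[28310]: 2B3C4D5E6F: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=bob
Aug 21 10:01:03 mail postfix/qmgr[28270]: 2B3C4D5E6F: from=<bob@example.com>, size=900, nrcpt=40 (queue active)
Aug 21 10:02:10 mail postfix/smtpd[28311]: 3C4D5E6F70: client=localhost[127.0.0.1]
Aug 21 10:02:11 mail postfix/qmgr[28270]: 3C4D5E6F70: from=<x@example.com>, size=700, nrcpt=1 (queue active)
"""

# daemon name, queue ID, and the rest of the log record
LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-Za-z]+): (.*)")

def trace_origins(log_text):
    """Map each queue ID to how it entered Postfix and what qmgr queued."""
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        if daemon == "smtpd" and rest.startswith("client="):
            # Network submission: keep the client and any SASL login used.
            msgs[qid]["via"] = "smtpd"
            msgs[qid]["client"] = re.match(r"client=([^,]+)", rest).group(1)
            sasl = re.search(r"sasl_username=([^,\s]+)", rest)
            msgs[qid]["sasl_user"] = sasl.group(1) if sasl else None
        elif daemon == "pickup" and rest.startswith("uid="):
            # Local submission (sendmail command): uid names the local account.
            msgs[qid]["via"] = "pickup"
            msgs[qid]["uid"] = int(re.match(r"uid=(\d+)", rest).group(1))
        elif daemon == "qmgr":
            # The line type quoted in the thread: envelope sender and fan-out.
            q = re.match(r"from=<([^>]*)>, size=\d+, nrcpt=(\d+)", rest)
            if q:
                msgs[qid]["sender"], msgs[qid]["nrcpt"] = q.group(1), int(q.group(2))
    return dict(msgs)

if __name__ == "__main__":
    for qid, info in trace_origins(SAMPLE_LOG).items():
        print(qid, info.get("via", "unknown (entry line not in this log)"), info)
```

A `pickup` entry points at the local account behind the uid (for example a web server user), while an `smtpd` entry with `sasl_username` points at the mail account whose credentials were used.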