On Tue, Jun 16, 2015 at 08:34:38PM -0700, Jithesh AP wrote:

> I tried that, the first line client = ip-172 is the internal/private ip of
> my server. So does this mean somehow it is being sent from my server itself?
>
> grep 6CB5841627 /var/maillog
> Jun 16 13:21:46 ml postfix/smtpd[19729]: 6CB5841627:
> client=ip-172-31-5-33.us-west-1.compute.internal[172.31.5.33]
> Jun 16 13:21:48 ml postfix/cleanup[22906]: 6CB5841627:
> message-id=<kflvqedfdosxjjhkebewy...@sfilc.com>

Is that really the machine's own IP address, or that of another machine
on the same subnet? Perhaps you have an insecure PHP or other web
application that sends email via SMTP rather than via the sendmail(1)
command-line. Or perhaps you've exposed an SMTP proxy-filter or other
application that on some port effectively NATs outside connections to
appear to be local.

Also post the headers of the queued message output by running as root:

    # postcat -hq 0C9B14166A

This may shed some additional light on the message origin. In the
meantime, set "mynetworks = 127.0.0.1"; that might limit further damage.

-- 
Viktor.
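
An added example, not part of the original message: it pulls the smtpd client address for each queue ID out of the log and classifies it as loopback, the server's own address, a neighbour on the subnet, or outside, then shows whether that client would still match a given mynetworks list. The /20 subnet, the third log line and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: the two log lines quoted in the thread (unwrapped), plus
# one made-up smtpd line (queue ID and address invented) for contrast.
SAMPLE_LOG = """\
Jun 16 13:21:46 ml postfix/smtpd[19729]: 6CB5841627: client=ip-172-31-5-33.us-west-1.compute.internal[172.31.5.33]
Jun 16 13:21:48 ml postfix/cleanup[22906]: 6CB5841627: message-id=<kflvqedfdosxjjhkebewy...@sfilc.com>
Jun 16 13:22:01 ml postfix/smtpd[19730]: AAAA000001: client=unknown[172.31.5.40]
"""

# Assumptions: the server's interface address is the one the poster reports;
# the /20 subnet is a made-up value for illustration.
OWN_ADDRS = {ipaddress.ip_address("172.31.5.33")}
SUBNET = ipaddress.ip_network("172.31.0.0/20")

CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: ([0-9A-Za-z]+): client=(\S+?)\[([^\]]+)\]")


def smtpd_clients(log_text):
    """Map queue ID -> (hostname, ip) taken from smtpd 'client=' lines."""
    return {m.group(1): (m.group(2), ipaddress.ip_address(m.group(3)))
            for m in CLIENT_RE.finditer(log_text)}


def classify(ip, own_addrs=OWN_ADDRS, subnet=SUBNET):
    """Say where an SMTP client sits relative to this server."""
    if ip.is_loopback:
        return "loopback"
    if ip in own_addrs:
        return "own-address"      # a local process or proxy connected over SMTP
    if ip in subnet:
        return "same-subnet"      # a neighbouring machine, not this one
    return "outside"


def trusted(ip, mynetworks):
    """True if the client falls in mynetworks (plain addresses/CIDR only)."""
    return any(ip in ipaddress.ip_network(n) for n in mynetworks)


if __name__ == "__main__":
    for qid, (host, ip) in smtpd_clients(SAMPLE_LOG).items():
        print(qid, host, ip, classify(ip),
              "trusted with mynetworks=127.0.0.1:", trusted(ip, ["127.0.0.1"]))
```
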