On Tue, Jun 16, 2015 at 08:34:38PM -0700, Jithesh AP wrote:

> I tried that, the first line client = ip-172 is the internal/private ip of
> my server. So does this mean somehow it is being sent from my server itself?
> 
>  grep 6CB5841627 /var/maillog
> Jun 16 13:21:46 ml postfix/smtpd[19729]: 6CB5841627:
> client=ip-172-31-5-33.us-west-1.compute.internal[172.31.5.33]
> Jun 16 13:21:48 ml postfix/cleanup[22906]: 6CB5841627:
> message-id=<kflvqedfdosxjjhkebewy...@sfilc.com>

Is that really the machine's own IP address, or that of another
machine on the same subnet?  Perhaps you have an insecure PHP or
other web application that sends email via SMTP rather than via
the sendmail(1) command-line.

Or perhaps you've exposed an SMTP proxy-filter or other application
that on some port effectively NATs outside connections to appear
to be local.

Also post the headers of the queued message output by running
as root:

    # postcat -hq 0C9B14166A

This may shed some additional light on the message origin.

In the meantime, set "mynetworks = 127.0.0.1"; that might
limit further damage.

-- 
        Viktor.
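
Added example, not part of the reply above: a short Python script that pulls the client= address for each queue ID out of Postfix smtpd log lines and reports whether it is loopback, one of the server's own addresses, another host covered by mynetworks, or external. OWN_ADDRS and MYNETWORKS are assumptions for illustration; the first sample log line is the one quoted above, unfolded, and the others are constructed.

```python
import ipaddress
import re

# smtpd logs "QUEUEID: client=host[addr]" for each message it accepts.
CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: ([0-9A-Za-z]+): client=\S*\[([0-9A-Fa-f.:]+)\]")

def classify(addr, own_addrs, mynetworks):
    """Say where an SMTP client address sits relative to this server."""
    if addr.is_loopback:
        return "loopback"
    if addr in own_addrs:
        return "own-address"      # local process speaking SMTP, or a local proxy/NAT
    if any(addr in net for net in mynetworks):
        return "mynetworks-peer"  # another machine that is allowed to relay
    return "external"

def trace_clients(lines, own_addrs, mynetworks):
    """Map queue ID -> (client address, classification)."""
    own = {ipaddress.ip_address(a) for a in own_addrs}
    nets = [ipaddress.ip_network(n) for n in mynetworks]
    found = {}
    for line in lines:
        m = CLIENT_RE.search(line)
        if not m:
            continue              # cleanup/qmgr/etc. lines carry no client=
        try:
            addr = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue              # bracketed text was not an IP address
        found[m.group(1)] = (str(addr), classify(addr, own, nets))
    return found

# First line: from the thread, unfolded. Remaining lines: constructed.
SAMPLE_LOG = [
    "Jun 16 13:21:46 ml postfix/smtpd[19729]: 6CB5841627: client=ip-172-31-5-33.us-west-1.compute.internal[172.31.5.33]",
    "Jun 16 13:21:48 ml postfix/cleanup[22906]: 6CB5841627: message-id=<constructed@example.org>",
    "Jun 16 13:22:01 ml postfix/smtpd[19730]: AAAA000001: client=localhost[127.0.0.1]",
    "Jun 16 13:22:05 ml postfix/smtpd[19731]: AAAA000002: client=unknown[172.31.9.10]",
    "Jun 16 13:22:09 ml postfix/smtpd[19732]: AAAA000003: client=mail.example.org[203.0.113.7]",
]
OWN_ADDRS = ["172.31.5.33"]                    # assumption: from `ip addr` on the server
MYNETWORKS = ["127.0.0.0/8", "172.31.0.0/16"]  # assumption: from `postconf mynetworks`

if __name__ == "__main__":
    for qid, (addr, origin) in trace_clients(SAMPLE_LOG, OWN_ADDRS, MYNETWORKS).items():
        print(qid, addr, origin)
```

Run it with the real output of `postconf mynetworks` and the server's interface addresses to see which queued messages arrived from a client that mynetworks trusts.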
