Then you have some local process that is compromised. Areas to check:

- Do you have a password reminder sending service?
- Do you have other automated email facilities?
- Check if some user on your server has become rogue.
- Check if some process on the server is abusing sendmail.
- Do you have a mailing list on the server? Check that the mailing list software isn't compromised.

From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On behalf of Ben Greenfield
Sent: 17 December 2015 22:02
To: postfix-users@postfix.org
Subject: non-existent users submitting email qmgr as localhost

Hey All,

I'm truly lost on this. Suddenly I'm receiving email at my qmgr delivered by localhost 127.0.0.1. The emails all end in cogs.com but none of those addresses are ours.

Searching for the message ID of the spoofed email, the first appearance in the log is always qmgr, and the mail was received by localhost 127.0.0.1.

Any ideas appreciated.

Ben

This server is on version 2.5.14

plex:spool root# postconf -n
alias_maps = hash:/etc/aliases,hash:/var/mailman/data/aliases
biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
enable_server_options = yes
header_checks = pcre:/etc/postfix/custom_header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
mail_owner = _postfix
mailbox_size_limit = 0
mailbox_transport = dovecot
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_domains =
message_size_limit = 0
mydestination = $myhostname, localhost.$mydomain, localhost, cogs.com, mail.rowerprojectoffice.com, $mydomain
mydomain = cogs.com
mydomain_fallback = localhost
myhostname = plex.cogs.com
mynetworks = 192.168.1.18,108.12.137.159,72.43.160.26,72.43.6.86
newaliases_path = /usr/bin/newaliases
owner_request_special = no
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
recipient_delimiter = +
relay_domains = $mydestination
relayhost =
sample_directory = /usr/share/doc/postfix/examples
sender_bcc_maps = hash:/etc/postfix/sender_bcc
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtp_sasl_password_maps =
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated hash:/etc/postfix/smtpdreject cidr:/etc/postfix/smtpdreject.cidr reject_rbl_client sbl.spamhaus.org reject_rbl_client xbl.spamhaus.org permit
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname reject_non_fqdn_helo_hostname
smtpd_pw_server_security_options = gssapi,cram-md5
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks check_sender_access hash:/etc/postfix/sender_access reject_unauth_destination check_policy_service unix:private/policy permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_tls_CAfile = /etc/certificates/mail.cogs.com.349E00BE0E1D924321C26D3DF0030E0CDADD6C6A.chain.pem
smtpd_tls_cert_file = /etc/certificates/mail.cogs.com.349E00BE0E1D924321C26D3DF0030E0CDADD6C6A.cert.pem
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
smtpd_tls_key_file = /etc/certificates/mail.cogs.com.349E00BE0E1D924321C26D3DF0030E0CDADD6C6A.key.pem
smtpd_tls_loglevel = 0
smtpd_use_pw_server = yes
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_domains = $virtual_alias_maps hash:/etc/postfix/virtual_domains
virtual_alias_maps = hash:/etc/postfix/virtual
plex:spool root#
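As an added example (not part of the thread, and not anyone's posted code), the checks above for a rogue user or a process abusing sendmail can be turned into a log triage. Postfix logs mail submitted through sendmail(1) first from postfix/pickup with the submitting uid, and mail injected over SMTP first from postfix/smtpd with the client address and, when authenticated, sasl_username. The script runs that over a constructed sample of log lines; the hostname, queue IDs, uids and domains are invented. Mail re-injected by a content filter such as the smtp-amavis one in the posted config typically also arrives at an smtpd from 127.0.0.1, so a localhost client by itself does not prove local abuse; the uid on the pickup line, or the SASL user on the smtpd line, is the attribution that matters. Queue IDs that only ever show up at qmgr mean the entry line is outside the window searched, so widen it (older, rotated logs) before drawing conclusions.

```shell
#!/bin/sh
# Added example, not from the thread: triage Postfix log lines to see how each
# queue entry got in. The log sample is constructed (host, queue IDs, uids and
# domains are invented); uid 70 stands for a web-server account, 501 for a
# normal user.
SAMPLE_LOG='Dec 17 21:55:01 plex postfix/pickup[4411]: 3A1B2C3D4E: uid=70 from=<_www@plex.example.invalid>
Dec 17 21:55:01 plex postfix/cleanup[4412]: 3A1B2C3D4E: message-id=<a1@plex.example.invalid>
Dec 17 21:55:01 plex postfix/qmgr[4413]: 3A1B2C3D4E: from=<_www@plex.example.invalid>, size=812, nrcpt=1 (queue active)
Dec 17 21:55:03 plex postfix/pickup[4411]: 5F6A7B8C9D: uid=70 from=<nobody@example.invalid>
Dec 17 21:55:03 plex postfix/qmgr[4413]: 5F6A7B8C9D: from=<nobody@example.invalid>, size=790, nrcpt=40 (queue active)
Dec 17 21:56:10 plex postfix/smtpd[4420]: 7E8F9A0B1C: client=localhost[127.0.0.1]
Dec 17 21:56:10 plex postfix/qmgr[4413]: 7E8F9A0B1C: from=<alice@example.invalid>, size=1200, nrcpt=1 (queue active)
Dec 17 21:57:00 plex postfix/smtpd[4421]: 9C0D1E2F3A: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=bob
Dec 17 21:57:00 plex postfix/qmgr[4413]: 9C0D1E2F3A: from=<bob@example.invalid>, size=640, nrcpt=1 (queue active)
Dec 17 21:58:00 plex postfix/pickup[4411]: B2C3D4E5F6: uid=501 from=<ben@example.invalid>
Dec 17 21:58:00 plex postfix/qmgr[4413]: B2C3D4E5F6: from=<ben@example.invalid>, size=500, nrcpt=1 (queue active)
Dec 17 21:59:00 plex postfix/qmgr[4413]: D4E5F6A7B8: from=<ghost@example.invalid>, size=700, nrcpt=25 (queue active)'

# In a real triage, replace this with: grep postfix /var/log/mail.log
log_lines() { printf '%s\n' "$SAMPLE_LOG"; }

# For every queue ID, report the first component that logged it and the
# submission detail: pickup gives the local uid, smtpd gives the client and
# the SASL user if there was one. Field 5 is "postfix/<component>[pid]:",
# field 6 is the queue ID.
entry_points() {
    log_lines | awk '
        {
            comp = $5; sub(/\[.*/, "", comp); sub(/^postfix\//, "", comp)
            qid = $6; sub(/:$/, "", qid)
            if (!(qid in first)) { first[qid] = comp; order[++n] = qid }
            if (comp == "pickup") detail[qid] = $7
            if (comp == "smtpd") {
                d = $7; sub(/,$/, "", d)
                for (i = 8; i <= NF; i++) if ($i ~ /^sasl_username=/) d = d " " $i
                detail[qid] = d
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                q = order[i]
                printf "%s %s%s\n", q, first[q], (detail[q] == "" ? "" : " " detail[q])
            }
        }'
}

# Count local sendmail submissions per uid. A high count for a web-server or
# application uid points at a local process abusing sendmail; a user's own uid
# points at that account. Output is "count uid", busiest first.
submissions_by_uid() {
    log_lines | awk '/postfix\/pickup\[/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^uid=/) { sub(/^uid=/, "", $i); c[$i]++ }
    } END { for (u in c) print c[u], u }' | sort -rn
}

# Queue IDs that qmgr logged but for which no pickup or smtpd line is in
# this window: the entry point is in lines not searched (an older log).
unexplained_queue_ids() {
    log_lines | awk '
        { comp = $5; sub(/\[.*/, "", comp); qid = $6; sub(/:$/, "", qid) }
        comp == "postfix/qmgr" { seen[qid] = 1 }
        comp == "postfix/pickup" || comp == "postfix/smtpd" { entry[qid] = 1 }
        END { for (q in seen) if (!(q in entry)) print q }' | sort
}

echo "== entry point per queue ID =="; entry_points
echo "== local sendmail submissions per uid =="; submissions_by_uid
echo "== queue IDs with no entry line in this window =="; unexplained_queue_ids
```

On the sample, uid 70 accounts for two of the three local submissions (one of them to 40 recipients), the localhost smtpd entry carries no SASL user and so is consistent with content-filter re-injection rather than an authenticated client, and D4E5F6A7B8 is the "first seen at qmgr" case that needs a wider log window.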