On 22-10-16 at 01:46, Wietse Venema wrote:
> Paul van der Vlis:
>> Received: from [127.0.0.1] (87-92-55-206.bb.dnainternet.fi [87.92.55.206])
>>     (Authenticated sender: p...@puk.nl)
>>     by mail.vandervlis.nl (Postfix) with ESMTPSA id 774B23E0285;
>>     Fri, 21 Oct 2016 18:57:14 +0200 (CEST)
>
> That is NOT RELAYING. That is receiving mail from a process that
> runs on the same machine. This can happen when the machine runs a
> bad web application.

Thank you for your help!

Receiving mail from a web application is something that I have checked, but I did not find anything in the Apache logs. And I see traffic on port 587 from bad IPs when I log the firewall. I also turned off Apache for a while, and I still saw spam coming in.

I will investigate further; there are 3 web applications running on the machine.

What I did last night that stopped the spam is blocking the mail from a specific sender (p...@puk.nl in my example) using check_sender_access:

smtpd_recipient_restrictions =
    permit_mynetworks,
    check_sender_access hash:/etc/postfix/sender_access,
    permit_sasl_authenticated,
    (...)

The strange thing is that the username they use for authentication (p...@puk.nl) is not a correct username. So maybe they will come in some time later with another fake username...

With regards,
Paul van der Vlis.

-- 
Paul van der Vlis
Linux system administration Groningen
https://www.vandervlis.nl/
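
Added example (not part of the original message, and not Postfix's own code): a Python script that tallies, from Postfix smtpd log lines, which SASL login name each authenticated submission used and from how many client IPs, so the login being used for the spam can be read from the log. The log lines, addresses and the `max_ips` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Postfix smtpd log format (not from the thread).
SAMPLE_LOG = """\
Oct 21 18:51:02 mail postfix/submission/smtpd[2101]: 1A2B3C4D01: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=user1@example.com
Oct 21 18:52:40 mail postfix/submission/smtpd[2104]: 1A2B3C4D02: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=user1@example.com
Oct 21 18:53:11 mail postfix/smtpd[2107]: 1A2B3C4D03: client=localhost[127.0.0.1]
Oct 21 18:54:19 mail postfix/submission/smtpd[2110]: 1A2B3C4D04: client=host.example.net[203.0.113.5], sasl_method=PLAIN, sasl_username=user1@example.com
Oct 21 18:55:37 mail postfix/submission/smtpd[2113]: 1A2B3C4D05: client=office.example.org[198.51.100.7], sasl_method=PLAIN, sasl_username=user2@example.com
Oct 21 18:56:03 mail postfix/submission/smtpd[2116]: 1A2B3C4D06: client=unknown[203.0.113.77], sasl_method=LOGIN, sasl_username=user1@example.com
Oct 21 18:58:45 mail postfix/submission/smtpd[2119]: 1A2B3C4D07: client=office.example.org[198.51.100.7], sasl_method=PLAIN, sasl_username=user2@example.com
"""

# Matches only smtpd lines that record a successful SASL login; the optional
# middle component covers a custom syslog_name such as postfix/submission.
SASL_RE = re.compile(
    r"postfix/(?:[\w-]+/)?smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): "
    r"client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\], "
    r"sasl_method=(?P<method>[^,\s]+), sasl_username=(?P<user>[^,\s]+)"
)

def sasl_logins(log_text):
    """Map each SASL login name to {client IP: authenticated message count}."""
    stats = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = SASL_RE.search(line)
        if m:  # lines without sasl_username (unauthenticated clients) are skipped
            stats[m["user"]][m["ip"]] += 1
    return {user: dict(ips) for user, ips in stats.items()}

def suspicious(stats, max_ips=2):
    """Logins seen from more than max_ips distinct IPs (threshold is an assumption)."""
    hits = [(user, len(ips), sum(ips.values()))
            for user, ips in stats.items() if len(ips) > max_ips]
    return sorted(hits, key=lambda h: (-h[1], -h[2]))

if __name__ == "__main__":
    for user, n_ips, n_msgs in suspicious(sasl_logins(SAMPLE_LOG)):
        print(f"{user}: {n_msgs} messages from {n_ips} client IPs")
```

To use it on a live server, pass the contents of the mail log (its path depends on the system) to `sasl_logins()` in place of `SAMPLE_LOG`.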