Many thanks.  Especially for the GeoIP reference.  I will take steps to
clean up that account.

Again, thanks.

Patrick

On Sat, Oct 5, 2019 at 11:45 PM Viktor Dukhovni <postfix-us...@dukhovni.org>
wrote:

> > On Oct 6, 2019, at 2:09 AM, Patrick Mahan <plma...@gmail.com> wrote:
> >
> > I am trying to understand how I am being a mail relay for (what I
> > believe) are unauthorized users.
> > I have the following postfix config set:
> >
> > smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authentication, reject_unauth_destination
>
> The second of these is presumably actually "permit_sasl_authenticated"...
>
> > The logs are showing -
> >
> > Oct  5 00:00:02 ns postfix/smtpd[65859]: BB829A32C24: client=unknown[37.114.181.42], sasl_method=LOGIN, sasl_username=tracy
>
> A successful login as "tracy" was completed from a system at
> [37.114.181.42],
> which GeoIP on my system reports as:
>
>         37.114.181.42: AZ, Azerbaijan
>
> If the real "tracy" is not logging in from Azerbaijan, her account
> password has been compromised, and the compromise might affect more
> than the password for your mailserver, perhaps remote control of her
> computer, ...
>
> The rest is just consequences of the account takeover.
>
> --
>         Viktor.
>
>

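Added example, not part of the original thread and not Postfix code: a small log check for the situation described above, listing SASL-authenticated smtpd sessions whose client address falls outside the networks users are expected to log in from, together with the queue IDs of the mail they submitted. The expected networks and all sample lines except the first (quoted from the thread) are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Postfix smtpd logs this line when a SASL-authenticated client submits mail.
SASL_RE = re.compile(
    r"postfix(?:/\w+)?/smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): "
    r"client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\], "
    r"sasl_method=(?P<method>[^,\s]+), sasl_username=(?P<user>[^,\s]+)"
)

# Assumption: the networks legitimate users normally authenticate from.
EXPECTED_NETS = [ipaddress.ip_network(n)
                 for n in ("192.0.2.0/24", "198.51.100.0/24")]

# First line is the one quoted in the thread; the rest are constructed.
SAMPLE_LOG = """\
Oct  5 00:00:02 ns postfix/smtpd[65859]: BB829A32C24: client=unknown[37.114.181.42], sasl_method=LOGIN, sasl_username=tracy
Oct  5 00:00:09 ns postfix/smtpd[65859]: C1F03A32C31: client=unknown[37.114.181.42], sasl_method=LOGIN, sasl_username=tracy
Oct  5 08:14:51 ns postfix/smtpd[66120]: 4D2E1A32C40: client=host.example.net[192.0.2.25], sasl_method=PLAIN, sasl_username=tracy
Oct  5 08:20:10 ns postfix/smtpd[66131]: 7A9B0A32C52: client=mx.example.org[203.0.113.9]
Oct  5 09:02:33 ns postfix/smtpd[66140]: 9E11CA32C60: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=sam
"""


def sasl_logins(lines):
    """Yield (user, ip, queue_id) for each SASL-authenticated submission."""
    for line in lines:
        m = SASL_RE.search(line)
        if m:
            yield m["user"], ipaddress.ip_address(m["ip"]), m["qid"]


def unexpected_logins(lines, expected=EXPECTED_NETS):
    """Return {user: {ip: [queue ids]}} for logins outside `expected`."""
    hits = defaultdict(lambda: defaultdict(list))
    for user, ip, qid in sasl_logins(lines):
        if not any(ip in net for net in expected):
            hits[user][str(ip)].append(qid)
    return {user: dict(ips) for user, ips in hits.items()}


if __name__ == "__main__":
    for user, ips in unexpected_logins(SAMPLE_LOG.splitlines()).items():
        for ip, qids in ips.items():
            print(f"{user}: {len(qids)} message(s) via {ip}: {' '.join(qids)}")
```

The queue IDs can then be followed through the rest of the log to see what was relayed under the account.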