How to Trace Who was Using my Mail Relay on Spamming?

postfix email-server

Solution 1:

Get the message ID and grep on it.

For example, in the line below, the message ID is F05911DBCA.

Apr 16 06:29:12 mail.xxx.com postfix/qmgr[25497]: F05911DBCA: removed

So you can execute

$ grep F05911DBCA /var/log/maillog

It will list all postfix log lines about this message, so you can check all steps done by Postfix for this specific connection.

Also, grep for sasl_username to get the user account sending the message. You can use "wc - l" command to get some count about how many times a account authenticated to send emails.

Figuring out what account was compromised, you can lock it out from sending emails.

Related

Server Room Temperature Monitoring - Where to stick my probes?
Kubernetes - Nginx Frontend & Django Backend
Postgres 8.3 on Ubuntu. Where are the server logs?
Does automounting /home on NFS allow users created on server to log into client
haproxy 2.2.x - acl url_reg wont work anymore
Powershell Script will run but screen capture not completed, why?
Azure Web App identified target web site is using IIS 10 and detected that it is out of date - how to change
How can I set a custom text on the LCD display on Dell PowerEdge servers
Snmpd stop working without any changes
Unable to delete .gitconfig folder in user home wsl2
Is there a way to direct traffic coming in on the same port to two different VMs? [closed]
Nginx return `444` on deny