Postfix identify the true sender

Recently my server has many spam emails generated. I looked for information in an example message but the sender is apparently faked, and there is no postfix user ID in the message header as well. Below is the complete header of a sample message:

root@server:~# postcat -qv 400CB848E9
postcat: name_mask: all
postcat: inet_addr_local: configured 4 IPv4 addresses
postcat: inet_addr_local: configured 2 IPv6 addresses
*** ENVELOPE RECORDS hold/400CB848E9 ***
message_size:            2333             670               1               0            2333               0
message_arrival_time: Thu Jun 24 06:44:46 2021
create_time: Thu Jun 24 06:44:46 2021
named_attribute: log_ident=400CB848E9
named_attribute: rewrite_context=local
sender: [email protected]
named_attribute: log_client_name=localhost.localdomain
named_attribute: log_client_address=127.0.0.1
named_attribute: log_client_port=40070
named_attribute: log_message_origin=localhost.localdomain[127.0.0.1]
named_attribute: log_helo_name=localhost
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=localhost.localdomain
named_attribute: reverse_client_name=localhost.localdomain
named_attribute: client_address=127.0.0.1
named_attribute: client_port=40070
named_attribute: helo_name=localhost
named_attribute: protocol_name=ESMTP
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
recipient: [email protected]
*** MESSAGE CONTENTS hold/400CB848E9 ***
regular_text: Received: from localhost (localhost.localdomain [127.0.0.1])
regular_text:   by dallas.mylocalhostdomain.com (Postfix) with ESMTP id 400CB848E9
regular_text:   for <[email protected]>; Thu, 24 Jun 2021 06:44:46 -0400 (EDT)
regular_text: From: Google Drive Storage <[email protected]>
regular_text: To: [email protected]
regular_text: MIME-Version: 1.0
regular_text: Message-ID: <[email protected]>
regular_text: Date: Thu, 24 Jun 2021 06:44:46 +0000
regular_text: Content-Type: text/html; charset=UTF-8
regular_text: Content-Transfer-Encoding: 7bit
regular_text: Subject: File is damaged and could not be repaired

As can be seen in the header, the sender of the message is [email protected], but this domain name / user does not exist on the server. I am confused, as from what I know, the user must exist on the server before SMTP can be authenticated. In addition, there is also no authentication information in the mail.log file.

I hope someone can help point out how to identify the real user that generated this message?

Thank you!


Solution 1:

Look carefully at these:

sender: [email protected]
named_attribute: log_client_name=localhost.localdomain
named_attribute: log_client_address=127.0.0.1
named_attribute: log_client_port=40070
named_attribute: log_message_origin=localhost.localdomain[127.0.0.1]
named_attribute: log_helo_name=localhost
named_attribute: log_protocol_name=ESMTP
named_attribute: helo_name=localhost

This means some process from localhost (i.e. the server machine itself) made an ESMTP transaction to this server. It began with EHLO localhost and then, without any authentication, it was accepted for delivery. I can guess you have 127.0.0.1 in mynetworks. The "Received" header it added has the same information (that's no wonder).

That's all Postfix has seen and could tell you. Seek the answer to "who is the real sender" in some other place. That might be web mail, so read webserver access logs; it might be that the server is compromised (oh!) or just that there is some hole in a PHP script which allows sending mail. Check wtmp (last and so on). Look for logs near Thu, 24 Jun 2021 06:44:46 -0400 (EDT).

I'll reiterate this so you don't ask the same question in other words: Postfix has done all it could to disclose to you where it got this mail. The only thing it knows is that the mail came from localhost. That rings the bell: "check your localhost" (the server).
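One way to do the correlation the answer suggests, as an added example that is not part of the question or answer: take the timestamp from the Received: header that Postfix stamped on the message and pull every webserver request that landed within a few seconds of it, so a PHP script being abused to send mail stands out. The Apache access log lines below are constructed for the example (the access-log format and the 5-second window are assumptions).

```python
import re
from collections import Counter
from datetime import datetime

# Timestamp from the Received: header Postfix added (question's value, offset -0400).
RECEIVED_TS = "Thu, 24 Jun 2021 06:44:46 -0400"

# Constructed sample Apache access log lines; not taken from the question.
ACCESS_LOG = """\
127.0.0.1 - - [24/Jun/2021:06:40:10 -0400] "GET /index.php HTTP/1.1" 200 512
203.0.113.7 - - [24/Jun/2021:06:44:45 -0400] "POST /uploads/contact.php HTTP/1.1" 200 51
203.0.113.7 - - [24/Jun/2021:06:44:47 -0400] "POST /uploads/contact.php HTTP/1.1" 200 51
198.51.100.3 - - [24/Jun/2021:07:10:02 -0400] "GET /about.html HTTP/1.1" 200 2048
"""

# Apache common/combined log prefix: client, identd, user, [timestamp], "request", status, size.
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')


def parse_received_time(value):
    """Parse the RFC 5322 date in a Postfix Received: header (with numeric zone)."""
    return datetime.strptime(value, "%a, %d %b %Y %H:%M:%S %z")


def parse_apache_time(value):
    """Parse the [dd/Mon/yyyy:HH:MM:SS zone] timestamp of an Apache access log line."""
    return datetime.strptime(value, "%d/%b/%Y:%H:%M:%S %z")


def requests_near(access_log, mail_time, window_seconds=5):
    """Return access log entries whose timestamp is within window_seconds of mail_time.

    Both timestamps carry a UTC offset, so the comparison is correct even when
    the webserver and Postfix log in different zones.
    """
    hits = []
    for line in access_log.splitlines():
        m = APACHE_RE.match(line)
        if not m:
            continue
        ts = parse_apache_time(m.group(2))
        if abs((ts - mail_time).total_seconds()) <= window_seconds:
            hits.append({"client": m.group(1), "time": ts,
                         "request": m.group(3), "status": int(m.group(4))})
    return hits


def suspect_paths(hits):
    """Count request paths among the hits; the most frequent is the first thing to inspect."""
    return Counter(h["request"].split(" ")[1] for h in hits)


if __name__ == "__main__":
    near = requests_near(ACCESS_LOG, parse_received_time(RECEIVED_TS))
    for h in near:
        print(h["time"].isoformat(), h["client"], h["request"], h["status"])
    print(suspect_paths(near))
```

On a real box the same logic applies to the mail.log line for the queue id (connect from localhost.localdomain[127.0.0.1]) and to `last -F` output; anything a client touched in that window is where to look.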