Postfix seems to send spam
Does it mean that someone is using my username ([email protected]) to send spam?
YES
This log line was the proof of it.
Aug 4 11:09:17 mail postfix/smtpd[71597]: 1AE3B7EC3D: client=unknown[59.88.35.206], sasl_method=PLAIN, [email protected]
As you have permit_sasl_authenticated in main.cf, then you authorize anyone who knows your credential to send email via your server.
If so, then how is it possible?
There are many ways your credential could have been leaked.
- Keylogger planted in your computer
- Worm sends sensitive information (including your credential)
- Weak password was retrieved via brute-force or guessing
- Phishing email
- And many others...
and how do I fix it?
First disable the account, either by changing its status in the Postgres database or by changing the password to a random one. Identify how your credential was leaked and fix that hole too.
Additional notes:
Your postfix configuration was fine, although it's a little bit overlapping as you repeat some of the restrictions in each stage. You should also verify that each rhsbl/rbl provider is still actively maintaining its blacklist to avoid false positives.
The log shows that someone has obtained the password for the mail account [email protected] and is using it to send SPAM through the server.
- The entry at time 11:09:17 shows a successful SASL authentication from IP address 59.88.35.206 with username [email protected].
- The entry at 11:09:30 shows reception and queuing of a message with sender address [email protected] with twenty declared recipients over that connection.
- The entries timestamped 11:09:31 show these twenty copies being first forwarded internally within Postfix and then sent out to the recipients.
The most frequent cause for that kind of incident is a user falling for a phishing mail telling him or her to enter his or her mail address and password on some credentials harvesting web form.
To fix:
- Change that account's password immediately.
- Choose a (more) sensible password, specifically one not used anywhere else.
- Be (more) careful not to reveal that password to anybody, specifically do not enter it on any website.
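As an added example (not code from either answer), here is the check both answers apply to the log by hand, done as a script over the postfix/smtpd client= lines: it picks out SASL-authenticated connections and reports accounts that logged in from addresses outside the ranges you expect them to send from. The sample log, the trusted range and the address user@example.com (standing in for the redacted account) are constructed.

```python
import re
from collections import defaultdict

# Matches the postfix/smtpd "client=" line that records an SMTP connection and,
# when the client authenticated, its SASL method and username. Assumption:
# default Postfix log format, as in the line quoted in the question.
SMTPD_CLIENT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"(?P<qid>\w+): client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=(?P<method>[^,\s]+))?(?:, sasl_username=(?P<user>[^,\s]+))?"
)

def parse_sasl_logins(lines):
    """Yield (timestamp, queue_id, client_ip, sasl_username) for each smtpd
    connection that authenticated via SASL; unauthenticated clients are skipped."""
    for line in lines:
        m = SMTPD_CLIENT_RE.match(line)
        if m and m.group("user"):
            yield m.group("ts"), m.group("qid"), m.group("ip"), m.group("user")

def find_suspicious_logins(lines, trusted_prefixes):
    """Return {sasl_username: [(timestamp, queue_id, ip), ...]} for logins from
    outside the trusted ranges. trusted_prefixes lists IP string prefixes
    (e.g. "192.168.") the account normally sends from; one account authenticating
    from several unknown addresses is the leaked-credential pattern."""
    hits = defaultdict(list)
    for ts, qid, ip, user in parse_sasl_logins(lines):
        if not any(ip.startswith(p) for p in trusted_prefixes):
            hits[user].append((ts, qid, ip))
    return dict(hits)

# Constructed sample log: the question's line (redacted address replaced by a
# made-up one) plus three invented entries covering the cases the parser must handle.
SAMPLE_LOG = [
    "Aug  4 11:09:17 mail postfix/smtpd[71597]: 1AE3B7EC3D: client=unknown[59.88.35.206], sasl_method=PLAIN, sasl_username=user@example.com",
    # unauthenticated inbound MTA connection: must be ignored
    "Aug  4 11:10:02 mail postfix/smtpd[71601]: 2B4F07EC41: client=mx.example.net[198.51.100.7]",
    # the account's normal login from the office LAN: trusted
    "Aug  4 11:12:45 mail postfix/smtpd[71605]: 3C5017EC48: client=pc12.office.example.com[192.168.10.12], sasl_method=PLAIN, sasl_username=user@example.com",
    # a second foreign address on the same account
    "Aug  4 11:15:30 mail postfix/smtpd[71612]: 4D6127EC52: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=user@example.com",
]

if __name__ == "__main__":
    for user, logins in find_suspicious_logins(SAMPLE_LOG, ["192.168."]).items():
        print(f"{user}: {len(logins)} login(s) from untrusted addresses")
        for ts, qid, ip in logins:
            print(f"  {ts}  queue {qid}  from {ip}")
```

On a real server, feed it `/var/log/mail.log` and take the queue IDs it reports to grep for the matching qmgr/smtp lines, which is how the second answer traced the twenty recipients.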