One of our staff had their email account compromised. We have changed that user's login and password. However I lack experience interpreting what happened. Would someone take a look at the following headers and tell me how this was done? I can make a reasonable guess but I would like a definitive answer.
This is a representative header from one of the messages relayed: <--- Received from localhost (localhost [127.0.0.1]) by inet08.hamilton.harte-lyne.ca (Postfix) with ESMTP id 3137662492; Tue, 16 Feb 2016 09:44:30 -0500 (EST) X-Virus-Scanned amavisd-new at harte-lyne.ca Received from inet08.hamilton.harte-lyne.ca ([127.0.0.1]) by localhost (inet08.hamilton.harte-lyne.ca [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YweOTfrrhigz; Tue, 16 Feb 2016 09:44:28 -0500 (EST) Received from [127.0.0.1] (ppp-171-96-116-78.revip8.asianet.co.th [171.96.116.78]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by inet08.hamilton.harte-lyne.ca (Postfix) with ESMTPSA id 4B48362499; Tue, 16 Feb 2016 09:44:07 -0500 (EST) >From <our user's address> . . . ---> And our main.cf setup postconf -nf alias_maps = hash:/etc/aliases broken_sasl_auth_clients = yes command_directory = /usr/sbin config_directory = /etc/postfix content_filter = smtp-amavis:[127.0.0.1]:10024 daemon_directory = /usr/libexec/postfix data_directory = /var/lib/postfix debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5 delay_warning_time = 30m disable_vrfy_command = yes header_checks = regexp:/etc/postfix/header_checks.regexp home_mailbox = Maildir/ html_directory = no ignore_mx_lookup_error = no inet_interfaces = localhost, inet08.hamilton.harte-lyne.ca inet_protocols = all local_transport = smtp mail_spool_directory = /var/spool/mail mailman_destination_recipient_limit = 1 mailq_path = /usr/bin/mailq.postfix manpage_directory = /usr/share/man message_size_limit = 20480000 milter_default_action = accept milter_protocol = 2 mydestination = mynetworks = 216.185.71.0/26, 216.185.71.64/27, 209.47.176.0/26, 127.0.0.0/8 newaliases_path = /usr/bin/newaliases.postfix non_smtpd_milters = $smtpd_milters policyd-spf_time_limit = 3600 queue_minfree = 40960000 rbl_reply_maps = hash:/etc/postfix/rbl_reply readme_directory = /usr/share/doc/postfix-2.11.1/README_FILES recipient_delimiter = + relay_clientcerts = hash:/etc/postfix/relay_clientcerts relay_domains = hash:/etc/postfix/relay_domains sample_directory = /usr/share/doc/postfix-2.11.1/samples sendmail_path = /usr/sbin/sendmail.postfix setgid_group = postdrop smtp_dns_support_level = dnssec smtp_host_lookup = dns smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt smtp_tls_cert_file = /etc/pki/tls/certs/ca.harte-lyne.smtp.crt smtp_tls_ciphers = medium smtp_tls_exclude_ciphers = MD5, aDSS, SRP, PSK, aECDH, aDH, SEED, IDEA, RC2, RC5 smtp_tls_key_file = /etc/pki/tls/private/ca.harte-lyne.smtp.key smtp_tls_protocols = !SSLv2, !SSLv3 smtp_tls_security_level = dane smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache smtp_tls_session_cache_timeout = 3600s smtpd_client_restrictions = permit smtpd_data_restrictions = permit_mynetworks, reject_multi_recipient_bounce, reject_unauth_pipelining, permit smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks, check_helo_access pcre:/etc/postfix/helo_checks.pcre, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname, permit smtpd_milters = inet:127.0.0.1:8891 smtpd_proxy_timeout = 300s smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining, check_policy_service unix:/var/spool/postfix/postgrey/socket, check_policy_service unix:private/policyd-spf, permit smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination smtpd_sasl_auth_enable = yes smtpd_sasl_path = smtpd smtpd_sender_restrictions = permit_mynetworks, check_sender_access hash:/etc/postfix/sender_access, check_sender_mx_access hash:/etc/postfix/sender_mx_access, check_sender_ns_access hash:/etc/postfix/sender_ns_access, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, permit smtpd_starttls_timeout = ${stress?10}${stress:120}s smtpd_timeout = ${stress?10}${stress:120}s smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt smtpd_tls_ask_ccert = yes smtpd_tls_auth_only = yes smtpd_tls_cert_file = /etc/pki/tls/certs/ca.harte-lyne.smtpd.crt smtpd_tls_ciphers = medium smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem smtpd_tls_fingerprint_digest = sha1 smtpd_tls_key_file = /etc/pki/tls/private/ca.harte-lyne.smtpd.key smtpd_tls_protocols = !SSLv2, !SSLv3 smtpd_tls_received_header = yes smtpd_tls_security_level = may smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache smtpd_tls_session_cache_timeout = 3600s soft_bounce = no strict_rfc821_envelopes = yes tls_random_source = dev:/dev/urandom transport_maps = hash:/etc/postfix/transport unknown_local_recipient_reject_code = 550 virtual_alias_maps = hash:/etc/postfix/virtual, regexp:/etc/postfix/virtual.regexp -- *** e-Mail is NOT a SECURE channel *** Do NOT transmit sensitive data via e-Mail James B. Byrne mailto:byrn...@harte-lyne.ca Harte & Lyne Limited http://www.harte-lyne.ca 9 Brockley Drive vox: +1 905 561 1241 Hamilton, Ontario fax: +1 905 561 0757 Canada L8E 3C3