On 16 Oct 2020, at 18:20, Rich Wales wrote:
Hi. My mail server (memoryalpha.richw.org), running Postfix 3.3.0,
recently started attracting open relay spam. I thought I had done all
the appropriate things in Postfix to block open relay traffic, and I
hadn't seen any such traffic for a very long time, but suddenly I've
gotten three attacks in the last two days (plus another one a couple of
weeks ago).
I'm attaching the output of "postconf -nf".
You'll note that I'm using amavisd-new as a spam filter (which has
worked fine for a very long time). The log info from amavisd-new
identifies the messages in question as probably coming via an open
relay, but it still passes them. What confuses me is that I would
expect Postfix to have identified and rejected these messages during the
initial SMTP dialogue with the sender, and they should never reach
amavisd-new.
Any suggestions gratefully welcome.
Based on your config and descriptions, it smells like a compromised
account being used to pump mail through your submission service. A full
set of log lines for one of the messages should reveal that. The
master.cf lines for smtpd and submission would also help.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
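One way to act on that suggestion, as an added example that is not code from this thread or from Postfix itself: a Python script that groups Postfix log lines by queue ID (the full set of lines for one message) and then tallies, per sasl_username, how many messages were submitted, to how many recipients in total, and from which client hosts, so that a single login pumping mail through submission stands out. The sample log lines, usernames, hosts and the flagging thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
# Constructed sample lines in Postfix's syslog format (not real logs from this thread).
SAMPLE_LOG = """\
Oct 16 03:12:02 mail postfix/submission/smtpd[2101]: 4CBqQ12xYzz1: client=unknown[203.0.113.45], sasl_method=PLAIN, sasl_username=alice
Oct 16 03:12:02 mail postfix/qmgr[1000]: 4CBqQ12xYzz1: from=<alice@example.org>, size=2048, nrcpt=40 (queue active)
Oct 16 03:12:09 mail postfix/submission/smtpd[2101]: 4CBqQ12xYzz2: client=unknown[198.51.100.9], sasl_method=PLAIN, sasl_username=alice
Oct 16 03:12:09 mail postfix/qmgr[1000]: 4CBqQ12xYzz2: from=<alice@example.org>, size=2050, nrcpt=45 (queue active)
Oct 16 08:30:11 mail postfix/submission/smtpd[2200]: 4CBqQ12xYzz3: client=home.example.org[192.0.2.8], sasl_method=PLAIN, sasl_username=bob
Oct 16 08:30:11 mail postfix/qmgr[1000]: 4CBqQ12xYzz3: from=<bob@example.org>, size=900, nrcpt=1 (queue active)
Oct 16 08:31:00 mail postfix/smtpd[2300]: 4CBqQ12xYzz4: client=mx.example.net[198.51.100.7]
"""

# Every per-message line reads "postfix/<service>[pid]: <queue-id>: <details>".
QID_RE = re.compile(r"postfix/(?P<svc>[\w/]+)\[\d+\]: (?P<qid>[0-9A-Za-z]{10,16}): (?P<rest>.*)")

def lines_by_queue_id(log_text):
    """Group lines by queue ID: the full set of log lines for each message."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = QID_RE.search(line)
        if m:
            groups[m.group("qid")].append(line)
    return groups

def sasl_submissions(log_text):
    """Per SASL login: messages, total recipients, client hosts (unauthenticated port-25 mail is ignored)."""
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "clients": set()})
    for lines in lines_by_queue_id(log_text).values():
        user, client, nrcpt = None, None, 0
        for line in lines:
            m = QID_RE.search(line)
            if m.group("svc").endswith("smtpd"):
                a = re.search(r"client=([^,\s]+).*sasl_username=(\S+)", m.group("rest"))
                if a:
                    client, user = a.groups()
            n = re.search(r"nrcpt=(\d+)", m.group("rest"))
            nrcpt = int(n.group(1)) if n else nrcpt
        if user:
            stats[user]["messages"] += 1
            stats[user]["recipients"] += nrcpt
            stats[user]["clients"].add(client)
    return dict(stats)

def suspicious_users(stats, max_rcpt_per_msg=20, max_clients=2):
    """Logins that look like a pump: large fan-out per message or many distinct source hosts."""
    return sorted(u for u, s in stats.items()
                  if s["recipients"] / s["messages"] > max_rcpt_per_msg or len(s["clients"]) > max_clients)
```

Run it against a real mail.log by reading the file into `sasl_submissions()` instead of `SAMPLE_LOG`; the lines returned by `lines_by_queue_id()` for a flagged account's queue IDs are exactly the "full set of log lines for one of the messages" the reply asks for.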