On 21 Dec 2022, at 08:52, Peter <pe...@pajamian.dhs.org> wrote:
>
> On 21/12/22 20:35, Samer Afach wrote:
>> Dear Pat:
>> Thank you for throwing this idea, because I really thought it wasn't
>> possible to retrieve docker logs without setup, but I dug and found the
>> logs. I have them all. Unfortunately, I can't share them all because they're
>> like GBs in size. Just the grep on that email address is like 750 MB in size.
>> I cut a snippet of the relevant part (where I see the spam address), and put
>> it in pastebin. I hope that's allowed in the rules of the list.
>> https://pastebin.com/PEir7mDc
>
> You have verbose logging enabled. This makes it much more difficult to
> troubleshoot because the relevant info is lost in all the noise created by
> the additional logs. It will be way easier if you can generate some logs
> without verbose enabled.

I do agree, too verbose, too much noise. And as far as I can tell, so much noise that the sample you provided misses the important part of the SMTP transaction from the spammer (connect from).

Anyway, there is a "disconnect from unknown[172.30.0.1]" that tends to confirm what I was thinking, and what <mailm...@ionos.gr> replied to you: being behind a proxy makes all client IP addresses look like they are local. You'll have to find a way to forward the real client IP address to your postfix so it can know who is local and who is not.

pat
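
An added example, not part of the original thread: a small log check for the symptom described above, where nearly every smtpd client address in the Postfix log is one address that falls inside `mynetworks`. The `mynetworks` value and all log lines other than the `unknown[172.30.0.1]` client are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Matches Postfix smtpd "connect from host[ip]" and "disconnect from host[ip]".
CLIENT_RE = re.compile(
    r"postfix/\S*smtpd\[\d+\]: (?:dis)?connect from (\S+?)\[([0-9A-Fa-f:.]+)\]")

def client_counts(log_lines):
    """Count connect/disconnect events per client IP as Postfix logged them."""
    counts = Counter()
    for line in log_lines:
        m = CLIENT_RE.search(line)
        if m:
            counts[ipaddress.ip_address(m.group(2))] += 1
    return counts

def proxy_masking_report(log_lines, mynetworks, threshold=0.9):
    """Flag logs where one address inside mynetworks accounts for almost all clients."""
    nets = [ipaddress.ip_network(n) for n in mynetworks]
    counts = client_counts(log_lines)
    total = sum(counts.values())
    if total == 0:
        return {"total": 0, "top_ip": None, "share": 0.0,
                "trusted": False, "masked": False}
    top_ip, top_n = counts.most_common(1)[0]
    trusted = any(top_ip in n for n in nets if n.version == top_ip.version)
    share = top_n / total
    return {"total": total, "top_ip": str(top_ip), "share": share,
            "trusted": trusted, "masked": trusted and share >= threshold}

# Assumed mynetworks setting that trusts the Docker bridge network (constructed).
MYNETWORKS = ["127.0.0.0/8", "172.30.0.0/16"]
# Constructed log lines: every session appears to come from the Docker gateway.
SAMPLE_MASKED = [
    "Dec 21 08:30:01 mail postfix/smtpd[101]: connect from unknown[172.30.0.1]",
    "Dec 21 08:30:03 mail postfix/smtpd[101]: disconnect from unknown[172.30.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5",
    "Dec 21 08:31:10 mail postfix/smtpd[102]: connect from unknown[172.30.0.1]",
    "Dec 21 08:31:12 mail postfix/smtpd[102]: disconnect from unknown[172.30.0.1] ehlo=1 auth=0/1 quit=1 commands=2/3",
]
# Constructed log lines: real client addresses reach Postfix.
SAMPLE_DIRECT = [
    "Dec 21 09:00:01 mail postfix/smtpd[201]: connect from mx.example.net[203.0.113.7]",
    "Dec 21 09:00:05 mail postfix/smtpd[202]: connect from unknown[198.51.100.22]",
    "Dec 21 09:00:09 mail postfix/submission/smtpd[203]: connect from unknown[172.30.0.1]",
]

if __name__ == "__main__":
    print(proxy_masking_report(SAMPLE_MASKED, MYNETWORKS))
    print(proxy_masking_report(SAMPLE_DIRECT, MYNETWORKS))
```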