Stop sending postfix spam from my domain

Hi, I set up my postfix server to send through mailgun. I am getting bills because of the high volume of mail being sent and I know it isn't from me. My domain is oh-joy.org. Here is a sample from my syslog:

Oct 9 09:44:57 rivendell postfix/pipe[14626]: 8981B5FEBC: to=viktoria_possen@web.de, relay=spamassassin, delay=0.72, delays=0.62/0/0/0.1, dsn=2.0.0, status=sent (delivered via spamassassin service (sendmail: warning: /etc/postfix/dynamicmaps.cf.d: directory open failed: Permission denied postdrop:))
Oct 9 09:44:57 rivendell postfix/qmgr[14610]: 8981B5FEBC: removed
Oct 9 09:44:58 rivendell postfix/smtps/smtpd[14620]: disconnect from unknown[168.232.131.103] ehlo=1 auth=1 mail=20 rcpt=20 data=20 quit=1 commands=63
Oct 9 09:44:58 rivendell postfix/smtp[14614]: 2FD045FEC3: to=viktoria_possen@web.de, relay=smtp.mailgun.org[100.20.232.174]:587, delay=1.2, delays=0/0/0.82/0.42, dsn=2.0.0, status=sent (250 Great success)

Here is my postconf

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
default_process_limit = 100
disable_vrfy_command = yes
header_size_limit = 51200
inet_interfaces = all
inet_protocols = all
invalid_hostname_reject_code = 550
mailbox_size_limit = 0
maximal_backoff_time = 3h
message_size_limit = 10485760
minimal_backoff_time = 180s
mydestination = localhost.$mydomain, localhost, $mydomain
mydomain = oh-joy.org
myhostname = oh-joy.org
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = $mydomain
non_fqdn_reject_code = 550
queue_minfree = 20971520
readme_directory = no
recipient_delimiter = +
relayhost = [smtp.mailgun.org]:587
smtp_always_send_ehlo = yes
smtp_generic_maps = hash:/etc/postfix/generic
smtp_helo_timeout = 15s
smtp_rcpt_timeout = 15s
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = AUTH LOGIN
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_security_level = may
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 30
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
smtpd_recipient_limit = 40
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unknown_sender_domain, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unlisted_recipient, reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_reverse_client_hostname, reject_unknown_client_hostname
smtpd_timeout = 30s
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/oh-joy.org/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/oh-joy.org/privkey.pem
smtpd_tls_security_level = may
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf, mysql:/etc/postfix/mysql-virtual-email2email.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp

4 Replies

You haven't posted enough logs to show how the mail made it into your mail system. There's going to be log entries before that spamassassin entry. The ID used by postfix is usually a good piece to start with - look at that log and grep for 8981B5FEB to see where that mail came from. If there's another postfix ID like that related earlier, grep for that.

Thank you for offering your help @millisa. Here is more.

Oct 9 09:44:57 rivendell postfix/cleanup[14625]: 8981B5FEBC: message-id=pk5ukwpk.hc81qx06.4g671.3ysc@medinadiversityproject.org
Oct 9 09:44:57 rivendell postfix/qmgr[14610]: 8981B5FEBC: from=christina.agbagni@medinadiversityproject.org, size=3715, nrcpt=1 (queue activ
e)
Oct 9 09:44:57 rivendell systemd-resolved[26289]: Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying t
ransaction with reduced feature level UDP.
Oct 9 09:44:57 rivendell systemd-resolved[26289]: message repeated 3 times: [ Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.]
Oct 9 09:44:57 rivendell postfix/sendmail[14687]: warning: /etc/postfix/dynamicmaps.cf.d: directory open failed: Permission denied
Oct 9 09:44:57 rivendell postfix/postdrop[14689]: warning: /etc/postfix/dynamicmaps.cf.d: directory open failed: Permission denied
Oct 9 09:44:57 rivendell postfix/pickup[14609]: 2FD045FEC3: uid=5001 from=christina.agbagni@medinadiversityproject.org
Oct 9 09:44:57 rivendell postfix/cleanup[14625]: 2FD045FEC3: message-id=pk5ukwpk.hc81qx06.4g671.3ysc@medinadiversityproject.org
Oct 9 09:44:57 rivendell postfix/qmgr[14610]: 2FD045FEC3: from=christina.agbagni@medinadiversityproject.org, size=4102, nrcpt=1 (queue active)
Oct 9 09:44:57 rivendell postfix/pipe[14626]: 8981B5FEBC: to=viktoria_possen@web.de, relay=spamassassin, delay=0.72, delays=0.62/0/0/0.1, dsn=2.0.0, status=sent (delivered via spamassassin service (sendmail: warning: /etc/postfix/dynamicmaps.cf.d: directory open failed: Permission denied postdrop:))
Oct 9 09:44:57 rivendell postfix/qmgr[14610]: 8981B5FEBC: removed
Oct 9 09:44:58 rivendell postfix/smtps/smtpd[14620]: disconnect from unknown[168.232.131.103] ehlo=1 auth=1 mail=20 rcpt=20 data=20 quit=1 commands=63
Oct 9 09:44:58 rivendell postfix/smtp[14614]: 2FD045FEC3: to=viktoria_possen@web.de, relay=smtp.mailgun.org[100.20.232.174]:587, delay=1.2, delays=0/0/0.82/0.42, dsn=2.0.0, status=sent (250 Great success)
Oct 9 09:44:58 rivendell postfix/qmgr[14610]: 2FD045FEC3: removed
Oct 9 09:45:00 rivendell kernel: [6741210.340458] [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:3d:c0:dc:84:78:ac:57:aa:c1:08:00 SRC=5.153.33.148 DST=45.56.110.221 LEN=40 TOS=0x08 PREC=0x20 TTL=56 ID=9456 DF PROTO=TCP SPT=65460 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 9 09:45:00 rivendell systemd[1]: postfix.service: Succeeded.
Oct 9 09:45:00 rivendell systemd[1]: Stopped Postfix Mail Transport Agent.
Oct 9 09:45:01 rivendell systemd[1]: Stopping Postfix Mail Transport Agent (instance -)…
Oct 9 09:45:01 rivendell postfix[14694]: Postfix is running with backwards-compatible default settings
Oct 9 09:45:01 rivendell postfix[14694]: See http://www.postfix.org/COMPATIBILITY_README.html for details
Oct 9 09:45:01 rivendell postfix[14694]: To disable backwards compatibility use "postconf compatibility_level=2" and "postfix reload"

You don't have an earlier entry with 8981B5FEBC in it? That postfix/cleanup step usually happens after the mail has been fully submitted to postfix; it's usually preceded by postfix/smtpd or some other method of getting the mail into the system.
A typical lifecycle would look like:
postfix/smtpd -> postfix/cleanup -> postfix/qmgr -> postfix/smtp (or lmtp if local) -> postfix/qmgr (remove)

Using something like:

grep 8981B5FEBC /var/log/thatmaillog

should help you spot it

@millisa I added more because this particular one was at the end of my log file, and I don't think it successfully was delivered. Could you look above to see if you see one that has completed? However, I am adding the log you asked for below.

Oct 9 09:44:57 rivendell postfix/qmgr[14610]: 8981B5FEBC: from=christina.agbagni@medinadiversityproject.org, size=3715, nrcpt=1 (queue activ
e)
Oct 9 09:44:57 rivendell systemd-resolved[26289]: Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying t
ransaction with reduced feature level UDP.
Oct 9 09:44:57 rivendell systemd-resolved[26289]: message repeated 3 times: [ Server returned error NXDOMAIN, mitigating potential DNS violati
on DVE-2018-0001, retrying transaction with reduced feature level UDP.]
Oct 9 09:44:57 rivendell postfix/sendmail[14687]: warning: /etc/postfix/dynamicmaps.cf.d: directory open failed: Permission denied
Oct 9 09:44:57 rivendell postfix/postdrop[14689]: warning: /etc/postfix/dynamicmaps.cf.d: directory open failed: Permission denied
Oct 9 09:44:57 rivendell postfix/pickup[14609]: 2FD045FEC3: uid=5001 from=christina.agbagni@medinadiversityproject.org
Oct 9 09:44:57 rivendell postfix/cleanup[14625]: 2FD045FEC3: message-id=pk5ukwpk.hc81qx06.4g671.3ysc@medinadiversityproject.org
Oct 9 09:44:57 rivendell postfix/qmgr[14610]: 2FD045FEC3: from=christina.agbagni@medinadiversityproject.org, size=4102, nrcpt=1 (queue activ
e)
Oct 9 09:44:57 rivendell postfix/pipe[14626]: 8981B5FEBC: to=viktoria_possen@web.de, relay=spamassassin, delay=0.72, delays=0.62/0/0/0.1, ds
n=2.0.0, status=sent (delivered via spamassassin service (sendmail: warning: /etc/postfix/dynamicmaps.cf.d: directory open failed: Permission denied postdrop:))
Oct 9 09:44:57 rivendell postfix/qmgr[14610]: 8981B5FEBC: removed
Oct 9 09:44:58 rivendell postfix/smtps/smtpd[14620]: disconnect from unknown[168.232.131.103] ehlo=1 auth=1 mail=20 rcpt=20 data=20 quit=1 commands=63
Oct 9 09:44:58 rivendell postfix/smtp[14614]: 2FD045FEC3: to=viktoria_possen@web.de, relay=smtp.mailgun.org[100.20.232.174]:587, delay=1.2, delays=0/0/0.82/0.42, dsn=2.0.0, status=sent (250 Great success)
Oct 9 09:44:58 rivendell postfix/qmgr[14610]: 2FD045FEC3: removed

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct