
Resolved
http://imagizer.imageshack.us/v2/xq90/908/GUCEd6.jpg

How to remove spam in ClearOS 6.5?
In Mail
Friday, February 06 2015, 10:25 AM
Responses (13)
  • Accepted Answer

    Tuesday, August 11 2015, 07:10 AM - #Permalink
    I am quite weak at postfix configurations. You'd do better to use Google. Also I can't see your pictures from work as they get blocked. Having said that, reject_sender_login_mismatch looks quite interesting.

    Can I suggest you still move your external users' devices over to port 465 or 587 so you can shut off authentication on port 25? I can give you the config for 587. People/devices who are internal only can still use 25 if you want.
  • Accepted Answer

    ingkram
    Tuesday, August 11 2015, 03:06 AM - #Permalink
    Hi Nick, thanks for the help.
    Yes, denny@rdpomss.com is one of my users, so I have deleted and recreated the user and changed the password to a stronger one, reinstalled the client OS and disabled Android access.
    I have 3 offices, 2 of which are on the external network (accessed via the internet), and many users access by smartphone, so I cannot use the trusted network concept.
    For encryption type I set none.

    My friend said that I have to add the reject_sender_login_mismatch rule, so the spam cannot send email with a different account.
    For this case I have tested my SMTP with this configuration:
    http://i1216.photobucket.com/albums/dd376/Wr_Yono/postfix-zarafa-cos/smtp%20test%20beda%20email%20dengan%20login_zpsibumyzym.png

    I can send email using an unknown email address but with a real account and password.

    Aug 11 08:47:23 system postfix/smtpd[8680]: connect from unknown[172.16.16.9]
    Aug 11 08:47:25 system postfix/smtpd[8680]: B6C1534145D: client=unknown[172.16.16.9], sasl_method=LOGIN, sasl_username=yono@rdpomss.com
    Aug 11 08:47:25 system postfix/cleanup[8681]: B6C1534145D: message-id=<000701d0d3d7$ad286740$077935c0$@kita.com>
    Aug 11 08:47:26 system postfix/qmgr[20375]: B6C1534145D: from=<nyepam@kita.com>, size=2808, nrcpt=1 (queue active)
    Aug 11 08:47:26 system postfix/smtpd[8686]: connect from localhost[127.0.0.1]
    Aug 11 08:47:26 system postfix/smtpd[8686]: 5D8E5341482: client=localhost[127.0.0.1]
    Aug 11 08:47:26 system postfix/cleanup[8681]: 5D8E5341482: message-id=<000701d0d3d7$ad286740$077935c0$@kita.com>
    Aug 11 08:47:26 system postfix/qmgr[20375]: 5D8E5341482: from=<nyepam@kita.com>, size=2982, nrcpt=1 (queue active)
    Aug 11 08:47:26 system postfix/smtpd[8686]: disconnect from localhost[127.0.0.1]
    Aug 11 08:47:26 system postfix/pipe[8684]: B6C1534145D: to=<yono@rifansi.co.id>, relay=mailprefilter, delay=1.4, delays=1.3/0/0/0.1, dsn=2.0.0, status=sent (delivered via mailprefilter service)
    Aug 11 08:47:26 system postfix/qmgr[20375]: B6C1534145D: removed


    http://i1216.photobucket.com/albums/dd376/Wr_Yono/postfix-zarafa-cos/spam%20email%20send_zpsvxoprogr.jpg

    I have tried googling how to add the reject_sender_login_mismatch rule in postfix, but I am not sure about the right script.

    Thanks.
  • Accepted Answer

    Monday, August 10 2015, 11:39 AM - #Permalink
    Enabling SMTP authentication is potentially dangerous but sounds like it is a good idea! As soon as you have it enabled you are as strong as your weakest password and open to someone trying to hack it. I suggest you run fail2ban at the same time to try to block password cracking. Is one of your users denny@rdpomss.com? If so, it may have been his password which was used.

    If you do not need to send e-mails from the internet (e.g. from smartphones when out and about) it is (arguably) better to turn off authentication and use the "trusted networks" for your LAN instead. This means anyone on your LAN will have access without any password but no one outside your trusted networks will have access. There are pros and cons of both.

    There is a possible halfway house. Because of what I consider a bug, for some reason ClearOS is also configured to always allow authentication on port 465 (SMTP/SSL) irrespective of the authentication setting. This is a deprecated port and protocol (you should use STARTTLS on port 587). What you can do if you need external access is turn off authentication in the Webconfig, which stops relaying on port 25, and open up tcp:465 in the firewall. Also switch your e-mail clients to port 465. They will need to accept a certificate but then they can proceed as before. Ports 465 and 587 seem to be far less targeted for password cracking. You should still run fail2ban.

    You can also set up postfix in a similar way to allow port 587/STARTTLS if you prefer it to port 465.

    Ultimately you can force certificate authentication with the right e-mail clients but this will take some research. I struggled as Android is very unhappy with self-signed certificates and I'm only using a free client (k-9 mail), and I'm not sure what to do about iOS at all.
  • Accepted Answer

    ingkram
    Monday, August 10 2015, 07:14 AM - #Permalink
    I have checked /var/log/message-20150809 but found nothing.
    When I rechecked /var/log/maillog-20150809, the size was very big (1.1 GB for a week).

    http://i1216.photobucket.com/albums/dd376/Wr_Yono/maillog%2020150809_zpsn5kvdohz.jpg

    and I found some unknown email logs:

    Aug  3 05:53:45 system postfix/smtpd[17939]: 0D60734259A: client=localhost[127.0.0.1]
    Aug  3 05:53:45 system postfix/smtpd[18911]: 0D6AB3425A9: client=unknown[207.191.19.53], sasl_method=LOGIN, sasl_username=denny@rdpomss.com
    Aug  3 05:53:45 system postfix/smtpd[18848]: 0E4C63425B4: client=unknown[207.191.19.53], sasl_method=LOGIN, sasl_username=denny@rdpomss.com
    Aug  3 05:53:45 system postfix/cleanup[23910]: 0D60734259A: message-id=<20150802225344.DA5D9342592@smtp.rdpomss.com>
    Aug  3 05:53:45 system postfix/smtp[18936]: 56EE63425B1: to=<rcollea@nycap.rr.com>, relay=cdptpa-pub-iedge-vip.email.rr.com[107.14.166.70]:25, delay=0.71, delays=0.08/0.01/0.63/0, dsn=4.0.0, status=deferred (host cdptpa-pub-iedge-vip.email.rr.com[107.14.166.70] refused to talk to me: 421 Temporary resolution failure)
    Aug  3 05:53:45 system postfix/qmgr[2057]: 0D60734259A: from=<steveat@ymail.com>, size=3604, nrcpt=15 (queue active)
    Aug  3 05:53:45 system amavis[24109]: (24109-04) Passed SPAMMY, LOCAL [127.0.0.1] [207.191.19.53] <steveat@ymail.com> -> <jacjac4life@aol.com>,<jacjones@aol.com>,<jaciwms@att.net>,<jacjr31@comcast.net>,<jack-eagle1@earthlink.net>,<jacito@gmail.com>,<jack.abraham@gmail.com>,<jack.abbott@hotmail.com>,<jack.adams@hotmail.com>,<jacithomas23@live.com>,<jacjoy38@msn.com>,<jacjac1981@sbcglobal.net>,<jacitac@worldnet.att.net>,<jacjac5755@yahoo.com>,<jacjaqfan07@yahoo.com>, Message-ID: <20150802225344.DA5D9342592@smtp.rdpomss.com>, mail_id: iste3xsUwj87, Hits: 7.212, size: 3221, queued_as: 0D60734259A, 127 ms
    Aug  3 05:53:45 system postfix/error[21970]: 0D60734259A: to=<jacjr31@comcast.net>, relay=none, delay=0.05, delays=0.03/0.01/0/0.01, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx1.comcast.net[96.114.157.80] refused to talk to me: 421 resimta-po-01v.sys.comcast.net comcast Reverse DNS failure : Try again later)
    Aug  3 05:53:45 system postfix/smtp[24076]: DA5D9342592: to=<jacjac4life@aol.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.21, delays=0.08/0/0/0.13, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10026): 250 2.0.0 Ok: queued as 0D60734259A)
    Aug  3 05:53:45 system postfix/smtp[24076]: DA5D9342592: to=<jacjones@aol.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.21, delays=0.08/0/0/0.13, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10026): 250 2.0.0 Ok: queued as 0D60734259A)
    Aug  3 05:53:45 system postfix/smtp[24076]: DA5D9342592: to=<jaciwms@att.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.21, delays=0.08/0/0/0.13, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10026): 250 2.0.0 Ok: queued as 0D60734259A)
    Aug  3 05:53:45 system postfix/smtp[24076]: DA5D9342592: to=<jacjr31@comcast.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.21, delays=0.08/0/0/0.13, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10026): 250 2.0.0 Ok: queued as 0D60734259A)
    Aug  3 05:53:45 system postfix/smtp[24076]: DA5D9342592: to=<jack-eagle1@earthlink.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.21, delays=0.08/0/0/0.13, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10026): 250 2.0.0 Ok: queued as 0D60734259A)
    Aug  3 05:53:45 system postfix/smtp[24076]: DA5D9342592: to=<jacito@gmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.21, delays=0.08/0/0/0.13, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10026): 250 2.0.0 Ok: queued as 0D60734259A)
    Aug  3 05:53:45 system postfix/smtp[24076]: DA5D9342592: to=<jack.abraham@gmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.21, delays=0.08/0/0/0.13, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10026): 250 2.0.0 Ok: queued as 0D60734259A)
    Aug  3 05:53:45 system postfix/smtp[24076]: DA5D9342592: to=<jack.abbott@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.21, delays=0.08/0/0/0.13, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10026): 250 2.0.0 Ok: queued as 0D60734259A)
    Aug  3 05:53:45 system postfix/smtp[24076]: DA5D9342592: to=<jack.adams@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.21, delays=0.08/0/0/0.13, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10026): 250 2.0.0 Ok: queued as 0D60734259A)
    Aug  3 05:53:45 system postfix/smtp[24076]: DA5D9342592: to=<jacithomas23@live.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.21, delays=0.08/0/0/0.13, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10026): 250 2.0.0 Ok: queued as 0D60734259A)
    Aug  3 05:53:45 system postfix/smtp[24076]: DA5D9342592: to=<jacjoy38@msn.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.21, delays=0.08/0/0/0.13, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10026): 250 2.0.0 Ok: queued as 0D60734259A)
    Aug  3 05:53:45 system postfix/smtp[24076]: DA5D9342592: to=<jacjac1981@sbcglobal.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.21, delays=0.08/0/0/0.13, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10026): 250 2.0.0 Ok: queued as 0D60734259A)
    Aug  3 05:53:45 system postfix/smtp[24076]: DA5D9342592: to=<jacitac@worldnet.att.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.21, delays=0.08/0/0/0.13, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10026): 250 2.0.0 Ok: queued as 0D60734259A)
    Aug  3 05:53:45 system postfix/smtp[24076]: DA5D9342592: to=<jacjac5755@yahoo.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.21, delays=0.08/0/0/0.13, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10026): 250 2.0.0 Ok: queued as 0D60734259A)
    Aug  3 05:53:45 system postfix/smtp[24076]: DA5D9342592: to=<jacjaqfan07@yahoo.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.21, delays=0.08/0/0/0.13, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10026): 250 2.0.0 Ok: queued as 0D60734259A)
    Aug  3 05:53:45 system postfix/qmgr[2057]: DA5D9342592: removed


    My SMTP server has SMTP Authentication enabled; I have tested without a real username or password and the email cannot be sent.

    Any idea?
  • Accepted Answer

    ingkram
    Sunday, August 09 2015, 04:44 PM - #Permalink
    So far, I have deleted the local account and recreated it with a new password, reinstalled the client OS, blacklisted some unknown email senders from the mailer-daemon report and blocked some IPs (101.78.174.62 etc.) with iptables. I think the broadcast messages have stopped and I will check it for some days to make sure.
    But I am not sure where the spam source comes from. I have not checked the messages log yet, so I'll do it tomorrow.

    Thanks for the help, Nick.
  • Accepted Answer

    Sunday, August 09 2015, 03:52 PM - #Permalink
    If you suspect an internal infection: for each e-mail sent, in /var/log/messages you get a sequence of messages, the first of which is something like "postfix/smtpd[18081]: connect from laptop.howitts.co.uk[172.17.2.111]" (this is from my logs). This identifies the originating machine. If you are getting lots of messages from that machine, then the first thing to do is cut it off. This can be done in the firewall with something like
    iptables -I INPUT -s your_bad_lan_ip -p tcp -m multiport --dports 25,465,587 -j DROP
    Then you can disinfect the machine. If the source machine turns out to be the server, then shut down the smtp server until you find the source of the spam.

    There are plenty of online services which can check if your IP is on any blacklists, and if your IP is 101.78.174.62 then you appear to be on a few, including BarracudaCentral.

    You may also want to check for being an open relay. The test from here was inconclusive. There are plenty more available.
  • Accepted Answer

    ingkram
    Sunday, August 09 2015, 02:35 PM - #Permalink
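    A small log-correlation script, added here as an example (it is not part of the thread and not ClearOS or Postfix code): it joins each queue id's smtpd login line with its qmgr envelope line, the way Nick suggests reading the logs to find the originating machine, and flags the two things visible in the excerpts above: an envelope sender that differs from the SASL login (what reject_sender_login_mismatch would reject at SMTP time) and unusually large recipient counts. The sample lines are constructed to mirror the thread's log excerpts; the recipient threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the maillog excerpts quoted in this thread.
SAMPLE_LOG = """\
Aug 11 08:47:25 system postfix/smtpd[8680]: B6C1534145D: client=unknown[172.16.16.9], sasl_method=LOGIN, sasl_username=yono@rdpomss.com
Aug 11 08:47:26 system postfix/qmgr[20375]: B6C1534145D: from=<nyepam@kita.com>, size=2808, nrcpt=1 (queue active)
Aug  3 05:53:45 system postfix/smtpd[18911]: 0D6AB3425A9: client=unknown[207.191.19.53], sasl_method=LOGIN, sasl_username=denny@rdpomss.com
Aug  3 05:53:45 system postfix/qmgr[2057]: 0D6AB3425A9: from=<steveat@ymail.com>, size=3604, nrcpt=15 (queue active)
Aug  3 05:54:10 system postfix/smtpd[18848]: 0E4C63425B4: client=unknown[207.191.19.53], sasl_method=LOGIN, sasl_username=denny@rdpomss.com
Aug  3 05:54:10 system postfix/qmgr[2057]: 0E4C63425B4: from=<denny@rdpomss.com>, size=2100, nrcpt=1 (queue active)
Aug  3 09:00:00 system postfix/smtpd[18850]: 1AAAA000001: client=pc12.office.lan[172.16.16.12], sasl_method=LOGIN, sasl_username=yono@rdpomss.com
Aug  3 09:00:01 system postfix/qmgr[2057]: 1AAAA000001: from=<yono@rdpomss.com>, size=1500, nrcpt=2 (queue active)
"""

# Standard Postfix log format: the smtpd line carries the SASL login and client IP,
# the qmgr line carries the envelope sender and recipient count; both share the queue id.
SMTPD_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=\S+?\[(?P<ip>[^\]]+)\].*?sasl_username=(?P<user>\S+)")
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)")


def analyse(log_text, max_rcpt=10):
    """Return (findings, ips_per_login). max_rcpt is an assumed per-message threshold."""
    logins = {}                      # queue id -> (sasl user, client ip)
    per_user_ips = defaultdict(set)  # which client IPs each login was used from
    findings = []
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            logins[m["qid"]] = (m["user"], m["ip"])
            per_user_ips[m["user"]].add(m["ip"])
            continue
        m = QMGR_RE.search(line)
        if m and m["qid"] in logins:
            user, ip = logins[m["qid"]]
            # Envelope sender not equal to the authenticated login: a forged From.
            if m["sender"].lower() != user.lower():
                findings.append(("sender_login_mismatch", m["qid"], user, ip, m["sender"]))
            # One authenticated message fanned out to many recipients: bulk sending.
            if int(m["nrcpt"]) > max_rcpt:
                findings.append(("bulk_recipients", m["qid"], user, ip, m["nrcpt"]))
    return findings, {u: sorted(ips) for u, ips in per_user_ips.items()}


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG)[0]:
        print(*finding)
```

    On a real server the script would be pointed at /var/log/maillog; the per-login IP list shows at a glance when one account is being used from an address that belongs to none of your offices.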
    Nick Howitt wrote:

    .. and the same question. Do you have a dynamic IP? If so, are you sending mail directly or relaying it via your ISP?


    My server uses a static IP address and sends mail directly.
  • Accepted Answer

    Friday, August 07 2015, 07:17 AM - #Permalink
    .. and the same question. Do you have a dynamic IP? If so, are you sending mail directly or relaying it via your ISP?
  • Accepted Answer

    ingkram
    Thursday, August 06 2015, 08:24 PM - #Permalink
    I have the same issue and I think my Zarafa has been spamming:
    Aug  5 13:50:51 system amavis[27605]: (27605-14) Passed SPAMMY, LOCAL [127.0.0.1] [101.78.174.62] <> -> <denny@rdpomss.com>, Message-ID: <jJuYW8iOq00003f3c@dc.hojet.local>, mail_id: 3XeeKwf6iE8A, Hits: 8.144, size: 6591, queued_as: 3C51B341553, 2854 ms

    Similar lines appear more than 2000 times in the maillog.

    Please Help.

    Thanks.
  • Accepted Answer

    Thursday, May 28 2015, 04:14 PM - #Permalink
    See Richard's response.

    Do you have a dynamic IP? If so, you will not be able to send mail directly as your IP will be on one of Spamhaus's lists. You'll need to relay it through your ISP or a third party.

    Otherwise look at your mail logs. Are you sending a lot of spam out?
  • Accepted Answer

    Thursday, May 28 2015, 01:57 AM - #Permalink
    How to remove spam in my server?
    Yes, I block...
  • Accepted Answer

    Thursday, March 26 2015, 07:35 AM - #Permalink
    I'm going to make an educated guess here; is your IP a dynamic one? If so, most of the large ISPs will block your IP one way or another - probably (as mentioned above) via Spamhaus or similar. Mail servers will be expected to have a) a static address, and b) a reverse DNS entry that they can verify. Why? Because the majority of spammers use dynamic addresses.

    How to fix: either relay via your ISP's mail server (using authenticated login), or get a business account from your ISP and ask for a) a static address and b) a reverse DNS entry to be set up because you want to run your own server. Last option: pay for an SMTP service from (e.g.) duocircle.com (that's what I do).
  • Accepted Answer

    Thursday, March 26 2015, 06:23 AM - #Permalink
    But this is not spam. If that IP 103.12.28.50 is yours, you are on a spam list, and you are blocked.