Good morning,
Dear colleagues, I work at a company that uses postfix+mysql+amavis+spamassassin as its e-mail service. Some time ago users started receiving e-mails from our own domain but from non-existent users, for example: [email protected]. This has been causing me a lot of trouble, and since I am not very experienced with postfix, I have the impression that either our relay is open and someone is sending spam through it, or someone managed to break into my server and is running some script. Below is the maillog from postfix:
Apr 10 09:27:06 ns2 postfix/smtpd[10955]: warning: 85.20.126.147: hostname 85-20-126-147-dynamic.albacom.net verification failed: Name or service not known
Apr 10 09:27:06 ns2 postfix/smtpd[10955]: connect from unknown[85.20.126.147]
Apr 10 09:27:08 ns2 postfix/smtpd[10955]: 7E66D1380DA: client=unknown[85.20.126.147]
Apr 10 09:27:09 ns2 postfix/cleanup[30332]: 7E66D1380DA: message-id=<[email protected]>
Apr 10 09:27:09 ns2 postfix/qmgr[14937]: 7E66D1380DA: from=<[email protected]>, size=2509, nrcpt=1 (queue active)
Apr 10 09:27:09 ns2 spamd[24230]: spamd: connection from localhost [127.0.0.1] at port 34096
Apr 10 09:27:09 ns2 spamd[24230]: spamd: setuid to clamav succeeded
Apr 10 09:27:09 ns2 spamd[24230]: spamd: processing message <[email protected]> for clamav:1003
Apr 10 09:27:09 ns2 spamd[24230]: spamd: clean message (2.0/5.0) for clamav:1003 in 0.1 seconds, 2490 bytes.
Apr 10 09:27:09 ns2 spamd[24230]: spamd: result: . 1 - BAYES_00,BODY_ENHANCEMENT2,HELO_DYNAMIC_IPADDR2,HTML_MESSAGE scantime=0.1,size=2490,user=clamav,uid=1003,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=34096,mid=<[email protected]>,bayes=1.11022302462516e-16,autolearn=no
Apr 10 09:27:09 ns2 spamd[23658]: prefork: child states: II
Apr 10 09:27:09 ns2 postfix/pickup[15064]: D72BC1380FF: uid=1003 from=<[email protected]>
Apr 10 09:27:09 ns2 postfix/cleanup[18273]: D72BC1380FF: message-id=<[email protected]>
Apr 10 09:27:09 ns2 postfix/pipe[30916]: 7E66D1380DA: to=<[email protected]>, relay=clamav, delay=2, delays=1.8/0/0/0.16, dsn=2.0.0, status=sent (delivered via clamav service)
Apr 10 09:27:09 ns2 postfix/qmgr[14937]: 7E66D1380DA: removed
Apr 10 09:27:09 ns2 postfix/qmgr[14937]: D72BC1380FF: from=<[email protected]>, size=2867, nrcpt=1 (queue active)
Apr 10 09:27:09 ns2 postfix/virtual[28970]: D72BC1380FF: to=<[email protected]>, relay=virtual, delay=0.02, delays=0.02/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
Apr 10 09:27:09 ns2 postfix/qmgr[14937]: D72BC1380FF: removed
Apr 10 09:27:10 ns2 postfix/smtpd[10955]: disconnect from unknown[85.20.126.147]
As you can see highlighted in red, I noticed that an IP connects to my postfix, sends the messages using my domain, and then disconnects.
Where is the problem? And what can I do to fix it?