Hi, for a couple of days now my ispconfig3 server has been sending hundreds of emails from domains not configured on it. Probably one of my mail users has been compromised. How could I discover who? Chris
If the server also hosts websites, a website might have been hacked. https://www.faqforge.com/linux/how-to-find-out-who-sent-a-email-in-postfix-mailqueue/
Did you check the mailq? The emails might reveal the origin. Also try reading one of those emails; mails automatically sent from a web site usually contain it in that email, maybe in the From: field or something similar. Oops, I replied before reading Till's reply. The document contains that and much more.
Thanks to both of you. The problem is that my server sends only about one spam mail per minute, and they are delivered immediately, so I can't find any spam mail using the postqueue -p command; I see only regular mails sent by a correct user but with a wrong address.
You should see in mail.log if they originate from localhost or from an external source, and if they are from an external source, you should see which account was used to authenticate for this sending process.
To further inspect the messages while in queue you can temporarily use a sender restriction that puts all outgoing mails into the hold queue.
Thanks to everyone. I decided to inspect the mail.log with a simple script put on crontab. I found the guilty one, changed the password, and the problem is solved. Last question: is it possible in ISPCONFIG to force my mail users to change their password every X days?
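The check Till describes (which account authenticated for each submission) and the kind of log script Chris mentions, as an added example that is not the script from this thread: it joins the Postfix smtpd/pickup line to the qmgr envelope-sender line through the queue ID and counts messages per account, so one account sending mail for domains not hosted on the server stands out. The log lines below are constructed to match stock Postfix syslog output.

```shell
#!/bin/sh
# Added example, not the script from the thread. Summarises a Postfix mail.log
# by the account that submitted each message: smtpd logs "QUEUEID: ...
# sasl_username=X" for authenticated clients, pickup logs local submissions with
# the Unix uid (a hacked website shows up as the web server's uid), and qmgr logs
# "QUEUEID: from=<addr>" for every message, so the queue ID ties them together.

# Constructed sample in the shape Postfix writes to mail.log
SAMPLE_LOG='Mar  3 10:01:02 mx postfix/smtpd[2101]: 7A1B2C3D4E: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=info@example.com
Mar  3 10:01:02 mx postfix/qmgr[1000]: 7A1B2C3D4E: from=<promo@notmydomain.test>, size=2048, nrcpt=1 (queue active)
Mar  3 10:02:10 mx postfix/smtpd[2105]: 8B2C3D4E5F: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=info@example.com
Mar  3 10:02:10 mx postfix/qmgr[1000]: 8B2C3D4E5F: from=<promo@notmydomain.test>, size=2048, nrcpt=1 (queue active)
Mar  3 10:03:00 mx postfix/smtpd[2110]: 9C3D4E5F6A: client=home.isp.net[198.51.100.7], sasl_method=LOGIN, sasl_username=chris@example.com
Mar  3 10:03:00 mx postfix/qmgr[1000]: 9C3D4E5F6A: from=<chris@example.com>, size=5120, nrcpt=1 (queue active)
Mar  3 10:04:00 mx postfix/pickup[900]: AD4E5F6A7B: uid=33 from=<www-data>
Mar  3 10:04:00 mx postfix/qmgr[1000]: AD4E5F6A7B: from=<www-data@mx.example.com>, size=900, nrcpt=1 (queue active)'

# Reads log lines on stdin; prints "count account sender-domains", busiest first.
sasl_report() {
    awk '
        { qid = $6; sub(/:$/, "", qid) }              # field 6 is "QUEUEID:"
        /postfix\/smtpd/ && match($0, /sasl_username=[^, ]+/) {
            who[qid] = substr($0, RSTART + 14, RLENGTH - 14)
        }
        /postfix\/pickup/ && match($0, /uid=[0-9]+/) {
            who[qid] = "local-" substr($0, RSTART, RLENGTH)
        }
        /postfix\/qmgr/ && match($0, /from=<[^>]*>/) {
            addr = substr($0, RSTART + 6, RLENGTH - 7)
            split(addr, p, "@"); d = (addr ~ /@/) ? p[2] : "(none)"
            u = (qid in who) ? who[qid] : "unauthenticated"
            n[u]++
            if (!((u, d) in seen)) {                  # record each sender domain once
                seen[u, d] = 1; doms[u] = (doms[u] == "" ? d : doms[u] "," d)
            }
            delete who[qid]                           # queue ID is finished
        }
        END { for (u in n) print n[u], u, doms[u] }
    ' | sort -rn
}

# Run against the constructed sample (on a real box: sasl_report < /var/log/mail.log)
printf '%s\n' "$SAMPLE_LOG" | sasl_report
```

Put the call in a cron job and the top line is the account to look at; a "local-uid=33" entry with foreign domains points at a web script rather than a mail login.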
I'm unsure if forcing users to change their passwords regularly is good. I remember reading some studies that it might be even worse than not enforcing this, as users tend to pick less secure passwords then. So, as far as I know, most companies do not use such policies anymore today. That an account gets hacked can always happen. I guess that's something we have to live with and deal with if it happens.