OK, so I have a semi-open relay on my mail server. It requires a valid username but no password for that user to send mail. A spammer got hold of my account and began sending massive amounts of spam with it. Is it something in my main.cf? I checked the database and it seemed fine. Below is a copy of my main.cf:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = /usr/share/doc/postfix

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = hcp.crimtechsecurity.com
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
myorigin = /etc/mailname
mydestination = hcp.XXXXXXXX.com, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
html_directory = /usr/share/doc/postfix/html
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf, hash:/var/lib/mailman/data/virtual-mailman
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /var/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
inet_protocols = all
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_tls_security_level = may
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_client_message_rate_limit = 100
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
virtual_transport = dovecot
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
nested_header_checks = regexp:/etc/postfix/nested_header_checks
body_checks = regexp:/etc/postfix/body_checks
owner_request_special = no
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings
message_size_limit = 0
smtp_tls_security_level = may
authorized_submit_users = !root, static:anyone
smtpd_data_restrictions = reject_unauth_pipelining
Mail Logs

This is what I am seeing on the maillogs:

Apr 27 06:20:02 vps postfix/pickup[32222]: 7E93840E0D09: uid=105 from=<smmsp>
Apr 27 06:20:02 vps postfix/cleanup[1451]: 7E93840E0D09: message-id=<20140427102[email protected]X>
Apr 27 06:20:02 vps postfix/qmgr[3188]: 7E93840E0D09: from=<[email protected]curity.com>, size=719, nrcpt=1 (queue active)
Apr 27 06:20:03 vps postfix/smtpd[1464]: warning: database /var/lib/mailman/data/virtual-mailman.db is older than source file /var/lib/mailman/data/virtual-mailman
Apr 27 06:20:03 vps postfix/smtpd[1464]: connect from localhost.localdomain[127.0.0.1]
Apr 27 06:20:03 vps postfix/smtpd[1464]: 40E4640E0D0A: client=localhost.localdomain[127.0.0.1]
Apr 27 06:20:03 vps postfix/cleanup[1451]: 40E4640E0D0A: message-id=<[email protected]>
Apr 27 06:20:03 vps postfix/qmgr[3188]: 40E4640E0D0A: from=<[email protected]>, size=1231, nrcpt=1 (queue active)
Apr 27 06:20:03 vps postfix/smtpd[1464]: disconnect from localhost.localdomain[127.0.0.1]
Apr 27 06:20:03 vps amavis[26891]: (26891-09) Passed CLEAN {RelayedInbound}, <[email protected]> -> <[email protected]>, Message-ID: <201404271[email protected]X>, mail_id: 4RjEAHqiGNWi, Hits: -0.001, size: 719, queued_as: 40E4640E0D0A, 733 ms
Apr 27 06:20:03 vps postfix/smtp[1453]: 7E93840E0D09: to=<[email protected]>, orig_to=<root>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.78, delays=0.02/0.02/0.04/0.7, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 40E4640E0D0A)
Apr 27 06:20:03 vps postfix/qmgr[3188]: 7E93840E0D09: removed
Apr 27 06:20:03 vps postfix/local[1467]: 40E4640E0D0A: to=<[email protected]>, relay=local, delay=0.09, delays=0.01/0.02/0/0.06, dsn=2.0.0, status=sent (delivered to command: procmail -a "$EXTENSION")
Apr 27 06:20:03 vps postfix/qmgr[3188]: 40E4640E0D0A: removed
Apr 27 06:23:54 vps postfix/qmgr[3188]: DEE1740E1565: from=<[email protected]>, size=3760, nrcpt=20 (queue active)
Apr 27 06:23:54 vps postfix/qmgr[3188]: 47E3440E1463: from=<[email protected]>, size=5135, nrcpt=14 (queue active)
Apr 27 06:23:54 vps postfix/qmgr[3188]: 7F55C40E1567: from=<[email protected]>, size=3809, nrcpt=14 (queue active)
Apr 27 06:23:54 vps postfix/qmgr[3188]: 7DF0040E155E: from=<[email protected]>, size=3777, nrcpt=20 (queue active)
Apr 27 06:23:54 vps postfix/qmgr[3188]: 7F16840E156F: from=<[email protected]>, size=3150, nrcpt=11 (queue active)
Apr 27 06:23:54 vps postfix/qmgr[3188]: 353F940E0D20: from=<[email protected]>, size=5604, nrcpt=20 (queue active)
Apr 27 06:23:54 vps postfix/qmgr[3188]: 377B940E14CF: from=<[email protected]>, size=5579, nrcpt=20 (queue active)
Apr 27 06:23:54 vps postfix/qmgr[3188]: 6079340E152F: from=<[email protected]>, size=5522, nrcpt=20 (queue active)
Apr 27 06:23:54 vps postfix/qmgr[3188]: 003F240E0CAB: from=<[email protected]>, size=5596, nrcpt=20 (queue active)
Apr 27 06:23:54 vps postfix/qmgr[3188]: 8A8B140E1571: from=<[email protected]>, size=3783, nrcpt=20 (queue active)
Apr 27 06:23:54 vps postfix/qmgr[3188]: 8880140E0C95: from=<[email protected]>, size=5511, nrcpt=20 (queue active)
Apr 27 06:23:54 vps postfix/qmgr[3188]: EA2DA40E0C91: from=<[email protected]>, size=5566, nrcpt=18 (queue active)
Apr 27 06:23:54 vps postfix/smtp[1510]: 47E3440E1463: to=<[email protected]>, relay=cdptpa-pub-iedge-vip.email.rr.com[107.14.166.70]:25, delay=366219, delays=366219/0.02/0.12/0, dsn=4.0.0, status=deferred (host cdptpa-pub-iedge-vip.email.rr.com[107.14.166.70] refused to talk to me: 554 ERROR: Mail Refused - See http://csi.cloudmark.com/reset-request/?ip
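The security-relevant part of the main.cf posted above is the relay decision: reject_unauth_destination is present and comes after permit_mynetworks and permit_sasl_authenticated, so Postfix itself is not an open relay; it relays for whoever the SASL backend (here Dovecot) says is authenticated, and for any recipient the check_recipient_access map answers OK for. The following script is an added example, not code from the thread or from Postfix: it parses a main.cf (including the whitespace-indented continuation lines Postfix allows) and reports who the restriction chain lets relay. The SAMPLE_MAIN_CF fragment is constructed and modelled on the posted file with placeholder hostnames and map paths.

```python
# Added example: audit the relay decision in a Postfix main.cf.
# Not the thread's code; the sample config below is constructed.

# Constructed fragment modelled on the main.cf posted above (example.com and
# the map path are placeholders, not the original server's values).
SAMPLE_MAIN_CF = """\
# comment and blank lines are ignored, as Postfix does
myhostname = mail.example.com
mynetworks = 127.0.0.0/8 [::1]/128
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_recipient_restrictions = check_recipient_access mysql:/etc/postfix/recipient.cf,
    permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
smtpd_client_message_rate_limit = 100
"""

# Either of these stops relaying to destinations the server is not responsible for.
RELAY_BLOCKERS = {"reject_unauth_destination", "defer_unauth_destination"}


def parse_main_cf(text):
    """Parse main.cf into {parameter: value}. A line that starts with whitespace
    continues the previous parameter, which is how long restriction lists are written."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key is not None:
            params[key] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        key = name.strip()
        params[key] = value.strip()
    return params


def restriction_list(value):
    """Split a restriction list (comma and/or whitespace separated) into tokens."""
    return value.replace(",", " ").split()


def audit_relay(params):
    """Return human-readable findings about who this configuration lets relay."""
    findings = []
    # Postfix 2.10+ evaluates smtpd_relay_restrictions first; older setups such as
    # the one in the thread carry the relay check in smtpd_recipient_restrictions.
    chain = (restriction_list(params.get("smtpd_relay_restrictions", ""))
             or restriction_list(params.get("smtpd_recipient_restrictions", "")))
    blocker = next((i for i, r in enumerate(chain) if r in RELAY_BLOCKERS), None)
    if blocker is None:
        findings.append("CRITICAL: no reject_unauth_destination/defer_unauth_destination; "
                        "any client may relay to any destination")
        blocker = len(chain)
    # Only restrictions evaluated BEFORE the blocker can grant relaying.
    for r in chain[:blocker]:
        if r.startswith("check_") and r.endswith("_access"):
            findings.append(f"WARNING: {r} runs before the relay check; a lookup result "
                            "of OK/permit from that map grants relaying for that lookup")
        if r == "permit_sasl_authenticated" and params.get("smtpd_sasl_auth_enable", "no") == "yes":
            backend = params.get("smtpd_sasl_type", "cyrus")  # Postfix default is cyrus
            findings.append(f"INFO: permit_sasl_authenticated grants relaying to every client "
                            f"the '{backend}' SASL backend accepts; relay safety is only as "
                            "strong as that backend's password checks")
        if r == "permit_mynetworks":
            nets = restriction_list(params.get("mynetworks", ""))
            if any(n in ("0.0.0.0/0", "::/0") for n in nets):
                findings.append("CRITICAL: mynetworks covers the whole Internet")
    if "smtpd_client_message_rate_limit" not in params:
        findings.append("INFO: no smtpd_client_message_rate_limit; an abused account "
                        "can send without throttling")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAIN_CF
    for finding in audit_relay(parse_main_cf(text)):
        print(finding)
```

Run it against a real file with `python3 audit_relay.py /etc/postfix/main.cf` (or pipe `postconf -n` output into a file first so that defaults and master.cf overrides are not missed). On the posted configuration it reports no CRITICAL finding, which matches the question: the relay check is in place, and the weakness the poster describes (a username accepted without a password) lives in the SASL backend that permit_sasl_authenticated trusts, not in the restriction order.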
The question is: where are the emails sent to? Are the emails sent to accounts that are on your server, or are they sent to accounts at other servers, e.g. Gmail?
Messages

The messages were going outside of my server. I ran a check for malware and rkhunter on the server. It sucks because it's my actual email address that they are using, but I tested last night and it appears that if you know an email address on the server you can relay using it. Any other logs or ideas?
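The log excerpt earlier in the thread already shows the detectable pattern: twelve queue entries from the same sender in one second, each with 11 to 20 recipients, followed by a remote MX refusing the connection with a 554 reputation block. The script below is an added example, not code from the thread or from Postfix, that turns that pattern into a check over maillog text: it aggregates qmgr "queue active" lines per sender per minute, attributes smtp deliveries to their sender via the queue ID, separates loopback relays (the amavis content filter) from real outbound relays, and collects remote refusals. The SAMPLE_LOG lines are constructed, modelled on the excerpt, with made-up addresses, hosts, queue IDs and a 192.0.2.0/24 documentation IP; the thresholds are assumptions to tune for your own traffic.

```python
# Added example: spot outbound relay abuse in Postfix mail logs.
# Not the thread's code; the sample log below is constructed.
import re
import sys
from collections import defaultdict

# Constructed sample modelled on the maillog excerpt in the thread. Addresses,
# hosts, IPs (192.0.2.0/24) and queue IDs are made up, not copied from the post.
SAMPLE_LOG = """\
Apr 27 06:20:02 vps postfix/qmgr[3188]: A0001000001: from=<root@hcp.example.com>, size=719, nrcpt=1 (queue active)
Apr 27 06:20:03 vps postfix/smtp[1453]: A0001000001: to=<root@hcp.example.com>, orig_to=<root>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.78, delays=0.02/0.02/0.04/0.7, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as A0001000002)
Apr 27 06:23:54 vps postfix/qmgr[3188]: B0002000001: from=<owner@hcp.example.com>, size=3760, nrcpt=20 (queue active)
Apr 27 06:23:54 vps postfix/qmgr[3188]: B0002000002: from=<owner@hcp.example.com>, size=5135, nrcpt=14 (queue active)
Apr 27 06:23:54 vps postfix/qmgr[3188]: B0002000003: from=<owner@hcp.example.com>, size=3809, nrcpt=14 (queue active)
Apr 27 06:23:54 vps postfix/qmgr[3188]: B0002000004: from=<owner@hcp.example.com>, size=3150, nrcpt=11 (queue active)
Apr 27 06:23:54 vps postfix/smtp[1510]: B0002000002: to=<someone@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=366219, delays=366219/0.02/0.12/0, dsn=4.0.0, status=deferred (host mx.example.net[192.0.2.10] refused to talk to me: 554 ERROR: Mail Refused)
"""

# qmgr line: one per message entering the active queue, with sender and recipient count.
QMGR_ACTIVE = re.compile(
    r"^(?P<minute>\w{3} +\d+ \d\d:\d\d):\d\d \S+ postfix/qmgr\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+) \(queue active\)$"
)
# smtp line: one per delivery attempt, with the next-hop relay and the result.
SMTP_DELIVERY = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<[^>]*>, .*?relay=(?P<relay>[^,]+), "
    r".*status=(?P<status>\w+) \((?P<reason>.*)\)$"
)


def is_local_relay(relay):
    """Loopback next-hops are content filters (amavis on port 10024 in the thread), not the Internet."""
    return relay.startswith(("127.", "[127.", "local", "none"))


def parse_maillog(text):
    """Return (volume per (sender, minute), list of delivery attempts with their sender)."""
    volume = defaultdict(lambda: {"messages": 0, "recipients": 0})
    qid_sender, deliveries = {}, []
    for line in text.splitlines():
        m = QMGR_ACTIVE.match(line)
        if m:
            bucket = volume[(m["sender"], m["minute"])]
            bucket["messages"] += 1
            bucket["recipients"] += int(m["nrcpt"])
            qid_sender[m["qid"]] = m["sender"]
            continue
        m = SMTP_DELIVERY.search(line)
        if m:
            deliveries.append({"qid": m["qid"], "sender": qid_sender.get(m["qid"], "?"),
                               "relay": m["relay"], "status": m["status"], "reason": m["reason"]})
    return volume, deliveries


def find_relay_abuse(text, max_recipients_per_minute=50, max_messages_per_minute=10):
    """Flag senders whose per-minute volume exceeds the (assumed) thresholds,
    list remote refusals, and count real outbound deliveries per sender."""
    volume, deliveries = parse_maillog(text)
    alerts = [dict(sender=s, minute=mi, **b) for (s, mi), b in sorted(volume.items())
              if b["recipients"] >= max_recipients_per_minute
              or b["messages"] >= max_messages_per_minute]
    # A remote MX refusing to talk is the external symptom of a compromised account.
    refusals = [d for d in deliveries
                if d["status"] != "sent" and "refused" in d["reason"].lower()]
    outbound = defaultdict(int)
    for d in deliveries:
        if not is_local_relay(d["relay"]):
            outbound[d["sender"]] += 1
    return {"alerts": alerts, "refusals": refusals, "outbound_by_sender": dict(outbound)}


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    report = find_relay_abuse(source)
    for a in report["alerts"]:
        print(f"ALERT {a['minute']} {a['sender']}: {a['messages']} msgs, {a['recipients']} recipients")
    for r in report["refusals"]:
        print(f"REFUSED {r['qid']} from {r['sender']} by {r['relay']}: {r['reason']}")
    for sender, n in report["outbound_by_sender"].items():
        print(f"OUTBOUND {sender}: {n} delivery attempts to remote hosts")
```

Run as `python3 relay_abuse.py /var/log/mail.log`; with no argument it runs over the constructed sample. Aggregating per sender rather than per client IP is deliberate: with permit_sasl_authenticated the abuser's connections come from arbitrary addresses, but every message carries the hijacked account as its envelope sender, which is exactly what the thread's qmgr lines show.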
Reboot fixed it

A reboot resolved the problem. It was odd. I reset all mail passwords and rebooted. Maybe one of my mail clients was infected.