Spam being relayed through postfix

Discussion in 'Server Operation' started by BenDavis, Feb 11, 2016.

  1. BenDavis

    BenDavis New Member

    This issue is getting more annoying.
    I run a Postfix server on CentOS. I opened my maillog 4-5 days ago and noticed my server was being flooded with relayed emails. I checked for viruses and a hundred other things. I think I have relays disabled, but from what it looks like, these emails are coming in FROM a fake email address from my domain, i.e. my domain is gigreview.... and these fake emails are from fake_user@gigreview......

    This has lagged my server a little bit, and I also noticed that my server's IP address has been banned from a few email servers.
    I have tried a few other things such as using smtpd_sender_restrictions and smtpd_client_restrictions in my main.cf, but anything that is supposed to work has "reject" in the line, and whenever I have reject in the line, all proper incoming emails are rejected instead.
    Can someone help with this issue??
     
  2. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    Did you check if any of your hosted sites is being hacked? Did you enable mail()-logging in your php.ini, for example, to trace suspect behaviour?
    Test your config with http://www.mailradar.com/openrelay/
     
  3. bigmac_8

    bigmac_8 New Member

    I am having something similar happening. someone is relaying through my server using webmaster @ my.domain. I've run through the system and can't find any email account on my.domain that has an account, forward or alias with webmaster. I've tested with the open relay above and that's not it. I've even disabled all of the email accounts for this domain and that didn't help. This is ISPConfig and the only thing that stops the relaying is to disable the clients entire account.

    How can I block this account from relaying on my server?
     
  4. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    Disabling mail accounts won't help if there's something going on at his website - check his web/-folder. I highly recommend enabling mail()-logging, or try grepping his web-folder for something like "eval(" or the like.
    If you disable his account, his websites are disabled - so if that's the only way to stop spam ... it's kinda good, meaning the customer himself is not infected with malware and his password might also be unknown to someone.

    Check his web folder (or look at the access-log; some infected scripts might be called using POST, and unless you want to enable POST-data logging you might just check files using some guessing).
     
  5. Nap

    Nap Member

    Hi Ben,

    You may wish to look at this thread to compare your Postfix settings, main.cf and master.cf.
    I had a similar problem once, so you might have a look at other threads (here, here, and here) I posted on setting up my Postfix.
    I have mine set up such that you must authenticate for sending, in addition to receiving. This might help you solve your problem.

    Cheers,
    Nap
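Applying Nap's point (authenticate for sending) to the symptom in post #1 (outside hosts using fake_user@yourdomain as the sender, and every "reject" attempt bouncing legitimate inbound mail too), here is a Postfix main.cf fragment added for this page. It is neither Nap's nor ISPConfig's actual configuration; the domain, login names and map path are placeholders.

```text
# main.cf: which SASL login owns which envelope sender address(es)
smtpd_sender_login_maps = hash:/etc/postfix/sender_login

# Order matters: Postfix stops at the first restriction that permits or rejects.
#  1. a logged-in user may only use sender addresses mapped to that login
#  2. the local networks and any authenticated client are then allowed through
#  3. a client that is NOT logged in may not use a sender address that belongs to a login
#     (this is the fake_user@yourdomain case; mail from other domains is unaffected)
#  4. senders in a domain this server hosts must actually exist
smtpd_sender_restrictions =
    reject_authenticated_sender_login_mismatch,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauthenticated_sender_login_mismatch,
    reject_unlisted_sender

# /etc/postfix/sender_login (run: postmap /etc/postfix/sender_login)
# left: sender address (or @domain for a whole domain), right: login(s) allowed to use it
alice@gigreview.example    alice@gigreview.example
bob@gigreview.example      bob@gigreview.example
@gigreview.example         alice@gigreview.example
```

Two caveats a practitioner should keep in mind. First, these restrictions only see mail that arrives over SMTP; a message injected on the box itself by PHP's mail() goes through the sendmail binary and pickup and never passes smtpd_sender_restrictions, which is why a hacked site keeps sending even with every mailbox disabled. Second, ISPConfig generates its own sender login map and restriction lists, so check the current values with postconf smtpd_sender_login_maps smtpd_sender_restrictions before overriding them rather than pasting this in blindly.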
     
  6. bigmac_8

    bigmac_8 New Member

    Everyone,

    I'm still getting a lot of spam relayed through my mailserver as webmaster @mydomain.com. I don't have a webmaster email account. Everything has been updated. I also checked in WordPress and verified that it is up to date and that WordPress doesn't have a webmaster @mydomain.com account. I don't currently have this problem with any of the other accounts on the ISPC server.

    Help,
    Mac
     
  7. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    Did you implement SPF for that domain? Does Postfix check SPF rules?
     
  8. bigmac_8

    bigmac_8 New Member

    I cannot implement SPF. Actually I don't know how SPF can work in a world like today where people are checking their emails from cell phones and other devices all over the world.

    As I have said, I'm using ISPConfig 3 and it is either a problem with ISPC or with WordPress. Email continues to be relayed even when I have the email disabled for mydomain.com.

    Mac
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Mails sent by WordPress (the PHP mail function) have the sender address webmaster@, so it is most likely a WordPress issue or hack. Please post the lines of such a relayed mail from mail.log.
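till asks for the mail.log lines of one of the relayed messages. As an added example (code written for this page, not from the thread or from ISPConfig), the Python parser below reads a constructed mail.log excerpt and makes explicit the distinction those lines carry: a message logged by postfix/pickup with a uid= was handed in by a local process through the sendmail binary, which is exactly what PHP's mail() does (uid 48 is the apache user on a stock CentOS install), whereas a message logged by postfix/smtpd with client= arrived over the network, optionally with the SASL user that authenticated. Hostnames, queue IDs and addresses in the sample are invented.

```python
import re

# One queue ID ties the log lines of a message together. pickup: local injection via the
# sendmail binary, with the uid of the injecting process. smtpd: arrival over SMTP, with the
# client and, if it authenticated, the SASL user. qmgr: envelope sender and recipient count.
PICKUP_RE = re.compile(r"postfix/pickup\[\d+\]: (?P<qid>\w+): uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>")
SMTPD_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>\w+): client=(?P<client>[^,\s]+)(?P<rest>.*)")
SASL_RE = re.compile(r"sasl_username=(?P<user>[^,\s]+)")
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>, size=(?P<size>\d+), nrcpt=(?P<nrcpt>\d+)")


def parse_maillog(lines):
    """Return {queue id: {origin, uid or client, sasl_username, sender, size, nrcpt}}."""
    msgs = {}
    for line in lines:
        m = PICKUP_RE.search(line)
        if m:
            msgs.setdefault(m["qid"], {}).update(origin="pickup", uid=int(m["uid"]), sender=m["sender"])
            continue
        m = SMTPD_RE.search(line)
        if m:
            rec = msgs.setdefault(m["qid"], {})
            rec.update(origin="smtpd", client=m["client"])
            s = SASL_RE.search(m["rest"])
            if s:
                rec["sasl_username"] = s["user"]
            continue
        m = QMGR_RE.search(line)
        if m:
            msgs.setdefault(m["qid"], {}).update(sender=m["sender"], size=int(m["size"]), nrcpt=int(m["nrcpt"]))
    return msgs


def local_injections(msgs, sender_localpart=None, min_rcpt=1):
    """Queue IDs of messages that never came over SMTP but were injected by a local process.
    Optionally restrict to one sender local part (e.g. 'webmaster') and a minimum recipient count."""
    out = []
    for qid, rec in msgs.items():
        if rec.get("origin") != "pickup" or rec.get("nrcpt", 0) < min_rcpt:
            continue
        if sender_localpart and rec.get("sender", "").split("@")[0] != sender_localpart:
            continue
        out.append(qid)
    return sorted(out)


def sender_summary(msgs):
    """{(sender, origin): message count}: the quickest view of who is abusing which path."""
    counts = {}
    for rec in msgs.values():
        key = (rec.get("sender", "?"), rec.get("origin", "?"))
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed mail.log excerpt in Postfix's usual format (not from anyone's real server).
SAMPLE_LOG = """\
Feb 11 10:15:01 srv postfix/pickup[2210]: 7A1B2C3D4E: uid=48 from=<webmaster@mydomain.example>
Feb 11 10:15:01 srv postfix/cleanup[2215]: 7A1B2C3D4E: message-id=<20160211101501.7A1B2C3D4E@srv.mydomain.example>
Feb 11 10:15:01 srv postfix/qmgr[2200]: 7A1B2C3D4E: from=<webmaster@mydomain.example>, size=1832, nrcpt=50 (queue active)
Feb 11 10:15:03 srv postfix/smtpd[2301]: connect from mail.example.net[203.0.113.7]
Feb 11 10:15:03 srv postfix/smtpd[2301]: 8B2C3D4E5F: client=mail.example.net[203.0.113.7]
Feb 11 10:15:03 srv postfix/qmgr[2200]: 8B2C3D4E5F: from=<alice@example.net>, size=2210, nrcpt=1 (queue active)
Feb 11 10:15:05 srv postfix/smtpd[2302]: 9C3D4E5F60: client=unknown[198.51.100.9], sasl_method=PLAIN, sasl_username=bob@mydomain.example
Feb 11 10:15:05 srv postfix/qmgr[2200]: 9C3D4E5F60: from=<bob@mydomain.example>, size=900, nrcpt=1 (queue active)
Feb 11 10:15:09 srv postfix/pickup[2210]: A0B1C2D3E4: uid=48 from=<webmaster@mydomain.example>
Feb 11 10:15:09 srv postfix/qmgr[2200]: A0B1C2D3E4: from=<webmaster@mydomain.example>, size=1830, nrcpt=50 (queue active)
"""

if __name__ == "__main__":
    msgs = parse_maillog(SAMPLE_LOG.splitlines())
    for (sender, origin), n in sorted(sender_summary(msgs).items()):
        print(f"{n:3d}  {origin:7s} {sender}")
    print("injected locally as webmaster:", local_injections(msgs, "webmaster", min_rcpt=10))
```

Run it against the real file with parse_maillog(open("/var/log/maillog")). If the webmaster@ messages show up under pickup with the web server's uid, no Postfix relay restriction will ever stop them, because nothing was relayed: a script on the box is calling mail(), and the fix is on the web side (find the script, then enable mail.log and mail.add_x_header in php.ini so the next one names itself).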
     
  10. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    Check my post #4 especially mail()-logging - you can enable that in your php.ini. https://secure.php.net/manual/en/mail.configuration.php#ini.mail.log

    SPF has nothing to do with where an end user reads his/her mail. As the owner of a domain you set a list of which servers are allowed to send mail in the name of that domain, so do others, and you can easily check (as a server) whether IP xyz is allowed to use domain.tld in its FROM part.

    For example: reputable-chocolate-factory.com has its own mail server 1.2.3.4 and adds a TXT entry to its nameserver describing that only 1.2.3.4 is allowed to send mail in reputable-chocolate-factory.com's name; then other servers won't allow a hacked dialup client/other server to send mail in their name, like potential Locky viruses.

    It's not 100% fail-safe, but it does block some sort of spam already.
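To make the check ztk.me describes concrete, here is a small SPF evaluator added for this page (not code from the thread, from Postfix or from any SPF library). It takes the chocolate-factory record from the post and a few invented ones, stands in for DNS with an in-memory table so it runs offline, and returns the verdict a receiving server would reach for a given connecting IP. It goes a little beyond the post's ip4-only example by also handling a, mx, include and redirect=, which is what real records mostly consist of.

```python
import ipaddress

# Constructed DNS data standing in for real lookups (no network access). The chocolate
# factory and 1.2.3.4 come from the post; every other name and address is invented.
DNS = {
    "reputable-chocolate-factory.com": {
        "TXT": ["v=spf1 ip4:1.2.3.4 include:_spf.mailhost.example -all"],
    },
    "_spf.mailhost.example": {"TXT": ["v=spf1 ip4:198.51.100.0/24 ~all"]},
    "gigreview.example": {"TXT": ["v=spf1 mx -all"], "MX": ["mail.gigreview.example"]},
    "mail.gigreview.example": {"A": ["203.0.113.25"]},
    "old.gigreview.example": {"TXT": ["v=spf1 redirect=gigreview.example"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rrtype, dns):
    return dns.get(name.lower(), {}).get(rrtype, [])


def check_spf(ip, domain, dns=DNS, depth=0):
    """Evaluate the SPF record of `domain` for a connection from `ip`.

    Returns pass / fail / softfail / neutral (decided by the first matching mechanism,
    or neutral when none matches), none (no SPF record) or permerror (malformed record,
    unsupported mechanism, include/redirect loop). Mechanisms are tried left to right,
    which is why a record ends with -all: everything not listed before it fails.
    """
    if depth > 10:                      # guard against include/redirect loops
        return "permerror"
    records = [t for t in lookup(domain, "TXT", dns) if t.split(" ", 1)[0] == "v=spf1"]
    if not records:
        return "none"
    if len(records) > 1:                # more than one SPF record is an error, not a merge
        return "permerror"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in records[0].split()[1:]:
        if "=" in term and (":" not in term or term.index("=") < term.index(":")):
            # modifier (redirect=, exp=); only redirect changes the result, and only
            # when no mechanism matched
            key, _, value = term.partition("=")
            if key.lower() == "redirect":
                redirect = value
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:                        # a v4 address never matches a v6 network and vice versa
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mech == "a":
            matched = str(addr) in lookup(arg or domain, "A", dns)
        elif mech == "mx":
            hosts = lookup(arg or domain, "MX", dns)
            matched = any(str(addr) in lookup(h, "A", dns) for h in hosts)
        elif mech == "include":         # include matches only on a pass of the other record
            matched = check_spf(ip, arg, dns, depth + 1) == "pass"
        else:                           # ptr, exists and macros are not implemented here
            return "permerror"
        if matched:
            return QUALIFIERS[qual]
    if redirect:
        return check_spf(ip, redirect, dns, depth + 1)
    return "neutral"


if __name__ == "__main__":
    for ip, domain in [("1.2.3.4", "reputable-chocolate-factory.com"),
                       ("198.51.100.77", "reputable-chocolate-factory.com"),
                       ("203.0.113.99", "reputable-chocolate-factory.com"),
                       ("203.0.113.25", "gigreview.example"),
                       ("203.0.113.26", "old.gigreview.example"),
                       ("1.2.3.4", "nospf.example")]:
        print(f"{ip:15s} claiming {domain:35s} -> {check_spf(ip, domain)}")
```

The verdict is what a policy server returns to Postfix; Postfix itself does not evaluate SPF, it consults an external policy daemon such as pypolicyd-spf through a check_policy_service entry in smtpd_recipient_restrictions. For the bigmac_8 case the second half of the picture matters more: publishing a record for mydomain.com only helps other sites reject forged mydomain.com mail, it does nothing for mail that originates on your own, correctly listed server, which is exactly the mail a hacked site produces.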
     
