I'm the technical assistant at a small-town public library where we run our own e-mail. If it matters, it's Postfix on an Ubuntu 18.04 box. Gateway / firewall is a 16.04 box with port forwarding set up through a script that runs at boot, issuing a long sequence of iptables commands.
Today our IP address got onto two Spamhaus block lists, first the SBL and then also the XBL. Last week, after we had an outgoing message bounce, I saw we were on the SBL list. I went through the process to remove it and it was removed. But the problem came roaring back this afternoon, and the web server at Spamhaus pretended to accept my requests to remove the IP, but it stayed on the list and after a few runs it also turned up on the XBL.
I called our internet provider and their network engineer went through the removal steps and actually got it removed. (Or perhaps my first request took that long to process.)
Where should I go from here? I am only a novice systems administrator and what I don't know could fill a... library. To prevent this from happening again, I need to find out what, if anything, is sending spam. I've tried tcpdump on the external NIC for the gateway watching port 25 but I didn't see anything suspicious (to me) during the time I looked (after the fact, and it wasn't long before I moved on to something else, I admit). But I don't even know what's going in and what's going out, and I'm in way over my head. I installed Wireshark on the gateway but soon removed it because it seemed to require a graphical desktop to use. I looked at /var/log/mail.log but I don't see anything that looks like bulk mail going out (but what would that look like?).
I am running sudo tcpdump -i enp3s0 port 25 | tee feb26-27-overnight.log overnight (on the gateway, monitoring the external-facing NIC) in hopes of finding something to glom onto. But it would be nice if there were a straightforward way to find out what's going on without requiring a cyberforensic investigation just to be able to send e-mail to people.
Sequel! How do I ensure that only my e-mail server is sending e-mail through my network?
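A first pass at the "what would bulk mail look like in mail.log" question, as an added example that is not part of the original post: it pairs each Postfix smtpd "client=" line with the qmgr "from=" line for the same queue ID and totals messages and recipients per submitting client, so a single account or internal host pushing hundreds of recipients stands out. The log lines, hostnames, addresses and the 100-recipient threshold are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of Postfix mail.log lines (not from the original post).
# The queue ID ties the smtpd "client=" line to the qmgr "from=" line that
# carries the recipient count (nrcpt) for that message.
SAMPLE_LOG = """\
Feb 26 22:01:05 mail postfix/smtpd[2101]: 7A1B2C3D4E: client=localhost[127.0.0.1]
Feb 26 22:01:05 mail postfix/qmgr[1850]: 7A1B2C3D4E: from=<librarian@example.org>, size=2310, nrcpt=1 (queue active)
Feb 26 22:01:09 mail postfix/smtpd[2102]: 8B2C3D4E5F: client=unknown[192.0.2.77], sasl_method=LOGIN, sasl_username=frontdesk
Feb 26 22:01:09 mail postfix/qmgr[1850]: 8B2C3D4E5F: from=<frontdesk@example.org>, size=5120, nrcpt=150 (queue active)
Feb 26 22:01:12 mail postfix/smtpd[2102]: 9C3D4E5F6A: client=unknown[192.0.2.77], sasl_method=LOGIN, sasl_username=frontdesk
Feb 26 22:01:12 mail postfix/qmgr[1850]: 9C3D4E5F6A: from=<frontdesk@example.org>, size=5120, nrcpt=200 (queue active)
Feb 26 22:01:30 mail postfix/smtpd[2103]: AD4E5F6A7B: client=localhost[127.0.0.1]
Feb 26 22:01:30 mail postfix/qmgr[1850]: AD4E5F6A7B: from=<catalog@example.org>, size=900, nrcpt=2 (queue active)
"""

CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>\w+): client=(?P<client>\S+?)(?:,|$)")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)")

def summarize(log_text):
    """Return {client: {"messages": n, "recipients": n, "senders": set()}} for the log text."""
    client_by_qid = {}  # queue ID -> submitting client, filled from smtpd lines
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "senders": set()})
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            client_by_qid[m.group("qid")] = m.group("client")
            continue
        m = FROM_RE.search(line)
        if m:  # qmgr line: attribute the message and its recipients to the client that submitted it
            client = client_by_qid.get(m.group("qid"), "unknown-client")
            s = stats[client]
            s["messages"] += 1
            s["recipients"] += int(m.group("nrcpt"))
            s["senders"].add(m.group("sender"))
    return dict(stats)

def flag_bulk(stats, max_recipients=100):
    """Clients whose total recipient count exceeds the threshold, busiest first."""
    hot = [(c, s["recipients"]) for c, s in stats.items() if s["recipients"] > max_recipients]
    return sorted(hot, key=lambda x: -x[1])

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for client, s in sorted(stats.items(), key=lambda kv: -kv[1]["recipients"]):
        print(f"{client:28} msgs={s['messages']:4} rcpts={s['recipients']:5} senders={sorted(s['senders'])}")
    print("flagged:", flag_bulk(stats))
```

Feeding it the real /var/log/mail.log instead of SAMPLE_LOG shows which client IP or SASL user is responsible for the recipient volume; a submitting client other than the expected ones is the thing to chase.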