I was checking my munin tables and saw a huge list of deferred mails in postfix and looking into /var/log/mail.log gave me an idea: I am sending mails to unknown mail addresses:
Dec 23 08:21:32 h2065299 postfix/pickup[10816]: 63F5811A0384: uid=33 from=<www-data>
Dec 23 08:21:32 h2065299 postfix/cleanup[20915]: 63F5811A0384: message-id=<301b8e057416d03df3ac7c11f1aa5bda@www.my-server.com>
Dec 23 08:21:32 h2065299 postfix/qmgr[7878]: 63F5811A0384: from=<www-data@my-server.com>, size=2254, nrcpt=1 (queue active)
Dec 23 08:21:32 h2065299 postfix/smtp[20917]: 63F5811A0384: to=<underlyingbzvn+zprtra@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.69.26]:25, $
Dec 23 08:21:32 h2065299 postfix/qmgr[7878]: 63F5811A0384: removed
this is not really different to a forced "good" email
Dec 23 09:41:51 h2065299 postfix/pickup[28905]: EE51611A0393: uid=33 from=<www-data>
Dec 23 09:41:51 h2065299 postfix/cleanup[30516]: EE51611A0393: message-id=<2736115f98e8293f5e8b657b22e66b4d@www.my-server.com>
Dec 23 09:41:52 h2065299 postfix/qmgr[28906]: EE51611A0393: from=<www-data@my-server.com>, size=977, nrcpt=1 (queue active)
Dec 23 09:42:22 h2065299 postfix/smtp[30518]: connect to gmail-smtp-in.l.google.com[2a00:1450:4008:c01::1b]:25: Connection timed out
Dec 23 09:42:22 h2065299 postfix/smtp[30518]: EE51611A0393: to=<my-name@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.69.27]:25, delay=$
Dec 23 09:42:22 h2065299 postfix/qmgr[28906]: EE51611A0393: removed
We are running three wordpresses and some scipt folder on the server. The WPs are up-to-data and I think we have correct file permissions on them.
What can cause www-data to send mails to unknown users?!