30

A bit confused when reading through the logs of my smtp/mail server, I'm turning this question to you guys.

In the maillog files I'm seeing entries for postfix/smtp as well as postfix/smtpd. I can also see that there are possible settings for smtp as well as smtpd in the file main.cf

Trying to find some reasonable explanation through google search seemed to be impossible, so here is my question to you guys.

My server was kind of compromised and the spam mails were going through postfix/smtp and not smtpd. Please help me to understand. Thanks in advance!

Edwin Krause
  • 437
  • 1
  • 4
  • 6

1 Answer

42

postfix/smtpd - This is typically the SMTP daemon process for handling incoming mail and routing to the appropriate internal location.

postfix/smtp - This is typically the SMTP daemon process for delivering mail out to the world.

If you're seeing a lot of postfix/smtp log entries, these would be all of the SMTP connections sending spam out to other nodes.

This blog post gives a pretty good overview of interpreting postfix logs.

Justin Pearce
  • 1,005
  • 10
  • 13
  • 1
    This is just so confusing. Thanks to the guy who gave me the down vote, very mature. Considering your answer, why would I restrict my SMTP relay usage by this setting **smtpd_recipient_restrictions = permit_sasl_authenticated,** when my problem is **postfix/smtp** sending out spam mails? – Edwin Krause Jun 05 '15 at 18:43
  • @EdwinKrause Have you considered that there may be a program or script on your server that is connecting to the MTA locally and sending emails? The last few times I have had a spammy server was due to a compromised CMS (Wordpress/Joomla/etc) either becoming or allowing upload of a spam-sending script. – Justin Pearce Jun 05 '15 at 18:48
  • That's an interesting thought... I have seen some comment like this before... I'm not using Joomla or Wordpress, but file upload is possible of course. What would be the easiest way to find the file? – Edwin Krause Jun 05 '15 at 18:53
  • I'm trying to search for recently updated files with WinSCP – Edwin Krause Jun 05 '15 at 19:07
  • Just to make sure I understand correctly... Since the spam mails are sent from postfix/smtp and not from postfix/smtpd, this means they are coming from a local script?? Am I correct here? – Edwin Krause Jun 05 '15 at 19:09
  • 1
    @EdwinKrause It is a reasonable assumption that the spam messages are coming from inside the server. If not, the next place to look would be compromised client (someone's email account getting hacked, malware on the end user node, etc). – Justin Pearce Jun 05 '15 at 19:47
  • 1
    Great, thanks for that... I'm currently fighting with enabling mail.log for logging the PHP mail command – Edwin Krause Jun 05 '15 at 20:01
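The answer and the comment thread above come down to one diagnostic: a postfix/smtp line only tells you that mail left the server; to find out where the spam entered, follow the queue ID back to the process that accepted it. In Postfix, postfix/smtpd logs network submissions (with client=, and sasl_username= when the sender authenticated), postfix/pickup logs mail injected locally through the sendmail(1) binary, which is what PHP's mail() uses (as uid=N from=<user>), and postfix/smtp logs each outbound delivery; all three lines for one message carry the same queue ID. The script below is an added example, not code from the answer or from Postfix itself: it parses maillog lines, ties every successful outbound delivery to its entry point, and totals them per origin. The log lines in SAMPLE_LOG are constructed for the example (hostnames, addresses and queue IDs are made up); the uid 33 / www-data pairing is the Debian default for the web server and is only an assumption about the reader's system.

```python
"""Attribute postfix/smtp (outbound) deliveries to the entry point that
accepted each message, using the shared queue ID.

  postfix/smtpd  : network submission, client=... [sasl_username=...]
  postfix/pickup : local injection via sendmail(1), e.g. PHP mail(), uid=N
  postfix/smtp   : outbound delivery, to=<...> status=sent|deferred|bounced
"""
import re
from collections import Counter, defaultdict

# One syslog line written by any Postfix daemon.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<proc>[\w-]+)\[\d+\]: (?P<msg>.*)$"
)
# Per-message lines start with the queue ID (hex short IDs or base-62 long
# IDs); "NOQUEUE:" is 7 chars and is deliberately excluded.
QID_RE = re.compile(r"^(?P<qid>[0-9A-Za-z]{8,}): (?P<rest>.*)$")
# key=value pairs as Postfix writes them; addresses are wrapped in <>.
KV_RE = re.compile(r"(\w+)=(<[^>]*>|[^,\s]+)")

# Constructed sample log for the example; not real traffic.
SAMPLE_LOG = """\
Jun  5 18:43:01 mail postfix/smtpd[12345]: connect from unknown[203.0.113.5]
Jun  5 18:43:02 mail postfix/smtpd[12345]: 3A1B2C3D4E: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice@example.com
Jun  5 18:43:02 mail postfix/qmgr[1000]: 3A1B2C3D4E: from=<alice@example.com>, size=1234, nrcpt=1 (queue active)
Jun  5 18:43:03 mail postfix/smtp[12347]: 3A1B2C3D4E: to=<bob@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jun  5 18:43:05 mail postfix/pickup[1001]: 5F6E7D8C9B: uid=33 from=<www-data>
Jun  5 18:43:05 mail postfix/qmgr[1000]: 5F6E7D8C9B: from=<www-data@mail.example.com>, size=2048, nrcpt=3 (queue active)
Jun  5 18:43:06 mail postfix/smtp[12348]: 5F6E7D8C9B: to=<v1@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=0.9, delays=0.1/0/0.3/0.5, dsn=2.0.0, status=sent (250 OK)
Jun  5 18:43:06 mail postfix/smtp[12348]: 5F6E7D8C9B: to=<v2@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=0.9, delays=0.1/0/0.3/0.5, dsn=2.0.0, status=sent (250 OK)
Jun  5 18:43:07 mail postfix/smtp[12348]: 5F6E7D8C9B: to=<v3@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=1.1, delays=0.1/0/0.3/0.7, dsn=4.7.1, status=deferred (451 4.7.1 greylisted)
"""


def parse_line(line):
    """Return {proc, host, qid, fields, msg} for a Postfix log line, else None."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = {"proc": m["proc"], "host": m["host"], "qid": None,
           "fields": {}, "msg": m["msg"]}
    q = QID_RE.match(m["msg"])
    if q:
        rec["qid"] = q["qid"]
        # Strip the <> around addresses so values compare cleanly.
        rec["fields"] = {k: v.strip("<>") for k, v in KV_RE.findall(q["rest"])}
    return rec


def trace_queue(lines):
    """Map queue ID -> origin (smtpd/pickup), origin detail, and deliveries."""
    msgs = defaultdict(lambda: {"origin": None, "detail": None,
                                "sent": 0, "recipients": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["qid"] is None:
            continue
        m, f = msgs[rec["qid"]], rec["fields"]
        if rec["proc"] == "smtpd" and "client" in f:
            # Network submission: an authenticated sender points at a stolen
            # mailbox password; no sasl_username means the server relayed.
            m["origin"] = "smtpd"
            m["detail"] = f.get("sasl_username") or f["client"]
        elif rec["proc"] == "pickup" and "uid" in f:
            # Local injection through sendmail(1): the Unix uid identifies the
            # calling account (33 = www-data on Debian, an assumption here).
            m["origin"] = "pickup"
            m["detail"] = f"uid={f['uid']} from={f.get('from', '')}"
        elif rec["proc"] == "smtp" and f.get("status") == "sent":
            m["sent"] += 1
            m["recipients"].append(f["to"])
    return dict(msgs)


def outbound_by_origin(lines):
    """Count successful outbound deliveries per entry point label."""
    counts = Counter()
    for m in trace_queue(lines).values():
        counts[f"{m['origin'] or 'unknown'}:{m['detail'] or '?'}"] += m["sent"]
    return counts


if __name__ == "__main__":
    for label, n in outbound_by_origin(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:6d}  {label}")
```

Run it against the real maillog (`python3 trace.py < /var/log/maillog` after swapping SAMPLE_LOG for sys.stdin) and the top line answers the question in the thread: a `pickup:uid=33 ...` entry means a local script under the web server's account is feeding sendmail(1), so tightening smtpd_recipient_restrictions will not help, while a `smtpd:user@domain` entry means that account's password is being used to relay and the fix is a password reset and rate limiting on submission.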