
I have an Ubuntu 20.04.5 LTS server with multiple WordPress websites running on Nginx. I installed postfix and configured it to stop relaying emails. I have an antivirus (freshclam) running.

Someone or something is sending emails from my server using my Gmail account. How do I even start investigating?

This is my /etc/postfix/main.cf:

```
compatibility_level = 2

myhostname = Ubuntu-T.members.linode.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = $myhostname, localhost.localdomain, localhost
relayhost = [smtp.gmail.com]:587
mynetworks = !147.78.103.107, 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtp_tls_CApath=/etc/ssl/certs
smtpd_client_restrictions = permit_mynetworks, reject
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_recipient_restrictions = reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_non_fqdn_recipient,>

# Enable SASL authentication
smtp_sasl_auth_enable = yes
# Disallow methods that allow anonymous authentication
smtp_sasl_security_options = noanonymous
# Location of sasl_passwd
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
# Enable STARTTLS encryption
smtp_tls_security_level = encrypt
# Location of CA certificates
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# DKIM
# -----------------------
milter_protocol = 6
milter_default_action = accept
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
```

This is a sample from my mail.log showing the spam being sent:

```
May 30 06:16:47 Ubuntu-T postfix/pickup[35351]: 87478220358: uid=33 from=<www-data>
May 30 06:16:47 Ubuntu-T postfix/cleanup[37404]: warning: connect to Milter service inet:localhost:8891: Connection refused
May 30 06:16:47 Ubuntu-Teeglobal postfix/cleanup[37404]: 87478220358: message-id=<1tTTSXm6L4yYiorX5Evh7r7kQaS4vbiL22d3bXKeYo@david.xyz>
May 30 06:16:47 Ubuntu-Teeglobal postfix/qmgr[982]: 87478220358: from=<www-data@Ubuntu-T.members.linode.com>, size=1272, nrcpt=1 (queue active)
May 30 06:16:49 Ubuntu-Teeglobal postfix/smtp[37406]: 87478220358: to=<webredoxltd@gmail.com>, relay=smtp.gmail.com[142.251.161.108]:587, delay=1.6, delays=0.03/0.02/0.47/1.1, dsn=2.0.0, status=sent (250 2.0.0 OK  1685441809 s13-20020a056638218d00b0041ab38c1a4esm629321jaj.60 - gsmtp)
```
Henri

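The `pickup` line above is the key: `uid=33 from=<www-data>` means the message was handed to Postfix locally (via the sendmail binary) by a process running as the web server user, not accepted over SMTP, so the relay restrictions in main.cf never applied. The `Milter ... Connection refused` warning also shows OpenDKIM is down, so the relayed mail goes out unsigned. As an added triage aid (not code from the question), the script below correlates Postfix queue IDs in a mail.log to list every message submitted by the web user, with its recipients and delivery status; the log lines embedded in it are constructed to mirror the format in the question.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the Postfix log format shown in the question
# (hostnames, queue IDs and addresses here are made up).
SAMPLE_LOG = """\
May 30 06:16:47 host postfix/pickup[35351]: 87478220358: uid=33 from=<www-data>
May 30 06:16:47 host postfix/cleanup[37404]: warning: connect to Milter service inet:localhost:8891: Connection refused
May 30 06:16:47 host postfix/qmgr[982]: 87478220358: from=<www-data@host.example>, size=1272, nrcpt=1 (queue active)
May 30 06:16:49 host postfix/smtp[37406]: 87478220358: to=<victim@example.net>, relay=smtp.gmail.com[192.0.2.10]:587, delay=1.6, status=sent (250 2.0.0 OK)
May 30 07:02:11 host postfix/pickup[35351]: A1B2C3D4E5: uid=0 from=<root>
May 30 07:02:11 host postfix/qmgr[982]: A1B2C3D4E5: from=<root@host.example>, size=512, nrcpt=1 (queue active)
May 30 07:02:12 host postfix/smtp[37406]: A1B2C3D4E5: to=<admin@example.org>, relay=smtp.gmail.com[192.0.2.10]:587, status=sent (250 2.0.0 OK)
"""

# Local submissions: the pickup daemon records the submitting uid per queue ID.
PICKUP_RE = re.compile(r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>")
# Outbound delivery attempts carry the same queue ID plus recipient and status.
TO_RE = re.compile(r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>.*status=(?P<status>\w+)")
MILTER_RE = re.compile(r"warning: connect to Milter service \S+: Connection refused")

WEB_UIDS = {33}  # www-data on Debian/Ubuntu: mail from this uid originated in the web stack


def analyse(log_text, web_uids=WEB_UIDS):
    """Return (list of web-user submissions with their recipients, count of milter failures)."""
    pickups = {}
    recipients = defaultdict(list)
    milter_failures = 0
    for line in log_text.splitlines():
        if m := PICKUP_RE.search(line):
            pickups[m["qid"]] = (int(m["uid"]), m["sender"])
        elif m := TO_RE.search(line):
            recipients[m["qid"]].append((m["rcpt"], m["status"]))
        elif MILTER_RE.search(line):
            milter_failures += 1
    suspects = [
        {"qid": qid, "uid": uid, "sender": sender, "recipients": recipients.get(qid, [])}
        for qid, (uid, sender) in pickups.items()
        if uid in web_uids
    ]
    return suspects, milter_failures


if __name__ == "__main__":
    suspects, milter_failures = analyse(SAMPLE_LOG)
    for s in suspects:
        print(f"queue {s['qid']}: submitted locally by uid {s['uid']} ({s['sender']}) -> {s['recipients']}")
    print(f"milter connection failures (mail left unsigned): {milter_failures}")
```

Run it against the real file with `analyse(open('/var/log/mail.log').read())`; each flagged queue ID gives a timestamp to match against the Nginx/PHP-FPM access logs for the same second, which is how to find the script that called sendmail.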