Issue Postfix hacked - sending emails from non-existing accounts

[Filipe Silva]

Hi.

Someone is sending emails from our company postfix using non-existing accounts. Luckly the spam filter is filtering some emails and are being sent only to our employes.

I have added this in /etc/postfix/main.cf :

"
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated, reject_sender_login_mismatch, reject_unauth_pipelining, reject_unknown_reverse_client_hostname, permit_mynetworks, reject_non_fqdn_sender, reject_invalid_hostname
"

But every time I found a solution in the next day the spammers find a workaround.

This is an example seen in the maillog:

"
Dec 21 10:48:09 vpsxxxxxxx postfix/smtpd[2936]: NOQUEUE: reject: RCPT from unknown[177.1.75.239]: 554 5.7.1 Service unavailable; Client host [177.1.75.239] blocked using bl.spamcop.net; Blocked - see SpamCop.net - Blocking List ( bl.spamcop.net ) from=<Quentin@ourdomain.pt> to=<employeex@ourdomain.pt> proto=ESMTP helo=<[177.1.75.239]>
"
NOTE: I censored private information with: "ourdomain", "employeeX" and "vpsxxxxxxx"

I would appreciate any help,
Thanks.

EDIT: Just added "reject_unlisted_sender" to my "smtpd_sender_restrictions". Lets see how that goes. In the meanwhile I accept any feedback to improve the mail security.

 

[Bitpalast]

Where do you derive that the mail is sent from the company postfix server? To me it looks rather as if mail is sent from an external source to recipients on your server.

What does it have to do with Plesk?