Please help me deal with the problem.
Recently, spam has begun to arrive, where the sender and recipient are users of our mail server.
Letters come from outside, there is no mention of authorization anywhere.
That is, a letter arrives from outside with the local address of the sender.
But the sender's host does not pass authorization and is not included in the "white" lists; all security settings are in place.
How is this possible, and where should I look for the reason?
The letters contain the following information:
As you can see, the letter came from your account, so I have access to it, ..... transfer money to bitcoin such and such ....
Short info:
[zimbra@mail ~]$ /opt/zimbra/bin/zmcontrol -v
Release 8.8.11_GA_3737.RHEL6_64_20181207111719 RHEL6_64 FOSS edition, Patch 8.8.11_P2.
[zimbra@mail ~]$ zmprov gs `zmhostname` zimbraMtaMyNetworks
# name mail.my.domain
zimbraMtaMyNetworks: 127.0.0.0/8 192.168.0.0/22 external_ip1/29 external_ip2/32 external_ip3/32
all SMTP checks are included,
open relay is not available,
DKIM, DMARC, SPF are present...
and all the information that I could find in the logs regarding this letter:
in the letter code:
Received: from x4e300cc3.dyn.telefonica.de (x4e300cc3.dyn.telefonica.de [78.48.12.195])
    by mail.my.domain (Postfix) with ESMTP id 5A6E05D82289
    for <mailbox@my.domain>; Fri, 22 Nov 2019 01:51:59 +0200 (EET)
In log files:
[root@mail log]# grep -bir '78.48.12.195' /var/log/*
/var/log/maillog:107188006:Nov 22 01:51:52 mail postfix/postscreen[6913]: CONNECT from [78.48.12.195]:19337 to [mail_server_internal_ip]:25
/var/log/maillog:107188107:Nov 22 01:51:58 mail postfix/postscreen[6913]: PASS NEW [78.48.12.195]:19337
/var/log/maillog:107188184:Nov 22 01:51:58 mail postfix/smtpd[6918]: connect from x4e300cc3.dyn.telefonica.de[78.48.12.195]
/var/log/maillog:107188281:Nov 22 01:51:59 mail postfix/smtpd[6918]: NOQUEUE: filter: RCPT from x4e300cc3.dyn.telefonica.de[78.48.12.195]: <mailbox@my.domain>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<mailbox@my.domain> to=<mailbox@my.domain> proto=ESMTP helo=<x4e300cc3.dyn.telefonica.de>
/var/log/maillog:107188544:Nov 22 01:51:59 mail postfix/smtpd[6918]: NOQUEUE: filter: RCPT from x4e300cc3.dyn.telefonica.de[78.48.12.195]: <mailbox@my.domain>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<mailbox@my.domain> to=<mailbox@my.domain> proto=ESMTP helo=<x4e300cc3.dyn.telefonica.de>
/var/log/maillog:107188807:Nov 22 01:51:59 mail postfix/smtpd[6918]: 5A6E05D82289: client=x4e300cc3.dyn.telefonica.de[78.48.12.195]
/var/log/maillog:107189120:Nov 22 01:52:00 mail postfix/smtpd[6918]: disconnect from x4e300cc3.dyn.telefonica.de[78.48.12.195] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
[root@mail log]# grep -bir '78.48.12.195' /opt/zimbra/log/*
...nothing...
Perhaps it is a configuration problem?
If so, in what?
Tell me where to look, please ...
If necessary, I can provide the current configuration settings, tell me which ones ...
I very much hope for a quick response,
best regards,
Alexander.
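
One way to find every message of this kind in the maillog, as an added example that is not part of the original post and not Zimbra's or Postfix's own code: it pairs the RCPT-stage line carrying `from=<...>` with the following `client=` line of the same smtpd process and reports queue IDs where the envelope sender is local, the client is outside the trusted networks, and no `sasl_username=` was logged. The domain, the two internal ranges (taken from the post's placeholders) and the sample log lines are assumptions.

```python
import ipaddress
import re

# Assumptions: the post's placeholder domain and the internal ranges it lists.
LOCAL_DOMAINS = {"my.domain"}
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.0.0/22")]

SMTPD = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)")
RCPT = re.compile(r"RCPT from \S+?\[(?P<ip>[^\]]+)\]:.*\bfrom=<(?P<sender>[^>]*)>")
QUEUED = re.compile(r"(?P<qid>[0-9A-F]{6,}): client=\S+?\[(?P<ip>[^\]]+)\](?P<rest>.*)")

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def find_spoofed_local_senders(lines):
    """Return (qid, ip, sender) for local senders accepted without SASL from untrusted IPs."""
    pending = {}   # smtpd pid -> (client ip, envelope sender) seen at RCPT stage
    findings = []
    for line in lines:
        m = SMTPD.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        rcpt, queued = RCPT.search(msg), QUEUED.match(msg)
        if rcpt and rcpt.group("sender").rpartition("@")[2].lower() in LOCAL_DOMAINS:
            pending[pid] = (rcpt.group("ip"), rcpt.group("sender"))
        elif queued and pid in pending:
            ip, sender = pending.pop(pid)
            authed = "sasl_username=" in queued.group("rest")  # logged only after SMTP AUTH
            if ip == queued.group("ip") and not authed and not is_trusted(ip):
                findings.append((queued.group("qid"), ip, sender))
        elif msg.startswith("disconnect from"):
            pending.pop(pid, None)  # session ended without queuing a message
    return findings

# Constructed sample lines in the post's maillog format (documentation IP ranges).
SAMPLE_LOG = """\
Nov 22 01:51:59 mail postfix/smtpd[6918]: NOQUEUE: filter: RCPT from unknown[203.0.113.25]: <mailbox@my.domain>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<mailbox@my.domain> to=<mailbox@my.domain> proto=ESMTP helo=<host.example>
Nov 22 01:51:59 mail postfix/smtpd[6918]: AAAA11112222: client=unknown[203.0.113.25]
Nov 22 02:10:01 mail postfix/smtpd[7001]: NOQUEUE: filter: RCPT from unknown[198.51.100.7]: <other@my.domain>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<mailbox@my.domain> to=<other@my.domain> proto=ESMTP helo=<laptop>
Nov 22 02:10:01 mail postfix/smtpd[7001]: BBBB33334444: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=mailbox@my.domain
Nov 22 02:20:05 mail postfix/smtpd[7050]: NOQUEUE: filter: RCPT from pc[192.168.1.10]: <other@my.domain>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<mailbox@my.domain> to=<other@my.domain> proto=ESMTP helo=<pc>
Nov 22 02:20:05 mail postfix/smtpd[7050]: CCCC55556666: client=pc[192.168.1.10]
""".splitlines()

if __name__ == "__main__":
    for qid, ip, sender in find_spoofed_local_senders(SAMPLE_LOG):
        print(f"{qid}: {sender} accepted from unauthenticated external client {ip}")
```

The same function accepts the lines of a real log, for example `find_spoofed_local_senders(open("/var/log/maillog"))`, after `LOCAL_DOMAINS` and `TRUSTED_NETS` are set to the server's actual values.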