I have recently set up a Postfix Mail Server on Ubuntu 20.04. This server is used mainly to relay messages from authenticated users to the outside world. This is so applications such as payroll or our various web applications can send emails to users.
Since outgoing mail is sometimes marked as spam (resulting in non-delivery to the end-user) we have also set up postfix to save a copy of all messages to an archive mailbox in Dovecot which can be accessed by IMAP.
I have not started using it yet, but in testing it appears to be working.
I also receive daily server stats so I can monitor if it has been compromised, or is otherwise working correctly.
Today this showed my server sent an email that appears to be spam, and I do not understand where it came from.
My mail logs show it was received by the postfix/pickup process, which I believe means it was generated locally using the maildrop directory. However, I have no idea what could cause this.
Mail.log is below with my actual domain replaced with 'my-domain.co.uk'.
Oct 20 20:51:33 smtp postfix/pickup[122235]: 6932F1802EE: uid=0 from=<[email protected]>
Oct 20 20:51:33 smtp postfix/cleanup[122417]: 6932F1802EE: message-id=<[email protected]>
Oct 20 20:51:33 smtp postfix/qmgr[96237]: 6932F1802EE: from=<[email protected]>, size=362, nrcpt=2 (queue active)
Oct 20 20:51:33 smtp dovecot: lmtp(122427): Connect from local
Oct 20 20:51:33 smtp dovecot: lmtp(archive)<122427><6rUBHUVzcGE73gEAMbpG8w>: msgid=<[email protected]>: saved mail to INBOX
Oct 20 20:51:33 smtp dovecot: lmtp(122427): Disconnect from local: Client has quit the connection (state=READY)
Oct 20 20:51:33 smtp postfix/lmtp[122424]: 6932F1802EE: to=<[email protected]>, relay=smtp.my-domain.co.uk[private/dovecot-lmtp], delay=0.08, delays=0.02/0.02/0.03/0.01, dsn=2.0.0, status=sent (250 2.0.0 <[email protected]> 6rUBHUVzcGE73gEAMbpG8w Saved)
Oct 20 20:51:34 smtp postfix/smtp[122422]: 6932F1802EE: to=<[email protected]>, relay=smtp-in.libero.it[213.209.1.129]:25, delay=1.4, delays=0.02/0.02/0.52/0.89, dsn=2.0.0, status=sent (250 dHcbmPvGwsN2WdHcbmMIwS mail accepted for delivery)
Oct 20 20:51:34 smtp postfix/qmgr[96237]: 6932F1802EE: removed
Has my server been compromised somehow? If so, how do I find the culprit?
Also, it looks like the maildrop directory is used by the daily cron job which sends me the Mail Stats, so I don't think I can simply disable the pickup process.
The last thing I have checked is the auth.log. I am fairly confident that the only successful logins in the last few days are all me, although there are a lot of failed attempts.
UPDATE:
postconf -Mf output:
smtp inet n - y - - smtpd
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_tls_auth_only=yes
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
-o syslog_name=postfix/$service_name
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
postlog unix-dgram n - n - 1 postlogd
maildrop unix - n n - - pipe flags=DRhu
user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe flags=Fqhu
user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe flags=F user=ftn
argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe flags=Fq.
user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe flags=R
user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop}
${user} ${extension}
mailman unix - n n - - pipe flags=FR
user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop}
${user}
And postconf -n (again changing my actual domain to my-domain.co.uk)
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
always_bcc = [email protected]
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
compatibility_level = 2
inet_interfaces = all
inet_protocols = all
local_recipient_maps = hash:/etc/postfix/local_recipient_maps
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 50000000
mailbox_transport = lmtp:unix:private/dovecot-lmtp
mydestination = smtp.my-domain.co.uk, localhost
myhostname = smtp.my-domain.co.uk
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/letsencrypt/live/smtp.my-domain.co.uk/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/smtp.my-domain.co.uk/privkey.pem
smtpd_tls_security_level = may
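One way to answer "which locally submitted messages actually left the box" from mail.log is to correlate every line by Postfix queue ID: the pickup line tells you the message came in through the local sendmail/postdrop path and which uid submitted it, the qmgr line gives the envelope sender, and the delivery-agent lines tell you whether each recipient was a local mailbox (here the always_bcc archive over the dovecot LMTP socket) or an outside MX reached by the smtp client. The script below is an added example, not code from the question or from Postfix. It assumes the stock log format shown above, the default short hex queue IDs, and that deliveries logged by postfix/smtp or postfix/relay (the relay service in the posted master.cf logs as postfix/$service_name) are external; the sample log lines, addresses and hosts are constructed placeholders modelled on the question, and the function names are my own.

```python
"""Correlate Postfix queue-id log lines and report locally submitted (pickup)
messages that were relayed to an external MX. Added example, not the poster's
code; assumes the standard Postfix syslog format and short hex queue IDs."""
import re
import sys

# Constructed sample modelled on the question's log. Message 1 is the odd
# pickup-submitted message, message 2 is a cron-style report that only reaches
# a local mailbox, message 3 is a normal SASL-authenticated submission.
# Every address, host and IP here is a placeholder, not real data.
SAMPLE_LOG = """\
Oct 20 20:51:33 smtp postfix/pickup[122235]: 6932F1802EE: uid=0 from=<root@smtp.my-domain.co.uk>
Oct 20 20:51:33 smtp postfix/qmgr[96237]: 6932F1802EE: from=<root@smtp.my-domain.co.uk>, size=362, nrcpt=2 (queue active)
Oct 20 20:51:33 smtp dovecot: lmtp(122427): Connect from local
Oct 20 20:51:33 smtp postfix/lmtp[122424]: 6932F1802EE: to=<archive@smtp.my-domain.co.uk>, relay=smtp.my-domain.co.uk[private/dovecot-lmtp], delay=0.08, delays=0.02/0.02/0.03/0.01, dsn=2.0.0, status=sent (250 2.0.0 <archive@smtp.my-domain.co.uk> 6rUBHUVzcGE73gEAMbpG8w Saved)
Oct 20 20:51:34 smtp postfix/smtp[122422]: 6932F1802EE: to=<recipient@libero.it>, relay=smtp-in.libero.it[213.209.1.129]:25, delay=1.4, delays=0.02/0.02/0.52/0.89, dsn=2.0.0, status=sent (250 dHcbmPvGwsN2WdHcbmMIwS mail accepted for delivery)
Oct 20 20:51:34 smtp postfix/qmgr[96237]: 6932F1802EE: removed
Oct 21 06:25:01 smtp postfix/pickup[122235]: 1A2B3C4D5E6: uid=0 from=<root@smtp.my-domain.co.uk>
Oct 21 06:25:01 smtp postfix/qmgr[96237]: 1A2B3C4D5E6: from=<root@smtp.my-domain.co.uk>, size=4120, nrcpt=1 (queue active)
Oct 21 06:25:01 smtp postfix/lmtp[122430]: 1A2B3C4D5E6: to=<admin@smtp.my-domain.co.uk>, relay=smtp.my-domain.co.uk[private/dovecot-lmtp], delay=0.05, delays=0.01/0.01/0.02/0.01, dsn=2.0.0, status=sent (250 2.0.0 <admin@smtp.my-domain.co.uk> x Saved)
Oct 21 06:25:01 smtp postfix/qmgr[96237]: 1A2B3C4D5E6: removed
Oct 21 09:10:00 smtp postfix/submission/smtpd[122500]: 7F7F7F7F7F7: client=app1.internal[192.0.2.5], sasl_method=PLAIN, sasl_username=payroll
Oct 21 09:10:00 smtp postfix/qmgr[96237]: 7F7F7F7F7F7: from=<payroll@my-domain.co.uk>, size=900, nrcpt=2 (queue active)
Oct 21 09:10:01 smtp postfix/lmtp[122430]: 7F7F7F7F7F7: to=<archive@smtp.my-domain.co.uk>, relay=smtp.my-domain.co.uk[private/dovecot-lmtp], delay=0.04, delays=0.01/0.01/0.01/0.01, dsn=2.0.0, status=sent (250 2.0.0 <archive@smtp.my-domain.co.uk> y Saved)
Oct 21 09:10:01 smtp postfix/smtp[122422]: 7F7F7F7F7F7: to=<staff@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=0.9, delays=0.01/0.01/0.4/0.5, dsn=2.0.0, status=sent (250 2.0.0 OK)
Oct 21 09:10:01 smtp postfix/qmgr[96237]: 7F7F7F7F7F7: removed
"""

# syslog prefix, postfix daemon (may be "submission/smtpd"), short hex queue id
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "
    r"(?P<prog>postfix/[\w/]+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$")
DELIVERY_RE = re.compile(
    r"to=<(?P<to>[^>]*)>, relay=(?P<relay>[^,]+),.*\bstatus=(?P<status>\w+)")

# Assumption: these two agents are the SMTP client talking to outside hosts.
EXTERNAL_AGENTS = {"postfix/smtp", "postfix/relay"}
DELIVERY_AGENTS = EXTERNAL_AGENTS | {
    "postfix/lmtp", "postfix/local", "postfix/virtual", "postfix/pipe"}


def parse_log(text):
    """Return {queue_id: record} describing how each message entered and left."""
    msgs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # dovecot lines and anything without a queue id
        rec = msgs.setdefault(m["qid"], {
            "qid": m["qid"], "ts": m["ts"], "source": None, "uid": None,
            "client": None, "sasl_username": None, "sender": None,
            "deliveries": []})
        prog, rest = m["prog"], m["rest"]
        if prog == "postfix/pickup":
            # pickup logs the uid of the local user that ran sendmail/postdrop
            rec["source"] = "pickup"
            uid = re.search(r"uid=(\d+)", rest)
            rec["uid"] = int(uid.group(1)) if uid else None
        elif prog.endswith("/smtpd"):
            # network submission: port 25 smtpd or the submission service
            rec["source"] = prog
            client = re.search(r"client=([^,\s]+)", rest)
            sasl = re.search(r"sasl_username=(\S+)", rest)
            rec["client"] = client.group(1) if client else None
            rec["sasl_username"] = sasl.group(1) if sasl else None
        elif prog == "postfix/qmgr":
            sender = re.search(r"from=<([^>]*)>", rest)
            if sender:
                rec["sender"] = sender.group(1)
        elif prog in DELIVERY_AGENTS:
            d = DELIVERY_RE.search(rest)
            if d:
                rec["deliveries"].append({
                    "to": d["to"], "relay": d["relay"], "status": d["status"],
                    "agent": prog, "external": prog in EXTERNAL_AGENTS})
    return msgs


def relayed_pickups(msgs):
    """Messages that entered via pickup and had a recipient handed to an
    external MX. Local-only mail (cron reports, the always_bcc archive copy)
    is not reported; the archive copy of a flagged message is ignored."""
    hits = []
    for rec in msgs.values():
        ext = [(d["to"], d["relay"], d["status"])
               for d in rec["deliveries"] if d["external"]]
        if rec["source"] == "pickup" and ext:
            hits.append({"qid": rec["qid"], "ts": rec["ts"], "uid": rec["uid"],
                         "sender": rec["sender"], "external": ext})
    return hits


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for h in relayed_pickups(parse_log(text)):
        print(f"{h['ts']} {h['qid']}: local submission uid={h['uid']} from=<{h['sender']}>")
        for to, relay, status in h["external"]:
            print(f"    -> <{to}> via {relay} ({status})")
```

Run it as `python3 pickup_audit.py /var/log/mail.log` (without an argument it runs over the constructed sample). The report narrows the question to the messages that matter: pickup-submitted mail that went somewhere other than a local mailbox. Postfix only records the uid of the submitter, so the script can tell you that root (uid=0) invoked sendmail or postdrop at a given timestamp, but not which process did; matching that timestamp against cron schedules, process accounting or application logs on the host is the next step outside mail.log.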