Score:0

Unknown domains "pl.d.sender-sib.com" and "gmail.com" under /var/vmail/ on Ubuntu Server 20.04 running postfix/dovecot/spamassassin/amavis


I am running postfix/dovecot with spamassassin and amavis on Ubuntu Server 20.04. I am also using this server as a LEMP WordPress server. I have configured everything (email wise) according to the Linuxbabe.com tutorials located at [https://www.linuxbabe.com/mail-server/setup-basic-postfix-mail-sever-ubuntu][1]

Recently, while navigating my directories from the terminal, I noticed the /var/vmail/ directory which contains all of my proper email domains, i.e. example.com, example2.com, example3.com and example4.com.

However, there I have spotted an oddity and am wondering if someone got into or hacked my email system (highly unlikely) somehow. There is a domain (in the form of a folder name) in that directory called "pl.d.sender-sib.com" as well as a folder called "gmail.com".

```
ls -la /var/vmail/
drwxr-xr-x  9 vmail vmail 4096 Dec 29 09:03 .
drwxr-xr-x 16 root  root  4096 Dec  9 12:39 ..
drwx------  4 vmail vmail 4096 Jun 16  2021 mydomain1.com
drwx------  9 vmail vmail 4096 Sep 26 11:51 mydomain2.com
drwx------  3 vmail vmail 4096 Sep  9 17:17 gmail.com
drwx------  6 vmail vmail 4096 Dec 30 16:48 mydomain3.com
drwx------  7 vmail vmail 4096 Jan 21 18:41 mydomain4.com
drwx------  3 vmail vmail 4096 Dec 29 09:03 pl.d.sender-sib.com
drwx------  2 vmail vmail 4096 Feb  2 16:52 spamassassin
```

Inside the gmail.com directory is: /var/vmail/gmail.com/myemailaddressWithout"@gmail.com"/spamassassin/bayes_toks

and

/var/vmail/gmail.com/myemailaddressWithout"@gmail.com"/spamassassin/bayes_seen

Inside the pl.d.sender-sib.com directory is:

/var/vmail/pl.d.sender-sib.com/unsubscribe-t/spamassassin/bayes_seen

and

/var/vmail/pl.d.sender-sib.com/unsubscribe-t/spamassassin/bayes_toks

Could this be the work of an attacker and have I been hacked? Or are these directories that have been created by maybe spamassassin or amavis, WordPress emails, or some security program that I installed? How can I figure out where these directories came from, and is it safe or kosher to delete these? Please let me know as soon as possible! I do not want to be working on a compromised server, even though I am certain my server is relatively secure.

[1]: https://www.linuxbabe.com/mail-server/setup-basic-postfix-mail-sever-ubuntu

Score:1
user1016834

I know that I am 1 year late, but as I write this, I am testing the Sendinblue transactional email API service and that domain sender-sib.com makes an appearance in the email headers. Below is a snippet of my headers:

```
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@xxxxxxxxx header.s=mail header.b=RfTsdBxT;
       spf=pass (google.com: domain of [email protected] designates 77.32.148.24 as permitted sender) smtp.mailfrom="[email protected]"
Return-Path: <[email protected]>
Received: from gx.d.sender-sib.com (gx.d.sender-sib.com. [77.32.148.24])
        by mx.google.com with ESMTPS id f5-20020a7bcc05000000b003f047856994si1756081wmh.199.2023.04.19.11.04.03
        for <[email protected]>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 19 Apr 2023 11:04:03 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 77.32.148.24 as permitted sender) client-ip=77.32.148.24;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@xxxxxxxxx header.s=mail header.b=RfTsdBxT;
       spf=pass (google.com: domain of [email protected] designates 77.32.148.24 as permitted sender) smtp.mailfrom="[email protected]"
```

Based on that, I conclude that sender-sib.com is the property of Sendinblue, therefore you can rest easy seeing that domain.

This does not provide an answer to the question. Once you have sufficient [reputation](https://serverfault.com/help/whats-reputation) you will be able to [comment on any post](https://serverfault.com/help/privileges/comment); instead, [provide answers that don't require clarification from the asker](https://meta.stackexchange.com/questions/214173/why-do-i-need-50-reputation-to-comment-what-can-i-do-instead). - [From Review](/review/late-answers/549252)
Score:1

The files bayes_toks, bayes_seen are created by SpamAssassin for each email user on your system. For some reason, your system is also passing through SpamAssassin some messages addressed to external domains like gmail.com or pl.d.sender-sib.com. You need to review your mail logs and your mail system configuration to check why this happens.
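
As an added example (not code from the answer, the asker, or the Linuxbabe tutorial): a small Python script that does the log review the answer suggests. It parses amavis verdict lines in the usual mail.log shape, reports every scanned delivery whose recipient domain is not one the server hosts, and cross-checks the /var/vmail listing against the hosted-domain list. The hosted domains and the log lines are constructed placeholders; on a real box the domains come from postfix's virtual_mailbox_domains and the lines from /var/log/mail.log.

```python
import re

# Domains this server hosts (constructed placeholder list: on the real box take
# them from postfix's virtual_mailbox_domains or the mail database).
LOCAL_DOMAINS = {"mydomain1.com", "mydomain2.com", "mydomain3.com", "mydomain4.com"}

# Constructed sample lines in the shape amavis writes to /var/log/mail.log.
SAMPLE_LOG = """\
Dec 29 09:03:11 mail amavis[2201]: (02201-03) Passed CLEAN {RelayedOutbound}, <alice@mydomain1.com> -> <unsubscribe-t@pl.d.sender-sib.com>, Queue-ID: 4AB12C, Message-ID: <a1@mydomain1.com>, mail_id: xyz, Hits: -0.1, size: 2048, queued_as: 4AB12D, 512 ms
Dec 29 09:04:02 mail amavis[2201]: (02201-04) Passed CLEAN {RelayedInbound}, [203.0.113.5]:50210 [203.0.113.5] <bob@example.org> -> <alice@mydomain1.com>, Queue-ID: 4AB12E, Message-ID: <b2@example.org>, mail_id: abc, Hits: 1.2, size: 1024, queued_as: 4AB12F, 300 ms
Sep  9 17:17:40 mail amavis[1990]: (01990-12) Passed CLEAN {RelayedOutbound}, <alice@mydomain1.com> -> <me@gmail.com>,<alice@mydomain1.com>, Queue-ID: 4AB130, Message-ID: <c3@mydomain1.com>, mail_id: def, Hits: -1.0, size: 4096, queued_as: 4AB131, 410 ms
Dec 29 09:05:00 mail postfix/smtpd[2310]: connect from unknown[203.0.113.9]
"""

# One amavis verdict line: "(id) Passed CLEAN {Flow}, ... <from> -> <rcpt>[,<rcpt>...], Queue-ID: ..."
AMAVIS_RE = re.compile(
    r"amavis\[\d+\]: \((?P<id>[\d-]+)\) (?P<verdict>\w+ \w+) \{(?P<flow>\w+)\},"
    r".*? -> (?P<rcpts><[^>]+>(?:,<[^>]+>)*)"
)

def scanned_recipients(line):
    """Return (address, domain, flow) for each recipient of an amavis verdict line."""
    m = AMAVIS_RE.search(line)
    if not m:
        return []
    return [(a, a.rsplit("@", 1)[-1].lower(), m["flow"])
            for a in re.findall(r"<([^>]+)>", m["rcpts"])]

def foreign_recipients(log_text, local_domains):
    """Every scanned delivery whose recipient domain this server does not host.
    With per-recipient Bayes paths, each of these yields a
    /var/vmail/<domain>/<user>/spamassassin/ tree like the ones in the question."""
    return [hit for line in log_text.splitlines()
            for hit in scanned_recipients(line) if hit[1] not in local_domains]

def unexpected_vmail_dirs(dir_names, local_domains, ignore=("spamassassin",)):
    """Entries under /var/vmail that are neither hosted domains nor SpamAssassin's
    global state directory; each should be explained by a foreign_recipients() hit."""
    return sorted(d for d in dir_names if d not in local_domains and d not in ignore)

if __name__ == "__main__":
    for addr, dom, flow in foreign_recipients(SAMPLE_LOG, LOCAL_DOMAINS):
        print(f"{flow:16} -> {addr}  (domain {dom} not hosted here)")
    print("unexpected dirs:", unexpected_vmail_dirs(
        ["mydomain1.com", "gmail.com", "pl.d.sender-sib.com", "spamassassin"], LOCAL_DOMAINS))
```

Run it against the real log with `grep amavis /var/log/mail.log` piped in, and compare the reported domains with the stray directory names; a matching RelayedOutbound entry points at local mail the server itself scanned, not at an intruder.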

DanRan
Thank you for your answer! So to be clear, would the directories "gmail.com" and "pl.d.sender-sib.com" be autocreated by spamassassin due to the fact that they are passing through messages addressed to external domains? Secondly, when you say "passing through", are you saying that spamassassin is checking for spam on outgoing messages addressed to those domains? Because as far as I can tell, I have never sent messages to those domains. I will check the logs and get back to you with more info in my answer. Hopefully you can help in the meantime with the above clarifications @AlexD. Thanks amigo!