Sometimes, early in the morning (around 3am / 4am), my server (a Linux CentOS server with Apache/Postfix) shows a high volume of postfix and amavisd operations (I see this with the "top" and "service amavisd status" commands, or by looking at the maillog file).
I can't believe that these are due to legal email operations from my customers at this time. Most probably this must be due to someone using my server to relay spam email. Although my server is not an open relay, it is possible that some customer, or someone with some customer's password, could be doing this.
I am trying to understand the maillog data so that, when this happens, I can find any useful info to help me in blocking these guys. See, for instance, the attached piece of the maillog file. This is from a normal email sending operation. I sent one email from "firstname.lastname@example.org" to "email@example.com". Could anyone explain these lines to me (if possible, one by one) so that I can understand each of them? And please, which of these lines tell me that this send operation used my server as the relay (as SMTP)?
Thanks a lot.
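Added example, not part of the original post: one way to check the maillog for the case the question describes, a customer account sending through the server at night. It assumes Postfix's default syslog format with SASL-authenticated submission; `summarize` and `SAMPLE_LOG` are hypothetical names and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in Postfix's usual syslog format (not from the post).
SAMPLE_LOG = """\
Mar 10 03:12:01 mail postfix/smtpd[2101]: 4A1B2C3D4E: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=alice@example.com
Mar 10 03:12:01 mail postfix/qmgr[1500]: 4A1B2C3D4E: from=<promo@example.net>, size=2048, nrcpt=50 (queue active)
Mar 10 03:12:03 mail postfix/smtpd[2101]: 5B2C3D4E5F: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=alice@example.com
Mar 10 03:12:03 mail postfix/qmgr[1500]: 5B2C3D4E5F: from=<promo@example.net>, size=2050, nrcpt=50 (queue active)
Mar 10 03:15:40 mail postfix/smtpd[2102]: 7D4E5F6071: client=mx.example.org[192.0.2.5]
Mar 10 03:15:40 mail postfix/qmgr[1500]: 7D4E5F6071: from=<carol@example.org>, size=700, nrcpt=1 (queue active)
Mar 10 09:30:11 mail postfix/smtpd[3200]: 6C3D4E5F60: client=host.example.org[198.51.100.20], sasl_method=PLAIN, sasl_username=bob@example.com
Mar 10 09:30:11 mail postfix/qmgr[1500]: 6C3D4E5F60: from=<bob@example.com>, size=900, nrcpt=1 (queue active)
""".splitlines()

# smtpd logs the authenticated login next to the queue ID of each accepted message.
# A client= line without sasl_username is unauthenticated (e.g. inbound mail).
AUTH_RE = re.compile(r"^\w{3}\s+\d+ (\d{2}):\d{2}:\d{2} \S+ postfix/smtpd\[\d+\]: "
                     r"(\w+): client=\S+?\[([^\]]+)\], .*sasl_username=(\S+)")
# qmgr logs the envelope sender and recipient count under the same queue ID.
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>, size=\d+, nrcpt=(\d+)")

def summarize(lines, night_hours=(3, 4)):
    """Per SASL login: messages, recipients, client IPs, senders seen in night_hours."""
    by_qid = {}  # queue ID -> login that submitted it
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0,
                                 "ips": set(), "senders": set()})
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            hour, qid, ip, user = int(m.group(1)), m.group(2), m.group(3), m.group(4)
            if hour in night_hours:
                by_qid[qid] = user
                stats[user]["messages"] += 1
                stats[user]["ips"].add(ip)
            continue
        m = QMGR_RE.search(line)
        # pop() so a deferred message re-entering the active queue is counted once
        user = by_qid.pop(m.group(1), None) if m else None
        if user:
            stats[user]["senders"].add(m.group(2))
            stats[user]["recipients"] += int(m.group(3))
    return dict(stats)

if __name__ == "__main__":
    for user, s in summarize(SAMPLE_LOG).items():
        print(user, s)
```

A login that shows many messages, a high recipient total, unfamiliar client IPs, or envelope senders that differ from the account name is the one to investigate first.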