How to understand this piece of maillog?

Sometimes, early in the morning (around 3am / 4am) my server (a Linux CentOS server with Apache/Postfix) shows a high volume of Postfix and amavisd activity (I see this with the "top" and "service amavisd status" commands, or by looking at the maillog file).

I can't believe that these are legitimate email operations from my customers at this time. Most probably this is due to someone using my server to relay spam. Although my server is not an open relay, it is possible that some customer, or someone with a customer's password, is doing this.

I am trying to understand the maillog data so that, when this happens, I can find useful information to help me block these guys. See, for instance, the attached piece of the maillog file. This is from a normal email sending operation: I sent one email from "multisites@adveniat.com.br" to "multisites.com.br@itelefonica.com.br". Could anyone explain these lines to me (if possible, one by one) so that I can understand each of them? And please, which of these lines tell me that this send operation used my server as the relay (as SMTP)?

Thanks a lot.
Mario./
multisites Asked:

ivailoj Commented:
Where is the bad-sending example :) ?!?

This is what I see: it is the usual log for when you send:
"Open relay? Nonlocal recips but not originating: multisites.com.br@itelefonica.com.br"

You are permitted to send "anything that you want" from your machine; it's the remote server that must check what is going to enter and from whom! It's strange that the message was accepted by him.

If you want to check "Sender address verification for all email" look at:
http://www.postfix.org/ADDRESS_VERIFICATION_README.html#forged_sender

If you see other lines like this, it's SPAM :), some PC has bugs.

Please send other log that really troubles you.
 
multisites Author Commented:
Sorry, I forgot the maillog file. Here it goes.
maillog.txt
 
cjl7 (freelance for hire) Commented:
From where do you allow relaying?

Is your domain blacklisted (as an open relay, or as a spammer)?

If someone is using computers (hacked or not) from where you allow relaying that is "ok", at least as far as postfix goes. That doesn't mean that the emails sent aren't spam or otherwise unwanted.

The error suggests that the MX record doesn't correspond with the domain (I think), but I'm not sure. I'm on the bus so I'll get back to you on that.

 
multisites Author Commented:
All our customers' domains whose mailboxes are on this server have SPF records properly configured. This server is not an open relay and it has rDNS (reverse DNS). OK, it can eventually be listed in one or two blacklists due to mass email from a customer or from someone who has a customer's password. That's why I need to understand these maillog lines, so that I can, at any moment, "see" what is happening. Thanks.
PS: The piece of maillog I attached is from a good email sending; I sent that email myself to get the related maillog lines and understand them.
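As an added example (not from the question or any of the answers): a small Python script that correlates Postfix maillog lines by queue ID and picks out the messages that entered through smtpd with a SASL login, which is what a customer account relaying through this server looks like, then summarises each account by message count, recipient total, client IPs and hour of day. The log lines, account names, IPs and thresholds below are constructed assumptions, not from the attached maillog.

```python
import re
from collections import defaultdict

# Constructed maillog excerpt (not the question's attachment): one customer account
# submitting via SASL from two client IPs at 3am, plus a locally generated message
# (postfix/pickup, no SASL login) for contrast.
SAMPLE_LOG = """\
Jan 12 03:14:07 mail postfix/smtpd[12345]: A1B2C3D4E5: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=customer@example.com
Jan 12 03:14:07 mail postfix/qmgr[1234]: A1B2C3D4E5: from=<customer@example.com>, size=2345, nrcpt=40 (queue active)
Jan 12 03:15:01 mail postfix/smtpd[12345]: F6E5D4C3B2: client=unknown[198.51.100.99], sasl_method=LOGIN, sasl_username=customer@example.com
Jan 12 03:15:01 mail postfix/qmgr[1234]: F6E5D4C3B2: from=<customer@example.com>, size=2311, nrcpt=35 (queue active)
Jan 12 09:02:10 mail postfix/pickup[1200]: 0A0B0C0D0E: uid=48 from=<apache>
Jan 12 09:02:10 mail postfix/qmgr[1234]: 0A0B0C0D0E: from=<apache@mail.example.com>, size=800, nrcpt=1 (queue active)
"""
# smtpd line: who connected (sasl_username only appears for an authenticated submission);
# qmgr line: envelope sender and recipient count for the same queue ID.
SMTPD_RE = re.compile(r"^\w{3} +\d+ (?P<time>\d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): "
                      r"client=[^\[]+\[(?P<ip>[^\]]+)\](?:, sasl_method=\S+, sasl_username=(?P<user>\S+))?")
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<from>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)")

def parse_maillog(text):
    """Correlate lines by Postfix queue ID into one record per message."""
    msgs = defaultdict(dict)
    for line in text.splitlines():
        m = SMTPD_RE.search(line) or QMGR_RE.search(line)
        if m is None:
            continue
        rec = msgs[m.group("qid")]
        if m.re is SMTPD_RE:
            rec.update(hour=m.group("time")[:2], client_ip=m.group("ip"), sasl_username=m.group("user"))
        else:
            rec.update(envelope_from=m.group("from"), nrcpt=int(m.group("nrcpt")))
    return dict(msgs)

def authenticated_relays(msgs):
    """Messages that came in via smtpd with a SASL login: a customer account relaying through the server."""
    return {qid: r for qid, r in msgs.items() if r.get("sasl_username")}

def summarize_by_account(msgs):
    """Per SASL account: message count, recipient total, distinct client IPs and hours of day seen."""
    out = defaultdict(lambda: {"messages": 0, "recipients": 0, "client_ips": set(), "hours": set()})
    for r in authenticated_relays(msgs).values():
        s = out[r["sasl_username"]]
        s["messages"] += 1
        s["recipients"] += r.get("nrcpt", 0)
        s["client_ips"].add(r["client_ip"])
        s["hours"].add(r["hour"])
    return dict(out)

def flag_accounts(summary, max_ips=1, max_rcpt=50):
    """Accounts worth checking for a stolen password: one login used from several client IPs,
    or an unusually large recipient total (thresholds are assumed; tune them per site)."""
    return sorted(u for u, s in summary.items() if len(s["client_ips"]) > max_ips or s["recipients"] > max_rcpt)
```

Run it against a real /var/log/maillog by reading the file into `parse_maillog`; messages without an smtpd line (local pickup from web scripts) never appear in the per-account summary, so check those separately.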