1

Topic: Mail sending span like open relay.

==== Required information ====
- iRedMail version (check /etc/iredmail-release):
- Linux/BSD distribution name and version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Web server (Apache or Nginx):
- Manage mail accounts with iRedAdmin-Pro?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
======== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.6 (0.9.4 update to 0.96)
- Linux/BSD distribution name and version: Debian 8
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
Hello Guys, could you help me with some doubts?
My email server is sending spam for unknown domains.

Ex: email@unknown.com to email@unknown.com

And sending emails of all my email accounts (my domain) to other domain, sending alot of spam (200k mails per day).
I made the change of the passwords of all the emails, but it did not solve.
Anyone have any ideas?

My postconf -f:

postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_sender_restrictions
postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_client_restrictions
postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_helo_restrictions
2bounce_notice_recipient = postmaster
access_map_defer_code = 450
access_map_reject_code = 554
address_verify_cache_cleanup_interval = 12h
address_verify_default_transport = $default_transport
address_verify_local_transport = $local_transport
address_verify_map = btree:$data_directory/verify_cache
address_verify_negative_cache = yes
address_verify_negative_expire_time = 3d
address_verify_negative_refresh_time = 3h
address_verify_poll_count = ${stress?1}${stress:3}
address_verify_poll_delay = 3s
address_verify_positive_expire_time = 31d
address_verify_positive_refresh_time = 7d
address_verify_relay_transport = $relay_transport
address_verify_relayhost = $relayhost
address_verify_sender = $double_bounce_sender
address_verify_sender_dependent_default_transport_maps =
    $sender_dependent_default_transport_maps
address_verify_sender_dependent_relayhost_maps =
    $sender_dependent_relayhost_maps
address_verify_sender_ttl = 0s
address_verify_service_name = verify
address_verify_transport_maps = $transport_maps
address_verify_virtual_transport = $virtual_transport
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_mail_to_commands = alias, forward
allow_mail_to_files = alias, forward
allow_min_user = no
allow_percent_hack = no
allow_untrusted_routing = no
alternate_config_directories =
always_add_missing_headers = no
always_bcc =
anvil_rate_time_unit = 60s
anvil_status_update_time = 600s
append_at_myorigin = yes
append_dot_mydomain = yes
application_event_drain_time = 100s
authorized_flush_users = static:anyone
authorized_mailq_users = static:anyone
authorized_submit_users = static:anyone
backwards_bounce_logfile_compatibility = yes
berkeley_db_create_buffer_size = 16777216
berkeley_db_read_buffer_size = 131072
best_mx_transport =
biff = no
body_checks = pcre:/etc/postfix/body_checks.pcre
body_checks_size_limit = 51200
bounce_notice_recipient = postmaster
bounce_queue_lifetime = 5d
bounce_service_name = bounce
bounce_size_limit = 50000
bounce_template_file =
broken_sasl_auth_clients = no
bsmtp_delivery_slot_cost = $default_delivery_slot_cost
bsmtp_delivery_slot_discount = $default_delivery_slot_discount
bsmtp_delivery_slot_loan = $default_delivery_slot_loan
bsmtp_destination_concurrency_failed_cohort_limit =
    $default_destination_concurrency_failed_cohort_limit
bsmtp_destination_concurrency_limit = $default_destination_concurrency_limit
bsmtp_destination_concurrency_negative_feedback =
    $default_destination_concurrency_negative_feedback
bsmtp_destination_concurrency_positive_feedback =
    $default_destination_concurrency_positive_feedback
bsmtp_destination_rate_delay = $default_destination_rate_delay
bsmtp_destination_recipient_limit = $default_destination_recipient_limit
bsmtp_extra_recipient_limit = $default_extra_recipient_limit
bsmtp_initial_destination_concurrency = $initial_destination_concurrency
bsmtp_minimum_delivery_slots = $default_minimum_delivery_slots
bsmtp_recipient_limit = $default_recipient_limit
bsmtp_recipient_refill_delay = $default_recipient_refill_delay
bsmtp_recipient_refill_limit = $default_recipient_refill_limit
bsmtp_time_limit = $command_time_limit
canonical_classes = envelope_sender, envelope_recipient, header_sender,
    header_recipient
canonical_maps =
cleanup_service_name = cleanup
command_directory = /usr/sbin
command_execution_directory =
command_expansion_filter =
    1234567890!@%-_=+:,./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
command_time_limit = 1000s
config_directory = /etc/postfix
connection_cache_protocol_timeout = 5s
connection_cache_service_name = scache
connection_cache_status_update_time = 600s
connection_cache_ttl_limit = 2s
content_filter = smtp-amavis:[127.0.0.1]:10024
cyrus_sasl_config_path =
daemon_directory = /usr/lib/postfix
daemon_table_open_error_is_fatal = no
daemon_timeout = 18000s
data_directory = /var/lib/postfix
debug_peer_level = 2
debug_peer_list =
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
    $daemon_directory/$process_name $process_id & sleep 5
default_database_type = hash
default_delivery_slot_cost = 5
default_delivery_slot_discount = 50
default_delivery_slot_loan = 3
default_destination_concurrency_failed_cohort_limit = 1
default_destination_concurrency_limit = 20
default_destination_concurrency_negative_feedback = 1
default_destination_concurrency_positive_feedback = 1
default_destination_rate_delay = 0s
default_destination_recipient_limit = 50
default_extra_recipient_limit = 1000
default_filter_nexthop =
default_minimum_delivery_slots = 3
default_privs = nobody
default_process_limit = 100
default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what]
    blocked using $rbl_domain${rbl_reason?; $rbl_reason}
default_recipient_limit = 20000
default_recipient_refill_delay = 5s
default_recipient_refill_limit = 100
default_transport = smtp
default_verp_delimiters = +=
defer_code = 450
defer_service_name = defer
defer_transports =
delay_logging_resolution_limit = 2
delay_notice_recipient = postmaster
delay_warning_time = 0h
deliver_lock_attempts = 20
deliver_lock_delay = 1s
destination_concurrency_feedback_debug = no
detect_8bit_encoding_header = yes
disable_dns_lookups = no
disable_mime_input_processing = no
disable_mime_output_conversion = no
disable_verp_bounces = no
disable_vrfy_command = yes
dnsblog_reply_delay = 0s
dnsblog_service_name = dnsblog
dont_remove = 0
double_bounce_sender = double-bounce
dovecot_delivery_slot_cost = $default_delivery_slot_cost
dovecot_delivery_slot_discount = $default_delivery_slot_discount
dovecot_delivery_slot_loan = $default_delivery_slot_loan
dovecot_destination_concurrency_failed_cohort_limit =
    $default_destination_concurrency_failed_cohort_limit
dovecot_destination_concurrency_limit = $default_destination_concurrency_limit
dovecot_destination_concurrency_negative_feedback =
    $default_destination_concurrency_negative_feedback
dovecot_destination_concurrency_positive_feedback =
    $default_destination_concurrency_positive_feedback
dovecot_destination_rate_delay = $default_destination_rate_delay
dovecot_destination_recipient_limit = 1
dovecot_extra_recipient_limit = $default_extra_recipient_limit
dovecot_initial_destination_concurrency = $initial_destination_concurrency
dovecot_minimum_delivery_slots = $default_minimum_delivery_slots
dovecot_recipient_limit = $default_recipient_limit
dovecot_recipient_refill_delay = $default_recipient_refill_delay
dovecot_recipient_refill_limit = $default_recipient_refill_limit
dovecot_time_limit = $command_time_limit
duplicate_filter_limit = 1000
empty_address_default_transport_maps_lookup_key = <>
empty_address_recipient = MAILER-DAEMON
empty_address_relayhost_maps_lookup_key = <>
enable_long_queue_ids = no
enable_original_recipient = no
error_delivery_slot_cost = $default_delivery_slot_cost
error_delivery_slot_discount = $default_delivery_slot_discount
error_delivery_slot_loan = $default_delivery_slot_loan
error_destination_concurrency_failed_cohort_limit =
    $default_destination_concurrency_failed_cohort_limit
error_destination_concurrency_limit = $default_destination_concurrency_limit
error_destination_concurrency_negative_feedback =
    $default_destination_concurrency_negative_feedback
error_destination_concurrency_positive_feedback =
    $default_destination_concurrency_positive_feedback
error_destination_rate_delay = $default_destination_rate_delay
error_destination_recipient_limit = $default_destination_recipient_limit
error_extra_recipient_limit = $default_extra_recipient_limit
error_initial_destination_concurrency = $initial_destination_concurrency
error_minimum_delivery_slots = $default_minimum_delivery_slots
error_notice_recipient = postmaster
error_recipient_limit = $default_recipient_limit
error_recipient_refill_delay = $default_recipient_refill_delay
error_recipient_refill_limit = $default_recipient_refill_limit
error_service_name = error
execution_directory_expansion_filter =
    1234567890!@%-_=+:,./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
expand_owner_alias = no
export_environment = TZ MAIL_CONFIG LANG
fallback_transport =
fallback_transport_maps =
fast_flush_domains = $relay_domains
fast_flush_purge_time = 7d
fast_flush_refresh_time = 12h
fault_injection_code = 0
flush_service_name = flush
fork_attempts = 5
fork_delay = 1s
forward_expansion_filter =
    1234567890!@%-_=+:,./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
forward_path = $home/.forward${recipient_delimiter}${extension}, $home/.forward
frozen_delivered_to = yes
hash_queue_depth = 1
hash_queue_names = deferred, defer
header_address_token_limit = 10240
header_checks = pcre:/etc/postfix/header_checks
header_size_limit = 102400
helpful_warnings = yes
home_mailbox =
hopcount_limit = 50
html_directory = no
ifmail_delivery_slot_cost = $default_delivery_slot_cost
ifmail_delivery_slot_discount = $default_delivery_slot_discount
ifmail_delivery_slot_loan = $default_delivery_slot_loan
ifmail_destination_concurrency_failed_cohort_limit =
    $default_destination_concurrency_failed_cohort_limit
ifmail_destination_concurrency_limit = $default_destination_concurrency_limit
ifmail_destination_concurrency_negative_feedback =
    $default_destination_concurrency_negative_feedback
ifmail_destination_concurrency_positive_feedback =
    $default_destination_concurrency_positive_feedback
ifmail_destination_rate_delay = $default_destination_rate_delay
ifmail_destination_recipient_limit = $default_destination_recipient_limit
ifmail_extra_recipient_limit = $default_extra_recipient_limit
ifmail_initial_destination_concurrency = $initial_destination_concurrency
ifmail_minimum_delivery_slots = $default_minimum_delivery_slots
ifmail_recipient_limit = $default_recipient_limit
ifmail_recipient_refill_delay = $default_recipient_refill_delay
ifmail_recipient_refill_limit = $default_recipient_refill_limit
ifmail_time_limit = $command_time_limit
ignore_mx_lookup_error = no
import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY
    LANG=C
in_flow_delay = 1s
inet_interfaces = all
inet_protocols = ipv4
initial_destination_concurrency = 5
internal_mail_filter_classes =
invalid_hostname_reject_code = 501
ipc_idle = 5s
ipc_timeout = 3600s
ipc_ttl = 1000s
line_length_limit = 2048
lmdb_map_size = 16777216
lmtp_address_preference = any
lmtp_assume_final = no
lmtp_bind_address =
lmtp_bind_address6 =
lmtp_body_checks =
lmtp_cname_overrides_servername = no
lmtp_connect_timeout = 0s
lmtp_connection_cache_destinations =
lmtp_connection_cache_on_demand = yes
lmtp_connection_cache_time_limit = 2s
lmtp_connection_reuse_count_limit = 0
lmtp_connection_reuse_time_limit = 300s
lmtp_data_done_timeout = 600s
lmtp_data_init_timeout = 120s
lmtp_data_xfer_timeout = 180s
lmtp_defer_if_no_mx_address_found = no
lmtp_delivery_slot_cost = $default_delivery_slot_cost
lmtp_delivery_slot_discount = $default_delivery_slot_discount
lmtp_delivery_slot_loan = $default_delivery_slot_loan
lmtp_destination_concurrency_failed_cohort_limit =
    $default_destination_concurrency_failed_cohort_limit
lmtp_destination_concurrency_limit = $default_destination_concurrency_limit
lmtp_destination_concurrency_negative_feedback =
    $default_destination_concurrency_negative_feedback
lmtp_destination_concurrency_positive_feedback =
    $default_destination_concurrency_positive_feedback
lmtp_destination_rate_delay = $default_destination_rate_delay
lmtp_destination_recipient_limit = $default_destination_recipient_limit
lmtp_discard_lhlo_keyword_address_maps =
lmtp_discard_lhlo_keywords =
lmtp_dns_resolver_options =
lmtp_dns_support_level =
lmtp_enforce_tls = no
lmtp_extra_recipient_limit = $default_extra_recipient_limit
lmtp_generic_maps =
lmtp_header_checks =
lmtp_host_lookup = dns
lmtp_initial_destination_concurrency = $initial_destination_concurrency
lmtp_lhlo_name = $myhostname
lmtp_lhlo_timeout = 300s
lmtp_line_length_limit = 998
lmtp_mail_timeout = 300s
lmtp_mime_header_checks =
lmtp_minimum_delivery_slots = $default_minimum_delivery_slots
lmtp_mx_address_limit = 5
lmtp_mx_session_limit = 2
lmtp_nested_header_checks =
lmtp_per_record_deadline = no
lmtp_pix_workaround_delay_time = 10s
lmtp_pix_workaround_maps =
lmtp_pix_workaround_threshold_time = 500s
lmtp_pix_workarounds = disable_esmtp,delay_dotcrlf
lmtp_quit_timeout = 300s
lmtp_quote_rfc821_envelope = yes
lmtp_randomize_addresses = yes
lmtp_rcpt_timeout = 300s
lmtp_recipient_limit = $default_recipient_limit
lmtp_recipient_refill_delay = $default_recipient_refill_delay
lmtp_recipient_refill_limit = $default_recipient_refill_limit
lmtp_reply_filter =
lmtp_rset_timeout = 20s
lmtp_sasl_auth_cache_name =
lmtp_sasl_auth_cache_time = 90d
lmtp_sasl_auth_enable = no
lmtp_sasl_auth_soft_bounce = yes
lmtp_sasl_mechanism_filter =
lmtp_sasl_password_maps =
lmtp_sasl_path =
lmtp_sasl_security_options = noplaintext, noanonymous
lmtp_sasl_tls_security_options = $lmtp_sasl_security_options
lmtp_sasl_tls_verified_security_options = $lmtp_sasl_tls_security_options
lmtp_sasl_type = cyrus
lmtp_send_dummy_mail_auth = no
lmtp_send_xforward_command = no
lmtp_sender_dependent_authentication = no
lmtp_skip_5xx_greeting = yes
lmtp_skip_quit_response = no
lmtp_starttls_timeout = 300s
lmtp_tcp_port = 24
lmtp_tls_CAfile =
lmtp_tls_CApath =
lmtp_tls_block_early_mail_reply = no
lmtp_tls_cert_file =
lmtp_tls_ciphers = export
lmtp_tls_dcert_file =
lmtp_tls_dkey_file = $lmtp_tls_dcert_file
lmtp_tls_eccert_file =
lmtp_tls_eckey_file = $lmtp_tls_eccert_file
lmtp_tls_enforce_peername = yes
lmtp_tls_exclude_ciphers =
lmtp_tls_fingerprint_cert_match =
lmtp_tls_fingerprint_digest = md5
lmtp_tls_force_insecure_host_tlsa_lookup = no
lmtp_tls_key_file = $lmtp_tls_cert_file
lmtp_tls_loglevel = 0
lmtp_tls_mandatory_ciphers = medium
lmtp_tls_mandatory_exclude_ciphers =
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3
lmtp_tls_note_starttls_offer = no
lmtp_tls_per_site =
lmtp_tls_policy_maps =
lmtp_tls_protocols = !SSLv2 !SSLv3
lmtp_tls_scert_verifydepth = 9
lmtp_tls_secure_cert_match = nexthop
lmtp_tls_security_level =
lmtp_tls_session_cache_database =
lmtp_tls_session_cache_timeout = 3600s
lmtp_tls_trust_anchor_file =
lmtp_tls_verify_cert_match = hostname
lmtp_use_tls = no
lmtp_xforward_timeout = 300s
local_command_shell =
local_delivery_slot_cost = $default_delivery_slot_cost
local_delivery_slot_discount = $default_delivery_slot_discount
local_delivery_slot_loan = $default_delivery_slot_loan
local_destination_concurrency_failed_cohort_limit =
    $default_destination_concurrency_failed_cohort_limit
local_destination_concurrency_limit = 2
local_destination_concurrency_negative_feedback =
    $default_destination_concurrency_negative_feedback
local_destination_concurrency_positive_feedback =
    $default_destination_concurrency_positive_feedback
local_destination_rate_delay = $default_destination_rate_delay
local_destination_recipient_limit = 1
local_extra_recipient_limit = $default_extra_recipient_limit
local_header_rewrite_clients = permit_inet_interfaces
local_initial_destination_concurrency = $initial_destination_concurrency
local_minimum_delivery_slots = $default_minimum_delivery_slots
local_recipient_limit = $default_recipient_limit
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
local_recipient_refill_delay = $default_recipient_refill_delay
local_recipient_refill_limit = $default_recipient_refill_limit
local_transport = local:$myhostname
luser_relay =
mail_name = Postfix
mail_owner = postfix
mail_release_date = 20141019
mail_spool_directory = /var/mail
mail_version = 2.11.3
mailbox_command =
mailbox_command_maps =
mailbox_delivery_lock = fcntl, dotlock
mailbox_size_limit = 157286400
mailbox_transport =
mailbox_transport_maps =
maildrop_delivery_slot_cost = $default_delivery_slot_cost
maildrop_delivery_slot_discount = $default_delivery_slot_discount
maildrop_delivery_slot_loan = $default_delivery_slot_loan
maildrop_destination_concurrency_failed_cohort_limit =
    $default_destination_concurrency_failed_cohort_limit
maildrop_destination_concurrency_limit = $default_destination_concurrency_limit
maildrop_destination_concurrency_negative_feedback =
    $default_destination_concurrency_negative_feedback
maildrop_destination_concurrency_positive_feedback =
    $default_destination_concurrency_positive_feedback
maildrop_destination_rate_delay = $default_destination_rate_delay
maildrop_destination_recipient_limit = $default_destination_recipient_limit
maildrop_extra_recipient_limit = $default_extra_recipient_limit
maildrop_initial_destination_concurrency = $initial_destination_concurrency
maildrop_minimum_delivery_slots = $default_minimum_delivery_slots
maildrop_recipient_limit = $default_recipient_limit
maildrop_recipient_refill_delay = $default_recipient_refill_delay
maildrop_recipient_refill_limit = $default_recipient_refill_limit
maildrop_time_limit = $command_time_limit
mailman_delivery_slot_cost = $default_delivery_slot_cost
mailman_delivery_slot_discount = $default_delivery_slot_discount
mailman_delivery_slot_loan = $default_delivery_slot_loan
mailman_destination_concurrency_failed_cohort_limit =
    $default_destination_concurrency_failed_cohort_limit
mailman_destination_concurrency_limit = $default_destination_concurrency_limit
mailman_destination_concurrency_negative_feedback =
    $default_destination_concurrency_negative_feedback
mailman_destination_concurrency_positive_feedback =
    $default_destination_concurrency_positive_feedback
mailman_destination_rate_delay = $default_destination_rate_delay
mailman_destination_recipient_limit = $default_destination_recipient_limit
mailman_extra_recipient_limit = $default_extra_recipient_limit
mailman_initial_destination_concurrency = $initial_destination_concurrency
mailman_minimum_delivery_slots = $default_minimum_delivery_slots
mailman_recipient_limit = $default_recipient_limit
mailman_recipient_refill_delay = $default_recipient_refill_delay
mailman_recipient_refill_limit = $default_recipient_refill_limit
mailman_time_limit = $command_time_limit
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_domains =
maps_rbl_reject_code = 554
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions =
master_service_disable =
max_idle = 100s
max_use = 100
maximal_backoff_time = 4000s
maximal_queue_lifetime = 1d
message_reject_characters =
message_size_limit = 157286400
message_strip_characters =
milter_command_timeout = 30s
milter_connect_macros = j {daemon_name} v
milter_connect_timeout = 30s
milter_content_timeout = 300s
milter_data_macros = i
milter_default_action = tempfail
milter_end_of_data_macros = i
milter_end_of_header_macros = i
milter_header_checks =
milter_helo_macros = {tls_version} {cipher} {cipher_bits} {cert_subject}
    {cert_issuer}
milter_macro_daemon_name = $myhostname
milter_macro_v = $mail_name $mail_version
milter_mail_macros = i {auth_type} {auth_authen} {auth_author} {mail_addr}
    {mail_host} {mail_mailer}
milter_protocol = 6
milter_rcpt_macros = i {rcpt_addr} {rcpt_host} {rcpt_mailer}
milter_unknown_command_macros =
mime_boundary_length_limit = 2048
mime_header_checks = $header_checks
mime_nesting_limit = 100
minimal_backoff_time = 300s
multi_instance_directories =
multi_instance_enable = no
multi_instance_group =
multi_instance_name =
multi_instance_wrapper =
multi_recipient_bounce_reject_code = 550
mydestination = $myhostname, localhost, localhost.localdomain
mydomain = mail.macae.rj.gov.br
myhostname = mail.macae.rj.gov.br
mynetworks = 127.0.0.1, 177.223.198.246
mynetworks_style = subnet
myorigin = MACAEMAIL01
nested_header_checks = $header_checks
newaliases_path = /usr/bin/newaliases
non_fqdn_reject_code = 504
non_smtpd_milters =
notify_classes = resource, software
owner_request_special = yes
parent_domain_matches_subdomains =
    debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps
permit_mx_backup_networks =
pickup_service_name = pickup
plaintext_reject_code = 450
policyd-spf_time_limit = 3600
postmulti_control_commands = reload flush
postmulti_start_commands = start
postmulti_stop_commands = stop abort drain quick-stop
postscreen_access_list = permit_mynetworks,
    cidr:/etc/postfix/postscreen_access.cidr
postscreen_bare_newline_action = ignore
postscreen_bare_newline_enable = no
postscreen_bare_newline_ttl = 30d
postscreen_blacklist_action = enforce
postscreen_cache_cleanup_interval = 12h
postscreen_cache_map = btree:$data_directory/postscreen_cache
postscreen_cache_retention_time = 7d
postscreen_client_connection_count_limit = $smtpd_client_connection_count_limit
postscreen_command_count_limit = 20
postscreen_command_filter =
postscreen_command_time_limit = ${stress?10}${stress:300}s
postscreen_disable_vrfy_command = $disable_vrfy_command
postscreen_discard_ehlo_keyword_address_maps =
    $smtpd_discard_ehlo_keyword_address_maps
postscreen_discard_ehlo_keywords = $smtpd_discard_ehlo_keywords
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]*3
    b.barracudacentral.org=127.0.0.2*2
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_ttl = 1h
postscreen_dnsbl_whitelist_threshold = -2
postscreen_enforce_tls = $smtpd_enforce_tls
postscreen_expansion_filter = $smtpd_expansion_filter
postscreen_forbidden_commands = $smtpd_forbidden_commands
postscreen_greet_action = enforce
postscreen_greet_banner = $smtpd_banner
postscreen_greet_ttl = 1d
postscreen_greet_wait = ${stress?2}${stress:6}s
postscreen_helo_required = $smtpd_helo_required
postscreen_non_smtp_command_action = drop
postscreen_non_smtp_command_enable = no
postscreen_non_smtp_command_ttl = 30d
postscreen_pipelining_action = enforce
postscreen_pipelining_enable = no
postscreen_pipelining_ttl = 30d
postscreen_post_queue_limit = $default_process_limit
postscreen_pre_queue_limit = $default_process_limit
postscreen_reject_footer = $smtpd_reject_footer
postscreen_tls_security_level = $smtpd_tls_security_level
postscreen_upstream_proxy_protocol =
postscreen_upstream_proxy_timeout = 5s
postscreen_use_tls = $smtpd_use_tls
postscreen_watchdog_timeout = 10s
postscreen_whitelist_interfaces = static:all
prepend_delivered_header = command, file, forward
process_id = 2844
process_id_directory = pid
process_name = postconf
propagate_unmatched_extensions = canonical, virtual
proxy_interfaces =
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps
    $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps
    $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps
    $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps
    $transport_maps $virtual_alias_domains $virtual_alias_maps
    $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions
    $sender_dependent_relayhost_maps
proxy_write_maps = $smtp_sasl_auth_cache_name $lmtp_sasl_auth_cache_name
    $address_verify_map $postscreen_cache_map
proxymap_service_name = proxymap
proxywrite_service_name = proxywrite
qmgr_clog_warn_time = 300s
qmgr_daemon_timeout = 1000s
qmgr_fudge_factor = 100
qmgr_ipc_timeout = 60s
qmgr_message_active_limit = 20000
qmgr_message_recipient_limit = 20000
qmgr_message_recipient_minimum = 10
qmqpd_authorized_clients =
qmqpd_client_port_logging = no
qmqpd_error_delay = 1s
qmqpd_timeout = 300s
queue_directory = /var/spool/postfix
queue_file_attribute_count_limit = 100
queue_minfree = 0
queue_run_delay = 300s
queue_service_name = qmgr
rbl_reply_maps =
readme_directory = /usr/share/doc/postfix
receive_override_options =
recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf
    proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf
recipient_canonical_classes = envelope_recipient, header_recipient
recipient_canonical_maps =
recipient_delimiter = +
reject_code = 554
reject_tempfail_action = defer_if_permit
relay_clientcerts =
relay_delivery_slot_cost = $default_delivery_slot_cost
relay_delivery_slot_discount = $default_delivery_slot_discount
relay_delivery_slot_loan = $default_delivery_slot_loan
relay_destination_concurrency_failed_cohort_limit =
    $default_destination_concurrency_failed_cohort_limit
relay_destination_concurrency_limit = $default_destination_concurrency_limit
relay_destination_concurrency_negative_feedback =
    $default_destination_concurrency_negative_feedback
relay_destination_concurrency_positive_feedback =
    $default_destination_concurrency_positive_feedback
relay_destination_rate_delay = $default_destination_rate_delay
relay_destination_recipient_limit = $default_destination_recipient_limit
relay_domains = $mydestination proxy:mysql:/etc/postfix/mysql/relay_domains.cf
relay_domains_reject_code = 554
relay_extra_recipient_limit = $default_extra_recipient_limit
relay_initial_destination_concurrency = $initial_destination_concurrency
relay_minimum_delivery_slots = $default_minimum_delivery_slots
relay_recipient_limit = $default_recipient_limit
relay_recipient_maps =
relay_recipient_refill_delay = $default_recipient_refill_delay
relay_recipient_refill_limit = $default_recipient_refill_limit
relay_transport = relay
relayhost =
relocated_maps =
remote_header_rewrite_domain =
require_home_directory = no
reset_owner_alias = no
resolve_dequoted_address = yes
resolve_null_domain = no
resolve_numeric_domain = no
retry_delivery_slot_cost = $default_delivery_slot_cost
retry_delivery_slot_discount = $default_delivery_slot_discount
retry_delivery_slot_loan = $default_delivery_slot_loan
retry_destination_concurrency_failed_cohort_limit =
    $default_destination_concurrency_failed_cohort_limit
retry_destination_concurrency_limit = $default_destination_concurrency_limit
retry_destination_concurrency_negative_feedback =
    $default_destination_concurrency_negative_feedback
retry_destination_concurrency_positive_feedback =
    $default_destination_concurrency_positive_feedback
retry_destination_rate_delay = $default_destination_rate_delay
retry_destination_recipient_limit = $default_destination_recipient_limit
retry_extra_recipient_limit = $default_extra_recipient_limit
retry_initial_destination_concurrency = $initial_destination_concurrency
retry_minimum_delivery_slots = $default_minimum_delivery_slots
retry_recipient_limit = $default_recipient_limit
retry_recipient_refill_delay = $default_recipient_refill_delay
retry_recipient_refill_limit = $default_recipient_refill_limit
rewrite_service_name = rewrite
sample_directory = /usr/share/doc/postfix/examples
scalemail-backend_delivery_slot_cost = $default_delivery_slot_cost
scalemail-backend_delivery_slot_discount = $default_delivery_slot_discount
scalemail-backend_delivery_slot_loan = $default_delivery_slot_loan
scalemail-backend_destination_concurrency_failed_cohort_limit =
    $default_destination_concurrency_failed_cohort_limit
scalemail-backend_destination_concurrency_limit =
    $default_destination_concurrency_limit
scalemail-backend_destination_concurrency_negative_feedback =
    $default_destination_concurrency_negative_feedback
scalemail-backend_destination_concurrency_positive_feedback =
    $default_destination_concurrency_positive_feedback
scalemail-backend_destination_rate_delay = $default_destination_rate_delay
scalemail-backend_destination_recipient_limit =
    $default_destination_recipient_limit
scalemail-backend_extra_recipient_limit = $default_extra_recipient_limit
scalemail-backend_initial_destination_concurrency =
    $initial_destination_concurrency
scalemail-backend_minimum_delivery_slots = $default_minimum_delivery_slots
scalemail-backend_recipient_limit = $default_recipient_limit
scalemail-backend_recipient_refill_delay = $default_recipient_refill_delay
scalemail-backend_recipient_refill_limit = $default_recipient_refill_limit
scalemail-backend_time_limit = $command_time_limit
send_cyrus_sasl_authzid = no
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf
    proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf
sender_canonical_classes = envelope_sender, header_sender
sender_canonical_maps =
sender_dependent_default_transport_maps =
sender_dependent_relayhost_maps =
    proxy:mysql:/etc/postfix/mysql/sender_dependent_relayhost_maps.cf
sendmail_fix_line_endings = always
sendmail_path = /usr/sbin/sendmail
service_throttle_time = 60s
setgid_group = postdrop
show_user_unknown_table_name = yes
showq_service_name = showq
smtp-amavis_delivery_slot_cost = $default_delivery_slot_cost
smtp-amavis_delivery_slot_discount = $default_delivery_slot_discount
smtp-amavis_delivery_slot_loan = $default_delivery_slot_loan
smtp-amavis_destination_concurrency_failed_cohort_limit =
    $default_destination_concurrency_failed_cohort_limit
smtp-amavis_destination_concurrency_limit =
    $default_destination_concurrency_limit
smtp-amavis_destination_concurrency_negative_feedback =
    $default_destination_concurrency_negative_feedback
smtp-amavis_destination_concurrency_positive_feedback =
    $default_destination_concurrency_positive_feedback
smtp-amavis_destination_rate_delay = $default_destination_rate_delay
smtp-amavis_destination_recipient_limit = 1
smtp-amavis_extra_recipient_limit = $default_extra_recipient_limit
smtp-amavis_initial_destination_concurrency = $initial_destination_concurrency
smtp-amavis_minimum_delivery_slots = $default_minimum_delivery_slots
smtp-amavis_recipient_limit = $default_recipient_limit
smtp-amavis_recipient_refill_delay = $default_recipient_refill_delay
smtp-amavis_recipient_refill_limit = $default_recipient_refill_limit
smtp_address_preference = any
smtp_always_send_ehlo = yes
smtp_bind_address =
smtp_bind_address6 =
smtp_body_checks =
smtp_cname_overrides_servername = no
smtp_connect_timeout = 30s
smtp_connection_cache_destinations =
smtp_connection_cache_on_demand = yes
smtp_connection_cache_time_limit = 2s
smtp_connection_reuse_count_limit = 0
smtp_connection_reuse_time_limit = 300s
smtp_data_done_timeout = 600s
smtp_data_init_timeout = 120s
smtp_data_xfer_timeout = 180s
smtp_defer_if_no_mx_address_found = no
smtp_delivery_slot_cost = $default_delivery_slot_cost
smtp_delivery_slot_discount = $default_delivery_slot_discount
smtp_delivery_slot_loan = $default_delivery_slot_loan
smtp_destination_concurrency_failed_cohort_limit =
    $default_destination_concurrency_failed_cohort_limit
smtp_destination_concurrency_limit = $default_destination_concurrency_limit
smtp_destination_concurrency_negative_feedback =
    $default_destination_concurrency_negative_feedback
smtp_destination_concurrency_positive_feedback =
    $default_destination_concurrency_positive_feedback
smtp_destination_rate_delay = $default_destination_rate_delay
smtp_destination_recipient_limit = $default_destination_recipient_limit
smtp_discard_ehlo_keyword_address_maps =
smtp_discard_ehlo_keywords =
smtp_dns_resolver_options =
smtp_dns_support_level =
smtp_enforce_tls = no
smtp_extra_recipient_limit = $default_extra_recipient_limit
smtp_fallback_relay = $fallback_relay
smtp_generic_maps =
smtp_header_checks =
smtp_helo_name = $myhostname
smtp_helo_timeout = 300s
smtp_host_lookup = dns
smtp_initial_destination_concurrency = $initial_destination_concurrency
smtp_line_length_limit = 998
smtp_mail_timeout = 300s
smtp_mime_header_checks =
smtp_minimum_delivery_slots = $default_minimum_delivery_slots
smtp_mx_address_limit = 5
smtp_mx_session_limit = 2
smtp_nested_header_checks =
smtp_never_send_ehlo = no
smtp_per_record_deadline = no
smtp_pix_workaround_delay_time = 10s
smtp_pix_workaround_maps =
smtp_pix_workaround_threshold_time = 500s
smtp_pix_workarounds = disable_esmtp,delay_dotcrlf
smtp_quit_timeout = 300s
smtp_quote_rfc821_envelope = yes
smtp_randomize_addresses = yes
smtp_rcpt_timeout = 300s
smtp_recipient_limit = $default_recipient_limit
smtp_recipient_refill_delay = $default_recipient_refill_delay
smtp_recipient_refill_limit = $default_recipient_refill_limit
smtp_reply_filter =
smtp_rset_timeout = 20s
smtp_sasl_auth_cache_name =
smtp_sasl_auth_cache_time = 90d
smtp_sasl_auth_enable = no
smtp_sasl_auth_soft_bounce = yes
smtp_sasl_mechanism_filter =
smtp_sasl_password_maps =
smtp_sasl_path =
smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = $smtp_sasl_security_options
smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
smtp_sasl_type = cyrus
smtp_send_dummy_mail_auth = no
smtp_send_xforward_command = no
smtp_sender_dependent_authentication = no
smtp_skip_5xx_greeting = yes
smtp_skip_quit_response = yes
smtp_starttls_timeout = 300s
smtp_tls_CAfile = $smtpd_tls_CAfile
smtp_tls_CApath =
smtp_tls_block_early_mail_reply = no
smtp_tls_cert_file =
smtp_tls_ciphers = export
smtp_tls_dcert_file =
smtp_tls_dkey_file = $smtp_tls_dcert_file
smtp_tls_eccert_file =
smtp_tls_eckey_file = $smtp_tls_eccert_file
smtp_tls_enforce_peername = yes
smtp_tls_exclude_ciphers =
smtp_tls_fingerprint_cert_match =
smtp_tls_fingerprint_digest = md5
smtp_tls_force_insecure_host_tlsa_lookup = no
smtp_tls_key_file = $smtp_tls_cert_file
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers =
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_per_site =
smtp_tls_policy_maps =
smtp_tls_protocols = !SSLv2 !SSLv3
smtp_tls_scert_verifydepth = 9
smtp_tls_secure_cert_match = nexthop, dot-nexthop
smtp_tls_security_level = may
smtp_tls_session_cache_database =
smtp_tls_session_cache_timeout = 3600s
smtp_tls_trust_anchor_file =
smtp_tls_verify_cert_match = hostname
smtp_use_tls = no
smtp_xforward_timeout = 300s
smtpd_authorized_verp_clients = $authorized_verp_clients
smtpd_authorized_xclient_hosts =
smtpd_authorized_xforward_hosts =
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_connection_count_limit = 50
smtpd_client_connection_rate_limit = 0
smtpd_client_event_limit_exceptions =
    ${smtpd_client_connection_limit_exceptions:$mynetworks}
smtpd_client_message_rate_limit = 0
smtpd_client_new_tls_session_rate_limit = 0
smtpd_client_port_logging = no
smtpd_client_recipient_rate_limit = 0
smtpd_client_restrictions =
smtpd_command_filter =
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_open_until_valid_rcpt = yes
smtpd_delay_reject = yes
smtpd_discard_ehlo_keyword_address_maps =
smtpd_discard_ehlo_keywords =
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:7777
smtpd_enforce_tls = no
smtpd_error_sleep_time = 1s
smtpd_etrn_restrictions =
smtpd_expansion_filter =
    \t\40!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~
smtpd_forbidden_commands = CONNECT GET POST
smtpd_hard_error_limit = ${stress?1}${stress:20}
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated
    reject_non_fqdn_helo_hostname reject_invalid_helo_hostname check_helo_access
    pcre:/etc/postfix/helo_access.pcre
smtpd_history_flush_threshold = 100
smtpd_junk_command_limit = ${stress?1}${stress:100}
smtpd_log_access_permit_actions =
smtpd_milters =
smtpd_noop_commands =
smtpd_null_access_lookup_key = <>
smtpd_peername_lookup = yes
smtpd_per_record_deadline = ${stress?yes}${stress:no}
smtpd_policy_service_max_idle = 300s
smtpd_policy_service_max_ttl = 1000s
smtpd_policy_service_timeout = 100s
smtpd_proxy_ehlo = $myhostname
smtpd_proxy_filter =
smtpd_proxy_options =
smtpd_proxy_timeout = 100s
smtpd_recipient_limit = 1000
smtpd_recipient_overshoot_limit = 1000
smtpd_recipient_restrictions = reject_unknown_recipient_domain
    reject_non_fqdn_recipient reject_unlisted_recipient check_client_access
    hash:/etc/postfix/rbl_blacklist check_policy_service inet:127.0.0.1:7777
    permit_mynetworks permit_sasl_authenticated reject_unauth_destination
    check_policy_service unix:private/policyd-spf reject_rbl_client
    zen.spamhaus.org=127.0.0.[2..11]
smtpd_reject_footer =
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
    defer_unauth_destination reject_unauth_destination
smtpd_restriction_classes =
smtpd_sasl_auth_enable = no
smtpd_sasl_authenticated_header = no
smtpd_sasl_exceptions_networks =
smtpd_sasl_local_domain =
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_service = smtp
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
smtpd_sender_restrictions = reject_unknown_sender_domain reject_non_fqdn_sender
    reject_unlisted_sender permit_mynetworks permit_sasl_authenticated
    check_sender_access pcre:/etc/postfix/sender_access.pcre
smtpd_service_name = smtpd
smtpd_soft_error_limit = 10
smtpd_starttls_timeout = ${stress?10}${stress:300}s
smtpd_timeout = ${stress?10}${stress:300}s
smtpd_tls_CAfile = /etc/ssl/webmail/server.crt
smtpd_tls_CApath =
smtpd_tls_always_issue_session_ids = yes
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = no
smtpd_tls_ccert_verifydepth = 9
smtpd_tls_cert_file = /etc/ssl/webmail/server.crt
smtpd_tls_ciphers = export
smtpd_tls_dcert_file =
smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem
smtpd_tls_dh512_param_file =
smtpd_tls_dkey_file = $smtpd_tls_dcert_file
smtpd_tls_eccert_file =
smtpd_tls_eckey_file = $smtpd_tls_eccert_file
smtpd_tls_eecdh_grade = strong
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH,
    EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_fingerprint_digest = md5
smtpd_tls_key_file = /etc/ssl/webmail/server.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers =
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtpd_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_received_header = no
smtpd_tls_req_ccert = no
smtpd_tls_security_level = may
smtpd_tls_session_cache_database =
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_wrappermode = no
smtpd_upstream_proxy_protocol =
smtpd_upstream_proxy_timeout = 5s
smtpd_use_tls = no
soft_bounce = no
stale_lock_time = 500s
stress =
strict_7bit_headers = no
strict_8bitmime = no
strict_8bitmime_body = no
strict_mailbox_ownership = yes
strict_mime_encoding_domain = no
strict_rfc821_envelopes = no
sun_mailtool_compatibility = no
swap_bangpath = no
syslog_facility = mail
syslog_name =
    ${multi_instance_name:postfix}${multi_instance_name?$multi_instance_name}
tcp_windowsize = 0
tls_append_default_CA = no
tls_daemon_random_bytes = 32
tls_dane_digest_agility = on
tls_dane_digests = sha512 sha256
tls_dane_trust_anchor_digest_enable = yes
tls_disable_workarounds =
tls_eecdh_strong_curve = prime256v1
tls_eecdh_ultra_curve = secp384r1
tls_export_cipherlist = aNULL:-aNULL:ALL:+RC4:@STRENGTH
tls_high_cipherlist = aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH
tls_legacy_public_key_fingerprints = no
tls_low_cipherlist = aNULL:-aNULL:ALL:!EXPORT:+RC4:@STRENGTH
tls_medium_cipherlist = aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH
tls_null_cipherlist = eNULL:!aNULL
tls_preempt_cipherlist = no
tls_random_bytes = 32
tls_random_exchange_name = ${data_directory}/prng_exch
tls_random_prng_update_period = 3600s
tls_random_reseed_period = 3600s
tls_random_source = dev:/dev/urandom
tls_ssl_options =
tls_wildcard_matches_multiple_labels = yes
tlsmgr_service_name = tlsmgr
tlsproxy_enforce_tls = $smtpd_enforce_tls
tlsproxy_service_name = tlsproxy
tlsproxy_tls_CAfile = $smtpd_tls_CAfile
tlsproxy_tls_CApath = $smtpd_tls_CApath
tlsproxy_tls_always_issue_session_ids = $smtpd_tls_always_issue_session_ids
tlsproxy_tls_ask_ccert = $smtpd_tls_ask_ccert
tlsproxy_tls_ccert_verifydepth = $smtpd_tls_ccert_verifydepth
tlsproxy_tls_cert_file = $smtpd_tls_cert_file
tlsproxy_tls_ciphers = $smtpd_tls_ciphers
tlsproxy_tls_dcert_file = $smtpd_tls_dcert_file
tlsproxy_tls_dh1024_param_file = $smtpd_tls_dh1024_param_file
tlsproxy_tls_dh512_param_file = $smtpd_tls_dh512_param_file
tlsproxy_tls_dkey_file = $smtpd_tls_dkey_file
tlsproxy_tls_eccert_file = $smtpd_tls_eccert_file
tlsproxy_tls_eckey_file = $smtpd_tls_eckey_file
tlsproxy_tls_eecdh_grade = $smtpd_tls_eecdh_grade
tlsproxy_tls_exclude_ciphers = $smtpd_tls_exclude_ciphers
tlsproxy_tls_fingerprint_digest = $smtpd_tls_fingerprint_digest
tlsproxy_tls_key_file = $smtpd_tls_key_file
tlsproxy_tls_loglevel = $smtpd_tls_loglevel
tlsproxy_tls_mandatory_ciphers = $smtpd_tls_mandatory_ciphers
tlsproxy_tls_mandatory_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers
tlsproxy_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
tlsproxy_tls_protocols = $smtpd_tls_protocols
tlsproxy_tls_req_ccert = $smtpd_tls_req_ccert
tlsproxy_tls_security_level = $smtpd_tls_security_level
tlsproxy_use_tls = $smtpd_use_tls
tlsproxy_watchdog_timeout = 10s
trace_service_name = trace
transport_maps = proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf
    proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf
transport_retry_time = 60s
trigger_timeout = 10s
undisclosed_recipients_header =
unknown_address_reject_code = 450
unknown_address_tempfail_action = $reject_tempfail_action
unknown_client_reject_code = 450
unknown_helo_hostname_tempfail_action = $reject_tempfail_action
unknown_hostname_reject_code = 450
unknown_local_recipient_reject_code = 550
unknown_relay_recipient_reject_code = 550
unknown_virtual_alias_reject_code = 550
unknown_virtual_mailbox_reject_code = 550
unverified_recipient_defer_code = 450
unverified_recipient_reject_code = 450
unverified_recipient_reject_reason =
unverified_recipient_tempfail_action = $reject_tempfail_action
unverified_sender_defer_code = 450
unverified_sender_reject_code = 450
unverified_sender_reject_reason =
unverified_sender_tempfail_action = $reject_tempfail_action
uucp_delivery_slot_cost = $default_delivery_slot_cost
uucp_delivery_slot_discount = $default_delivery_slot_discount
uucp_delivery_slot_loan = $default_delivery_slot_loan
uucp_destination_concurrency_failed_cohort_limit =
    $default_destination_concurrency_failed_cohort_limit
uucp_destination_concurrency_limit = $default_destination_concurrency_limit
uucp_destination_concurrency_negative_feedback =
    $default_destination_concurrency_negative_feedback
uucp_destination_concurrency_positive_feedback =
    $default_destination_concurrency_positive_feedback
uucp_destination_rate_delay = $default_destination_rate_delay
uucp_destination_recipient_limit = $default_destination_recipient_limit
uucp_extra_recipient_limit = $default_extra_recipient_limit
uucp_initial_destination_concurrency = $initial_destination_concurrency
uucp_minimum_delivery_slots = $default_minimum_delivery_slots
uucp_recipient_limit = $default_recipient_limit
uucp_recipient_refill_delay = $default_recipient_refill_delay
uucp_recipient_refill_limit = $default_recipient_refill_limit
uucp_time_limit = $command_time_limit
verp_delimiter_filter = -=+
virtual_alias_domains =
virtual_alias_expansion_limit = 1000
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf
    proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf
    proxy:mysql:/etc/postfix/mysql/catchall_maps.cf
    proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf
virtual_alias_recursion_limit = 1000
virtual_delivery_slot_cost = $default_delivery_slot_cost
virtual_delivery_slot_discount = $default_delivery_slot_discount
virtual_delivery_slot_loan = $default_delivery_slot_loan
virtual_destination_concurrency_failed_cohort_limit =
    $default_destination_concurrency_failed_cohort_limit
virtual_destination_concurrency_limit = $default_destination_concurrency_limit
virtual_destination_concurrency_negative_feedback =
    $default_destination_concurrency_negative_feedback
virtual_destination_concurrency_positive_feedback =
    $default_destination_concurrency_positive_feedback
virtual_destination_rate_delay = $default_destination_rate_delay
virtual_destination_recipient_limit = $default_destination_recipient_limit
virtual_extra_recipient_limit = $default_extra_recipient_limit
virtual_gid_maps = static:2000
virtual_initial_destination_concurrency = $initial_destination_concurrency
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains =
    proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
virtual_mailbox_limit = 51200000
virtual_mailbox_lock = fcntl, dotlock
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_minimum_delivery_slots = $default_minimum_delivery_slots
virtual_minimum_uid = 2000
virtual_recipient_limit = $default_recipient_limit
virtual_recipient_refill_delay = $default_recipient_refill_delay
virtual_recipient_refill_limit = $default_recipient_refill_limit
virtual_transport = dovecot
virtual_uid_maps = static:2000

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2

Re: Mail sending span like open relay.

1) check maillog file. Se who is posting the e-mails ( client IP address, login ID )
2) make sure Your server is not an open relay 
     visit https://mxtoolbox.com/diagnostic.aspx, and fill in the fqdn or ip address to your mail host

3

Re: Mail sending span like open relay.

when testing remotely, Your mailserver is NOT an open relay, but listed in one spam blacklist (SORBS SPAM).
So this means some internal machine is sending all spam via your iRedmail server. You need to check the /var/log/maillog for connecting internal senders.

4

Re: Mail sending span like open relay.

swejun wrote:

1) check maillog file. Se who is posting the e-mails ( client IP address, login ID )

My mail log (tail log) :
i remove the date and change server name.
My domain is: @macae.rj.gov.br

EMAIL postfix/cleanup[26356]: 2F00148A00F1: message-id=<FC064F60F0240B78A4A1E85713CFF88F@macae.rj.gov.br>
EMAIL postfix/qmgr[488]: 2F00148A00F1: from=<moacirneto@macae.rj.gov.br>, size=1713, nrcpt=1 (queue active)
EMAIL postfix/smtpd[19903]: 602B148A011B: client=localhost[127.0.0.1]
EMAIL postfix/cleanup[26357]: 602B148A011B: message-id=<42B8F1D9598DA2D10D0841FEBA35F21B@macae.rj.gov.br>
EMAIL postfix/qmgr[488]: 602B148A011B: from=<moacirneto@macae.rj.gov.br>, size=2267, nrcpt=1 (queue active)

EMAIL amavis[28274]: (28274-07) Passed CLEAN {RelayedInbound}, [184.3.163.48]:47453 [184.3.163.48] <moacirneto@macae.rj.gov.br> -> <sue.divall@wardgoodman.co.uk>, Queue-ID: B321048A011D, Message-ID: <42B8F1D9598DA2D10D0841FEBA35F21B@macae.rj.gov.br>, mail_id: I469z0wsiW80, Hits: -0.997, size: 1775, queued_as: 602B148A011B, 2306 ms, Tests: [ALL_TRUSTED=-1,TVD_RCVD_IP4=0.001,TVD_RCVD_IP=0.001,URIBL_BLOCKED=0.001]

EMAIL postfix/smtp[28425]: B321048A011D: to=<sue.divall@wardgoodman.co.uk>, relay=127.0.0.1[127.0.0.1]:10024, delay=14, delays=11/0.45/0/2.3, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 602B148A011B)

EMAIL postfix/qmgr[488]: B321048A011D: removed
EMAIL postfix/cleanup[27341]: 9007148A011F: message-id=<6E94DDF58357780BD7D29B24603A3E16@macae.rj.gov.br>
EMAIL postfix/qmgr[488]: 9007148A011F: from=<gilvanalmeida@macae.rj.gov.br>, size=1756, nrcpt=1 (queue active)

EMAIL amavis[29358]: (29358-07) Passed CLEAN {RelayedInbound}, [184.3.203.210]:33727 [184.3.203.210] <fernandanunes@macae.rj.gov.br> -> <marketing@thermalceramics.co.uk>, Queue-ID: B111848A010E, Message-ID: <DF256C510ADEF1825E5B12ADE9957155@macae.rj.gov.br>, mail_id: uyLFfikZvx7B, Hits: -0.999, size: 1710, queued_as: 7D30748A0127, 2796 ms, Tests: [ALL_TRUSTED=-1,URIBL_BLOCKED=0.001]

EMAIL postfix/smtp[29441]: B111848A010E: to=<marketing@thermalceramics.co.uk>, relay=127.0.0.1[127.0.0.1]:10024, delay=7, delays=4.1/0.01/0/2.8, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 7D30748A0127)

EMAIL postfix/qmgr[488]: B111848A010E: removed
EMAIL postfix/qmgr[488]: D40F048A011E: from=<>, size=62612, nrcpt=1 (queue active)
EMAIL postfix/smtpd[28497]: disconnect from mail-cwlgbr01hn0246.outbound.protection.outlook.com[104.47.20.246]

swejun wrote:


2) make sure Your server is not an open relay 
     visit https://mxtoolbox.com/diagnostic.aspx, and fill in the fqdn or ip address to your mail host

Server IP: 177.223.198.246

swejun wrote:


    Test     Result
    SMTP Reverse DNS Mismatch     OK - 177.223.198.246 resolves to mail.macae.rj.gov.br
    SMTP Valid Hostname     OK - Reverse DNS is a valid Hostname
    SMTP Banner Check     OK - Reverse DNS matches SMTP Banner
    SMTP TLS     OK - Supports TLS.
    SMTP Connection Time     0.925 seconds - Good on Connection time
    SMTP Open Relay     OK - Not an open relay.
    SMTP Transaction Time     3.377 seconds - Good on Transaction Time

Open Relay is closed. But he server actin like a open relay.
I check PhP scripts running and didint found anything.

5

Re: Mail sending span like open relay.

So you have the following configured:

mydomain = mail.macae.rj.gov.br
myhostname = mail.macae.rj.gov.br
mynetworks = 127.0.0.1, 177.223.198.246
mynetworks_style = subnet

This means that all servers on the same subnet as "177.223.198.246" are allowed to relay without login.
This is your externally accessible IP address for the server, and the MX pointer for your mail domain as well.

6 (edited by filipe.mota 2018-02-17 00:42:28)

Re: Mail sending span like open relay.

Thanks for Help Swejun, and your very fast reply smile

swejun wrote:

So you have the following configured:

mydomain = mail.macae.rj.gov.br
myhostname = mail.macae.rj.gov.br
mynetworks = 127.0.0.1, 177.223.198.246
mynetworks_style = subnet

This means that all servers on the same subnet as "177.223.198.246" are allowed to relay without login.
This is your externally accessible IP address for the server, and the MX pointer for your mail domain as well.

My confs are correct, i think.

But and can understant why my server are send alot of spam.
Anyway, its possible any virus mail client (like Outlook and Thunderbir) inner of my intranet (subnets) sending this spam?
sending by pop or imap;
If yes, how can i can close acess to all clients?
After this stop, maybe i can allow for some user.

7

Re: Mail sending span like open relay.

Sending e-mail from an internal registered user, should use the submision (port 587), i.e. a user sending email MUST be authenticated.
If you check your maillog, you can see a complete sending sequence as follows, including the name of the user logged in and sending: ( see below)
To completely disable the submision port 587, just block it in iptables / firewalld. Remove the service "submission" or port "587"
I have the following allowed services on my iredmail server:    services: http submission pop3s smtp imaps pop3 ssh https imap


In the logfile below, you can first see the ip address of the connecting client (using ipv6 in my case)
On the third line, you can se the user name of the connecting client.
On the fifth line, the qmgr gets the e-mail, do figure out where to deliver etc.

---
Feb 19 09:19:38 mail2 postfix/submission/smtpd[22119]: connect from unknown[2a02:xxxx:1f:150:20c2:f6f3:55f3:88fc]
Feb 19 09:19:38 mail2 postfix/submission/smtpd[22119]: Anonymous TLS connection established from unknown[2a02:xxxx:1f:150:20c2:f6f3:55f3:88fc]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 19 09:19:39 mail2 postfix/submission/smtpd[22119]: 06C776F6F1: client=unknown[2a02:xxx:1f:150:20c2:f6f3:55f3:88fc], sasl_method=PLAIN, sasl_username=first.last@mydomain.com
Feb 19 09:19:39 mail2 postfix/cleanup[22123]: 06C776F6F1: message-id=<2DD62D2B-ABD6-42FE-9591-070D0D0C72FF@mydomain.com>
Feb 19 09:19:39 mail2 postfix/qmgr[32630]: 06C776F6F1: from=<first.last@mydmain.com>, size=2788, nrcpt=1 (queue active)
Feb 19 09:19:39 mail2 postfix/10025/smtpd[22127]: connect from mail2.mydomain.com[127.0.0.1]
Feb 19 09:19:39 mail2 postfix/10025/smtpd[22127]: 815B96D3F8: client=mail2.mydomain.com[127.0.0.1]
Feb 19 09:19:39 mail2 postfix/cleanup[22123]: 815B96D3F8: message-id=<2DD62D2B-ABD6-42FE-9591-070D0D0C72FF@zebware.com>
Feb 19 09:19:39 mail2 postfix/10025/smtpd[22127]: disconnect from mail2.mydomain.com[127.0.0.1]
Feb 19 09:19:39 mail2 postfix/qmgr[32630]: 815B96D3F8: from=<first.last@mydomain.com>, size=3856, nrcpt=1 (queue active)
Feb 19 09:19:39 mail2 amavis[29829]: (29829-02) Passed CLEAN {RelayedInternal}, ORIGINATING LOCAL [2a02:xxxx:1f:150:20c2:f6f3:55f3:88fc]:51342 [2a02:xxx:1f:150:20c2:f6f3:55f3:88fc] <first.last@mydomain.com> -> <mailaddress@anotherdomain.com>, Queue-ID: 06C776F6F1, Message-ID: <2DD62D2B-ABD6-42FE-9591-070D0D0C72FF@mydomain.com>, mail_id: o_Bmj4tQPiGv, Hits: -0.999, size: 2788, queued_as: 815B96D3F8, dkim_new=dkim:mydomain.com, 481 ms, Tests: [ALL_TRUSTED=-1,HTML_MESSAGE=0.001]
Feb 19 09:19:39 mail2 postfix/amavis/smtp[22124]: 06C776F6F1: to=<ingvmailaddress@janotherdomain.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.8, delays=0.3/0.01/0/0.49, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 815B96D3F8)
Feb 19 09:19:39 mail2 postfix/qmgr[32630]: 06C776F6F1: removed
Feb 19 09:19:44 mail2 postfix/smtp[22128]: Untrusted TLS connection established to smtp.anotherdomain.com[2a01:xxx:3012:1::1009]:25: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 19 09:19:45 mail2 postfix/smtp[22128]: 815B96D3F8: to=<ingvar@jungenas.com>, relay=smtp.anotherdomain.com[2a01:xxxx:3012:1::1009]:25, delay=5.7, delays=0.01/0.03/5.1/0.53, dsn=2.0.0, status=sent (250 2.0.0 w1J8JiQk026902 Message accepted for delivery)
Feb 19 09:19:45 mail2 postfix/qmgr[32630]: 815B96D3F8: removed
(END

8

Re: Mail sending span like open relay.

Also check your /opt/iredapd/settings.py
The MYNETWORKS = i.p.a.dress 
tells which networks are allowed to relay without login

Be sure to use the plugin ""reject_sender_login_mismatch", which disallows send e-mail with FROM: not eq. LoginUser
See https://docs.iredmail.org/manage.iredapd.html for details

9

Re: Mail sending span like open relay.

and ....
Check your /etc/postfix/master,cf.
The submission control I use is as below. The client_restrictions says: Allow authenticated users, reject the rest

submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o content_filter=smtp-amavis:[127.0.0.1]:10026

10

Re: Mail sending span like open relay.

Thanks for help Swejun smile
You are great!

I set an rule to drop por 587.

To completely disable the submision port 587, just block it in iptables / firewalld. Remove the service "submission" or port "587"

And my master.cf have this same configuration.

submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o content_filter=smtp-amavis:[127.0.0.1]:10026

This Plugin are not on my IredPad list, then i set.

Be sure to use the plugin ""reject_sender_login_mismatch", which disallows send e-mail with FROM: not eq. LoginUser

Now i will observe the log and put the feedback later.

I am preparing a new mail server, in case this problem is not solved, I will just migrate.

11

Re: Mail sending span like open relay.

Still sending mail to other domains.
I dont have ideia how to stop to sending spam form my server.

12

Re: Mail sending span like open relay.

So.....
- 587 is blocked in firewall (no thunderbird clients can connect to send e-mail)
- It is NOT an open relay (checkable with mx tool),
Then the next possible option is someone posting e-mail via Rouncube webgui, SOGo Webgui or Active sync from Iphone/Android/Outlook.

Mail sending outbound can be checked from the /var/log/maillog., /var/log/sogo/access.log, /var/log/nginx/access.log
Se some examples when I send via android active sync, Roundcube and SOGo. Maybe you can find out how the e-mails are entered into Your mailserver.

Blocking port 80/443 will effectively stop any webb related access of course.
========
Sending mail from android

/var/log/nginx/acces.log
10.5.0.25 - firstname@domain.com [20/Feb/2018:15:24:18 +0100] "POST /Microsoft-Server-ActiveSync?Cmd=Search&User=firstname%40domain.com&DeviceId=androidc1307340656&DeviceType=SonyE5823 HTTP/1.1" 200 632 "-" "SonyE5823/7.1.1-EAS-2.0"

/var/log/maillog
Feb 20 14:27:00 mail2 postfix/pipe[1670]: 08A596D3F8: to=<someone@domain.com>, relay=dovecot, delay=0.13, delays=0.05/0.02/0/0.06, dsn=2.0.0, status=sent (delivered via dovecot service)
Feb 20 15:07:17 mail2 amavis[11572]: (11572-13) Passed CLEAN {RelayedInternal}, MYNETS LOCAL [10.4.0.10]:58552 [192.28.149.9] <074-uqx-410.0.61394.0.0.19180.9.12256819@email.duo.com> -> <firstname@domain.com MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as A80A36F6F1)
Feb 20 15:07:17 mail2 postfix/pipe[5065]: A80A36F6F1: to=<someone@domain.com>, relay=dovecot, delay=0.11, delays=0.05/0.01/0/0.04, dsn=2.0.0, status=sent (delivered via dovecot service)



Sending mail from Chrome in mac using Roundcube
/var/log/nginx/acces.log
10.150.7.2 - - [20/Feb/2018:15:29:41 +0100] "POST /mail/?_task=mail&_action=autocomplete HTTP/1.1" 200 1404 "https://mail2.domain.com/mail/?_task=ma … c30cf3e435" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"

/var/log/maillog
Feb 20 15:30:01 mail2 postfix/submission/smtpd[7199]: 899A86F6F1: client=mail2.domain.com[127.0.0.1], sasl_method=LOGIN, sasl_username=firstname@domain.com
Feb 20 15:30:01 mail2 postfix/qmgr[8562]: 899A86F6F1: from=<firstname@domain.com>, size=602, nrcpt=1 (queue active)
Feb 20 15:30:01 mail2 roundcube: <a1qq5kkn> User firstname@domain.com [10.150.7.2]; Message for someone@domain.com; 250: 2.0.0 Ok: queued as 899A86F6F1
Feb 20 15:30:02 mail2 postfix/qmgr[8562]: 793FC6D3F8: from=<firtname@domain.com>, size=1701, nrcpt=1 (queue active)
Feb 20 15:30:02 mail2 amavis[11572]: (11572-14) Passed CLEAN {RelayedInternal}, ORIGINATING/MYNETS LOCAL [127.0.0.1]:58084 <firstname@domain.com> -> <someone@domain.com>, Queue-ID: 899A86F6F1, Message-ID: <37535bcf9a80185ab7aa1a35a555832e@domain.com>, mail_id: 8L_rccxb4bcA, Hits: 0.203, size: 602, queued_as: 793FC6D3F8, dkim_new=dkim:domain.com, 682 ms, Tests: [ALL_TRUSTED=-1,TVD_RCVD_SINGLE=1.213,T_RP_MATCHES_RCVD=-0.01]
Feb 20 15:30:02 mail2 postfix/amavis/smtp[7208]: 899A86F6F1: to=<someone@domain.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=1.4, delays=0.7/0.05/0/0.69, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 793FC6D3F8)


Sending from SOGo webui

sogo log
Feb 20 15:39:05 sogod [7982]: 10.150.7.2 "GET /SOGo/so/firstname@domain.com/Mail/UIxMailEditor HTTP/1.0" 200 2671/0 0.018 12610 78% 68K
Feb 20 15:39:06 sogod [7950]: 10.150.7.2 "GET /SOGo/so/firstname@domain.com/Mail/0/compose HTTP/1.0" 201 78/0 0.220 - - 36K

The same event in nginx log
10.150.7.2 - - [20/Feb/2018:15:39:05 +0100] "GET /SOGo/so/firstname@domain.com/Mail/UIxMailEditor HTTP/1.1" 200 2671 "https://mail2.domain.com/SOGo/so/firstn … /Mail/view" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
10.150.7.2 - - [20/Feb/2018:15:39:06 +0100] "GET /SOGo/so/firstname@domain.com/Mail/0/compose HTTP/1.1" 201 78 "https://mail2.domain.com/SOGo/so/firstn … /Mail/view" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"

in maillog, you can see the mail being placed on the qmgr, then passed to amavis and and delivered to external mailserver
========

13

Re: Mail sending span like open relay.

It's possible that some account password was cracked and used to send spams.

Download this script (shipped in iRedMail) and run it, it will show you which account performed a lot smtp authentications, it's very possible that the top smtp usernames were cracked:
https://bitbucket.org/zhb/iredmail/raw/ … ernames.sh

bash find_top_sasl_usernames.sh

14

Re: Mail sending span like open relay.

Hi Zhang,
I change all passwords accounts and spans are sending.
I create a new server and migrate the accounts.

ZhangHuangbin wrote:

It's possible that some account password was cracked and used to send spams.

Download this script (shipped in iRedMail) and run it, it will show you which account performed a lot smtp authentications, it's very possible that the top smtp usernames were cracked:
https://bitbucket.org/zhb/iredmail/raw/ … ernames.sh

bash find_top_sasl_usernames.sh

15

Re: Mail sending span like open relay.

Did you find any suspect accounts with the script "find_top_sasl_usernames.sh"?

16

Re: Mail sending span like open relay.

I found alot of account and change his passwords.
And the sending spam mails are going th

ZhangHuangbin wrote:

Did you find any suspect accounts with the script "find_top_sasl_usernames.sh"?

I solved the problem by upgrading the entire server. creating a new one and migrating every email.
I would like to thank for the work done in the email, the migration was done without problems.

The mail server is now in a DMZ, protected by firewall, now the attacks have stopped.