
I have a Postfix setup and it appears to be accepting emails for other recipients and forwarding them to an existing legitimate email.

For example, we receive a spam email for [email protected], and postfix seems to be delivering it to [email protected].

Here are the headers of one of the emails to show what I mean.

Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from mail.foo.org.uk
    by mail.foo.org.uk with LMTP
    id 7MXENd9eMmZTHAUAe7yBEg
    (envelope-from <[email protected]>)
    for <[email protected]>; Wed, 01 May 2024 15:25:19 +0000
Received: by mail.foo.org.uk (Postfix, from userid 1000)
    id CBFA0FC055; Wed,  1 May 2024 15:25:19 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
    mail.foo.org.uk
X-Spam-Level: *
X-Spam-Status: No, score=1.3 required=5.0 tests=HTML_IMAGE_ONLY_16,
    HTML_IMAGE_RATIO_04,HTML_MESSAGE,HTML_SHORT_LINK_IMG_2,
    RCVD_IN_ZEN_BLOCKED_OPENDNS,SPF_HELO_NONE,SPF_PASS,T_TVD_MIME_EPI,
    URIBL_BLOCKED,URIBL_DBL_BLOCKED_OPENDNS,URIBL_ZEN_BLOCKED_OPENDNS
    autolearn=no autolearn_force=no version=3.4.6
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=178.162.136.136; helo=xn--e1aub.007.xn--p1acf; [email protected]; receiver=<UNKNOWN>
Received: from xn--e1aub.007.xn--p1acf (xn--e1aub.007.xn--p1acf [178.162.136.136])
    by mail.foo.org.uk (Postfix) with ESMTP id C6C74FC055
    for <[email protected]>; Wed,  1 May 2024 15:25:18 +0000 (UTC)
Received: from baz.nl (rirosh.lat [91.215.169.195])
    by xn--e1aub.007.xn--p1acf (Postfix) with ESMTPA id 905453663;
    Wed,  1 May 2024 18:25:12 +0300 (EEST)
Message-ID: <[email protected]>
From: "Keto Gummies" <[email protected]>
To: <[email protected]>
Subject: People's Keto Gummies - powerful New Formula triggers Fat-Burning ketosis!
Date: Wed, 01 May 2024 18:25:16 +0300
MIME-Version: 1.0

As you can see, it is addressed to [email protected], but being delivered to [email protected]

I believe all the emails we're receiving are going to [email protected]

As for the setup, the server was set up a few years ago by someone else and utilises Postfix, Dovecot, SpamAssassin and MySQL for virtual mailboxes/domains.

The output of postconf -n is

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
compatibility_level = 3.6
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
milter_default_action = accept
milter_protocol = 2
mydestination = localhost
myhostname = mail.foo.org.uk
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
non_smtpd_milters = inet:localhost:12301
rbl_reply_maps = hash:$config_directory/dnsbl-reply-map
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_milters = inet:localhost:12301
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/recipient_access, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, reject_unlisted_recipient, reject_invalid_hostname, check_policy_service unix:private/policy-spf, reject_rbl_client .zen.dq.spamhaus.net=127.0.0.[2..11] reject_rhsbl_sender .dbl.dq.spamhaus.net=127.0.1.[2..99] reject_rhsbl_helo .dbl.dq.spamhaus.net=127.0.1.[2..99] reject_rhsbl_reverse_client .dbl.dq.spamhaus.net=127.0.1.[2..99] reject_rhsbl_sender .zrd.dq.spamhaus.net=127.0.2.[2..24] reject_rhsbl_helo .zrd.dq.spamhaus.net=127.0.2.[2..24] reject_rhsbl_reverse_client .zrd.dq.spamhaus.net=127.0.2.[2..24] permit
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service unix:private/policy-spf, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.foo.org.uk/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.foo.org.uk/privkey.pem
smtpd_tls_security_level = may
virtual_alias_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
