Illegal emails from my domain
I need help with this. Somebody is using my installation to send emails from my domain.
My installation uses Postfix and Dovecot as explained here:
Using ufw the ports are currently closed:
sudo ufw status
25/tcp DENY Anywhere
465 (v6) DENY Anywhere (v6)
587 (v6) DENY Anywhere (v6)
465 DENY Anywhere
587 DENY Anywhere
However, I got this in mail.log (hostname/domain/email replaced for privacy):
Dec 3 00:31:20 myhostname postfix/qmgr: 697F25F42D: removed
Dec 3 02:57:23 myhostname postfix/pickup: 8A96B5F42D: uid=33 from=<www-data>
Dec 3 02:57:23 myhostname postfix/cleanup: 8A96B5F42D: email@example.com
Dec 3 02:57:23 myhostname postfix/qmgr: 8A96B5F42D: firstname.lastname@example.org, size=1963, nrcpt=1 (queue active)
Dec 3 02:57:23 myhostname postfix/smtp: 8A96B5F42D: email@example.com, relay=gmail-smtp-in.l.google.com[2607:f8b0:4003:c05::1b]:25, delay=0.41, delays=0.02/0.01/0.13/0.24, dsn=2.0.0, status=sent (250 2.0.0 OK 1543820243 r19si5190421otq.226 - gsmtp)
Dec 3 02:57:23 myhostname postfix/qmgr: 8A96B5F42D: removed
I got the email (spam/phishing).
How is this happening? How can I avoid this? Any help will be appreciated.
I'm sorry to hear you're experiencing this issue. There could be a few possibilities for this. First I would recommend taking a look at this Community Site post for information on how to address a potentially compromised Linode as well as links to preventing future compromises. It sounds like what you may be experiencing is someone gaining access to the Linode for the purposes of sending spam and that post might provide some additional information for clearing that up.
I would also highly recommend taking a look at the following guide on running a mail server and on Spam and Virus protection for specific recommendations on preventing what you are seeing.
I hope this helps!
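The log in the question answers the "how" by itself: the message was first seen by postfix/pickup with uid=33 from=<www-data>. The pickup daemon only handles mail dropped into the local maildrop queue by a process calling sendmail(1)/postdrop on the box, so that message never passed through the SMTP listener and the ufw rules on 25/465/587 do not apply to it. The script below is an added triage example, not code from the original thread or from Linode's guides: it groups mail.log lines by queue ID, records whether each message entered through local pickup or through smtpd, and flags local submissions made by the web-server user. The sample log lines, hostname, queue IDs and addresses are constructed for the example, and the mapping of uid 33 to www-data is the Debian/Ubuntu default (adjust WEB_UIDS for other distributions).

```python
#!/usr/bin/env python3
"""Triage Postfix mail.log entries: how did each queued message enter Postfix?"""
import re
import sys
from collections import Counter

# Constructed sample, modelled on the format of the lines in the question
# (hostname, queue IDs, addresses and the extra lines are invented).
SAMPLE_LOG = """\
Dec  3 00:31:20 myhostname postfix/qmgr[812]: 697F25F42D: removed
Dec  3 02:57:23 myhostname postfix/pickup[801]: 8A96B5F42D: uid=33 from=<www-data>
Dec  3 02:57:23 myhostname postfix/cleanup[2231]: 8A96B5F42D: message-id=<20181203025723.8A96B5F42D@myhostname>
Dec  3 02:57:23 myhostname postfix/qmgr[812]: 8A96B5F42D: from=<www-data@example.com>, size=1963, nrcpt=1 (queue active)
Dec  3 02:57:23 myhostname postfix/smtp[2233]: 8A96B5F42D: to=<victim@example.org>, relay=gmail-smtp-in.l.google.com[2607:f8b0:4003:c05::1b]:25, delay=0.41, delays=0.02/0.01/0.13/0.24, dsn=2.0.0, status=sent (250 2.0.0 OK)
Dec  3 02:57:23 myhostname postfix/qmgr[812]: 8A96B5F42D: removed
Dec  3 03:10:01 myhostname postfix/pickup[801]: 1C44D5F431: uid=1000 from=<alice>
Dec  3 03:10:01 myhostname postfix/qmgr[812]: 1C44D5F431: from=<alice@example.com>, size=420, nrcpt=1 (queue active)
Dec  3 03:15:44 myhostname postfix/submission/smtpd[2301]: 2B7E05F433: client=mail.example.net[203.0.113.7], sasl_method=PLAIN, sasl_username=bob@example.com
Dec  3 03:15:44 myhostname postfix/qmgr[812]: 2B7E05F433: from=<bob@example.com>, size=1200, nrcpt=1 (queue active)
"""

# Assumption: uid 33 is www-data (Debian/Ubuntu). RHEL-style systems use 48 (apache).
WEB_UIDS = {33}

# One regex for the common syslog prefix; the "[pid]" part is optional because
# some log exports (like the one in the question) strip it.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<daemon>[\w/-]+)(?:\[\d+\])?: (?P<qid>[0-9A-F]+): (?P<rest>.*)$"
)
PICKUP_RE = re.compile(r"uid=(?P<uid>\d+) from=<(?P<user>[^>]*)>")
CLIENT_RE = re.compile(r"client=(?P<client>[^,\s]+)")
FROM_RE = re.compile(r"from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(r"to=<(?P<addr>[^>]*)>")
STATUS_RE = re.compile(r"status=(?P<status>\w+)")


def classify_submissions(log_text):
    """Return {queue_id: record} describing how each message entered Postfix.

    path == "local-pickup": the pickup daemon took it from the maildrop queue,
    i.e. a local process invoked sendmail(1)/postdrop (no network port involved).
    path == "smtpd": it arrived over the network via the SMTP/submission listener.
    """
    msgs = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # connect/disconnect/warning lines carry no queue ID
        rec = msgs.setdefault(m["qid"], {
            "qid": m["qid"], "first_seen": m["ts"], "path": None, "uid": None,
            "user": None, "client": None, "envelope_from": None,
            "recipient": None, "status": None,
        })
        daemon = m["daemon"].rsplit("/", 1)[-1]  # "submission/smtpd" -> "smtpd"
        rest = m["rest"]
        if daemon == "pickup":
            p = PICKUP_RE.search(rest)
            if p:
                rec.update(path="local-pickup", uid=int(p["uid"]), user=p["user"])
        elif daemon == "smtpd":
            c = CLIENT_RE.search(rest)
            if c:
                rec.update(path="smtpd", client=c["client"])
        elif daemon == "qmgr":
            f = FROM_RE.search(rest)
            if f:
                rec["envelope_from"] = f["addr"]
        elif daemon == "smtp":
            t, s = TO_RE.search(rest), STATUS_RE.search(rest)
            if t:
                rec["recipient"] = t["addr"]
            if s:
                rec["status"] = s["status"]
    return msgs


def find_web_injections(log_text, web_uids=WEB_UIDS):
    """Queue IDs of messages submitted locally by a web-server uid, sorted."""
    msgs = classify_submissions(log_text)
    return sorted(q for q, r in msgs.items()
                  if r["path"] == "local-pickup" and r["uid"] in web_uids)


def summarize(log_text):
    """Count messages per entry path (messages with no submission line are skipped)."""
    return Counter(r["path"] for r in classify_submissions(log_text).values() if r["path"])


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    msgs = classify_submissions(text)
    print("entry paths:", dict(summarize(text)))
    for qid in find_web_injections(text):
        r = msgs[qid]
        print(f"{qid}: injected locally by uid {r['uid']} ({r['user']}) "
              f"as {r['envelope_from']} -> {r['recipient']} [{r['status']}] at {r['first_seen']}")
    if find_web_injections(text):
        print("These messages were handed to Postfix via the local sendmail interface; "
              "firewall rules on ports 25/465/587 do not affect this path.")
```

Run it against the real file with `python3 triage.py /var/log/mail.log`. Every queue ID it reports with a web-server uid is a message generated by something running as the web server (a script, upload handler or planted file), which is what the compromised-Linode cleanup guide linked in the answer is for; the ufw rules are a separate question and do not close this path.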