(Slightly) open relay

I've been trying to set postfix up to act as a backup mail server. I tested it using the tools at ordb.org, and it reported that it does not appear to be an open relay. When I checked the logs, however, I found a couple of lines like this:

Feb 28 18:33:38 mail2 postfix/smtp[21592]: 03FA457EED: to=<xxx@yyy.gov.tw>, relay=smssmtp93.yyy.gov.tw[xxx.29.159.xx], delay=15, status=sent (250 M2006030102441004449 Message accepted for delivery)
Mar  1 13:05:21 mail2 postfix/smtp[2707]: 2B26557EE4: to=<xxx@yyy.com>, relay=mail.yyy.com[xxx.114.216.xxx], delay=147106, status=sent (250 2.0.0 k21D5aMO014409 Message accepted for delivery)

When I saw this, I shut down postfix right away, but I can't see how this is happening. Here's my config:

main.cf:

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
append_dot_mydomain = no
inet_interfaces = all
relay_domains = hash:/etc/postfix/relays
transport_maps = hash:/etc/postfix/transport
smtpd_recipient_restrictions = check_relay_domains

relays:

my.domain.tld OK

transport:

my.domain.tld smtp:mail.my.domain.tld

Can anyone see the problem?

3 Replies

I don't use Postfix, but you might check to see where the messages say they're from. It might be accepting and forwarding mail that looks like it's from a user@my.domain.tld and is to other@somedomain.org

@stocksy:

I've been trying to set postfix up to act as a backup mail server. I tested it using the tools at ordb.org, and it reported that it does not appear to be an open relay. When I checked the logs, however, I found a couple of lines like this:

Feb 28 18:33:38 mail2 postfix/smtp[21592]: 03FA457EED: to=<xxx@yyy.gov.tw>, relay=smssmtp93.yyy.gov.tw[xxx.29.159.xx], delay=15, status=sent (250 M2006030102441004449 Message accepted for delivery)
Mar  1 13:05:21 mail2 postfix/smtp[2707]: 2B26557EE4: to=<xxx@yyy.com>, relay=mail.yyy.com[xxx.114.216.xxx], delay=147106, status=sent (250 2.0.0 k21D5aMO014409 Message accepted for delivery)

Those are two different outgoing messages. How about posting the full transaction, incoming and outgoing?

I'm not a postfix expert, but it looks like you're accepting email from anybody who claims to be from your my.domain.tld with no verification that they're coming from a trusted host. I have

mynetworks = 192.168.0.0/16,127.0.0.0/8
smtpd_recipient_restrictions =
      reject_invalid_hostname,
      reject_non_fqdn_hostname,
      reject_non_fqdn_sender,
      reject_non_fqdn_recipient,
      reject_unknown_sender_domain,
      reject_unauth_pipelining,
      permit_mynetworks,
      reject_unauth_destination,
      reject_rbl_client sbl-xbl.spamhaus.org,
      reject_rbl_client relays.ordb.org,
      reject_rbl_client list.dsbl.org,
      reject_rbl_client korea.services.net,
      permit

Thanks for your replies. ptomblin, you were right in saying that I needed to examine the whole transaction.

Mar 10 06:45:09 mail2 postfix/smtpd[27979]: connect from unknown[xxx.xxx.202.132]
Mar 10 06:45:10 mail2 postfix/smtpd[27979]: warning: support for restriction "check_relay_domains" will be removed from Postfix; use "reject_unauth_destination" instead
Mar 10 06:45:10 mail2 postfix/smtpd[27979]: warning: restriction `reject_unauth_destination' after `check_relay_domains' is ignored
Mar 10 06:45:10 mail2 postfix/smtpd[27979]: E3BF157EA1: client=unknown[xxx.xxx.202.132]
Mar 10 06:45:11 mail2 postfix/cleanup[27983]: E3BF157EA1: message-id=<000001c6440e$3d624880$02cfa8c0@ybb62>
Mar 10 06:45:11 mail2 postfix/qmgr[21151]: E3BF157EA1: from=<beulahhir@xxxxxx.or.jp>, size=3451, nrcpt=1 (queue active)
Mar 10 06:45:12 mail2 postfix/smtpd[27979]: disconnect from unknown[xxx.xxx.202.132]
Mar 10 06:45:13 mail2 postfix/smtp[27984]: E3BF157EA1: to=<eepolito@stocksy.co.uk>, relay=mail.toastputer.net[69.93.127.12], delay=3, status=bounced (host mail.toastputer.net[69.93.127.12] said: 550 <eepolito@stocksy.co.uk>: Recipient address rejected: User unknown in virtual mailbox table (in reply to RCPT TO command))
Mar 10 06:45:13 mail2 postfix/cleanup[27983]: E1B5A57ED7: message-id=<20060310064513.E1B5A57ED7@mail2.toastputer.net>
Mar 10 06:45:13 mail2 postfix/qmgr[21151]: E3BF157EA1: removed
Mar 10 06:45:13 mail2 postfix/qmgr[21151]: E1B5A57ED7: from=<>, size=5454, nrcpt=1 (queue active)
Mar 10 06:45:28 mail2 postfix/smtp[27984]: E1B5A57ED7: to=<beulahhir@xxxxxx.or.jp>, relay=mailgw1.xxxxxx.or.jp[xxx.xxx.106.55], delay=15, status=sent (250 ok 1141973167 qp 27149)
Mar 10 06:45:28 mail2 postfix/qmgr[21151]: E1B5A57ED7: removed

Like a moron, I was just grepping the log for 'status=sent' where the recipient was not one of my domains. I was failing to account for bounce messages. I guess I need to read up on reducing backscatter!
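The mistake described in this last post (grepping for `status=sent` to a foreign domain and reading every hit as relaying) is easy to avoid if the log is correlated per queue ID instead of per line. The script below is an added example, not code from the thread or from Postfix: it joins the `smtpd` client line, the `qmgr` envelope-sender line and the `smtp` delivery line of each queue ID, then labels the message as a locally generated bounce (`from=<>`), a submission from `mynetworks`, a delivery for a domain in `relay_domains`, or a genuine unauthorised relay. The `relay_domains` and `mynetworks` values are the ones quoted in the thread; the log lines, IP addresses and function names (`parse_log`, `classify`, `find_suspicious`) are constructed for the example.

```python
"""Correlate Postfix log lines by queue ID and tell bounces from real relaying.

Added example for the thread above; not part of Postfix or the original post.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log, modelled on the excerpt in the thread. Hosts and
# addresses are documentation/private ranges, not real senders.
SAMPLE_LOG = """\
Mar 10 06:45:09 mail2 postfix/smtpd[27979]: connect from unknown[203.0.113.132]
Mar 10 06:45:10 mail2 postfix/smtpd[27979]: E3BF157EA1: client=unknown[203.0.113.132]
Mar 10 06:45:11 mail2 postfix/qmgr[21151]: E3BF157EA1: from=<spammer@example.net>, size=3451, nrcpt=1 (queue active)
Mar 10 06:45:13 mail2 postfix/smtp[27984]: E3BF157EA1: to=<nobody@my.domain.tld>, relay=mail.my.domain.tld[192.0.2.10], delay=3, status=bounced (host mail.my.domain.tld[192.0.2.10] said: 550 <nobody@my.domain.tld>: Recipient address rejected: User unknown)
Mar 10 06:45:13 mail2 postfix/qmgr[21151]: E1B5A57ED7: from=<>, size=5454, nrcpt=1 (queue active)
Mar 10 06:45:28 mail2 postfix/smtp[27984]: E1B5A57ED7: to=<spammer@example.net>, relay=mailgw1.example.net[198.51.100.55], delay=15, status=sent (250 ok)
Mar 10 07:02:00 mail2 postfix/smtpd[28001]: 1A2B3C4D5E: client=unknown[203.0.113.77]
Mar 10 07:02:01 mail2 postfix/qmgr[21151]: 1A2B3C4D5E: from=<someone@my.domain.tld>, size=1200, nrcpt=1 (queue active)
Mar 10 07:02:05 mail2 postfix/smtp[28004]: 1A2B3C4D5E: to=<victim@example.org>, relay=mail.example.org[198.51.100.9], delay=4, status=sent (250 ok)
Mar 10 07:10:00 mail2 postfix/smtpd[28010]: 9F8E7D6C5B: client=lan-host[192.168.1.5]
Mar 10 07:10:01 mail2 postfix/qmgr[21151]: 9F8E7D6C5B: from=<user@my.domain.tld>, size=900, nrcpt=1 (queue active)
Mar 10 07:10:03 mail2 postfix/smtp[28012]: 9F8E7D6C5B: to=<friend@example.org>, relay=mail.example.org[198.51.100.9], delay=2, status=sent (250 ok)
"""

# smtpd: which client handed us the message (absent for locally generated bounces)
CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]"
)
# qmgr: envelope sender; an empty <> marks a bounce / delivery status notification
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")
# smtp: outbound delivery attempt and its status
TO_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>, "
    r"relay=(?P<relay>[^,]+), delay=[^,]+, status=(?P<status>\w+)"
)


def parse_log(text):
    """Group the three relevant line types by queue ID."""
    msgs = defaultdict(lambda: {"client_ip": None, "sender": None, "recipients": []})
    for line in text.splitlines():
        if m := CLIENT_RE.search(line):
            msgs[m["qid"]]["client_ip"] = m["ip"]
        elif m := FROM_RE.search(line):
            msgs[m["qid"]]["sender"] = m["sender"]
        elif m := TO_RE.search(line):
            msgs[m["qid"]]["recipients"].append((m["rcpt"], m["status"]))
    return dict(msgs)


def classify(msg, relay_domains, mynetworks):
    """Label one queued message by how it was accepted, not by where it went."""
    if msg["sender"] == "":
        return "bounce"  # from=<>: generated by the server itself (backscatter risk)
    if msg["client_ip"] is not None:
        ip = ipaddress.ip_address(msg["client_ip"])
        if any(ip in net for net in mynetworks):
            return "local-submission"  # permit_mynetworks would allow this
    rcpt_domains = {rcpt.rsplit("@", 1)[1].lower() for rcpt, _ in msg["recipients"]}
    if rcpt_domains and rcpt_domains <= relay_domains:
        return "relay-domain"  # backup-MX traffic for a domain we relay for
    return "UNAUTHORIZED-RELAY"  # accepted from outside, for a domain we do not serve


def find_suspicious(text, relay_domains, mynetworks):
    """Return {queue_id: label} for every message that actually entered the queue."""
    nets = [ipaddress.ip_network(n) for n in mynetworks]
    domains = {d.lower() for d in relay_domains}
    verdicts = {}
    for qid, msg in parse_log(text).items():
        if msg["sender"] is None and not msg["recipients"]:
            continue  # only a client line seen; nothing was queued
        verdicts[qid] = classify(msg, domains, nets)
    return verdicts


if __name__ == "__main__":
    for qid, verdict in find_suspicious(
        SAMPLE_LOG, ["my.domain.tld"], ["192.168.0.0/16", "127.0.0.0/8"]
    ).items():
        print(qid, verdict)
```

On the sample log only `1A2B3C4D5E` is flagged: an outside client claiming a local sender and delivering to a third-party domain, which is exactly what the second reply warns about. `E1B5A57ED7` is the same pattern the original poster saw (`status=sent` to a foreign domain) but is a bounce of a message that was accepted for the relay domain and then refused downstream. Reducing that backscatter at a backup MX is a matter of rejecting unknown recipients at `RCPT TO` time rather than accepting and bouncing later, for example by giving Postfix a `relay_recipient_maps` table of valid addresses for the relayed domain.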
