Posting the whole log would be huge; it is currently at 15MB. However, here is the first instance of the SPAM being sent through one of the accounts:
Aug 23 10:01:08 postfix/smtpd[24759]: connect from <MY-SERVERNAME-HERE>
Aug 23 10:01:08 postfix/smtpd[24759]: 228E038CC4DF: client=<MY-SERVERNAME-HERE>
Aug 23 10:01:09 postfix/cleanup[29784]: 228E038CC4DF: message-id=<9660788.17891187881267810.JavaMail.root@<MY-SERVERNAME-HERE>>
Aug 23 10:01:09 postfix/qmgr[27904]: 228E038CC4DF: from=<USERNAME-HERE>, size=4108, nrcpt=503 (queue active)
Aug 23 10:01:09 postfix/smtpd[24759]: disconnect from <MY-SERVERNAME-HERE>
Aug 23 10:01:11 postfix/smtpd[29788]: connect from localhost.localdomain[127.0.0.1]
Aug 23 10:01:12 postfix/smtpd[29788]: 2822638CC4EB: client=localhost.localdomain[127.0.0.1]
Aug 23 10:01:12 postfix/smtpd[30658]: connect from localhost.localdomain[127.0.0.1]
Aug 23 10:01:12 postfix/cleanup[29784]: 2822638CC4EB: message-id=<9660788.17891187881267810.JavaMail.root@<MY-SERVERNAME-HERE>>
Aug 23 10:01:13 postfix/qmgr[27904]: 2822638CC4EB: from=<USERNAME-HERE>, size=4747, nrcpt=50 (queue active)
Aug 23 10:01:13 postfix/smtpd[29788]: disconnect from localhost.localdomain[127.0.0.1]
I replaced my actual server name with "MY-SERVERNAME-HERE" and the user's account with "USERNAME-HERE".
I will check the audit.log and post what I find there too.
Let me know if there is more of the zimbra.log you would like to see.
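
For a log too large to post, one way to pull out entries like the nrcpt=503 one in the excerpt above is to correlate the Postfix lines by queue ID and rank them by recipient count. This is an added example, not part of the original post; the sample host, IP address and senders are constructed, and the threshold of 100 is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the excerpt's format; host, IP address and senders are made up.
SAMPLE_LOG = """\
Aug 23 10:01:08 postfix/smtpd[24759]: 228E038CC4DF: client=mail.example.test[192.0.2.10]
Aug 23 10:01:09 postfix/cleanup[29784]: 228E038CC4DF: message-id=<9660788.1@mail.example.test>
Aug 23 10:01:09 postfix/qmgr[27904]: 228E038CC4DF: from=<user@example.test>, size=4108, nrcpt=503 (queue active)
Aug 23 10:01:12 postfix/smtpd[29788]: 2822638CC4EB: client=localhost.localdomain[127.0.0.1]
Aug 23 10:01:12 postfix/cleanup[29784]: 2822638CC4EB: message-id=<9660788.1@mail.example.test>
Aug 23 10:01:13 postfix/qmgr[27904]: 2822638CC4EB: from=<user@example.test>, size=4747, nrcpt=50 (queue active)
Aug 23 10:05:41 postfix/smtpd[29790]: 3A11B38CC4F0: client=mail.example.test[192.0.2.10]
Aug 23 10:05:41 postfix/qmgr[27904]: 3A11B38CC4F0: from=<other@example.test>, size=2100, nrcpt=2 (queue active)
"""

# An optional hostname column is tolerated; connect/disconnect lines (no queue ID) are skipped.
LINE = re.compile(r"^\w{3} +\d+ [\d:]+ (?:\S+ )?postfix/\w+\[\d+\]: ([0-9A-F]{6,}): (.*)$")
FIELDS = {"client": re.compile(r"^client=(\S+)"), "message_id": re.compile(r"^message-id=(\S+)"),
          "sender": re.compile(r"^from=<([^>]*)>"), "nrcpt": re.compile(r"\bnrcpt=(\d+)")}

def parse_queue(log_text):
    """Correlate smtpd, cleanup and qmgr lines by Postfix queue ID."""
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            for key, pat in FIELDS.items():
                found = pat.search(m.group(2))
                if found:
                    msgs[m.group(1)][key] = found.group(1)
    return dict(msgs)

def bulk_messages(msgs, threshold=100):
    """(queue ID, sender, nrcpt, client) for entries at or above threshold, largest first."""
    hits = [(q, r.get("sender"), int(r["nrcpt"]), r.get("client"))
            for q, r in msgs.items() if int(r.get("nrcpt", 0)) >= threshold]
    return sorted(hits, key=lambda h: -h[2])

def recipients_per_sender(msgs):
    """Recipients per sender, counting each message-id once (largest nrcpt wins)."""
    per_mid = {}
    for q, r in msgs.items():
        if "sender" in r and "nrcpt" in r:
            key = (r["sender"], r.get("message_id", q))
            per_mid[key] = max(per_mid.get(key, 0), int(r["nrcpt"]))
    totals = defaultdict(int)
    for (sender, _), n in per_mid.items():
        totals[sender] += n
    return dict(totals)
```

Reading the real file into `parse_queue()` and printing `bulk_messages()` gives a short list of queue IDs and submitting clients to look up in the full log.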