I found a couple of questionable entries in the audit log. Specifically, connections showing the user agent as Opera for a user who I KNOW does not use Opera. However, as stated, I had this user change their password, then I locked their account, and I have restarted Zimbra via zmcontrol stop - zmcontrol start; and the occurrences of
Aug 23 10:23:39 postfix/smtpd[8466]: 79AFA38CC510: client=localhost.localdomain[127.0.0.1]
Aug 23 10:23:40 postfix/cleanup[8467]: 79AFA38CC510: message-id=<14619962.18031187882614894.JavaMail.root@server.domain.net>
Aug 23 10:23:41 postfix/qmgr[27904]: 79AFA38CC510: from=<user@domain.net>, size=2604, nrcpt=50 (queue active)
Aug 23 10:23:41 amavis[30718]: (30718-04) ...user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>, BODY=8BITMIME 250 2.6.0 Ok, id=30718-04, from MTA([127.0.0.1]:10025): 250 Ok: queued as 79AFA38CC510
Aug 23 10:23:42 amavis[30718]: (30718-04) ...<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>,<user@domain.com>, Message-ID: <14619962.18031187882614894.JavaMail.root@server.domain.net>, mail_id: oK5FMW07jrVP, Hits: -3.252, queued_as: 79AFA38CC510, 5452 ms
Aug 23 10:23:41 postfix/smtp[8523]: 79AFA38CC510: to=<user@domain.com>, relay=mx.mailanyone.net[208.70.128.223], delay=2, status=sent (250 OK id=1IOEbo-0000SM-6B)
Aug 23 10:23:42 postfix/smtp[8517]: 79AFA38CC510: to=<user@domain.com>, relay=mail.xecu.net[216.127.136.211], delay=3, status=sent (250 2.0.0 Ok: queued as 8EA4576A5F3)
.
.
.
..more...
keep happening; even with a locked account - AND I have changed the Postfix policy to limit recipients to 49.
Last edited by msf004 : 08-23-2007 at 11:31 PM.
Reason: hide email addresses
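
Added example (not from the original post): one way to triage a mail log like the excerpt above is to join the Postfix cleanup and qmgr lines on the queue ID and total, per envelope sender, the messages that carry a JavaMail Message-ID and at least 50 recipients. The log lines are constructed in the format shown in the post, and treating a JavaMail Message-ID as a marker of mail generated by the server's own Java mail stack is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the format shown in the post; all values are placeholders.
SAMPLE_LOG = """\
Aug 23 10:23:40 postfix/cleanup[8467]: 79AFA38CC510: message-id=<111.222.JavaMail.root@server.domain.net>
Aug 23 10:23:41 postfix/qmgr[27904]: 79AFA38CC510: from=<user@domain.net>, size=2604, nrcpt=50 (queue active)
Aug 23 10:23:45 postfix/qmgr[27904]: 79AFA38CC510: removed
Aug 23 10:24:40 postfix/cleanup[8467]: 8BB0B49DD621: message-id=<333.444.JavaMail.root@server.domain.net>
Aug 23 10:24:41 postfix/qmgr[27904]: 8BB0B49DD621: from=<user@domain.net>, size=2610, nrcpt=50 (queue active)
Aug 23 10:25:00 postfix/cleanup[8467]: 9CC1C5AEE732: message-id=<555.666.JavaMail.root@server.domain.net>
Aug 23 10:25:01 postfix/qmgr[27904]: 9CC1C5AEE732: from=<other@domain.net>, size=900, nrcpt=2 (queue active)
Aug 23 10:26:00 postfix/cleanup[8467]: ADD2D6BFF843: message-id=<list-777@lists.example.org>
Aug 23 10:26:01 postfix/qmgr[27904]: ADD2D6BFF843: from=<bounce@lists.example.org>, size=4000, nrcpt=60 (queue active)
"""

LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]+): (.*)$")
MSGID = re.compile(r"message-id=<([^>]*)>")
QMGR = re.compile(r"from=<([^>]*)>, size=\d+, nrcpt=(\d+)")

def bulk_senders(log_text, min_rcpt=50):
    """Per envelope sender, total the messages with a JavaMail Message-ID
    and at least `min_rcpt` recipients (each queue ID counted once)."""
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # amavis and other non-Postfix lines
        daemon, qid, rest = m.groups()
        if daemon == "cleanup" and (mid := MSGID.search(rest)):
            msgs[qid]["javamail"] = "JavaMail" in mid.group(1)  # assumption, see lead-in
        elif daemon == "qmgr" and (q := QMGR.search(rest)):
            # qmgr repeats this line on each retry; overwrite so a queue ID counts once
            msgs[qid].update(sender=q.group(1), nrcpt=int(q.group(2)))
    report = defaultdict(lambda: {"messages": 0, "recipients": 0, "queue_ids": []})
    for qid, info in msgs.items():
        if info.get("javamail") and info.get("nrcpt", 0) >= min_rcpt:
            entry = report[info["sender"]]
            entry["messages"] += 1
            entry["recipients"] += info["nrcpt"]
            entry["queue_ids"].append(qid)
    return dict(report)

if __name__ == "__main__":
    for sender, entry in bulk_senders(SAMPLE_LOG).items():
        print(sender, entry)
```

The queue IDs it returns can be matched against the mailbox server's audit log by timestamp to see which session submitted each message.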