DevHeads.net

Limiting mail relay

All,

I am trying to understand how I am acting as a mail relay for what I believe
are unauthorized users. I have the following postfix config set -

smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authentication,
reject_unauth_destination

mynetworks_style = subnet

However, an account seems to be used as a relay. The user is complaining
about seeing tons of MAIL REJECT messages. The logs are showing -

Oct 5 00:00:02 ns postfix/smtpd[65859]: BB829A32C24: client=unknown[37.114.181.42], sasl_method=LOGIN, sasl_username=tracy
Oct 5 00:00:03 ns postfix/cleanup[65877]: BB829A32C24: message-id=<2C64D5D9-682C-4FE8-E0D9- ... at mahan dot org>
Oct 5 00:00:03 ns postfix/qmgr[1159]: BB829A32C24: from=< ... at mahan dot org>, size=772, nrcpt=1 (queue active)
Oct 5 00:00:04 ns postfix/smtpd[65859]: 56778A32C28: client=unknown[37.114.181.42], sasl_method=LOGIN, sasl_username=tracy
Oct 5 00:00:04 ns postfix/smtp[65958]: BB829A32C24: to=< ... at rot dot com.au>, relay=in.hes.trendmicro.com[54.219.191.21]:25, delay=1.9, delays=1/0/0.54/0.33, dsn=5.7.1, status=bounced (host in.hes.trendmicro.com[54.219.191.21] said: 550 5.7.1 < ... at rot dot com.au>: Recipient address rejected: ERS-RBL. (in reply to RCPT TO command))
Oct 5 00:00:04 ns postfix/cleanup[65994]: A949BA32C39: message-id=<20191005070004. ... at ns dot mahan.org>
Oct 5 00:00:04 ns postfix/bounce[65883]: BB829A32C24: sender non-delivery notification: A949BA32C39
Oct 5 00:00:04 ns postfix/qmgr[1159]: A949BA32C39: from=<>, size=2793, nrcpt=1 (queue active)
Oct 5 00:00:04 ns postfix/qmgr[1159]: BB829A32C24: removed

And in the mail queue I am seeing messages like the following -

-Queue ID-  --Size--  ----Arrival Time----  -Sender/Recipient-------
E21FBA2E08E*    4104  Sat Oct 5 23:01:33   kevin. ... at mahan dot org
                                            ... at tparinger dot co.uk

07DA9A2E084     2581  Sat Oct 5 22:09:16   ... at mahan dot org
(host mx.tiscali.co.uk[62.24.139.42] refused to talk to me: 554 cm9gb1
mx.talktalk.net GzNGiJaFdim2n IP Blacklisted (TT104)
http://csi.cloudmark.com/reset-request/?ip=23.24.207.145)
                                            ... at tiscali dot co.uk

0633AA2E117     1942  Sat Oct 5 22:51:06   ... at mahan dot org
(host mxa-00002a01.gslb.pphosted.com[208.84.65.123] refused to talk to me:
554 Blocked - see https://ipcheck.proofpoint.com/?ip=23.24.207.145)
                                            uk. ... at westernunion dot co.uk

07483A2E094     1319  Sat Oct 5 22:31:58   ... at mahan dot org
(host newsmtp1.sabah.com.tr[194.36.160.8] refused to talk to me: 554
Blocked - see https://support.proofpoint.com/dnsbl-lookup.cgi?ip=23.24.207.145)
                                            idil. ... at sabah dot com.tr

0D34CA2E093      776  Sat Oct 5 22:15:26   ... at mahan dot org
(lost connection with mx201.skynet.be[195.238.20.25] while receiving the
initial server greeting)
                                            ... at skynet dot be

None of those usernames at mahan.org exists.

It looks like I am being used as a spam relay, but I thought I had closed
that hole.

Pointers? Documentation? I have obviously misconfigured it.

My environment is FreeBSD 11.2-RELEASE-p7 amd64. Postfix 3.3.2.

Thanks,

Patrick Mahan
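A useful first check when a box shows up on blocklists like this is to confirm from the log whether the submissions are coming through an authenticated SASL account rather than through an open relay, and from how many client addresses each account is logging in. The script below is an added example and is not part of the original post or of Patrick's setup. It joins the `postfix/smtpd ... client=...sasl_username=...` line with the `postfix/smtp ... status=...` line for the same queue ID and reports, per SASL user, the message count, the distinct client IPs and the number of bounces. The log lines it parses are constructed to resemble the ones in the post (the recipient domains and most IPs are documentation addresses, not real traffic); the `summarize` function, its thresholds and the flagging rule are my own choices, not anything Postfix provides.

```python
"""Per-account view of Postfix SASL submissions from mail.log lines.

Added example, not from the original post. The sample log below is
constructed to look like the post's lines; only 37.114.181.42 and the
queue IDs are taken from the post, everything else is made up.
"""
import re
from collections import defaultdict

# smtpd logs the client and, for authenticated sessions, the SASL user.
SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<host>\S+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+))?"
)
# smtp (the delivery agent) logs the outcome for each recipient.
SMTP_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>.*status=(?P<status>\w+)"
)

# Constructed sample: account 'tracy' submits from two unrelated addresses
# and most of its mail bounces; 'kevin' submits once from the LAN; the last
# line is an unauthenticated inbound connection with no delivery yet.
SAMPLE_LOG = """\
Oct 5 00:00:02 ns postfix/smtpd[65859]: BB829A32C24: client=unknown[37.114.181.42], sasl_method=LOGIN, sasl_username=tracy
Oct 5 00:00:04 ns postfix/smtp[65958]: BB829A32C24: to=<someone@example.com.au>, relay=mx.example.com.au[198.51.100.7]:25, delay=1.9, delays=1/0/0.54/0.33, dsn=5.7.1, status=bounced (host mx.example.com.au[198.51.100.7] said: 550 5.7.1 Recipient address rejected (in reply to RCPT TO command))
Oct 5 00:00:04 ns postfix/smtpd[65859]: 56778A32C28: client=unknown[37.114.181.42], sasl_method=LOGIN, sasl_username=tracy
Oct 5 00:00:06 ns postfix/smtp[65958]: 56778A32C28: to=<other@example.co.uk>, relay=mx.example.co.uk[203.0.113.9]:25, delay=2.0, delays=1/0/0.6/0.4, dsn=5.7.1, status=bounced (host mx.example.co.uk[203.0.113.9] said: 554 IP Blacklisted)
Oct 5 00:01:10 ns postfix/smtpd[65860]: 7A1C2A32C30: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=tracy
Oct 5 00:01:12 ns postfix/smtp[65959]: 7A1C2A32C30: to=<third@example.be>, relay=mx.example.be[192.0.2.44]:25, delay=1.5, delays=0.8/0/0.4/0.3, dsn=2.0.0, status=sent (250 OK)
Oct 5 00:02:00 ns postfix/smtpd[65861]: 9C3D4A32C31: client=laptop.lan[192.168.1.20], sasl_method=LOGIN, sasl_username=kevin
Oct 5 00:02:01 ns postfix/smtp[65960]: 9C3D4A32C31: to=<friend@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=1.0, delays=0.5/0/0.3/0.2, dsn=2.0.0, status=sent (250 OK)
Oct 5 00:02:30 ns postfix/smtpd[65862]: 1E5F6A32C32: client=mail.partner.example[203.0.113.50]
"""

UNAUTH = "<unauthenticated>"


def summarize(log_text, max_ips=1, max_bounce_ratio=0.5):
    """Return (summary, flagged).

    summary maps each SASL user (or UNAUTH) to message count, sorted list of
    distinct client IPs and bounce count. flagged lists authenticated users
    seen from more than max_ips addresses or with a bounce ratio above
    max_bounce_ratio; both thresholds are arbitrary starting points.
    """
    owner = {}  # queue ID -> SASL user, so delivery lines can be attributed
    stats = defaultdict(lambda: {"messages": 0, "ips": set(), "bounced": 0})
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            user = m.group("user") or UNAUTH
            owner[m.group("qid")] = user
            stats[user]["messages"] += 1
            stats[user]["ips"].add(m.group("ip"))
            continue
        m = SMTP_RE.search(line)
        if m and m.group("qid") in owner and m.group("status") == "bounced":
            stats[owner[m.group("qid")]]["bounced"] += 1

    summary = {
        user: {"messages": s["messages"], "ips": sorted(s["ips"]), "bounced": s["bounced"]}
        for user, s in stats.items()
    }
    flagged = sorted(
        user for user, s in summary.items()
        if user != UNAUTH
        and (len(s["ips"]) > max_ips or s["bounced"] / s["messages"] > max_bounce_ratio)
    )
    return summary, flagged


if __name__ == "__main__":
    summary, flagged = summarize(SAMPLE_LOG)
    for user, s in summary.items():
        print(f"{user}: {s['messages']} msgs, {s['bounced']} bounced, ips={s['ips']}")
    print("flagged:", flagged)
```

On a real server the same thing can be done with `grep sasl_username /var/log/maillog | awk` piped into `sort | uniq -c`, but joining on the queue ID is what lets you tie the bounces to the account that submitted the mail. If an account is the source, the relevant Postfix controls are on the submission side rather than in `smtpd_relay_restrictions`: `permit_sasl_authenticated` is the restriction name that admits authenticated clients, `smtpd_sender_login_maps` together with `reject_sender_login_mismatch` confines each SASL login to its own envelope sender addresses, and `smtpd_client_message_rate_limit` caps how many messages one client may submit per time unit.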