Hello all,

Today I've seen in /var/log/zimbra.log that our Zimbra server is sending a lot of emails out using many accounts that don't exist on the server. Here you have an example of the log for the account lana_cantu@mydomain.com, which doesn't exist on my server:

May 2 19:18:13 server amavis[27993]: (27993-10) FWD via SMTP: <lana_cantu@mydomain.com> -> <travish3006@yahoo.com>,BODY=7BIT 250 2.0.0 Ok, id=27993-10, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as B6D8A1688324
May 2 19:18:13 server postfix/error[29088]: B6D8A1688324: to=<travish3006@yahoo.com>, relay=none, delay=0.01, delays=0/0/0/0, dsn=4.7.1, status=deferred (delivery temporarily suspended: host mta5.am0.yahoodns.net[98.136.217.203] refused to talk to me: 421 4.7.1 [TS03] All messages from 82.98.151.39 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html)
May 2 19:18:13 server amavis[27993]: (27993-10) Passed CLEAN, [127.0.0.1] [127.0.0.1] <lana_cantu@mydomain.com> -> <travish3006@yahoo.com>, Message-ID: <201305021718.r42HIDR1001752@server.mydomain.com>, mail_id: SQ3PXC9+id3m, Hits: -, size: 977, queued_as: B6D8A1688324, 70 ms
May 2 19:18:13 server postfix/smtp[1750]: 9CFB71688315: to=<travish3006@yahoo.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.12, delays=0.05/0/0/0.07, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=27993-10, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as B6D8A1688324)
May 2 19:18:13 server postfix/qmgr[23022]: 9CFB71688315: removed
May 2 19:18:14 server postfix/smtp[24274]: AA24D1688322: to=<travisgulley@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.67.27]:25, delay=3.3, delays=0.01/0/0.28/3, dsn=5.1.1, status=bounced (host gmail-smtp-in.l.google.com[173.194.67.27] said: 550-5.1.1 The email account that you tried to reach does not exist. Please try 550-5.1.1 double-checking the recipient's email address for typos or 550-5.1.1 unnecessary spaces. Learn more at 550 5.1.1 http://support.google.com/mail/bin/a...py?answer=6596 r5si847676wij.23 - gsmtp (in reply to RCPT TO command))
May 2 19:18:14 server postfix/cleanup[589]: 0D3411688325: message-id=<20130502171814.0D3411688325@server.mydomain.com>
May 2 19:18:14 server postfix/qmgr[23022]: 0D3411688325: from=<>, size=3979, nrcpt=1 (queue active)
May 2 19:18:14 server postfix/bounce[32259]: AA24D1688322: sender non-delivery notification: 0D3411688325
May 2 19:18:14 server postfix/qmgr[23022]: AA24D1688322: removed
May 2 19:18:14 server postfix/error[24068]: 0D3411688325: to=<lana_cantu@mydomain.com>, relay=none, delay=0.01, delays=0.01/0/0/0, dsn=5.0.0, status=bounced (mydomain.com)
May 2 19:18:14 server postfix/qmgr[23022]: 0D3411688325: removed
May 2 19:18:14 server postfix/smtp[23894]: 358FB1688320: to=<travish2008@hotmail.com>, relay=mx3.hotmail.com[65.55.92.152]:25, delay=1.3, delays=0/0/0.57/0.68, dsn=2.0.0, status=sent (250 <201305021718.r42HICUx001749@server.mydomain.com> Queued mail for delivery)
May 2 19:18:14 server postfix/qmgr[23022]: 358FB1688320: removed
May 2 19:18:17 server clamd[1697]: SelfCheck: Database status OK.
May 2 19:18:19 server sendmail[32258]: r42HH4M1032258: from=maggie_padilla@mydomain.com, size=404, class=0, nrcpts=1, msgid=<201305021717.r42HH4M1032258@server.mydomain.com>, relay=www-data@localhost
May 2 19:18:19 server sendmail[32258]: r42HH4M1032258: to=tamilanda13@gmaill.com, delay=00:01:15, mailer=esmtp, pri=30404, dsn=4.4.3, stat=queued
May 2 19:18:28 server sendmail[1759]: r42HIS63001759: Authentication-Warning: server.mydomain.com: www-data set sender to lana_cantu@mydomain.com using -f
May 2 19:18:28 server sendmail[1759]: r42HIS63001759: from=lana_cantu@mydomain.com, size=401, class=0, nrcpts=1, msgid=<201305021718.r42HIS63001759@server.mydomain.com>, relay=www-data@localhost
May 2 19:18:28 server postfix/smtpd[23798]: connect from localhost.localdomain[127.0.0.1]
May 2 19:18:28 server postfix/smtpd[23798]: setting up TLS connection from localhost.localdomain[127.0.0.1]
May 2 19:18:28 server postfix/smtpd[23798]: Anonymous TLS connection established from localhost.localdomain[127.0.0.1]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
May 2 19:18:28 server sendmail[1759]: STARTTLS=client, relay=[127.0.0.1], version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
May 2 19:18:28 server postfix/smtpd[23798]: E400F1688315: client=localhost.localdomain[127.0.0.1]
May 2 19:18:28 server postfix/cleanup[589]: E400F1688315: message-id=<201305021718.r42HIS63001759@server.mydomain.com>
May 2 19:18:28 server postfix/qmgr[23022]: E400F1688315: from=<lana_cantu@mydomain.com>, size=963, nrcpt=1 (queue active)
May 2 19:18:28 server sendmail[1759]: r42HIS63001759: to=1doodoo26tx@hotmail.com, ctladdr=lana_cantu@mydomain.com (502/48), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30401, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (Ok: queued as E400F1688315)
May 2 19:18:28 server amavis[22015]: (22015-12) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20130502T190859-22015: <lana_cantu@mydomain.com> -> <1doodoo26tx@hotmail.com> SIZE=963 BODY=8BITMIME Received: from server.mydomain.com ([127.0.0.1]) by localhost (server.mydomain.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <1doodoo26tx@hotmail.com>; Thu, 2 May 2013 19:18:28 +0200 (CEST)
May 2 19:18:28 server postfix/smtpd[23798]: disconnect from localhost.localdomain[127.0.0.1]
May 2 19:18:29 server amavis[22015]: (22015-12) Checking: BHSai9fpAH0e [127.0.0.1] <lana_cantu@mydomain.com> -> <1doodoo26tx@hotmail.com>
May 2 19:18:29 server amavis[22015]: (22015-12) Open relay? Nonlocal recips but not originating: 1doodoo26tx@hotmail.com

Where the address lana_cantu@mydomain.com is not really on my server. Now the server is in the Yahoo and Hotmail blacklists and all the emails are marked as spam.

All the things I've done today trying to solve the problem are:

1.- Check if the server is an open relay with some internet tester, and it's not.
2.- Verify that it is configured with the right networks, following the link ZimbraMtaMyNetworks - Zimbra :: Wiki. And it's OK:
[zimbra@server ~]$ zmprov getServer server.mydomain.com | grep zimbraMtaMyNetworks
zimbraMtaMyNetworks: 127.0.0.0/8 82.98.15X.XX/32
--> but the problem is that the email server is sending mails out from 127.0.0.1 ....
3.- Check the right auth system:
$ zmprov getServer server.mydomain.com | grep -i auth
zimbraMtaAuthEnabled: TRUE
zimbraMtaAuthHost: server.mydomain.com
zimbraMtaAuthTarget: TRUE
zimbraMtaAuthURL: http://server.mydomain.com:80/service/soap/
zimbraMtaSaslAuthEnable: yes
zimbraMtaTlsAuthOnly: TRUE

What more could I do?? It's a huge problem for my company because the mail server is banned by Yahoo and Hotmail.

Please, any help would be really appreciated.

Regards,
Miguel A.Velasco
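Added example, not part of the original post: a small Python script that scans sendmail/amavis lines like the ones quoted above for the two tell-tale signs of mail being injected by a local process rather than an authenticated mailbox: the `Authentication-Warning: ... www-data set sender to ... using -f` entry (the web server user setting an arbitrary envelope sender), and `from=` entries whose address is not a real account on the server. The sample log lines and the KNOWN_ACCOUNTS set are constructed for the example; a real run would feed it /var/log/zimbra.log and the output of `zmprov -l gaa`.

```python
import re
from collections import Counter

# Constructed sample, modelled on the sendmail/amavis entries in the post above.
SAMPLE_LOG = """\
May 2 19:18:19 server sendmail[32258]: r42HH4M1032258: from=maggie_padilla@mydomain.com, size=404, class=0, nrcpts=1, msgid=<201305021717.r42HH4M1032258@server.mydomain.com>, relay=www-data@localhost
May 2 19:18:28 server sendmail[1759]: r42HIS63001759: Authentication-Warning: server.mydomain.com: www-data set sender to lana_cantu@mydomain.com using -f
May 2 19:18:28 server sendmail[1759]: r42HIS63001759: from=lana_cantu@mydomain.com, size=401, class=0, nrcpts=1, msgid=<201305021718.r42HIS63001759@server.mydomain.com>, relay=www-data@localhost
May 2 19:18:29 server amavis[22015]: (22015-12) Open relay? Nonlocal recips but not originating: 1doodoo26tx@hotmail.com
May 2 19:18:31 server sendmail[1801]: r42HIV00001801: from=lana_cantu@mydomain.com, size=401, class=0, nrcpts=1, msgid=<x@server.mydomain.com>, relay=www-data@localhost
May 2 19:19:02 server sendmail[1820]: r42HJ02x001820: from=alice@mydomain.com, size=1200, class=0, nrcpts=1, msgid=<y@server.mydomain.com>, relay=alice@localhost
"""

# Hypothetical set of mailboxes that really exist on the server (constructed).
KNOWN_ACCOUNTS = {"alice@mydomain.com"}

# sendmail logs this when a local user overrides the envelope sender with -f.
FORGED_RE = re.compile(r"Authentication-Warning: \S+: (\S+) set sender to (\S+) using -f")
# Local submission: from=<sender> ... relay=<unix user>@localhost
FROM_RE = re.compile(r"sendmail\[\d+\]: \S+: from=(\S+), .*relay=(\S+)@localhost")


def analyse(log_text, known_accounts):
    """Return (forged, by_user, unknown):
    forged   - list of (unix user, sender it set with -f)
    by_user  - Counter of local submissions per unix user
    unknown  - Counter of submissions per sender address that is not a real mailbox
    """
    forged = []
    by_user = Counter()
    unknown = Counter()
    for line in log_text.splitlines():
        m = FORGED_RE.search(line)
        if m:
            forged.append((m.group(1), m.group(2)))
            continue
        m = FROM_RE.search(line)
        if m:
            sender, user = m.group(1), m.group(2)
            by_user[user] += 1
            if sender.lower() not in known_accounts:
                unknown[sender] += 1
    return forged, by_user, unknown


def suspicious_users(log_text, known_accounts):
    """Unix users that injected mail from at least one address that is not a real mailbox."""
    forged, _, _ = analyse(log_text, known_accounts)
    users = {user for user, sender in forged if sender.lower() not in known_accounts}
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m and m.group(1).lower() not in known_accounts:
            users.add(m.group(2))
    return sorted(users)


if __name__ == "__main__":
    forged, by_user, unknown = analyse(SAMPLE_LOG, KNOWN_ACCOUNTS)
    print("forged senders:", forged)
    print("submissions per local user:", dict(by_user))
    print("non-existent senders:", dict(unknown))
    print("suspicious local users:", suspicious_users(SAMPLE_LOG, KNOWN_ACCOUNTS))
```

A local user such as www-data showing up here points at the web application layer (a script or form on the box calling sendmail) rather than at SMTP relay or auth settings, which is why the open-relay and zimbraMtaMyNetworks checks came back clean.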