Hi,

I am facing an issue on our mail server whereby users can log in to their inbox, but no new mails are coming to their inbox.

When I decided to look at the logs, I saw that the Zimbra admin account (admin@domain.com) seems to be compromised by spam. I see a weird mail (fgagfjatd@mail.com) sending mails to admin@domain.com.

Now how can I get rid of this problem?

There are total of 450 mailboxes.

Queue is about 64,835

This is how the server is configured so far.

Zimbra Version
Code:
Release 8.0.2.GA.5569.UBUNTU10.64 UBUNTU10_64 NETWORK edition.

Zimbra is set up to accept TLS authentication only:
Enable authentication=TRUE
TLS authentication only=TRUE

MTA Trusted Networks
Code:
127.0.0.0/8 192.168.0.5/32

zimbraMtaRestriction
Code:
zimbraMtaRestriction: reject_invalid_hostname
zimbraMtaRestriction: reject_non_fqdn_hostname
zimbraMtaRestriction: reject_non_fqdn_sender
zimbraMtaRestriction: reject_rbl_client reject_rbl_client dnsbl.njabl.org
zimbraMtaRestriction: reject_rbl_client reject_rbl_client cbl.abuseat.org
zimbraMtaRestriction: reject_rbl_client reject_rbl_client bl.spamcop.ne
zimbraMtaRestriction: reject_rbl_client reject_rbl_client dnsbl.sorbs.net
zimbraMtaRestriction: reject_rbl_client reject_rbl_client sbl.spamhaus.org
zimbraMtaRestriction: reject_rbl_client reject_rbl_client relays.mail-abuse.org

Now this is what I see in /var/log/zimbra.log:
Code:
Oct 10 12:55:08 mail postfix/smtpd[3982]: A632425E869A: client=localhost.localdomain[127.0.0.1]
Oct 10 12:55:08 mail postfix/cleanup[13466]: A632425E869A: message-id=<C524e193400fb@MSD-MARSHAL.msd.com>
Oct 10 12:55:08 mail amavis[29589]: (29589-01-34) FWD from <> -> <fgagfjatd@mail.com>,BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as A632425E869A
Oct 10 12:55:08 mail postfix/smtpd[3982]: B2FDA25E8707: client=localhost.localdomain[127.0.0.1]
Oct 10 12:55:08 mail postfix/cleanup[13573]: B2FDA25E8707: message-id=<C524e193400fb@MSD-MARSHAL.msd.com>
Oct 10 12:55:08 mail amavis[29589]: (29589-01-34) FWD from <> -> <admin@msd.com>,BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as B2FDA25E8707
Oct 10 12:55:08 mail amavis[29589]: (29589-01-34) Passed CLEAN {RelayedInbound,RelayedOpenRelay}, [192.168.0.6]:44991 [192.168.0.6] <> -> <fgagfjatd@mail.com>,<admin@msd.com>, Queue-ID: 0DC2F255E033, Message-ID: <C524e193400fb@MSD-MARSHAL.msd.com>, mail_id: qNbd6YHVX3rb, Hits: 4.227, size: 1899, queued_as: A632425E869A/B2FDA25E8707, 5143 ms
Oct 10 12:55:08 mail postfix/smtp[9988]: 0DC2F255E033: to=<fgagfjatd@mail.com>, orig_to=<admin@msd.com>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=34, delay=13212, delays=5586/7620/0.01/5.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as A632425E869A)
Oct 10 12:55:08 mail postfix/smtp[9988]: 0DC2F255E033: to=<admin@msd.com>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=34, delay=13212, delays=5586/7620/0.01/5.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as A632425E869A)
Oct 10 12:55:08 mail postfix/qmgr[3385]: 0DC2F255E033: removed

And from mail.log:
Code:
Oct 10 10:04:56 mail postfix/smtpd[5800]: D77B526096F1: filter: RCPT from unknown[192.168.0.6]: <>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<> to=<hmaruzuku@msd.com> proto=SMTP helo=<MSD-MARSHAL.msd.com>
Oct 10 10:04:56 mail postfix/smtpd[5800]: D77B526096F1: filter: RCPT from unknown[192.168.0.6]: <>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<> to=<hmaruzuku@msd.com> proto=SMTP helo=<MSD-MARSHAL.msd.com>
Oct 10 10:04:56 mail postfix/smtpd[5800]: D77B526096F1: filter: RCPT from unknown[192.168.0.6]: <>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<> to=<hmchunga@msd.com> proto=SMTP helo=<MSD-MARSHAL.msd.com>
Oct 10 10:04:56 mail postfix/smtpd[5800]: D77B526096F1: filter: RCPT from unknown[192.168.0.6]: <>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<> to=<hmchunga@msd.com> proto=SMTP helo=<MSD-MARSHAL.msd.com>
Oct 10 10:04:56 mail postfix/smtpd[5809]: NOQUEUE: filter: RCPT from unknown[192.168.0.6]: <>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<> to=<root@msd.com> proto=SMTP helo=<MSD-MARSHAL.msd.com>
Oct 10 10:04:56 mail postfix/smtpd[5809]: NOQUEUE: filter: RCPT from unknown[192.168.0.6]: <>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<> to=<root@msd.com> proto=SMTP helo=<MSD-MARSHAL.msd.com>
Oct 10 10:04:56 mail postfix/smtpd[5809]: NOQUEUE: reject: RCPT from unknown[192.168.0.6]: 550 5.1.1 <root@msd.com>: Recipient address rejected: msd.com; from=<> to=<root@msd.com> proto=SMTP helo=<MSD-MARSHAL.msd.com>
Oct 10 10:04:56 mail postfix/smtpd[5809]: disconnect from unknown[192.168.0.6]
Oct 10 10:04:56 mail postfix/smtpd[5800]: D77B526096F1: filter: RCPT from unknown[192.168.0.6]: <>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<> to=<inderimo@msd.com> proto=SMTP helo=<MSD-MARSHAL.msd.com>
Oct 10 10:04:56 mail postfix/smtpd[5800]: D77B526096F1: filter: RCPT from unknown[192.168.0.6]: <>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<> to=<inderimo@msd.com> proto=SMTP helo=<MSD-MARSHAL.msd.com>
Oct 10 10:04:56 mail postfix/smtpd[5800]: D77B526096F1: reject: RCPT from unknown[192.168.0.6]: 550 5.1.1 <inderimo@msd.com>: Recipient address rejected: msd.com; from=<> to=<inderimo@msd.com> proto=SMTP helo=<MSD-MARSHAL.msd.com>
Oct 10 10:04:56 mail postfix/smtpd[5800]: D77B526096F1: filter: RCPT from unknown[192.168.0.6]: <>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<> to=<info@msd.com> proto=SMTP helo=<MSD-MARSHAL.msd.com>
Oct 10 10:04:56 mail postfix/smtpd[5800]: D77B526096F1: filter: RCPT from unknown[192.168.0.6]: <>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<> to=<info@msd.com> proto=SMTP helo=<MSD-MARSHAL.msd.com>
Oct 10 10:04:56 mail postfix/smtpd[5800]: D77B526096F1: filter: RCPT from unknown[192.168.0.6]: <>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<> to=<jmakani@msd.com> proto=SMTP helo=<MSD-MARSHAL.msd.com>
Oct 10 10:04:56 mail postfix/smtpd[5800]: D77B526096F1: filter: RCPT from unknown[192.168.0.6]: <>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<> to=<jmakani@msd.com> proto=SMTP helo=<MSD-MARSHAL.msd.com>
Oct 10 10:04:56 mail postfix/smtpd[5800]: D77B526096F1: reject: RCPT from unknown[192.168.0.6]: 550 5.1.1 <jmakani@msd.com>: Recipient address rejected: msd.com; from=<> to=<jmakani@msd.com> proto=SMTP helo=<MSD-MARSHAL.msd.com>
Oct 10 10:04:56 mail postfix/smtpd[5809]: connect from unknown[192.168.0.6]
Oct 10 10:04:56 mail postfix/smtpd[5800]: D77B526096F1: filter: RCPT from unknown[192.168.0.6]: <>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<> to=<lnderimo@msd.com> proto=SMTP helo=<MSD-MARSHAL.msd.com>
Oct 10 10:04:56 mail postfix/smtpd[5800]: D77B526096F1: filter: RCPT from unknown[192.168.0.6]: <>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<> to=<lnderimo@msd.com> proto=SMTP helo=<MSD-MARSHAL.msd.com>

Any ideas on how to solve this?

Regards
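
Added example, not part of the original post: a triage sketch for smtpd lines in the mail.log format shown above. It tallies, per connecting client, the recipients addressed with the null sender (`from=<>`) and those rejected with 550 5.1.1. The function names, the thresholds and the sample lines (placeholder addresses) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the postfix/smtpd "filter:" and "reject:" RCPT lines seen in mail.log.
RCPT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>\w+): (?P<action>filter|reject): "
    r"RCPT from (?P<host>\S+?)\[(?P<ip>[^\]]+)\]: .*?"
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>.*?helo=<(?P<helo>[^>]*)>"
)

def summarize(lines):
    """Per client IP: null-sender recipients, rejected recipients, HELO names."""
    stats = defaultdict(lambda: {"null_rcpts": set(), "rejected": set(), "helo": set()})
    for line in lines:
        m = RCPT_RE.search(line)
        if not m:
            continue
        s = stats[m["ip"]]
        s["helo"].add(m["helo"])
        if m["sender"] == "":                      # from=<> is the bounce/DSN sender
            s["null_rcpts"].add(m["rcpt"])         # sets dedupe the doubled FILTER lines
        if m["action"] == "reject" and " 550 5.1.1 " in line:
            s["rejected"].add(m["rcpt"])           # unknown local recipient
    return stats

def suspicious_clients(stats, min_rcpts=3, min_reject_ratio=0.3):
    """Clients sending null-sender mail to many recipients, many of them unknown.
    Both thresholds are assumed values; tune them to the site's normal traffic."""
    flagged = []
    for ip, s in stats.items():
        n = len(s["null_rcpts"])
        if n >= min_rcpts and len(s["rejected"]) / n >= min_reject_ratio:
            flagged.append(ip)
    return sorted(flagged)

# Constructed sample lines (placeholder hosts and addresses, same layout as the post).
P = "Oct 10 10:04:56 mail postfix/smtpd[5800]: "
SAMPLE = [
    P + "AB12CD34EF56: filter: RCPT from unknown[192.0.2.10]: <>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<> to=<alice@example.test> proto=SMTP helo=<gw.example.test>",
    P + "AB12CD34EF56: filter: RCPT from unknown[192.0.2.10]: <>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<> to=<bob@example.test> proto=SMTP helo=<gw.example.test>",
    P + "AB12CD34EF56: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <bob@example.test>: Recipient address rejected: example.test; from=<> to=<bob@example.test> proto=SMTP helo=<gw.example.test>",
    P + "AB12CD34EF56: filter: RCPT from unknown[192.0.2.10]: <>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<> to=<carol@example.test> proto=SMTP helo=<gw.example.test>",
    P + "NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <carol@example.test>: Recipient address rejected: example.test; from=<> to=<carol@example.test> proto=SMTP helo=<gw.example.test>",
    P + "NOQUEUE: reject: RCPT from mx[192.0.2.20]: 550 5.1.1 <erin@example.test>: Recipient address rejected: example.test; from=<user@example.org> to=<erin@example.test> proto=ESMTP helo=<mx.example.org>",
]

if __name__ == "__main__":
    for ip in suspicious_clients(summarize(SAMPLE)):
        print("review null-sender traffic from", ip)
```

To use it on real data, pass an open file handle for the log to `summarize()`. A flagged client is a host to examine, such as the gateway that relays to the server, not a verdict.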