Hello,
My mailcow container has been sending spam out recently.
The server is not an open relay nor does it allow unauthed email from anywhere but the docker network (host server obviously included).
It is using the mail server's TLD and random usernames as the sender, meaning it is getting SPF and DKIM affixed to the outbound mail, and as a result the server is on RBLs.
I have tried clamping the server down (short of closing off port 25), but can't find the source of the spam (I have no PHP, web server or SQL instance running outside of the mailcow setup).
I have also set up debug 3 to try and catch the spammer source.
Any help/ideas would be awesome!
Postfix Log
07/07/2025, 03:34:30 AM info check_server_access: MX r001@r-domain.tld
07/07/2025, 03:34:30 AM info generic_checks: name=check_recipient_mx_access
07/07/2025, 03:34:30 AM info >>> START Recipient address RESTRICTIONS <<<
07/07/2025, 03:34:30 AM info >>> END Recipient address RESTRICTIONS <<<
07/07/2025, 03:34:30 AM info generic_checks: name=permit_mynetworks status=1
07/07/2025, 03:34:30 AM info smtpd_acl_permit: smtpd_log_access_permit_actions: no match
07/07/2025, 03:34:30 AM info match_list_match: permit_mynetworks: no match
07/07/2025, 03:34:30 AM info smtpd_acl_permit: checking smtpd_log_access_permit_actions settings
07/07/2025, 03:34:30 AM info match_hostaddr: mynetworks: 172.22.1.1 ~? 172.22.1.0/24
07/07/2025, 03:34:30 AM info match_hostname: mynetworks: unknown ~? 172.22.1.0/24
07/07/2025, 03:34:30 AM info match_hostaddr: mynetworks: 172.22.1.1 ~? 127.0.0.0/8
07/07/2025, 03:34:30 AM info match_hostname: mynetworks: unknown ~? 127.0.0.0/8
07/07/2025, 03:34:30 AM info permit_mynetworks: unknown 172.22.1.1
07/07/2025, 03:34:30 AM info generic_checks: name=permit_mynetworks
07/07/2025, 03:34:30 AM info generic_checks: name=permit_sasl_authenticated status=0
07/07/2025, 03:34:30 AM info generic_checks: name=permit_sasl_authenticated
07/07/2025, 03:34:30 AM info >>> START Recipient address RESTRICTIONS <<<
07/07/2025, 03:34:30 AM info >>> END Sender address RESTRICTIONS <<<
07/07/2025, 03:34:30 AM info generic_checks: name=permit_mynetworks status=1
07/07/2025, 03:34:30 AM info smtpd_acl_permit: smtpd_log_access_permit_actions: no match
07/07/2025, 03:34:30 AM info match_list_match: permit_mynetworks: no match
07/07/2025, 03:34:30 AM info smtpd_acl_permit: checking smtpd_log_access_permit_actions settings
07/07/2025, 03:34:30 AM info match_hostaddr: mynetworks: 172.22.1.1 ~? 172.22.1.0/24
07/07/2025, 03:34:30 AM info match_hostname: mynetworks: unknown ~? 172.22.1.0/24
07/07/2025, 03:34:30 AM info match_hostaddr: mynetworks: 172.22.1.1 ~? 127.0.0.0/8
07/07/2025, 03:34:30 AM info match_hostname: mynetworks: unknown ~? 127.0.0.0/8
07/07/2025, 03:34:30 AM info permit_mynetworks: unknown 172.22.1.1
07/07/2025, 03:34:30 AM info generic_checks: name=permit_mynetworks
07/07/2025, 03:34:30 AM info >>> START Sender address RESTRICTIONS <<<
07/07/2025, 03:34:30 AM info >>> END Client host RESTRICTIONS <<<
07/07/2025, 03:34:30 AM info generic_checks: name=permit_mynetworks status=1
07/07/2025, 03:34:30 AM info smtpd_acl_permit: smtpd_log_access_permit_actions: no match
07/07/2025, 03:34:30 AM info match_list_match: permit_mynetworks: no match
07/07/2025, 03:34:30 AM info smtpd_acl_permit: checking smtpd_log_access_permit_actions settings
07/07/2025, 03:34:30 AM info match_hostaddr: mynetworks: 172.22.1.1 ~? 172.22.1.0/24
07/07/2025, 03:34:30 AM info match_hostname: mynetworks: unknown ~? 172.22.1.0/24
07/07/2025, 03:34:30 AM info match_hostaddr: mynetworks: 172.22.1.1 ~? 127.0.0.0/8
07/07/2025, 03:34:30 AM info match_hostname: mynetworks: unknown ~? 127.0.0.0/8
07/07/2025, 03:34:30 AM info permit_mynetworks: unknown 172.22.1.1
07/07/2025, 03:34:30 AM info generic_checks: name=permit_mynetworks
07/07/2025, 03:34:30 AM info >>> START Client host RESTRICTIONS <<<
07/07/2025, 03:34:30 AM info extract_addr: in: r001@r-domain.tld, result: r001@r-domain.tld
07/07/2025, 03:34:30 AM info ctable_locate: install entry key z8user01@example.com?r001@r-domain.tld
07/07/2025, 03:34:30 AM info resolve_clnt: `z8user01@example.com' -> `r001@r-domain.tld' -> transp=`smtp' host=`r-domain.tld' rcpt=`r001@r-domain.tld' flags= class=`default'
07/07/2025, 03:34:30 AM info send attr address = r001@r-domain.tld
07/07/2025, 03:34:30 AM info send attr sender = z8user01@example.com
07/07/2025, 03:34:30 AM info rewrite_clnt: local: r001@r-domain.tld -> r001@r-domain.tld
07/07/2025, 03:34:30 AM info send attr address = z8user01@example.com
07/07/2025, 03:34:30 AM info rewrite_clnt: local: z8user01@example.com -> z8user01@example.com
07/07/2025, 03:34:30 AM info smtpd_check_addr: addr=r001@r-domain.tld
07/07/2025, 03:34:30 AM info extract_addr: input: r001@r-domain.tld
07/07/2025, 03:34:30 AM info < unknown[172.22.1.1]: RCPT TO:r001@r-domain.tld
*** ENVELOPE RECORDS active/90B494873F2 ***
message_size: 560 1573 10 0 560 0
message_arrival_time: Mon Jul 7 00:23:31 2025
create_time: Mon Jul 7 00:23:33 2025
named_attribute: log_ident=90B494873F2
named_attribute: rewrite_context=remote
sender: u001@example.com
named_attribute: log_client_name=unknown
named_attribute: log_client_address=172.22.1.1
named_attribute: log_client_port=34182
named_attribute: log_message_origin=unknown[172.22.1.1]
named_attribute: log_helo_name=smtp.example.com
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=unknown
named_attribute: reverse_client_name=unknown
named_attribute: client_address=172.22.1.1
named_attribute: client_port=34182
named_attribute: server_address=172.22.1.253
named_attribute: server_port=25
named_attribute: helo_name=smtp.example.com
named_attribute: protocol_name=ESMTP
named_attribute: client_address_type=2
warning_message_time: Mon Jul 7 04:23:31 2025
Mailq
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
03FF2413868      818 Mon Jul  7 01:32:45  u001@example.com
(Host or domain name not found. Name service error for name=r-ext1.tld type=AAAA: Host not found, try again)
                                         r001@r-ext1.tld
A19A84108CE      880 Mon Jul  7 01:33:13  u002@example.com
(Host or domain name not found. Name service error for name=r-ext1.tld type=MX: Host not found, try again)
                                         r001@r-ext1.tld
64D7C4155A9      812 Mon Jul  7 01:32:16  u003@example.com
(Host or domain name not found. Name service error for name=r-ext1.tld type=AAAA: Host not found, try again)
                                         r001@r-ext1.tld
6F5E2410694      621 Mon Jul  7 01:33:39  u004@example.com
(Host or domain name not found. Name service error for name=r-ext1.tld type=MX: Host not found, try again)
                                         r001@r-ext1.tld
9B472410686      871 Mon Jul  7 01:33:14  u005@example.com
(Host or domain name not found. Name service error for name=r-ext1.tld type=MX: Host not found, try again)
                                         r001@r-ext1.tld
Thanks in advance
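The log above shows the key detail for triage: every message was accepted on port 25 from client 172.22.1.1 (the docker bridge gateway, i.e. the host side) through `permit_mynetworks`, with `permit_sasl_authenticated` returning status 0, so nothing authenticated. A small triage script, added here as an example and not part of the post, parses the two kinds of output shown (Postfix envelope records as printed by `postcat -q <queue id>` or `postcat -e`, and `mailq` output) from constructed sample data. It flags queued messages whose envelope sender claims the local domain but carries no `sasl_username` attribute (Postfix records that attribute only when the submission authenticated), and groups senders and source ports per client address so the connecting process on the host side can be matched against the host's connection table by address and port. Assumptions: `example.com` is the local domain, 203.0.113.7 is a placeholder for an authenticated remote client, and all record values are made up.

```python
import re
from collections import defaultdict

# Constructed sample data shaped like the post's output; values are made up.
# 172.22.1.1 stands in for the docker bridge gateway seen in the post,
# 203.0.113.7 (documentation range) for a legitimately authenticated client.
ENVELOPE_RECORDS = """\
*** ENVELOPE RECORDS active/90B494873F2 ***
message_size: 560 1573 10 0 560 0
sender: u001@example.com
named_attribute: log_client_address=172.22.1.1
named_attribute: client_address=172.22.1.1
named_attribute: client_port=34182
named_attribute: helo_name=smtp.example.com
*** ENVELOPE RECORDS active/A19A84108CE ***
sender: u002@example.com
named_attribute: client_address=172.22.1.1
named_attribute: client_port=34190
named_attribute: helo_name=smtp.example.com
*** ENVELOPE RECORDS deferred/D/DEADBEEF001 ***
sender: alice@example.com
named_attribute: client_address=203.0.113.7
named_attribute: client_port=51234
named_attribute: helo_name=[203.0.113.7]
named_attribute: sasl_username=alice@example.com
"""

MAILQ_OUTPUT = """\
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
03FF2413868      818 Mon Jul  7 01:32:45  u001@example.com
(Host or domain name not found. Name service error for name=r-ext1.tld type=AAAA: Host not found, try again)
                                         r001@r-ext1.tld
A19A84108CE*     880 Mon Jul  7 01:33:13  u002@example.com
                                         r001@r-ext1.tld
                                         r002@r-ext1.tld

-- 2 Kbytes in 2 Requests.
"""

RECORD_HDR = re.compile(r"^\*\*\* ENVELOPE RECORDS (\S+) \*\*\*$")
ATTR = re.compile(r"^named_attribute: ([a-z_]+)=(.*)$")
# queue id, optional active (*) / hold (!) marker, size, arrival, sender
MAILQ_ENTRY = re.compile(
    r"^([0-9A-F]+)([*!])?\s+(\d+)\s+(\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d)\s+(\S+)$")


def parse_envelope_records(text):
    """Split postcat envelope output into one dict per queued message."""
    records, current = [], None
    for line in text.splitlines():
        m = RECORD_HDR.match(line)
        if m:  # "active/90B494873F2" -> "90B494873F2"
            current = {"queue_id": m.group(1).rsplit("/", 1)[-1],
                       "sender": None, "attrs": {}}
            records.append(current)
            continue
        if current is None:
            continue
        if line.startswith("sender: "):
            current["sender"] = line[len("sender: "):].strip()
        else:
            m = ATTR.match(line)
            if m:
                current["attrs"][m.group(1)] = m.group(2)
    return records


def parse_mailq(text):
    """Parse mailq output: one entry per queue id, with deferral reason and recipients."""
    entries, current = [], None
    for line in text.splitlines():
        m = MAILQ_ENTRY.match(line)
        if m:
            current = {"queue_id": m.group(1), "active": m.group(2) == "*",
                       "size": int(m.group(3)), "arrival": m.group(4),
                       "sender": m.group(5), "reason": None, "recipients": []}
            entries.append(current)
        elif current is not None and line.startswith("("):
            current["reason"] = line.strip("()")
        elif current is not None and re.fullmatch(r"\s+\S+@\S+", line):
            current["recipients"].append(line.strip())
    return entries


def unauthenticated_local_senders(records, local_domain):
    """Queue ids whose sender claims local_domain but that carry no sasl_username.

    A mailcow user submits with SASL on 587/465, so Postfix records sasl_username;
    a local-domain sender without it was accepted another way (e.g. permit_mynetworks).
    Returns (queue_id, sender, client_address, client_port) tuples.
    """
    flagged = []
    for r in records:
        sender = r["sender"] or ""
        if sender.lower().endswith("@" + local_domain) and not r["attrs"].get("sasl_username"):
            flagged.append((r["queue_id"], sender,
                            r["attrs"].get("client_address"), r["attrs"].get("client_port")))
    return flagged


def senders_by_client(records):
    """Group distinct envelope senders and source ports per client address."""
    out = defaultdict(lambda: {"senders": set(), "ports": set()})
    for r in records:
        a = r["attrs"]
        out[a.get("client_address", "?")]["senders"].add(r["sender"])
        if "client_port" in a:
            out[a["client_address"]]["ports"].add(int(a["client_port"]))
    return dict(out)


if __name__ == "__main__":
    recs = parse_envelope_records(ENVELOPE_RECORDS)
    for qid, sender, addr, port in unauthenticated_local_senders(recs, "example.com"):
        print(f"{qid}: {sender} accepted without SASL from {addr}:{port}")
    for addr, info in senders_by_client(recs).items():
        print(f"{addr}: {len(info['senders'])} distinct senders, source ports {sorted(info['ports'])}")
    for e in parse_mailq(MAILQ_OUTPUT):
        print(f"{e['queue_id']} {e['sender']} -> {e['recipients']} ({e['reason']})")
```

Many distinct random local senders from one client address with no `sasl_username` is the signature of a process relaying through `mynetworks` rather than a compromised mailbox password; the `client_port` in each record identifies the host-side connection at the time of submission, which narrows down which process on the host (or which container sharing its network) opened it.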