I host my own mail server using postfix/dovecot. Recently, I've gotten a few "email rejected" emails acting like my server sent spam from an account that doesn't exist on my server. I've searched through `/var/log/mail.log` for any occurrences of that account name, or the receiving server's name, etc., but can't find anything. So the possibilities I can come up with are either:
- these are fake rejection emails being sent to me for some reason
- I'm not searching for the right stuff in the logs, or not searching the right logs, etc
- Somehow my server is sending email without logging it
Is there any way to really confirm which one of these is the case? I don't want my host to get mad at me for unknowingly relaying spam.
For reference, I've tried commands like:
```sh
cat mail.log | grep -v "relay=local" | grep "relay=" | grep "status=sent"
cat mail.log | grep submission
# the '*' quantifiers had been lost in rendering; restored here
grep -o 'to=<[^@]*@[^>]*>' /var/log/mail.log
cat mail.log | grep <HOST URL>
cat mail.log | grep <SENDER USER NAME>
```
I also added `default_transport = error: This server sends mail only locally.` to my `postfix/main.cf` file, which supposedly disables all outbound mail, but still got another 'email rejected' type mail returned the next day.
Postfix should log each processed message ID. The bounces/NDRs you receive should (at least) reference the original message ID - comparing that with your logs tells you whether the alleged mail came from your server or whether it was simply forged. As @dave_thompson has pointed out, it's also possible that the whole NDR is fake.
Using schemes like SPF, DKIM and/or DMARC 'protects' your domain from being abused by spammers - if you haven't already done so you might want to look into that.
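The check the answer describes (take the Message-ID from the bounce, look for it in the Postfix log, and follow the queue ID it maps to) as an added, runnable example. This is not code from the original question or answer; the NDR and the log lines are constructed samples, and the queue ID, hostnames and Message-IDs in them are made up. It relies on the fact that Postfix logs `cleanup[...]: QUEUEID: message-id=<...>` for every message it accepts, and then logs every later event for that message under the same queue ID.

```python
import re
from email import message_from_string

# Constructed sample NDR: the remote MTA bounces a message it claims came from
# us, attaching the original headers as message/rfc822 (hypothetical data).
SAMPLE_NDR = """From: MAILER-DAEMON@mx.remote.example
To: postmaster@mail.example.org
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B"

--B
Content-Type: text/plain

Delivery failed: message rejected as spam.
--B
Content-Type: message/rfc822

From: nobody-here@mail.example.org
To: victim@remote.example
Message-ID: <forged-0001@mail.example.org>
Subject: Buy now

spam body
--B--
"""

# Constructed sample of /var/log/mail.log showing one legitimate outbound
# message, traced through pickup -> cleanup -> qmgr -> smtp by its queue ID.
SAMPLE_LOG = """\
Jan  5 10:00:01 mail postfix/pickup[100]: 7A1B2C3D4E: uid=1000 from=<alice@mail.example.org>
Jan  5 10:00:01 mail postfix/cleanup[101]: 7A1B2C3D4E: message-id=<20240105100001.abc@mail.example.org>
Jan  5 10:00:01 mail postfix/qmgr[102]: 7A1B2C3D4E: from=<alice@mail.example.org>, size=512, nrcpt=1 (queue active)
Jan  5 10:00:02 mail postfix/smtp[103]: 7A1B2C3D4E: to=<bob@remote.example>, relay=mx.remote.example[192.0.2.10]:25, delay=1.1, delays=0.1/0/0.5/0.5, dsn=2.0.0, status=sent (250 OK)
Jan  5 10:00:02 mail postfix/qmgr[102]: 7A1B2C3D4E: removed
""".splitlines()

MSGID_RE = re.compile(r"Message-ID:\s*(<[^>]+>)", re.IGNORECASE)
CLEANUP_RE = re.compile(r"postfix/cleanup\[\d+\]: ([0-9A-Za-z]+): message-id=(<[^>]+>)")


def message_id_from_ndr(raw_ndr):
    """Pull the original Message-ID out of a bounce: prefer the attached
    message/rfc822 part, fall back to a plain-text search of the body."""
    msg = message_from_string(raw_ndr)
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            for inner in part.get_payload():
                mid = inner.get("Message-ID")
                if mid:
                    return mid.strip()
    m = MSGID_RE.search(raw_ndr)
    return m.group(1) if m else None


def queue_ids_for_message_id(log_lines, message_id):
    """Queue IDs whose cleanup line recorded exactly this Message-ID."""
    ids = []
    for line in log_lines:
        m = CLEANUP_RE.search(line)
        if m and m.group(2) == message_id:
            ids.append(m.group(1))
    return ids


def trace_queue_id(log_lines, qid):
    """Every log line belonging to one queue ID, in order."""
    marker = re.compile(r"\]: " + re.escape(qid) + r": ")
    return [line for line in log_lines if marker.search(line)]


def classify_ndr(raw_ndr, log_lines):
    """Decide whether the bounced message ever passed through this server.
    Returns (verdict, message_id, matching_log_lines)."""
    mid = message_id_from_ndr(raw_ndr)
    if mid is None:
        return "undetermined", None, []
    qids = queue_ids_for_message_id(log_lines, mid)
    if not qids:
        # Nothing in cleanup means Postfix never accepted this message:
        # the bounce refers to a forged message (or the NDR itself is fake).
        return "no-record", mid, []
    trace = [line for q in qids for line in trace_queue_id(log_lines, q)]
    if any("status=sent" in line for line in trace):
        return "sent-by-us", mid, trace
    return "queued-not-sent", mid, trace


if __name__ == "__main__":
    verdict, mid, trace = classify_ndr(SAMPLE_NDR, SAMPLE_LOG)
    print(verdict, mid)
    for line in trace:
        print("  ", line)
```

Run it against the real bounce and the real log and the verdict tells you which of the three possibilities in the question applies: `sent-by-us` means your server really relayed it (follow the queue ID back to the `pickup`/`smtpd` line to see which account or client injected it), `no-record` means the message never passed through Postfix, so the sender was forged elsewhere or the NDR is fabricated. Feed in rotated logs too (`mail.log.1`, the `.gz` copies), since the original delivery may predate the current file.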