Which user are my php scripts sending email as?

What is the "From" address in the /var/log/maillog for that emails? First part of the "From" address is a name of the local user. I bet it is apache if you are on CentOS and www-data if you are on Debian.

There is quite a few points to what you're asking.

Firstly the concept of the "From:" line isn't straight forward, as when you send a message you can write what ever Envelope address you want on the message (the -f flag on the sendmail command). This is how you can send mail from domains/accounts that don't exist (noreply@ etc).

However essentially your server will always trust itself (hence being able to send mail without authentication) locally. This is a key point, and one spammers use to the maximum when exploiting servers.

In a postfix config this may look like this:

smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks

This line essentially reads: allow authenticated users, allow local users.

However what is worth pointing out is that when you generate mail locally it normally won't be sent using SMTP, instead it will be injected directly into the mail queue of the local box using sendmail (or equivalent), as such it can bypass a lot of systems that would be in place for external users.

So presuming your user is just using the mail() function in PHP, you'll need to disable local mail injection and have all mail "relayed" via SMTP (rather than injected) through the box (or another box if you wanted). This can be done in your php.ini I presume (not done it myself though).

That way you can then put restrictions in place on your mail server to limit accounts and they can't bypass them by just dumping mail into the local queue.