My Postfix installation is sending out spam; how to stop it?

Pravin offers some good general points, but doesn't really elaborate on any of them and doesn't address your likely actual problems.

First, you need to find out how postfix is receiving those messages and why it's choosing to relay them (the two questions are very likely related).

The best way to do it is by looking at the message ID of any one of the messages and then grepping the mail.log file for all log entries regarding it. This will tell you at the very least where the message came from and what postfix did with it right up until it left its care and went on into the world. Here's a (redacted) sample excerpt:

Mar 26 00:51:13 vigil postfix/smtpd[9120]: 3B7085E038D: client=foo.bar.com[1.2.3.4]
Mar 26 00:51:13 vigil postfix/cleanup[9159]: 3B7085E038D: message-id=<------------@someserver>
Mar 26 00:51:13 vigil postfix/qmgr[5366]: 3B7085E038D: from=<[email protected]>, size=456346, nrcpt=2 (queue active)
Mar 26 00:51:13 vigil postfix/lmtp[9160]: 3B7085E038D: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.3, delays=0.11/0/0/0.19, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=04611-19, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 6EA115E038F)
Mar 26 00:51:13 vigil postfix/qmgr[5366]: 3B7085E038D: removed

This tells me the following things:

  1. The message came in from foo.bar.com, a server with IP address 1.2.3.4 calling itself foo.bar.com
  2. (Implied by the lack of warnings) According to forward and reverse DNS, that address does indeed match that name.
  3. The message was meant for a user named [email protected], which the server decided was an acceptable destination address.
  4. As per its configuration, the mail server relayed the message through 127.0.0.1:10024 (our spam/virus filter) for further processing.
  5. The filter said "Okay, I'll queue this as a message with ID 6EA115E038F and handle it from here."
  6. Having received this confirmation, the main server declared it was done and removed the original message from the queue.

Now, once you know how the message got into the system you can start finding out where the problem lies.

  • If it came from elsewhere and was relayed to somewhere else entirely, postfix is currently functioning as an open relay. This is very, very bad and you should tighten up your smtpd_recipient_restrictions and smtpd_client_restrictions settings in /etc/postfix/main.cf.

  • If it came in from localhost, it's very likely that one webhosting user or another has been compromised with a php script that sends out spam on demand. Use the find command to look for .php files that were recently added or altered, then take a good look at any suspicious names.

Anything more specific will depend too much on the outcome of the above investigation, so it's pointless to attempt to elaborate. I will leave you with the more general admonishment to at the very least install and configure postgrey at the earliest opportunity.
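The grep-and-read step above can be automated. The script below is an added example, not part of the original answer or of Postfix itself: it groups mail.log records by queue ID, follows a message through a content-filter re-injection (the "queued as ..." in the status text), and reports how the message entered the server and where it went. It goes a little beyond the excerpt in that it also recognises the pickup path (local submission via the sendmail binary, which is what a PHP mail() call looks like in the log) and SASL-authenticated submissions. The log lines, host names, queue IDs and addresses are constructed (RFC 5737 test networks, example.com/.net/.org); LOCAL_DOMAINS is an assumed list of the domains this server accepts mail for.

```python
"""Postfix mail.log triage: how did a message enter, and where did it go?"""
import re
from collections import defaultdict
from ipaddress import ip_address

# One Postfix record with a queue ID: "Mon DD hh:mm:ss host postfix/prog[pid]: QID: rest"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postfix/(?P<prog>[\w-]+)\[\d+\]: "
    r"(?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$"
)
KV_RE = re.compile(r"([\w-]+)=(<[^>]*>|[^,\s]+)")       # key=value pairs in the record
REQUEUE_RE = re.compile(r"queued as ([0-9A-F]{6,})")     # content filter handed back a new QID
CLIENT_RE = re.compile(r"^(?P<name>[^\[]*)\[(?P<ip>[^\]]+)\]")

LOCAL_DOMAINS = {"example.com", "vigil.example.com"}     # assumed: domains this host accepts mail for

# Constructed sample log: an inbound message through a filter, a local PHP-style
# submission via pickup, and an external-to-external relay.
SAMPLE_LOG = """\
Mar 26 00:51:13 vigil postfix/smtpd[9120]: 3B7085E038D: client=foo.example.net[198.51.100.4]
Mar 26 00:51:13 vigil postfix/cleanup[9159]: 3B7085E038D: message-id=<abc@foo.example.net>
Mar 26 00:51:13 vigil postfix/qmgr[5366]: 3B7085E038D: from=<sender@foo.example.net>, size=456346, nrcpt=1 (queue active)
Mar 26 00:51:13 vigil postfix/lmtp[9160]: 3B7085E038D: to=<bob@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.3, delays=0.11/0/0/0.19, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=04611-19, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 6EA115E038F)
Mar 26 00:51:13 vigil postfix/qmgr[5366]: 3B7085E038D: removed
Mar 26 00:51:14 vigil postfix/smtpd[9170]: 6EA115E038F: client=localhost[127.0.0.1]
Mar 26 00:51:14 vigil postfix/qmgr[5366]: 6EA115E038F: from=<sender@foo.example.net>, size=456900, nrcpt=1 (queue active)
Mar 26 00:51:14 vigil postfix/local[9180]: 6EA115E038F: to=<bob@example.com>, relay=local, delay=0.1, delays=0.05/0/0/0.05, dsn=2.0.0, status=sent (delivered to mailbox)
Mar 26 00:51:14 vigil postfix/qmgr[5366]: 6EA115E038F: removed
Mar 26 01:02:30 vigil postfix/pickup[5365]: 7C1F05E0401: uid=33 from=<www-data>
Mar 26 01:02:30 vigil postfix/qmgr[5366]: 7C1F05E0401: from=<www-data@vigil.example.com>, size=2048, nrcpt=1 (queue active)
Mar 26 01:02:31 vigil postfix/smtp[9201]: 7C1F05E0401: to=<victim@example.org>, relay=mx.example.org[203.0.113.25]:25, delay=0.8, delays=0.1/0/0.3/0.4, dsn=2.0.0, status=sent (250 OK)
Mar 26 01:10:02 vigil postfix/smtpd[9250]: 9D2A15E0456: client=unknown[192.0.2.77]
Mar 26 01:10:02 vigil postfix/qmgr[5366]: 9D2A15E0456: from=<someone@example.net>, size=3000, nrcpt=1 (queue active)
Mar 26 01:10:03 vigil postfix/smtp[9201]: 9D2A15E0456: to=<target@example.org>, relay=mx.example.org[203.0.113.25]:25, delay=1.1, delays=0.2/0/0.4/0.5, dsn=2.0.0, status=sent (250 OK)
"""


def parse_log(lines):
    """Group records by queue ID; each record is (program, {key: value}, raw text)."""
    by_qid = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # connect/disconnect/NOQUEUE lines carry no queue ID
        fields = {k: v.strip("<>") for k, v in KV_RE.findall(m["rest"])}
        by_qid[m["qid"]].append((m["prog"], fields, m["rest"]))
    return by_qid


def is_loopback(ip):
    try:
        return ip_address(ip).is_loopback
    except ValueError:
        return False


def follow(by_qid, qid):
    """Chain of queue IDs one message passes through (filter re-injection)."""
    chain = [qid]
    while True:
        nxt = None
        for _prog, _fields, raw in by_qid.get(chain[-1], []):
            m = REQUEUE_RE.search(raw)
            if m and m.group(1) not in chain:
                nxt = m.group(1)
        if nxt is None:
            return chain
        chain.append(nxt)


def triage(by_qid, qid, local_domains):
    """Summarise how a message entered the server, where it went, and what that implies."""
    chain = follow(by_qid, qid)
    report = {"chain": chain, "origin": None, "recipients": [], "relays": []}
    for prog, fields, _raw in by_qid.get(chain[0], []):
        if prog == "smtpd" and "client" in fields:
            c = CLIENT_RE.match(fields["client"])
            name, ip = (c["name"], c["ip"]) if c else (fields["client"], "")
            # An authenticated submission is a different problem: a leaked mailbox password.
            report["origin"] = ("sasl", fields["sasl_username"], ip) if "sasl_username" in fields else ("smtp", name, ip)
        elif prog == "pickup":  # submitted locally through the sendmail binary (e.g. PHP mail())
            report["origin"] = ("pickup", fields.get("from", "?"), "uid=" + fields.get("uid", "?"))
    for q in chain:
        for _prog, fields, _raw in by_qid.get(q, []):
            if "to" in fields and "relay" in fields:
                report["recipients"].append(fields["to"])
                report["relays"].append(fields["relay"])
    kind, _who, ip = report["origin"] or ("unknown", "", "")
    external_rcpt = any(r.rsplit("@", 1)[-1].lower() not in local_domains for r in report["recipients"])
    if kind == "sasl":
        report["verdict"] = "authenticated submission: check that account for compromised credentials"
    elif kind == "pickup" or (kind == "smtp" and is_loopback(ip)):
        report["verdict"] = "local origin: submitted on this host, check web apps and scripts"
    elif kind == "smtp" and external_rcpt:
        report["verdict"] = "external to external: relayed for a non-local domain (open relay)"
    elif kind == "smtp":
        report["verdict"] = "inbound delivery to a local domain"
    else:
        report["verdict"] = "unknown origin: no smtpd/pickup record for this queue ID"
    return report


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG.splitlines())
    for start in ("3B7085E038D", "7C1F05E0401", "9D2A15E0456"):
        r = triage(records, start, LOCAL_DOMAINS)
        print(" -> ".join(r["chain"]), r["origin"], r["recipients"], "|", r["verdict"])
```

On a real box, feed the script the output of `grep QUEUEID /var/log/mail.log` (or the whole log) instead of SAMPLE_LOG and give it the queue ID of one of the spam messages; the "chain" it prints is exactly the set of IDs to grep for next. The "external to external" verdict is the open-relay case from the first bullet above, which a sane main.cf prevents with `reject_unauth_destination` in smtpd_recipient_restrictions; the "local origin" verdict points at the second bullet.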