
Spam on 127.0.0.1 interface

Hi, since yesterday I'm receiving spam on the 127.0.0.1 interface on my colocated Mac mini, and SpamAssassin can't block this. 😢


Feb 21 02:53:01 myserver.example.com postfix/smtpd[5089]: connect from localhost[127.0.0.1]
Feb 21 02:53:01 myserver.example.com postfix/smtpd[5089]: 3B689392B32: client=localhost[127.0.0.1]
Feb 21 02:53:01 myserver.example.com postfix/cleanup[5084]: 3B689392B32: message-id=<4AhAlf-1U9YtS1tsa-003NIN@icpuxxxx.kundenserver.de>


Do you have any ideas on what is happening?

Thanks

Mac mini, OS X Server

Posted on Feb 21, 2013 2:45 AM


Feb 23, 2013 6:06 AM in response to Cybermaster

Receiving mail on 127.0.0.1 is not unusual and not necessarily an indication of any problem. The total mail service on OS X Server has a number of components which 'hand over' to each other using TCP/IP over the localhost (127.0.0.1) address, which, by the way, is impossible to route to from the Internet.


You can see this yourself if you have a look at any email in Apple Mail and choose menu - View | Message | Raw Source. You will see a number of handoffs from Spamassassin, Amavis & Postfix. The only instance where 'server.example.com' is not the 127.0.0.1 address is the one at the bottom (in red) where the external IP address of my site is contacted by the Apple mailserver.


Don't think you have anything to worry about.


============== PART OF RAW EMAIL HEADER ==================


Return-Path: <discusswatch@apple.com>
Delivered-To: nemo@example.com
Received: from localhost (localhost [127.0.0.1])
    by server.example.com (Postfix) with ESMTP id ZZZZZZZZZZ
    for <nemo@example.com>; Fri, 22 Feb 2013 04:41:36 +0100 (CET)
X-Virus-Scanned: amavisd-new at example.com
Received: from server.example.com ([127.0.0.1])
    by localhost (server.example.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id ZZZZZZZZZZ for <nemo@example.com>;
    Fri, 22 Feb 2013 04:41:36 +0100 (CET)
Received: from bz.apple.com (redstreak.apple.com [17.151.62.54])
    by server.example.com (Postfix) with ESMTPS id ZZZZZZZZZZ
    for <nemo@example.com>; Fri, 22 Feb 2013 04:41:36 +0100 (CET)
MIME-version: 1.0
Content-disposition: inline
Content-type: multipart/mixed; boundary="Boundary_(ID_ZZZZZZZZZZ)"
Received: from nwk-jivep-lapp24.corp.apple.com ([17.34.26.112])
    by bz.apple.com (Oracle Communications Messaging Server 7u4-23.01(7.0.4.23.0)
    64bit (built Aug 10 2011)) with ESMTP id <ZZZZZZZZZZ@bz.apple.com> for
    nemo@example.com; Thu, 21 Feb 2013 19:41:24 -0800 (PST)
Date: Thu, 21 Feb 2013 19:41:24 -0800
From: Apple Support Communities Updates <discussions-updates@apple.com>
Reply-to: discussions-replies <discussions-replies@apple.com>
To: Nemo <nemo@example.com>
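Walking the Received: chain that this reply describes, as an added example and not code from the post or from OS X Server: hops whose "from" address is 127.0.0.1 are the internal hand-offs (amavisd/SpamAssassin talking to Postfix), and the first hop stamped by your own server from a non-loopback address is where the message actually entered from the network. If no such hop exists, the message was injected locally. The header text below is a constructed sample modelled on the anonymised excerpt above; received_hops, ingress_hop and the regexes are this example's own names.

```python
import re
from email import message_from_string
from ipaddress import ip_address

# Constructed header block modelled on the anonymised excerpt above (same hosts, same
# ZZZZZZZZZZ placeholders); it is sample input for this example, not a captured message.
SAMPLE_HEADERS = """\
Return-Path: <discusswatch@apple.com>
Delivered-To: nemo@example.com
Received: from localhost (localhost [127.0.0.1])
\tby server.example.com (Postfix) with ESMTP id ZZZZZZZZZZ
\tfor <nemo@example.com>; Fri, 22 Feb 2013 04:41:36 +0100 (CET)
X-Virus-Scanned: amavisd-new at example.com
Received: from server.example.com ([127.0.0.1])
\tby localhost (server.example.com [127.0.0.1]) (amavisd-new, port 10024)
\twith ESMTP id ZZZZZZZZZZ for <nemo@example.com>;
\tFri, 22 Feb 2013 04:41:36 +0100 (CET)
Received: from bz.apple.com (redstreak.apple.com [17.151.62.54])
\tby server.example.com (Postfix) with ESMTPS id ZZZZZZZZZZ
\tfor <nemo@example.com>; Fri, 22 Feb 2013 04:41:36 +0100 (CET)
Received: from nwk-jivep-lapp24.corp.apple.com ([17.34.26.112])
\tby bz.apple.com (Oracle Communications Messaging Server 7u4-23.01(7.0.4.23.0)
\t64bit (built Aug 10 2011)) with ESMTP id <ZZZZZZZZZZ@bz.apple.com> for
\tnemo@example.com; Thu, 21 Feb 2013 19:41:24 -0800 (PST)
From: Apple Support Communities Updates <discussions-updates@apple.com>
To: Nemo <nemo@example.com>

"""

# "from HELO (comment)" at the start of an unfolded Received: value; the comment usually
# carries the reverse DNS name and the bracketed peer address.
FROM_RE = re.compile(r'^from\s+(?P<helo>\S+)(?:\s*\((?P<comment>[^)]*)\))?', re.I)
BY_RE = re.compile(r'\bby\s+(?P<by>\S+)', re.I)
ADDR_RE = re.compile(r'\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\]')


def received_hops(raw_headers):
    """Walk the Received: chain top-down (newest stamp first). Each hop records the
    address the message came from, the host that added the stamp, and whether that
    address is loopback (an internal hand-off rather than a network peer)."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all('Received') or []:
        text = ' '.join(value.split())          # unfold continuation lines
        f = FROM_RE.match(text)
        b = BY_RE.search(text)
        ip = None
        if f and f.group('comment'):
            a = ADDR_RE.search(f.group('comment'))
            if a:
                ip = a.group('ip')
        try:
            loopback = ip is not None and ip_address(ip).is_loopback
        except ValueError:
            loopback = False                    # malformed literal: treat as external
        hops.append({'from': f.group('helo') if f else None,
                     'ip': ip,
                     'by': b.group('by') if b else None,
                     'loopback': loopback})
    return hops


def ingress_hop(raw_headers, our_host):
    """First hop stamped by our own server whose peer address is not loopback: the
    point where the message entered from the network. Returns None when every hop
    stamped by our_host came from 127.0.0.1, i.e. the message was injected locally."""
    for hop in received_hops(raw_headers):
        if hop['by'] == our_host and not hop['loopback']:
            return hop
    return None


if __name__ == '__main__':
    for hop in received_hops(SAMPLE_HEADERS):
        kind = 'local hand-off' if hop['loopback'] else 'network hop'
        print(f"{str(hop['ip']):>15}  ->  {str(hop['by']):<20}  {kind}")
    print('ingress:', ingress_hop(SAMPLE_HEADERS, 'server.example.com'))
```

On the sample this reports two loopback hand-offs (Postfix to amavisd and back), then the real ingress from 17.151.62.54 stamped by server.example.com, then the hop inside Apple's network. Only the Received: lines your own server added are trustworthy; anything below them was written by the sender and can be forged.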

Mar 27, 2014 8:52 AM in response to Cybermaster

I'm tracking this same behavior as I clean a server up.


Traffic from home (127.0.0.1) can be from an account that has been pooched and is accessed via webmail. Right now, I see some spam traffic going out of a live server that I suspect is coming from webmail (or a pooched Wordpress install). Turning off imap isn't a great option, as several clients on the machine use it (and the webmail will not function without imap running).


Difficult to determine the source at the moment, but we're still collecting logs.

Apr 5, 2014 9:02 AM in response to Cybermaster

Just to add...


In the course of a normal email delivery you should see in the logs a connection from localhost. This is, however, after the client has connected to the mail server (for example from an external network) and delivered an email.


Below is an anonymised log fragment from my server which shows a normal communication:


  • connection from host
  • valid login of user via SASL
  • message gets accepted
  • next there is a connection to Postfix from localhost, which is most likely the SpamAssassin daemon
  • message is delivered


If you are seeing connections from localhost and emails you know nothing about being injected into Postfix from localhost, it may be that your user account has been hacked and spammers are injecting spam for relay. Look in the log for occurrences of text like that in red below (change to your username). If you are seeing lots of connections you know are not valid, immediately change your account password in OS X Server.


Apr 5 16:55:29 server.example.com postfix/smtpd[82546]: connect from unknown[123.123.123.123]
Apr 5 16:55:29 server.example.com postfix/smtpd[82546]: E7F3F1634E22: client=unknown[123.123.123.123], sasl_method=CRAM-MD5, sasl_username=fred
Apr 5 16:55:30 server.example.com postfix/cleanup[82550]: E7F3F1634E22: message-id=<E61E3D86-BC73-4F45-8099-C1D4ED1B4C74@example.com>
Apr 5 16:55:30 server.example.com postfix/qmgr[80216]: E7F3F1634E22: from=<fred@example.com>, size=631, nrcpt=2 (queue active)
Apr 5 16:55:30 server.example.com postfix/smtpd[82553]: connect from localhost[127.0.0.1]
Apr 5 16:55:30 server.example.com postfix/smtpd[82553]: 34FDB1634E2F: client=localhost[127.0.0.1]
Apr 5 16:55:30 server.example.com postfix/cleanup[82550]: 34FDB1634E2F: message-id=<E61E3D86-BC73-4F45-8099-C1D4ED1B4C74@example.com>
Apr 5 16:55:30 server.example.com postfix/smtpd[82553]: disconnect from localhost[127.0.0.1]
Apr 5 16:55:30 server.example.com postfix/qmgr[80216]: 34FDB1634E2F: from=<fred@example.com>, size=1041, nrcpt=2 (queue active)
Apr 5 16:55:30 server.example.com postfix/smtp[82551]: E7F3F1634E22: to=<sally@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.29, delays=0.14/0.01/0/0.14, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 34FDB1634E2F)
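Turning the check this reply describes into something you can run over a mail log, as an added example that is not part of the reply or of OS X Server: correlate every message that arrived from localhost[127.0.0.1] with an earlier delivery to the content filter that ends in "queued as <that queue ID>". A localhost injection with such a parent is the normal amavisd/SpamAssassin hand-back; one without is something on the box (webmail, a script, a compromised CMS) submitting mail directly. The same pass counts SASL logins per account and source IP, which is the quickest way to spot a stolen password. The log lines are constructed, modelled on the fragment above, with two extra messages added to show both bad cases; parse_postfix_log, unexplained_localhost_injections and sasl_logins_by_user are this example's own names.

```python
import re
from collections import defaultdict

# Constructed sample log modelled on the fragment quoted above; not a real server's log.
# E7F3F1634E22 is the normal path: authenticated submission from 123.123.123.123, handed to
# amavisd on port 10024 and reinjected from localhost on 10025 as 34FDB1634E2F.
# 5C0D11634F02 is the same account ("fred") authenticating from a second, unrelated IP.
# 9A1C01634F10 arrived from localhost with no "queued as" reference pointing at it.
SAMPLE_LOG = """\
Apr 5 16:55:29 server.example.com postfix/smtpd[82546]: connect from unknown[123.123.123.123]
Apr 5 16:55:29 server.example.com postfix/smtpd[82546]: E7F3F1634E22: client=unknown[123.123.123.123], sasl_method=CRAM-MD5, sasl_username=fred
Apr 5 16:55:30 server.example.com postfix/qmgr[80216]: E7F3F1634E22: from=<fred@example.com>, size=631, nrcpt=2 (queue active)
Apr 5 16:55:30 server.example.com postfix/smtpd[82553]: connect from localhost[127.0.0.1]
Apr 5 16:55:30 server.example.com postfix/smtpd[82553]: 34FDB1634E2F: client=localhost[127.0.0.1]
Apr 5 16:55:30 server.example.com postfix/smtpd[82553]: disconnect from localhost[127.0.0.1]
Apr 5 16:55:30 server.example.com postfix/qmgr[80216]: 34FDB1634E2F: from=<fred@example.com>, size=1041, nrcpt=2 (queue active)
Apr 5 16:55:30 server.example.com postfix/smtp[82551]: E7F3F1634E22: to=<sally@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.29, delays=0.14/0.01/0/0.14, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 34FDB1634E2F)
Apr 5 17:01:58 server.example.com postfix/smtpd[82599]: connect from unknown[198.51.100.77]
Apr 5 17:01:58 server.example.com postfix/smtpd[82599]: 5C0D11634F02: client=unknown[198.51.100.77], sasl_method=PLAIN, sasl_username=fred
Apr 5 17:01:59 server.example.com postfix/qmgr[80216]: 5C0D11634F02: from=<fred@example.com>, size=2088, nrcpt=50 (queue active)
Apr 5 17:02:11 server.example.com postfix/smtpd[82601]: connect from localhost[127.0.0.1]
Apr 5 17:02:11 server.example.com postfix/smtpd[82601]: 9A1C01634F10: client=localhost[127.0.0.1]
Apr 5 17:02:11 server.example.com postfix/qmgr[80216]: 9A1C01634F10: from=<fred@example.com>, size=2104, nrcpt=40 (queue active)
"""

LINE_RE = re.compile(r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
                     r'postfix/(?P<prog>[\w-]+)\[\d+\]: (?P<msg>.*)$')
QID_RE = re.compile(r'^(?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$')
# A delivery to the content filter on loopback that reports the queue ID Postfix
# assigned when the filter handed the message back on the reinjection port.
REINJECT_RE = re.compile(r'relay=127\.0\.0\.1\[127\.0\.0\.1\]:\d+.*queued as (?P<qid>[0-9A-F]{6,})')


def parse_postfix_log(text):
    """Index a Postfix log by queue ID.

    Returns (messages, reinjected, sasl_logins):
      messages[qid]  -> {'client', 'sasl_username', 'from', 'nrcpt'} as seen
      reinjected     -> queue IDs that are the content filter handing a message back
      sasl_logins    -> {username: {client_ip: count}}
    """
    messages = defaultdict(dict)
    reinjected = set()
    sasl_logins = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        q = QID_RE.match(m['msg'])
        if not q:
            continue                      # connect/disconnect lines carry no queue ID
        qid, rest = q['qid'], q['rest']
        rec = messages[qid]
        if m['prog'] == 'smtpd' and rest.startswith('client='):
            fields = dict(kv.split('=', 1) for kv in rest.split(', ') if '=' in kv)
            rec['client'] = fields['client']
            if 'sasl_username' in fields:
                rec['sasl_username'] = fields['sasl_username']
                ip = re.search(r'\[([^\]]+)\]', fields['client']).group(1)
                sasl_logins[fields['sasl_username']][ip] += 1
        elif m['prog'] == 'qmgr':
            f = re.search(r'from=<([^>]*)>', rest)
            n = re.search(r'nrcpt=(\d+)', rest)
            if f:
                rec['from'] = f.group(1)
            if n:
                rec['nrcpt'] = int(n.group(1))
        elif m['prog'] == 'smtp':
            r = REINJECT_RE.search(rest)
            if r:
                reinjected.add(r['qid'])
    return messages, reinjected, sasl_logins


def unexplained_localhost_injections(text):
    """Messages that arrived from 127.0.0.1 but are not the reinjection of an
    earlier message, i.e. something local submitted them directly."""
    messages, reinjected, _ = parse_postfix_log(text)
    return [{'qid': qid, 'from': rec.get('from'), 'nrcpt': rec.get('nrcpt')}
            for qid, rec in messages.items()
            if rec.get('client', '').startswith('localhost[127.0.0.1]') and qid not in reinjected]


def sasl_logins_by_user(text):
    """{username: {client_ip: count}}; one account authenticating from many unrelated
    addresses, or at unusual volume, is the 'hacked account' case."""
    _, _, logins = parse_postfix_log(text)
    return {user: dict(ips) for user, ips in logins.items()}


if __name__ == '__main__':
    for hit in unexplained_localhost_injections(SAMPLE_LOG):
        print('localhost injection without a parent:', hit)
    for user, ips in sasl_logins_by_user(SAMPLE_LOG).items():
        print('SASL logins for', user, ips)
```

On the sample this flags only 9A1C01634F10 (34FDB1634E2F is cleared by the "queued as" line) and shows fred authenticating from two addresses. The reinjection pattern is tied to the content-filter loop on 10024/10025 that OS X Server's Postfix uses; if your master.cf injects through a different port or a pipe transport, adjust REINJECT_RE to match.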
