We have huge trouble: our Mac server is sending spam. Our IP is already blacklisted on about a dozen servers (checked with http://mxtoolbox.com/). We have other computers on the same network, including PCs. What I already did and discovered:
- I found spam emails in "Server Admin app"->Mail->Maintenance->Mail Queue (attached image).
- I managed to get one of those emails from the /var/spool/postfix/ folder. Here is the link, a simple HTML file (http://www.sendspace.com/file/wbyjov). I didn't find anything useful there, like an IP address.
- I searched for malware with ClamXav on the server, with no result.
- I re-checked the PCs with antivirus software, with no result.
Also, does the fact that these emails appear in the "Mail Queue" mean that the Mac OS X server sends them by itself? Or is it possible that another computer on the same network is sending them?
Thank you in advance for your answers!
I'd guess an exposed password. (See below.)
Garbage? That's surprising. There should be a large selection of logs visible there, including the logs visible via the Server Admin.app "keyhole" view of the logs. I greatly prefer Console.app, as what Server Admin.app shows for log contents is practically useless; it's a far too small window into what's going on with far too short a recall of events. You will need to select the particular logs related to the mail server in the left navigation of Console.app, rather than looking at the general (aggregate) view.
In general, please read through the mail server logs yourself, and learn how those pieces fit together. In particular, find where several of the messages are arriving at your mail server. Reading and understanding the logs is key to running and particularly to troubleshooting a server. Follow the mail message IDs as the message goes through the various parts of the processing.
In the "Thank for your response! Here is the log" images, IMAP is not used to send out mail, so there won't be useful data in that log. The SMTP traffic shows some activity and a whole lot of relay reports, but I don't see any submissions there. (Console.app shows more data than what's in that view, too.)
In the same "Thank for your response! Here is the log" posting, there's a particular user shown in the mail access log that's being very frequently used in that section of the logs. That volume of messages might be normal traffic for that user, or the credentials for that user may have been breached. Knowing your mail traffic and also viewing more of the log data via Console.app should help you differentiate that.
In the "Hey!!!! I found something." image, that's a whole pile of login failures. That may have been a result of the password change.
Getting barrages of accesses from random IP addresses (whether 188.8.131.52 or otherwise) is normal, and may or may not be tied to the other issues you're seeing here.
I don't see a way to relay the messages from the postconf -n settings (not having an open relay is goodness), but I do see plaintext authentication, and if that's available from off your network it can result in the exposure of server login credentials. SSL/TLS should be used for submissions.
MadMacs0: installing a second ClamAV probably won't perturb the default installation within OS X Server, presuming the add-on package went into /usr/local and not elsewhere. If the add-on went into the OS X system directories, then all bets are off.
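As an added example (not code from this thread or from OS X Server), a small Python script that reads Postfix-format SMTP log lines the way the answer describes: it counts submissions and queued recipients per SASL user so that one account being used far more than normal stands out, and it follows a queue ID through the smtpd, cleanup, qmgr and smtp stages. The log lines, host name, user names, addresses and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in Postfix syslog format; not taken from the poster's server.
SAMPLE_LOG = """\
Mar 10 02:13:01 mailsrv postfix/smtpd[4501]: 7A1B2C3D4E: client=unknown[198.51.100.23], sasl_method=PLAIN, sasl_username=jsmith
Mar 10 02:13:01 mailsrv postfix/cleanup[4502]: 7A1B2C3D4E: message-id=<a1@198.51.100.23>
Mar 10 02:13:01 mailsrv postfix/qmgr[4410]: 7A1B2C3D4E: from=<jsmith@example.com>, size=2310, nrcpt=40 (queue active)
Mar 10 02:13:05 mailsrv postfix/smtp[4503]: 7A1B2C3D4E: to=<x@example.net>, relay=mx.example.net[192.0.2.10]:25, status=deferred (host refused)
Mar 10 02:14:10 mailsrv postfix/smtpd[4501]: 8B2C3D4E5F: client=unknown[198.51.100.23], sasl_method=PLAIN, sasl_username=jsmith
Mar 10 02:14:10 mailsrv postfix/qmgr[4410]: 8B2C3D4E5F: from=<jsmith@example.com>, size=2290, nrcpt=45 (queue active)
Mar 10 09:00:00 mailsrv postfix/smtpd[4520]: 9C3D4E5F60: client=host.example.com[192.0.2.50], sasl_method=LOGIN, sasl_username=mlee
Mar 10 09:00:00 mailsrv postfix/qmgr[4410]: 9C3D4E5F60: from=<mlee@example.com>, size=1020, nrcpt=1 (queue active)
"""

# Authenticated submission: smtpd logs the queue ID, the client and the SASL user.
SUBMIT_RE = re.compile(r'postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<client>[^,]+),.*sasl_username=(?P<user>\S+)')
# Queue manager line carries the recipient count for that queue ID.
QMGR_RE = re.compile(r'postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<[^>]*>, size=\d+, nrcpt=(?P<nrcpt>\d+)')
# Any Postfix stage line: used to follow one message through the pipeline.
QID_RE = re.compile(r'postfix/(?P<stage>[a-z]+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)')


def submissions_per_user(log_text):
    """Per SASL user: number of submissions, recipients queued, and distinct submitting clients."""
    qid_user = {}
    per_user = defaultdict(lambda: {"messages": 0, "recipients": 0, "clients": set()})
    for line in log_text.splitlines():
        m = SUBMIT_RE.search(line)
        if m:
            qid_user[m["qid"]] = m["user"]
            per_user[m["user"]]["messages"] += 1
            per_user[m["user"]]["clients"].add(m["client"])
            continue
        m = QMGR_RE.search(line)
        if m and m["qid"] in qid_user:
            per_user[qid_user[m["qid"]]]["recipients"] += int(m["nrcpt"])
    return per_user


def suspicious_users(per_user, max_messages=5, max_recipients=20):
    """Users whose volume exceeds what is normal for them (thresholds are constructed; tune to your traffic)."""
    return sorted(u for u, s in per_user.items()
                  if s["messages"] > max_messages or s["recipients"] > max_recipients)


def trace_queue_id(log_text, qid):
    """Follow one queue ID through smtpd -> cleanup -> qmgr -> smtp, as the answer suggests."""
    return [(m["stage"], m["rest"]) for line in log_text.splitlines()
            if (m := QID_RE.search(line)) and m["qid"] == qid]
```

On a real server, pipe the SMTP log selected in Console.app (or the file it reads) into `submissions_per_user` and compare each account's counts against its usual traffic rather than against fixed thresholds.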