Spam email complaint

[lighto]

Hello, I have a droplet hosted on DigitalOcean and received a ticket with a complaint saying my server ip was blocked for sending spam email.

I justed checked the postfix logs and they are over 6 GB in size. 
I think someone exploited a flaw or some configuration error on the postfix server, because I changed all the email passwords to very secure ones and I still see spam emails being sent on the server.

Here are some parts of the logs:

Apr 30 10:49:09 zentora postfix/smtp[10637]: 9F7B2126826: to=<bobreisner@earthlink.net>, relay=mx1.earthlink.net[209.86.93.226]:25, delay=236801, delays=234764/2037/0.29/0.02, dsn=4.0.0, status=SOFTBOUNCE (host mx1.earthlink.net[209.86.93.226] said: 550 IP xx.xx.xx.xx is blocked by EarthLink. Go to earthlink.net/block for details. (in reply to MAIL FROM command))

Apr 30 10:48:49 zentora postfix/smtp[10286]: 93E7F12FB8C: to=<amandawg@ara.seed.net.tw>, relay=mx.seed.net.tw[139.175.54.239]:25, delay=214822, delays=212804/2016/1.4/0.45, dsn=4.0.0, status=SOFTBOUNCE (host mx.seed.net.tw[139.175.54.239] said: 550 unknown user (in reply to RCPT TO command))

Apr 30 10:48:49 zentora postfix/qmgr[3435]: 6B41513E98B: from=<sec@mydomain.com>, size=4895, nrcpt=1 (queue active)

Is there maybe a security bug built in Sentora? Is there a way I can secure my server to stop this spam complaints? If you need access to the server or the logs I can give you access.

Thank you

[Me.B]

Seem you ip is now blacklisted.

Check if you have wordpress or such CMS that will likely have flaws that got the spam bot inside. Clean your server and then delist your ip and keep an eye over it.

M B

[lighto]

Seem you ip is now blacklisted.

Check if you have wordpress or such CMS that will likely have flaws that got the spam bot inside. Clean your server and then delist your ip and keep an eye over it.

M B

Thank you M B for your answer.

I have a custom cms built inside, I will clean the server and will let you know. 

Quick question, I can see all the emails are being sent from the same email address. I have deleted that email address but emails are still being sent using that email address... Maybe the server is compromised?

[lighto]

I have cleaned the server, and the spam email are still being sent.
I disabled the relay sending in postfix and as soon as I start the postfix service the emails start sending like crazy

[stra2017]

Hi. Try updating your /etc/postfix/main.cf and comment out soft_bounce=yes (the Postfix default is no). I had the same "status=SOFTBOUNCE" in my logs for emails that should have otherwise failed (unknown email addresses, etc.) However these were being retried every 70 mins. After changing the above option I started getting the expected Undeliverable emails in the mailbox that sent the email. This was on a fresh Sentora install on a Centos 7 minimal image.
The soft_bounce=yes config appears to come from Sentora - a fresh Linode Centos 7 install has a different /etc/postfix/main.cf, installing Sentora seems to replace this (and understandably so, just not the soft_bounce value).
The references that ultimately helped me: http://postfix.1071664.n5.nabble.com/sta...d9035.html and the linked ref: http://www.postfix.org/postconf.5.html#soft_bounce