This is an obvious one really but I recently spotted quite a few attempts by spammers to send bank-related messages through one of our boxes:
server user # netstat -tulpn | grep 25
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 1417/master
server user # nano /etc/postfix/main.cf
Locate the line with "inet_interfaces" and change it to include 127.0.0.1.
server user # /etc/init.d/postfix restart
 * Stopping postfix (/etc/postfix) ... [ ok ]
 * Starting postfix (/etc/postfix) ... [ ok ]
server user # netstat -tulpn | grep 25
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1627/master
At this stage it shows that the listening address is now only localhost. You can double-check what's happening by checking various logs like:
tail -f /var/log/messages
Also note though, any PHP script sending mail would be classified as "local" so you really need to check any scripts for injection vulnerabilities.
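The before/after netstat check above can be scripted so that it matches port 25 exactly (a plain `grep 25` also matches ports such as 2525 or a PID containing "25"). This is an added example, not part of the original post; the function names and the 2525 sample line are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).
# Constructed samples: the :25 lines mirror the post's netstat output; the
# :2525 line is made up to show what a plain `grep 25` would also match.
SAMPLE_BEFORE='tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 1417/master
tcp 0 0 0.0.0.0:2525 0.0.0.0:* LISTEN 1625/other'
SAMPLE_AFTER='tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1627/master
tcp 0 0 0.0.0.0:2525 0.0.0.0:* LISTEN 1625/other'

# Read `netstat -tulpn` style output on stdin and print every TCP listener
# on port 25 that is bound to a non-loopback address.
exposed_smtp_listeners() {
    awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            addr = $4
            # Split host:port on the last colon so IPv6 forms (:::25) work.
            pos = match(addr, /:[0-9]+$/)
            if (pos == 0) next
            port = substr(addr, pos + 1)
            host = substr(addr, 1, pos - 1)
            if (port != "25") next                  # exact port comparison
            if (host ~ /^127\./ || host == "::1") next   # loopback is fine
            print addr
        }
    '
}

# Exit status 0 when no SMTP listener is reachable from outside the host.
smtp_is_loopback_only() {
    [ -z "$(exposed_smtp_listeners)" ]
}

# Live use (as root, so -p works): netstat -tulpn | exposed_smtp_listeners
```

An empty result after the Postfix restart confirms the change took effect; any address printed is still accepting SMTP connections from the network.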