- Immediately:
  - Reset password
  - Revoke active sessions
  - Review sent mail
- Investigate:
  - Check authentication logs
  - Review mail forwarding rules
  - Check for unauthorized aliases
- Prevent:
  - Enable TFA
  - Review password policy
  - Educate user
- Identify source:

  ```bash
  docker compose logs postfix-mailcow | grep "status=sent"
  ```

- Stop outbound mail (if severe):

  ```bash
  docker compose stop postfix-mailcow
  ```

- Investigate:
  - Check for compromised accounts
  - Review relay configuration
  - Check rate limiting
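The `grep "status=sent"` step above only lists deliveries; Postfix logs the authenticated sender (`sasl_username`) and the client address on a separate `smtpd` line, and the two are linked only by the queue ID. The script below is an added example, not part of this guide or of mailcow, that joins those two line types so you can see which account is behind a burst of outbound mail and from which client addresses it was used. It reads `docker compose logs postfix-mailcow` output on stdin; the embedded log lines are constructed samples, and the thresholds in `flag_senders` are assumed starting values, not mailcow defaults.

```python
import re
import sys
from collections import defaultdict

# smtpd line tying a Postfix queue ID to the authenticated sender and its client.
SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): client=(?P<client>[^,]+),"
    r".*?sasl_username=(?P<user>[^,\s]+)"
)
# Delivery line for the same queue ID: one per recipient, carrying the final status.
SENT_RE = re.compile(
    r"postfix/(?:smtp|lmtp)\[\d+\]: (?P<qid>[0-9A-Za-z]+): to=<(?P<rcpt>[^>]*)>"
    r".*?status=sent"
)

UNKNOWN = "UNKNOWN"  # queue ID with no matching smtpd/SASL line (bounce, relay, etc.)

# Constructed sample log lines (not real mailcow output); the "docker compose logs"
# container prefix is kept because the regexes search the line rather than anchor it.
SAMPLE_LOG = """\
postfix-mailcow  | Jan 10 12:00:01 mail postfix/smtpd[201]: 4A1B2C3D4E: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=alice@example.com
postfix-mailcow  | Jan 10 12:00:02 mail postfix/smtp[202]: 4A1B2C3D4E: to=<bob@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=1.1, delays=0.1/0/0.4/0.6, dsn=2.0.0, status=sent (250 2.0.0 OK)
postfix-mailcow  | Jan 10 12:00:03 mail postfix/smtpd[201]: 5F6A7B8C9D: client=unknown[198.51.100.23], sasl_method=PLAIN, sasl_username=alice@example.com
postfix-mailcow  | Jan 10 12:00:04 mail postfix/smtp[202]: 5F6A7B8C9D: to=<r1@example.org>, relay=mx.example.org[192.0.2.44]:25, delay=0.9, delays=0.1/0/0.3/0.5, dsn=2.0.0, status=sent (250 OK)
postfix-mailcow  | Jan 10 12:00:04 mail postfix/smtp[202]: 5F6A7B8C9D: to=<r2@example.org>, relay=mx.example.org[192.0.2.44]:25, delay=0.9, delays=0.1/0/0.3/0.5, dsn=2.0.0, status=sent (250 OK)
postfix-mailcow  | Jan 10 12:00:05 mail postfix/smtp[202]: 5F6A7B8C9D: to=<r3@example.org>, relay=none, delay=30, delays=0.1/0/30/0, dsn=4.4.1, status=deferred (connect to mx2.example.org[192.0.2.45]:25: Connection timed out)
postfix-mailcow  | Jan 10 12:00:06 mail postfix/smtpd[203]: 6E5D4C3B2A: client=unknown[192.0.2.9], sasl_method=LOGIN, sasl_username=carol@example.com
postfix-mailcow  | Jan 10 12:00:07 mail postfix/smtp[204]: 6E5D4C3B2A: to=<dave@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=1.0, delays=0.1/0/0.4/0.5, dsn=2.0.0, status=sent (250 2.0.0 OK)
postfix-mailcow  | Jan 10 12:00:08 mail postfix/smtp[204]: 7D7D7D7D7D: to=<x@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=1.0, delays=0.1/0/0.4/0.5, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""


def correlate_sent_mail(lines):
    """Join smtpd client= lines to status=sent lines on the queue ID.

    Returns {sasl_username: {"sent": n, "recipients": set, "clients": set}}.
    Two passes, so the order of lines in the log does not matter.
    """
    qid_to_sender = {}
    for line in lines:
        m = SASL_RE.search(line)
        if m:
            qid_to_sender[m.group("qid")] = (m.group("user"), m.group("client"))

    stats = defaultdict(lambda: {"sent": 0, "recipients": set(), "clients": set()})
    for line in lines:
        m = SENT_RE.search(line)
        if not m:
            continue
        user, client = qid_to_sender.get(m.group("qid"), (UNKNOWN, None))
        entry = stats[user]
        entry["sent"] += 1
        entry["recipients"].add(m.group("rcpt"))
        if client:
            entry["clients"].add(client)
    return dict(stats)


def flag_senders(stats, max_sent=50, max_recipients=25):
    """Accounts whose delivered count or distinct-recipient count exceeds the
    (assumed) thresholds, busiest first. Unauthenticated traffic is not an account."""
    flagged = [
        user for user, s in stats.items()
        if user != UNKNOWN
        and (s["sent"] > max_sent or len(s["recipients"]) > max_recipients)
    ]
    return sorted(flagged, key=lambda u: -stats[u]["sent"])


if __name__ == "__main__":
    # Pipe real logs in: docker compose logs postfix-mailcow | python3 this_script.py
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    stats = correlate_sent_mail(lines)
    for user, s in sorted(stats.items(), key=lambda kv: -kv[1]["sent"]):
        print(f"{user:32} sent={s['sent']:4} recipients={len(s['recipients']):4} "
              f"clients={sorted(s['clients'])}")
    print("flagged:", flag_senders(stats, max_sent=2))
```

Run it with the sample data and the account used from two different client addresses stands out; in a real incident the `clients` set is the quickest way to separate the legitimate user's usual address from the one the spammer is submitting from, and the flagged accounts are the ones whose passwords and sessions the "Immediately" steps should target first.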