postfix-mtasmtpd

Abuse - SASL LOGIN authentication failed: UGFzc3dvcmQ6


I have received an email from our ISP saying that our public IP is being reported for abuse. I do not understand how to investigate this to find the source of the problem, so I need a bit of help.

postfix/smtpd[21723]: warning: unknown[X.X.X.X]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 26 10:51:59 shorelinedelivery postfix/smtpd[21723]: disconnect from unknown[X.X.X.X]
Apr 26 13:37:31 shorelinedelivery postfix/smtpd[25499]: connect from unknown[103.215.211.106]
Apr 26 13:37:35 shorelinedelivery postfix/smtpd[25499]: warning: unknown[X.X.X.X]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 26 13:37:35 shorelinedelivery postfix/smtpd[25499]: disconnect from unknown[X.X.X.X]
Apr 26 15:08:34 shorelinedelivery postfix/smtpd[27596]: connect from unknown[X.X.X.X]
Apr 26 15:08:37 shorelinedelivery postfix/smtpd[27596]: warning: unknown[X.X.X.X]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 26 15:08:37 shorelinedelivery postfix/smtpd[27596]: disconnect from unknown[X.X.X.X]
Apr 26

X.X.X.X is our IP. I don't see any abuse or anything wrong here, and I don't understand the postfix part: we don't have any Postfix server here, and this IP is our users' internet IP, not a server; people use Outlook. I saw the same problem with one of my servers (WordPress installed): someone hacked into the server and added scripts to send spam emails. But I don't know how to read this log and investigate, or what I should ask the ISP for more info.

Report from fail2ban
Reported-From: [email protected]
Report-Type: login-attack
User-Agent: vaniersel.net abuse report
Report-ID: [email protected]
Date: Thu, 26 Apr 2018 01:55:17 +0200
Source: X.X.X.X
Source-Type: ipv4
Destination: 94.x.x.x
Destination-Type: ipv4
Attachment: text/plain
Schema-URL: http://www.x-arf.org/schema/abuse_login-attack_0.1.2.json
Category: abuse
Service: smtp
Port: 25

Solution

  • To explain, the SASL authentication failed messages are from the remote server. It's saying that there's a process somewhere on, or behind, your IP address that is pounding that server trying to guess passwords, in order to send spam.

    What you need to do is try to find the system behind your IP address that's performing the attack. If the hacked WordPress server is at, or behind, that IP address, that may have been it; do you have a test server in house? I notice that the date in that log snippet is April 26th, and this was posted on May 5th.

    If all you have behind that IP address is users, then either your router was hacked and is being used as a proxy by the criminal, or one of your users' computers has been compromised. One thing to do is to block outgoing port 25 on the router firewall. That forces your users to use a more secure port for their mail clients (Exchange, or SSL-encrypted port 587 or 465 for standard SMTP).

    If you aren't comfortable with doing that, please call around your area for an IT consultant that's familiar with that kind of security breach.
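To make the answer's reading of the log concrete, here is an added example (not from the post or its author) that parses Postfix smtpd lines of the shape quoted in the question, decodes the token after "failed:" (UGFzc3dvcmQ6 is base64 for "Password:", the server's LOGIN prompt that the client answered wrongly), and counts failures per client IP the way a fail2ban-style threshold would. The log is constructed: 192.0.2.10 stands in for the masked X.X.X.X, and the hostname, pids and second client are made up.

```python
import base64
import re
from collections import defaultdict

# Constructed sample in the shape of the forwarded log (192.0.2.10 = the masked X.X.X.X; other names made up).
SAMPLE_LOG = """\
Apr 26 10:51:55 shorelinedelivery postfix/smtpd[21723]: connect from unknown[192.0.2.10]
Apr 26 10:51:59 shorelinedelivery postfix/smtpd[21723]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 26 10:51:59 shorelinedelivery postfix/smtpd[21723]: disconnect from unknown[192.0.2.10]
Apr 26 13:37:31 shorelinedelivery postfix/smtpd[25499]: connect from unknown[192.0.2.10]
Apr 26 13:37:35 shorelinedelivery postfix/smtpd[25499]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 26 13:37:35 shorelinedelivery postfix/smtpd[25499]: disconnect from unknown[192.0.2.10]
Apr 26 15:08:34 shorelinedelivery postfix/smtpd[27596]: connect from unknown[192.0.2.10]
Apr 26 15:08:37 shorelinedelivery postfix/smtpd[27596]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 26 15:08:37 shorelinedelivery postfix/smtpd[27596]: disconnect from unknown[192.0.2.10]
Apr 26 15:09:00 shorelinedelivery postfix/smtpd[27601]: connect from mail.example.net[198.51.100.7]
"""

# One smtpd line: syslog timestamp, host, pid, then connect/disconnect/warning for client host[ip];
# a SASL warning additionally carries the mechanism and a base64 token after "failed:".
LINE_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ postfix/smtpd\[\d+\]: "
    r"(?P<event>connect from|disconnect from|warning:) [^\[\s]+\[(?P<ip>[^\]]+)\]"
    r"(?:: SASL \w+ authentication failed: (?P<token>\S+))?")

def decode_sasl_token(token):
    """Decode the base64 SASL exchange Postfix logs after 'failed:'; None if it is not base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def summarize(log_text, threshold=3):
    """Per client IP: connections, SASL failures and decoded prompts; keep IPs with >= threshold failures."""
    stats = defaultdict(lambda: {"connects": 0, "failures": 0, "prompts": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other daemons or line shapes we do not parse
        rec = stats[m["ip"]]
        if m["event"] == "connect from":
            rec["connects"] += 1
        if m["token"]:
            rec["failures"] += 1
            rec["prompts"].add(decode_sasl_token(m["token"]) or f"<raw:{m['token']}>")
    return {ip: {"connects": r["connects"], "failures": r["failures"], "prompts": sorted(r["prompts"])}
            for ip, r in stats.items() if r["failures"] >= threshold}

if __name__ == "__main__":
    for ip, r in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {r['failures']} SASL failures over {r['connects']} connections; prompts: {r['prompts']}")
```

Run against a real mail.log, the IPs this reports are the clients to look for behind your NAT; the benign 198.51.100.7 connection is dropped because it never failed authentication.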