postfix

How to defeat Postfix and spammers from system accounts?

Good day to all, to be honest, we got a few of these letters with headers in the attachment:

Return-Path: <[email protected]_mx.domain>
Delivered-To: [email protected]
Received: by my_mx.domain (Postfix, from userid 997)
    id B6B155C115; Thu, 4 Oct 2018 11:07:34 +0300 (MSK)
To: [email protected]
Subject: =?UTF-8?B?0KHQvtC+0LHRidC10L3QuNC1IERhdmlkY3JpdmE=?=
X-PHP-Originating-Script: 997:mail.php
From: =?UTF-8?B?RGF2aWRjcml2YQ==?= <[email protected]>
Reply-To: =?UTF-8?B?ZmJ2YmZnZmcudmNkZ2VjZ2ZnLjA5QG1haWwucnU=?= <[email protected]>
X-Mailer: PHP/7.2.10

my.domain b my_mx.domain is the same car in fact, postfix serves two mail domains,
which means according to configs:

mail_owner = postfix
inet_interfaces = all
inet_protocols = all
mydestination = $myhostname, mail.$mydomain
unknown_local_recipient_reject_code = 550
mynetworks = my_ip/32, 127.0.0.0/8, [::1]/128
alias_maps = hash:/etc/postfix/aliases
alias_database = $alias_maps

mailbox_command = /usr/libexec/dovecot/deliver

debug_peer_level = 2
debugger_command =
   PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
   ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.10.1/samples
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES

smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_protocols = !SSLv2
smtp_tls_exclude_ciphers = EXPORT, LOW

### VIRTUAL MAIL CONFIG PARAMS ###
relay_domains = *
virtual_alias_maps = hash:/etc/postfix/aliases
virtual_mailbox_domains = hash:/etc/postfix/domains
virtual_mailbox_maps = hash:/etc/postfix/mailboxes

virtual_mailbox_base = /var/vmail
virtual_minimum_uid = 2222
virtual_transport = dovecot
virtual_uid_maps = static:2222
virtual_gid_maps = static:2222

dovecot_destination_recipient_limit = 1

milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = /var/run/dovecot/auth-client
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_local_domain = $mydomain
broken_sasl_auth_clients = yes

smtpd_tls_security_level = may
smtpd_tls_key_file = /etc/ssl/mailcerts/mail.key
smtpd_tls_cert_file = /etc/ssl/mailcerts/mail_chained.crt
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_cache
smtpd_tls_protocols = $smtp_tls_protocols
tls_random_source = dev:/dev/urandom
tls_random_exchange_name = /var/lib/postfix/prng_exch
smtpd_tls_auth_only = yes
smtpd_helo_required = yes

# soft_bounce = yes
smtpd_recipient_restrictions =
  check_sender_access hash:/etc/postfix/sender_access, - тут два моих домена REJECT
  check_client_access hash:/etc/postfix/access, - пустой
  check_recipient_access hash:/etc/postfix/recipient_access, - пустой
  reject_invalid_hostname,
  reject_non_fqdn_hostname,
  reject_non_fqdn_sender,
  reject_non_fqdn_recipient,
  reject_unknown_sender_domain,
  reject_unknown_recipient_domain,
  reject_unauth_pipelining,
  reject_unauth_destination,
  reject_rbl_client zombie.dnsbl.sorbs.net,
  reject_rbl_client cbl.abuseat.org,
  reject_rbl_client zen.spamhaus.org,
  reject_rbl_client bl.spamcop.net,
  reject_rbl_client multihop.dsbl.org,
  reject_rbl_client work.rsbs.express.ru,
  reject_rbl_client dnsbl.sorbs.net,
  reject_unknown_client,
  permit_sasl_authenticated,
  permit_mynetworks,
  permit

smtpd_sender_login_maps = hash:/etc/postfix/smtpd_sender_login_map - тут мапки от какого мыла какой юзверь может слать письма, 2 записи по одной на каждый домен

smtpd_sender_restrictions =
  check_client_access hash:/etc/postfix/access, -пустой
  check_recipient_access hash:/etc/postfix/recipient_access, - пустой
  reject_unlisted_sender,
  reject_unverified_sender,
  reject_invalid_hostname,
  reject_non_fqdn_hostname,
  reject_non_fqdn_sender,
  reject_unlisted_sender,
  reject_unverified_sender,
#	reject_unauthenticated_sender_login_mismatch,
  reject_sender_login_mismatch,
  reject_unknown_sender_domain,

# Правило проверки соответствия ip и имени клиента
  reject_unknown_client_hostname,
  reject_unknown_sender_domain,
  reject_unknown_hostname,
  reject_rbl_client zombie.dnsbl.sorbs.net,
  reject_rbl_client cbl.abuseat.org,
  reject_rbl_client zen.spamhaus.org,
  reject_rbl_client bl.spamcop.net,
  reject_rbl_client multihop.dsbl.org,
  reject_rbl_client work.rsbs.express.ru,
  reject_rbl_client dnsbl.sorbs.net,
  reject_rhsbl_sender dsn.rfc-ignorant.org,
  permit_sasl_authenticated,
        permit_mynetworks,
  permit

smtpd_data_restrictions =
  reject_unauth_pipelining,
  reject_multi_recipient_bounce,
  permit


smtpd_relay_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  defer_unauth_destination

Here is my config, cut out the excess
In the logs such parsley:

Oct  4 11:07:34 www0001 postfix/pickup[26695]: B6B155C115: uid=997 from=<nginx>
Oct  4 11:07:34 www0001 postfix/cleanup[26719]: B6B155C115: message-id=<[email protected]_mx.domain>
Oct  4 11:07:34 www0001 opendkim[895]: B6B155C115: DKIM-Signature field added (s=default, d=sergeyvisman.ru)
Oct  4 11:07:34 www0001 postfix/qmgr[19110]: B6B155C115: from=<[email protected]_mx.domain>, size=974, nrcpt=1 (queue active)
Oct  4 11:07:34 www0001 dovecot: lda([email protected]): sieve: msgid=<[email protected]_mx.domain>: stored mail into mailbox 'INBOX'
Oct  4 11:07:34 www0001 postfix/pipe[26722]: B6B155C115: to=<[email protected]>, relay=dovecot, delay=0.1, delays=0.07/0.01/0/0.02, dsn=2.0.0, status=sent (delivered via dovecot service)
Oct  4 11:07:34 www0001 postfix/qmgr[19110]: B6B155C115: removed