SMTP Relay stop


As @danb35 wrote before

By default, NethServer does not act as an SMTP relay for anyone except the users of the server.
Also, I am assuming that your server is acting as an email and webmail server, with no websites of any kind.
A little checklist to “sanitize” the situation. Do not consider it complete.

  • If not already, enforce a secure password policy (Password policies, Strong password policy for Users)
  • Change the root password and, if possible, the passwords of any other administrative users (from the NethServer perspective)
  • Keep note of the new password and of everything you are going to change in the next sections
  • Check “Trusted Network” and remove any public subnet or address that should not be there
  • In “Email”, tab SMTP Access, ensure the list “Allow relay from IP addresses” is empty or contains only the IP addresses you choose to relay for, and uncheck the “advanced options” both for relay from trusted networks and for authentication on port 25.
  • Edit: In Email, tab Mailboxes, uncheck “Allow unencrypted connections” if enabled.
  • If not installed or enabled, install or activate rspamd

If all these settings are as described, I have to assume that someone found the password of one of your users, or that one of the systems in your “Allow relay from IP addresses” list is compromised.
So pick one: remove the entries from “Allow relay from IP addresses” or change all the users' passwords.

Also: I am a total Linux n00b; there should be a way from the shell to list all the IP addresses that are connected to a port or a service, but I don’t know which one it is.
And if the Fortigate is correctly configured and allows SMTP connections to the internet only from NethServer, a computer in the LAN could be the culprit for sending spam via NethServer, using a username and password cached in a mail client or browser.

Summoning @support_team for more suggestions

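The post suspects either a stolen user password or a compromised host in the relay list. An added example (not from the poster or from NethServer) that answers both questions from the Postfix log: it summarises, per SASL user, how many messages were submitted and from how many distinct client IPs, and separately lists client IPs that submitted without authenticating. The log lines are constructed samples in standard Postfix `smtpd` format; on a real NethServer you would feed it `/var/log/maillog` instead.

```shell
#!/bin/sh
# Constructed sample Postfix smtpd log lines (not from a real server).
# "alice" sends from one LAN PC; "bob" sends from three different
# public IPs in two minutes, which is what a stolen password looks like.
# The last line has no sasl_username: that session was NOT authenticated,
# so if it was relayed it came through "Allow relay from IP addresses".
SAMPLE_LOG='Mar 10 08:01:02 mail postfix/smtpd[2201]: 1A2B3C: client=pc12.lan[192.168.1.12], sasl_method=PLAIN, sasl_username=alice
Mar 10 08:01:09 mail postfix/smtpd[2201]: 1A2B3D: client=pc12.lan[192.168.1.12], sasl_method=PLAIN, sasl_username=alice
Mar 10 08:03:44 mail postfix/smtpd[2210]: 1A2B3E: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=bob
Mar 10 08:03:45 mail postfix/smtpd[2210]: 1A2B3F: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=bob
Mar 10 08:03:46 mail postfix/smtpd[2211]: 1A2B40: client=unknown[198.51.100.99], sasl_method=LOGIN, sasl_username=bob
Mar 10 08:04:00 mail postfix/smtpd[2212]: 1A2B41: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=bob
Mar 10 08:05:00 mail postfix/smtpd[2213]: 1A2B42: client=pc30.lan[192.168.1.30]'

# Reads a maillog on stdin; prints "user messages distinct_ips ip,ip,..."
sasl_summary() {
  awk '
    /sasl_username=/ {
      match($0, /client=[^[]*\[[0-9a-fA-F.:]+\]/)
      ip = substr($0, RSTART, RLENGTH)
      sub(/.*\[/, "", ip); sub(/\]/, "", ip)          # keep only the address
      match($0, /sasl_username=[^ ,]+/)
      user = substr($0, RSTART + 14, RLENGTH - 14)     # strip "sasl_username="
      msgs[user]++
      if (!((user, ip) in seen)) {                     # first time this user/IP pair
        seen[user, ip] = 1; ips[user]++
        list[user] = list[user] (list[user] ? "," : "") ip
      }
    }
    END { for (u in msgs) printf "%s %d %d %s\n", u, msgs[u], ips[u], list[u] }
  ' | sort
}

# Users that authenticated from at least $1 distinct client IPs.
flag_multi_ip() { sasl_summary | awk -v n="$1" '$3 >= n { print $1 }'; }

# Client IPs that opened an smtpd session without SASL authentication.
unauth_clients() {
  awk '/client=/ && !/sasl_username=/ {
    match($0, /client=[^[]*\[[0-9a-fA-F.:]+\]/)
    ip = substr($0, RSTART, RLENGTH); sub(/.*\[/, "", ip); sub(/\]/, "", ip)
    print ip }' | sort -u
}

# Live sessions on the SMTP ports right now (the command the post asks for):
#   ss -tn state established '( sport = :25 or sport = :465 or sport = :587 )'
printf '%s\n' "$SAMPLE_LOG" | sasl_summary
printf '%s\n' "$SAMPLE_LOG" | flag_multi_ip 3
printf '%s\n' "$SAMPLE_LOG" | unauth_clients
```

Compare the flagged users against the "change all the users' passwords" step and the unauthenticated client IPs against the "Allow relay from IP addresses" list; anything in the second group that is not an expected relay host is the machine to look at.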