Curtis Vaughan
2020-08-31 18:56:00 UTC
A Postfix server I have run for several years now suddenly seems to be acting like an open relay, but I can't figure out how.
Here's a listing of main.cf from postconf -nf. I have excised identifying info. I will note that every time this has started up, I've successfully stopped it, first by putting the sending email address into a list for REJECTED sender access (check_sender_access), but also by using iptables to drop what I believe to be the sending IP. But whoever's doing it shouldn't be able to use my server anyhow. Is there something below that provides a clue?
Thanks!
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
compatibility_level = 2
content_filter = smtp-amavis:[127.0.0.1]:10024
debug_peer_level = 2
debugger_command = PATH=/usr/bin:/usr/X11R6/bin xxgdb
    $daemon_directory/$process_name $process_id & sleep 5
header_checks = regexp:/etc/postfix/header_checks
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/dovecot.conf -m
    "${EXTENSION}"
mailbox_size_limit = 10737418240
mailq_path = /usr/bin/mailq.postfix
message_size_limit = 10737418240
mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost
mydomain = [excised].com
myhostname = [excised].com
mynetworks = [excised]
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = no
recipient_delimiter = +
relay_domains = $mydomain, [excised],
    $mydestination, $virtual_alias_maps
setgid_group = postdrop
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_restrictions = check_client_access hash:/etc/postfix/access
smtpd_recipient_limit = 200000000
smtpd_recipient_restrictions = check_sender_access
    hash:/etc/postfix/sender_access, permit_mynetworks, check_client_access
    hash:/etc/postfix/blacklist_malware_patrol, check_client_access
    cidr:/etc/postfix/client_checks, reject_unauth_pipelining,
    permit_sasl_authenticated, reject_non_fqdn_recipient,
    reject_unknown_recipient_domain, reject_unauth_destination,
    check_policy_service inet:127.0.0.1:10023, permit
smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks,
    reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, hash:/etc/postfix/access
smtpd_tls_CAfile = /etc/ssl/certs/smtp. [excised].crt
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/ssl/certs/server.pem
smtpd_tls_key_file = /etc/ssl/private/domain.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = hash:/etc/postfix/virtual
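Added example (not part of Curtis Vaughan's post, and not a diagnosis of his server): with the configuration above, smtpd_relay_restrictions only lets mail to foreign domains through for clients that pass permit_sasl_authenticated or permit_mynetworks, so the first thing to establish from the logs is which of those two paths the outbound spam took. Postfix's smtpd "client=" line carries the connecting IP and, for authenticated sessions, sasl_username; the matching qmgr line carries the envelope sender and recipient count; a reject_unauth_destination hit is logged as "Relay access denied". The script below parses constructed sample lines in that format, groups accepted messages by (client IP, SASL login), and flags logins whose envelope senders do not match the account, which points at stolen credentials rather than an open relay. The mynetworks value passed in is an assumption for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines in Postfix smtpd/qmgr format (not from the original post).
SAMPLE_LOG = """\
Aug 31 10:01:02 mx postfix/smtpd[2101]: 4BC1A2F0: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=alice@example.com
Aug 31 10:01:03 mx postfix/qmgr[1120]: 4BC1A2F0: from=<alice@example.com>, size=2048, nrcpt=45 (queue active)
Aug 31 10:01:09 mx postfix/smtpd[2102]: 4BC1A2F1: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=alice@example.com
Aug 31 10:01:10 mx postfix/qmgr[1120]: 4BC1A2F1: from=<promo@spammer.test>, size=1900, nrcpt=50 (queue active)
Aug 31 10:02:00 mx postfix/smtpd[2103]: 4BC1A2F2: client=mail.partner.example[198.51.100.5]
Aug 31 10:02:01 mx postfix/qmgr[1120]: 4BC1A2F2: from=<bob@partner.example>, size=900, nrcpt=1 (queue active)
Aug 31 10:03:00 mx postfix/smtpd[2104]: NOQUEUE: reject: RCPT from unknown[192.0.2.9]: 554 5.7.1 <victim@elsewhere.test>: Relay access denied; from=<x@y.test> to=<victim@elsewhere.test> proto=ESMTP helo=<y.test>
"""

# smtpd "client=" line: ties a queue ID to the connecting IP and, if the
# client authenticated, to the SASL username (the permit_sasl_authenticated path).
CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=\S+?\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=\S+, sasl_username=(?P<user>\S+))?"
)
# qmgr line for the same queue ID: envelope sender and number of recipients.
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)"
)
# reject_unauth_destination doing its job: relay attempt refused before queueing.
REJECT_RE = re.compile(r"NOQUEUE: reject: RCPT from \S+?\[(?P<ip>[^\]]+)\]: 554 .*Relay access denied")


def parse_log(text):
    """Return (messages by queue ID, count of relay rejects per client IP)."""
    messages = {}
    relay_rejects = defaultdict(int)
    for line in text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            messages[m["qid"]] = {"ip": m["ip"], "user": m["user"], "sender": None, "nrcpt": 0}
            continue
        m = QMGR_RE.search(line)
        if m and m["qid"] in messages:
            messages[m["qid"]]["sender"] = m["sender"]
            messages[m["qid"]]["nrcpt"] = int(m["nrcpt"])
            continue
        m = REJECT_RE.search(line)
        if m:
            relay_rejects[m["ip"]] += 1
    return messages, dict(relay_rejects)


def summarize(messages, mynetworks):
    """Group accepted messages by (client IP, SASL login) and say which relay path each used."""
    nets = [ipaddress.ip_network(n) for n in mynetworks]
    groups = defaultdict(lambda: {"messages": 0, "recipients": 0, "senders": set()})
    for msg in messages.values():
        g = groups[(msg["ip"], msg["user"])]
        g["messages"] += 1
        g["recipients"] += msg["nrcpt"]
        if msg["sender"]:
            g["senders"].add(msg["sender"])

    report = []
    for (ip, user), g in groups.items():
        if user:
            # An account sending under envelope senders outside its own domain is the
            # classic signature of a stolen password, not of an open relay.
            login_domain = user.rsplit("@", 1)[-1].lower()
            mismatched = [s for s in g["senders"] if s.rsplit("@", 1)[-1].lower() != login_domain]
            verdict = ("authenticated, envelope sender differs from login: check for stolen credentials"
                       if mismatched else "authenticated")
        elif any(ipaddress.ip_address(ip) in n for n in nets):
            verdict = "trusted via permit_mynetworks"
        else:
            verdict = "unauthenticated client: may only deliver to local/relay domains"
        report.append({"ip": ip, "user": user, "messages": g["messages"],
                       "recipients": g["recipients"], "senders": sorted(g["senders"]),
                       "verdict": verdict})
    report.sort(key=lambda r: r["recipients"], reverse=True)
    return report


if __name__ == "__main__":
    msgs, rejects = parse_log(SAMPLE_LOG)
    for row in summarize(msgs, ["192.168.1.0/24"]):  # assumed mynetworks value
        print(row)
    print("relay rejects per IP:", rejects)
```

Run it against the real mail.log (cat /var/log/mail.log | python3 script.py with SAMPLE_LOG swapped for stdin) and pass the server's actual mynetworks; if every burst of outbound spam sits under a sasl_username, the fix is a password reset for that account, and blocking the sending IP or sender address, as described in the post, only buys time until the next login from elsewhere.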