I think this problem is solved.
Thanks for the suggestions Joe. I didn't have any cron jobs, but the problem was in my /etc/hosts file.
Here are the details in case it helps someone looking at the same problem...
The problem was that the LogWatch application was periodically sending an email message to "root "(without any @domain) and my /etc/hosts files was incorrect. This was causing my server to send the LogWatch report out over the internet as an email to "email@example.com". My ISP relay (the mysterious 18.104.22.168 IP address) does not like receiving messages to "firstname.lastname@example.org" so it deferred the email.
These LogWatch emails were piling up in my "deferred" queue and postfix (SMTP server) would retry them occasionally -- and they would be deferred again. I could not see the IP 22.214.171.124 in my /var/log/message file because I do not log IP packets with state=established/related. The response from 126.96.36.199 was always state=established because my machine originated the transaction.
Here are some suggestions for others looking at a similar problem...
1) Check the mail queues. I use postfix for my SMTP server and the command "qshape deferred" will show you the number of email in the deferred queue (or any other queue).
2) I used "vim" to examine the emails that were in the deferred queue. The deferred email files were in the directories under "/var/spool/postfix/deferred". That's how I discovered that they were LogWatch reports. There is probably a better way to examine the contents of these emails in the deferred queue, but I don't know what it is.
3) When I examined the LogWatch config file, I saw that it was sending to "root", so I manually sent a report using the command "logwatch --mailto root" and I could see the error occur in the logs. If I typed "logwatch --mailto email@example.com
", then the error did not occur.
4) I poked around on the net under /etc/hosts and discovered that my file was incorrect. More specifically, I had my host machine names on the 127.0.0.1 line instead of on a subsquent line with the correct LAN IP addres.
5) I used the command "postsuper -d ALL deferred" to delete all the emailed in the deferred queue.
I still have a question...
How does LogWatch periodically send reports? I could not find a cron job for it and it doesn't appear to be a service. (I had not even heard of the LogWatch application until I discovered it in the deferred email.)