Docker exim overlay network spam 25 port

spam connections to 25 port via local 10.255.0.3 port
FROM debian:jessie install exim4
Docker version 17.03.0-ce, build 60ccb22

Hello.

I have set up docker exim service as smarthost for php-fpm app.
relay was enabled for overlay network: dc_relay_nets=‘10.0.9.0/24’
But i have many cpam connections in exim log:

2017-03-21 09:04:04 H=(MY_SERVER_IP) [10.255.0.3] F=<yjupsgtc@mail2000_com_tw> rejected RCPT <like_cmy1314@yahoo_com_tw>: relay not permitted
2017-03-21 09:04:04 H=(MY_SERVER_IP) [10.255.0.3] F=<zgkdmpfg@yam_com> rejected RCPT <dream-true@yahoo_com_tw>: relay not permitted
2017-03-21 09:04:04 H=(MY_SERVER_IP) [10.255.0.3] F=<yjupsgtc@mail2000_com_tw> rejected RCPT <junior1976_168@yahoo_com_tw>: relay not permitted
2017-03-21 09:04:04 H=(MY_SERVER_IP) [10.255.0.3] F=<zgkdmpfg@yam_com> rejected RCPT <deep_vivi@yahoo_com_tw>: relay not permitted
2017-03-21 09:04:04 H=(MY_SERVER_IP) [10.255.0.3] F=<yjupsgtc@mail2000_com_tw> rejected RCPT <leo7708802001@yahoo_com_tw>: relay not permitted
2017-03-21 09:04:04 H=(MY_SERVER_IP) [10.255.0.3] F=<zgkdmpfg@yam_com> rejected RCPT <eiain@yahoo_com_tw>: relay not permitted

All connections via local 10.255.0.3 IP address via H=(MY_SERVER_IP).
Also, i don’t see any connections to 25 port on main server:

# netstat -an | grep 25 
tcp6       0      0 :::25                   :::*                    LISTEN     
unix  2      [ ACC ]     STREAM     LISTENING     11290774 /run/docker/libnetwork/738427efba66246a3a223d571729df5259bcdc1f92f6e9261f4fa13fc0d04096.sock
unix  3      [ ]         STREAM     CONNECTED     18725    
unix  3      [ ]         STREAM     CONNECTED     18625    /run/systemd/journal/stdout
unix  2      [ ]         DGRAM                    22595

network in exim container:

# ip  route show  all 
default via 172.19.0.1 dev eth1 
10.0.9.0/24 dev eth2  proto kernel  scope link  src 10.0.9.8 
10.255.0.0/16 dev eth0  proto kernel  scope link  src 10.255.0.6 
172.19.0.0/16 dev eth1  proto kernel  scope link  src 172.19.0.4

Can anyone help how to find the source IP of spam connections ?

(sorry for my English)