Need advice


Need advice

Tommy Berglund
Hey!
Is there anything I need to change in my configuration of postfix?
I have now seen this in my mail.log file (family server).
Parts of my mail.log file

Feb 28 23:54:57 server postfix/postscreen[5976]: CONNECT from
[81.30.158.145]:32970 to [192.168.2.8]:25
Feb 28 23:54:57 server postfix/postscreen[5976]: HANGUP after 0 from
[81.30.158.145]:32970 in tests before SMTP handshake
Feb 28 23:54:57 server postfix/postscreen[5976]: DISCONNECT
[81.30.158.145]:32970
Feb 28 23:54:58 server postfix/postscreen[5976]: CONNECT from
[81.30.158.145]:33238 to [192.168.2.8]:25
Feb 28 23:55:01 server postfix/postscreen[5976]: HANGUP after 2.1 from
[81.30.158.145]:33238 in tests before SMTP handshake
Feb 28 23:55:01 server postfix/postscreen[5976]: DISCONNECT
[81.30.158.145]:33238
--- snip ---

Mar  1 00:05:56 server postfix/postscreen[5976]: CONNECT from
[81.30.158.145]:31387 to [192.168.2.8]:25
Mar  1 00:05:58 server postfix/postscreen[5976]: HANGUP after 2 from
[81.30.158.145]:31387 in tests before SMTP handshake
Mar  1 00:05:58 server postfix/postscreen[5976]: DISCONNECT
[81.30.158.145]:31387
Mar  1 00:05:59 server postfix/postscreen[5976]: CONNECT from
[81.30.158.145]:31813 to [192.168.2.8]:25
Mar  1 00:06:05 server postfix/postscreen[5976]: PASS NEW
[81.30.158.145]:31813
Mar  1 00:06:06 server postfix/smtpd[6961]: warning: hostname
real-univers.com does not resolve to address 81.30.158.145: Name or
service not known
Mar  1 00:06:06 server postfix/smtpd[6961]: connect from
unknown[81.30.158.145]
Mar  1 00:06:16 server postfix/smtpd[6961]: lost connection after
CONNECT from unknown[81.30.158.145]
Mar  1 00:06:16 server postfix/smtpd[6961]: disconnect from
unknown[81.30.158.145]
Mar  1 00:06:17 server postfix/postscreen[5976]: CONNECT from
[81.30.158.145]:32871 to [192.168.2.8]:25
Mar  1 00:06:17 server postfix/postscreen[5976]: PASS OLD
[81.30.158.145]:32871
Mar  1 00:06:18 server postfix/smtpd[6961]: warning: hostname
real-univers.com does not resolve to address 81.30.158.145: Name or
service not known
Mar  1 00:06:18 server postfix/smtpd[6961]: connect from
unknown[81.30.158.145]
Mar  1 00:06:18 server postfix/smtpd[6961]: lost connection after EHLO
from unknown[81.30.158.145]
Mar  1 00:06:18 server postfix/smtpd[6961]: disconnect from
unknown[81.30.158.145]
--- snip ---

Mar  1 00:25:42 server postfix/smtpd[7063]: disconnect from
unknown[81.30.158.145]
Mar  1 00:25:42 server postfix/postscreen[5976]: CONNECT from
[81.30.158.145]:7654 to [192.168.2.8]:25
Mar  1 00:25:42 server postfix/postscreen[5976]: PASS OLD
[81.30.158.145]:7654
Mar  1 00:25:42 server postfix/smtpd[7063]: warning: hostname
real-univers.com does not resolve to address 81.30.158.145: Name or
service not known
Mar  1 00:25:42 server postfix/smtpd[7063]: connect from
unknown[81.30.158.145]
Mar  1 00:25:43 server postfix/smtpd[7063]: NOQUEUE: reject: RCPT from
unknown[81.30.158.145]: 554 5.7.1 <[hidden email]>: Relay access denied;
from=<[hidden email]> to=<[hidden email]> proto=SMTP
helo=<vps158145.domain>
Mar  1 00:25:43 server postfix/smtpd[7063]: lost connection after RCPT
from unknown[81.30.158.145]
Mar  1 00:25:43 server postfix/smtpd[7063]: disconnect from
unknown[81.30.158.145]

From here on, fail2ban is blocking.

postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
mailbox_size_limit = 0
milter_default_action = accept
mydestination = localhost
myhostname = exampel.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.2.0/24
myorigin = /etc/mailname
postscreen_access_list = permit_mynetworks,
cidr:/etc/postfix/postscreen_access.cidr
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*3 bl.spameatingmonkey.net*2
bl.spamcop.net dnsbl.sorbs.net swl.spamhaus.org*-4
list.dnswl.org=127.0.[0..255].0*-2 list.dnswl.org=127.0.[0..255].1*-3
list.dnswl.org=127.0.[0..255].[2..3]*-4
postscreen_dnsbl_threshold = 3
postscreen_greet_action = enforce
readme_directory = no
recipient_delimiter = +
relayhost = my.isp.com
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_milters = unix:/clamav/clamav-milter.ctl
smtpd_recipient_restrictions = permit_sasl_authenticated,
permit_mynetworks, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/dovecot/dovecot.pem
smtpd_tls_key_file = /etc/dovecot/private/dovecot.pem
smtpd_tls_protocols = !SSLv2
smtpd_use_tls = yes
virtual_alias_maps = sqlite:/etc/postfix/sqlite-virtual-alias-maps.cf
virtual_mailbox_domains =
sqlite:/etc/postfix/sqlite-virtual-mailbox-domains.cf
virtual_mailbox_maps = sqlite:/etc/postfix/sqlite-virtual-mailbox-maps.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp

postconf -M
smtp       inet  n       -       -       -       1       postscreen
smtpd      pass  -       -       -       -       -       smtpd
dnsblog    unix  -       -       -       -       0       dnsblog
tlsproxy   unix  -       -       -       -       0       tlsproxy
pickup     fifo  n       -       -       60      1       pickup
cleanup    unix  n       -       -       -       0       cleanup
qmgr       fifo  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       -       1000?   1       tlsmgr
rewrite    unix  -       -       -       -       -       trivial-rewrite
bounce     unix  -       -       -       -       0       bounce
defer      unix  -       -       -       -       0       bounce
trace      unix  -       -       -       -       0       bounce
verify     unix  -       -       -       -       1       verify
flush      unix  n       -       -       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       -       -       -       smtp
relay      unix  -       -       -       -       -       smtp
showq      unix  n       -       -       -       -       showq
error      unix  -       -       -       -       -       error
retry      unix  -       -       -       -       -       error
discard    unix  -       -       -       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       -       -       -       lmtp
anvil      unix  -       -       -       -       1       anvil
scache     unix  -       -       -       -       1       scache
maildrop   unix  -       n       n       -       -       pipe flags=DRhu
user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp       unix  -       n       n       -       -       pipe flags=Fqhu
user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail     unix  -       n       n       -       -       pipe flags=F
user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp      unix  -       n       n       -       -       pipe flags=Fq.
user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n       n       -       2       pipe flags=R
user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop}
${user} ${extension}
mailman    unix  -       n       n       -       -       pipe flags=FR
user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}

//Tommy


Re: Need advice

Wietse Venema
Tommy Berglund:
> Hey!
> Is there anything I need to change in my configuration of postfix?
> I have now seen this in my mail.log file (family server).
> Parts of my mail.log file


> Feb 28 23:54:57 server postfix/postscreen[5976]: CONNECT from
> [81.30.158.145]:32970 to [192.168.2.8]:25
> Feb 28 23:54:57 server postfix/postscreen[5976]: HANGUP after 0 from
> [81.30.158.145]:32970 in tests before SMTP handshake
> Feb 28 23:54:57 server postfix/postscreen[5976]: DISCONNECT
> [81.30.158.145]:32970

This SMTP client hangs up as soon as postscreen greets it.

> Feb 28 23:54:58 server postfix/postscreen[5976]: CONNECT from
> [81.30.158.145]:33238 to [192.168.2.8]:25
> Feb 28 23:55:01 server postfix/postscreen[5976]: HANGUP after 2.1 from
> [81.30.158.145]:33238 in tests before SMTP handshake
> Feb 28 23:55:01 server postfix/postscreen[5976]: DISCONNECT
> [81.30.158.145]:33238

Same SMTP client, now it hangs up after 2 seconds.

> Mar  1 00:05:56 server postfix/postscreen[5976]: CONNECT from
> [81.30.158.145]:31387 to [192.168.2.8]:25
> Mar  1 00:05:58 server postfix/postscreen[5976]: HANGUP after 2 from
> [81.30.158.145]:31387 in tests before SMTP handshake
> Mar  1 00:05:58 server postfix/postscreen[5976]: DISCONNECT
> [81.30.158.145]:31387

Again.

> Mar  1 00:05:59 server postfix/postscreen[5976]: CONNECT from
> [81.30.158.145]:31813 to [192.168.2.8]:25
> Mar  1 00:06:05 server postfix/postscreen[5976]: PASS NEW
> [81.30.158.145]:31813
> Mar  1 00:06:06 server postfix/smtpd[6961]: warning: hostname
> real-univers.com does not resolve to address 81.30.158.145: Name or
> service not known
> Mar  1 00:06:06 server postfix/smtpd[6961]: connect from
> unknown[81.30.158.145]
> Mar  1 00:06:16 server postfix/smtpd[6961]: lost connection after
> CONNECT from unknown[81.30.158.145]
> Mar  1 00:06:16 server postfix/smtpd[6961]: disconnect from
> unknown[81.30.158.145]

The client waits for the full 6-second postscreen greet wait, and
passes postscreen's tests. The IP address resolves to real-univers.com,
but the name real-univers.com does not exist (actually, the DNS
server for real-univers.com replies with SERVFAIL).

> Mar  1 00:06:17 server postfix/postscreen[5976]: CONNECT from
> [81.30.158.145]:32871 to [192.168.2.8]:25
> Mar  1 00:06:17 server postfix/postscreen[5976]: PASS OLD
> [81.30.158.145]:32871
> Mar  1 00:06:18 server postfix/smtpd[6961]: warning: hostname
> real-univers.com does not resolve to address 81.30.158.145: Name or
> service not known
> Mar  1 00:06:18 server postfix/smtpd[6961]: connect from
> unknown[81.30.158.145]
> Mar  1 00:06:18 server postfix/smtpd[6961]: lost connection after EHLO
> from unknown[81.30.158.145]
> Mar  1 00:06:18 server postfix/smtpd[6961]: disconnect from
> unknown[81.30.158.145]

The SMTP client collects the EHLO response with your SMTP server's
feature set.

> Mar  1 00:25:42 server postfix/smtpd[7063]: disconnect from
> unknown[81.30.158.145]
> Mar  1 00:25:42 server postfix/postscreen[5976]: CONNECT from
> [81.30.158.145]:7654 to [192.168.2.8]:25
> Mar  1 00:25:42 server postfix/postscreen[5976]: PASS OLD
> [81.30.158.145]:7654
> Mar  1 00:25:42 server postfix/smtpd[7063]: warning: hostname
> real-univers.com does not resolve to address 81.30.158.145: Name or
> service not known
> Mar  1 00:25:42 server postfix/smtpd[7063]: connect from
> unknown[81.30.158.145]
> Mar  1 00:25:43 server postfix/smtpd[7063]: NOQUEUE: reject: RCPT from
> unknown[81.30.158.145]: 554 5.7.1 <[hidden email]>: Relay access denied;
> from=<[hidden email]> to=<[hidden email]> proto=SMTP
> helo=<vps158145.domain>
> Mar  1 00:25:43 server postfix/smtpd[7063]: lost connection after RCPT
> from unknown[81.30.158.145]
> Mar  1 00:25:43 server postfix/smtpd[7063]: disconnect from
> unknown[81.30.158.145]

And now it has done an open relay test. The test failed as it should.

This could be intelligence collection (for evil or good). The client
IP address does not appear to be blacklisted.  It appears to be
near Frankfurt, Germany.

        Wietse
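The sequence Wietse walks through above (pre-greeting hangups, a PASS NEW after the greet wait, a session dropped after CONNECT or EHLO, and finally a RCPT that reject_unauth_destination turns away) is easy to pull out of mail.log automatically. The script below is an added example, not code from this thread or from the Postfix project: it rebuilds a per-client timeline from postscreen and smtpd lines and reports which parts of that pattern a client has exhibited. The sample log is constructed from the lines quoted in the thread, with made-up addresses in place of the hidden ones and a second, well-behaved client added for contrast.

```python
"""Rebuild a per-client timeline from Postfix postscreen/smtpd log lines and
flag the reconnaissance sequence discussed in the thread.  Added example,
not code from the thread or from Postfix.  Sample log lines are constructed
from the ones quoted above; the mail addresses are made-up placeholders."""
import re
from collections import defaultdict

# Constructed sample: the thread's sequence, plus one ordinary client
# (192.0.2.10) that passes postscreen once and then delivers a message.
SAMPLE_LOG = """\
Feb 28 23:54:57 server postfix/postscreen[5976]: CONNECT from [81.30.158.145]:32970 to [192.168.2.8]:25
Feb 28 23:54:57 server postfix/postscreen[5976]: HANGUP after 0 from [81.30.158.145]:32970 in tests before SMTP handshake
Feb 28 23:54:57 server postfix/postscreen[5976]: DISCONNECT [81.30.158.145]:32970
Feb 28 23:54:58 server postfix/postscreen[5976]: CONNECT from [81.30.158.145]:33238 to [192.168.2.8]:25
Feb 28 23:55:01 server postfix/postscreen[5976]: HANGUP after 2.1 from [81.30.158.145]:33238 in tests before SMTP handshake
Feb 28 23:55:01 server postfix/postscreen[5976]: DISCONNECT [81.30.158.145]:33238
Mar  1 00:05:59 server postfix/postscreen[5976]: CONNECT from [81.30.158.145]:31813 to [192.168.2.8]:25
Mar  1 00:06:05 server postfix/postscreen[5976]: PASS NEW [81.30.158.145]:31813
Mar  1 00:06:06 server postfix/smtpd[6961]: connect from unknown[81.30.158.145]
Mar  1 00:06:16 server postfix/smtpd[6961]: lost connection after CONNECT from unknown[81.30.158.145]
Mar  1 00:06:17 server postfix/postscreen[5976]: CONNECT from [81.30.158.145]:32871 to [192.168.2.8]:25
Mar  1 00:06:17 server postfix/postscreen[5976]: PASS OLD [81.30.158.145]:32871
Mar  1 00:06:18 server postfix/smtpd[6961]: lost connection after EHLO from unknown[81.30.158.145]
Mar  1 00:25:42 server postfix/postscreen[5976]: PASS OLD [81.30.158.145]:7654
Mar  1 00:25:43 server postfix/smtpd[7063]: NOQUEUE: reject: RCPT from unknown[81.30.158.145]: 554 5.7.1 <victim@example.org>: Relay access denied; from=<probe@example.net> to=<victim@example.org> proto=SMTP helo=<vps158145.domain>
Mar  1 00:30:00 server postfix/postscreen[5976]: CONNECT from [192.0.2.10]:4000 to [192.168.2.8]:25
Mar  1 00:30:06 server postfix/postscreen[5976]: PASS NEW [192.0.2.10]:4000
Mar  1 00:30:07 server postfix/smtpd[7100]: connect from mail.example.net[192.0.2.10]
Mar  1 00:30:08 server postfix/smtpd[7100]: disconnect from mail.example.net[192.0.2.10] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ "
    r"postfix/(?P<prog>postscreen|smtpd)\[\d+\]: (?P<msg>.*)$"
)
# The first "[addr]" on a line is the client: postscreen logs "[ip]:port",
# smtpd logs "name[ip]".
IP_RE = re.compile(r"\[(?P<ip>[0-9A-Fa-f.:]+)\]")
LOST_RE = re.compile(r"lost connection after (\w+) from")


def classify(prog, msg):
    """Map one log message to (tag, detail), or None for lines we ignore."""
    if prog == "postscreen":
        if msg.startswith("HANGUP after "):
            # client dropped the connection N seconds into the greet wait,
            # i.e. before it had even received the 220 greeting
            return "HANGUP", float(msg.split()[2])
        if msg.startswith("PASS NEW "):
            return "PASS_NEW", None   # passed the tests, now temporarily whitelisted
        if msg.startswith("PASS OLD "):
            return "PASS_OLD", None   # already whitelisted, handed straight to smtpd
        return None
    m = LOST_RE.match(msg)
    if m:
        return "LOST_AFTER_" + m.group(1), None   # e.g. LOST_AFTER_EHLO
    if msg.startswith("NOQUEUE: reject: RCPT") and "Relay access denied" in msg:
        return "RELAY_DENIED", None
    return None


def parse_log(text):
    """Return {client_ip: [(timestamp, tag, detail), ...]} in log order."""
    timeline = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip = IP_RE.search(m["msg"])
        event = classify(m["prog"], m["msg"])
        if ip and event:
            timeline[ip["ip"]].append((m["ts"], *event))
    return dict(timeline)


def assess(events):
    """Findings for one client, following Wietse's reading of the log."""
    tags = [tag for _, tag, _ in events]
    findings = []
    hangups = [d for _, tag, d in events if tag == "HANGUP"]
    if len(hangups) >= 2:
        findings.append(f"{len(hangups)} hangups before the SMTP greeting "
                        f"(longest wait {max(hangups):.1f}s)")
    if "PASS_NEW" in tags and any(t.startswith("LOST_AFTER_") for t in tags):
        findings.append("passed postscreen, then dropped the session without "
                        "sending mail (banner/EHLO collection)")
    if "RELAY_DENIED" in tags:
        findings.append("relay attempt rejected by reject_unauth_destination")
    return findings


def report(text):
    """{client_ip: [findings]} for every client seen in the log text."""
    return {ip: assess(ev) for ip, ev in parse_log(text).items()}


if __name__ == "__main__":
    for ip, findings in report(SAMPLE_LOG).items():
        print(ip, "->", findings or ["nothing unusual"])
```

Run against a real mail.log (`report(open("/var/log/mail.log").read())`), a client that collects all three findings is the one Wietse describes: a scanner that learned nothing beyond the EHLO feature set and a 554 on its relay attempt, which is exactly why the existing smtpd_recipient_restrictions with reject_unauth_destination is the control that matters here.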

Re: Need advice

Tommy Berglund
On 2015-03-01 16:40, Wietse Venema wrote:

> Tommy Berglund:
>> Hey!
>> Is there anything I need to change in my configuration of postfix?
>> I have now seen this in my mail.log file (family server).
>> Parts of my mail.log file
>
>
>> Feb 28 23:54:57 server postfix/postscreen[5976]: CONNECT from
>> [81.30.158.145]:32970 to [192.168.2.8]:25
>> Feb 28 23:54:57 server postfix/postscreen[5976]: HANGUP after 0 from
>> [81.30.158.145]:32970 in tests before SMTP handshake
>> Feb 28 23:54:57 server postfix/postscreen[5976]: DISCONNECT
>> [81.30.158.145]:32970
>
> This SMTP client hangs up as soon as postscreen greets it.
>
>> Feb 28 23:54:58 server postfix/postscreen[5976]: CONNECT from
>> [81.30.158.145]:33238 to [192.168.2.8]:25
>> Feb 28 23:55:01 server postfix/postscreen[5976]: HANGUP after 2.1 from
>> [81.30.158.145]:33238 in tests before SMTP handshake
>> Feb 28 23:55:01 server postfix/postscreen[5976]: DISCONNECT
>> [81.30.158.145]:33238
>
> Same SMTP client, now it hangs up after 2 seconds.
>
>> Mar  1 00:05:56 server postfix/postscreen[5976]: CONNECT from
>> [81.30.158.145]:31387 to [192.168.2.8]:25
>> Mar  1 00:05:58 server postfix/postscreen[5976]: HANGUP after 2 from
>> [81.30.158.145]:31387 in tests before SMTP handshake
>> Mar  1 00:05:58 server postfix/postscreen[5976]: DISCONNECT
>> [81.30.158.145]:31387
>
> Again.
>
>> Mar  1 00:05:59 server postfix/postscreen[5976]: CONNECT from
>> [81.30.158.145]:31813 to [192.168.2.8]:25
>> Mar  1 00:06:05 server postfix/postscreen[5976]: PASS NEW
>> [81.30.158.145]:31813
>> Mar  1 00:06:06 server postfix/smtpd[6961]: warning: hostname
>> real-univers.com does not resolve to address 81.30.158.145: Name or
>> service not known
>> Mar  1 00:06:06 server postfix/smtpd[6961]: connect from
>> unknown[81.30.158.145]
>> Mar  1 00:06:16 server postfix/smtpd[6961]: lost connection after
>> CONNECT from unknown[81.30.158.145]
>> Mar  1 00:06:16 server postfix/smtpd[6961]: disconnect from
>> unknown[81.30.158.145]
>
> The client waits for the full 6-second postscreen greet wait, and
> passes postscreen's tests. The IP address resolves to real-univers.com,
> but the name real-univers.com does not exist (actually, the DNS
> server for real-univers.com replies with SERVFAIL).
>
>> Mar  1 00:06:17 server postfix/postscreen[5976]: CONNECT from
>> [81.30.158.145]:32871 to [192.168.2.8]:25
>> Mar  1 00:06:17 server postfix/postscreen[5976]: PASS OLD
>> [81.30.158.145]:32871
>> Mar  1 00:06:18 server postfix/smtpd[6961]: warning: hostname
>> real-univers.com does not resolve to address 81.30.158.145: Name or
>> service not known
>> Mar  1 00:06:18 server postfix/smtpd[6961]: connect from
>> unknown[81.30.158.145]
>> Mar  1 00:06:18 server postfix/smtpd[6961]: lost connection after EHLO
>> from unknown[81.30.158.145]
>> Mar  1 00:06:18 server postfix/smtpd[6961]: disconnect from
>> unknown[81.30.158.145]
>
> The SMTP client collects the EHLO response with your SMTP server's
> feature set.
>
>> Mar  1 00:25:42 server postfix/smtpd[7063]: disconnect from
>> unknown[81.30.158.145]
>> Mar  1 00:25:42 server postfix/postscreen[5976]: CONNECT from
>> [81.30.158.145]:7654 to [192.168.2.8]:25
>> Mar  1 00:25:42 server postfix/postscreen[5976]: PASS OLD
>> [81.30.158.145]:7654
>> Mar  1 00:25:42 server postfix/smtpd[7063]: warning: hostname
>> real-univers.com does not resolve to address 81.30.158.145: Name or
>> service not known
>> Mar  1 00:25:42 server postfix/smtpd[7063]: connect from
>> unknown[81.30.158.145]
>> Mar  1 00:25:43 server postfix/smtpd[7063]: NOQUEUE: reject: RCPT from
>> unknown[81.30.158.145]: 554 5.7.1 <[hidden email]>: Relay access denied;
>> from=<[hidden email]> to=<[hidden email]> proto=SMTP
>> helo=<vps158145.domain>
>> Mar  1 00:25:43 server postfix/smtpd[7063]: lost connection after RCPT
>> from unknown[81.30.158.145]
>> Mar  1 00:25:43 server postfix/smtpd[7063]: disconnect from
>> unknown[81.30.158.145]
>
> And now it has done an open relay test. The test failed as it should.
>
> This could be intelligence collection (for evil or good). The client
> IP address does not appear to be blacklisted.  It appears to be
> near Frankfurt, Germany.
>
> Wietse
>
Wietse thanks for the explanation of my maillog file.
If I understand it right, it's nothing that I need to worry about.

--

//Tommy