Postfix: Variable meanings table

Postfix: Variable meanings table

manu19
Can someone tell me how I can get the meaning of these variables
(ehlo..commands) in the postfix log?
i.e:
1) disconnect from xxxx.xxxx.xx [99.99.999.99] ehlo= 2 starttls= 1 mail=1
rcpt=1 data=1 quit=1 commands=7
2) disconnect from xxxx.xxxx.xx [99.99.999.99] ehlo=2 starttls=1 mail=1
rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8

Thank you very much!!



--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html

Re: Postfix: Variable meanings table

Enrico Morelli
On Fri, 9 Aug 2019 03:32:20 -0700 (MST)
manu19 <[hidden email]> wrote:

> Can someone tell me how I can get the meaning of these variables
> (ehlo..commands) in the postfix log?
> i.e:
> 1) disconnect from xxxx.xxxx.xx [99.99.999.99] ehlo= 2 starttls= 1
> mail=1 rcpt=1 data=1 quit=1 commands=7
> 2) disconnect from xxxx.xxxx.xx [99.99.999.99] ehlo=2 starttls=1
> mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8
>
> Thank you very much!!
>
>
>
> --
> Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html

https://www.samlogic.net/articles/smtp-commands-reference.htm

--
-----------------------------------------------------------
  Enrico Morelli
  System Administrator | Programmer | Web Developer

  CERM - Polo Scientifico
  via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY
------------------------------------------------------------

Re: Postfix: Variable meanings table

Wietse Venema
In reply to this post by manu19
manu19:
> Can someone tell me how I can get the meaning of these variables
> (ehlo..commands) in the postfix log?
> i.e:
> 1) disconnect from xxxx.xxxx.xx [99.99.999.99] ehlo= 2 starttls= 1 mail=1
> rcpt=1 data=1 quit=1 commands=7
> 2) disconnect from xxxx.xxxx.xx [99.99.999.99] ehlo=2 starttls=1 mail=1
> rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8

foo=x/y means that the client sent the 'foo' command 'y' times, and
that Postfix accepted 'x' of those commands. When 'x' and 'y' are
the same, Postfix shows only one.

These statistics make problems easy to diagnose. The command

    $ grep auth=./ /var/log/maillog

will show spambots' attempts to log in. Here is a typical result:

Aug  1 11:24:35 spike postfix/smtpd[26284]: disconnect from unknown[122.246.158.54] ehlo=1 auth=0/1 commands=1/2

        Wietse

Re: Postfix: Variable meanings table

manu19
Thanks for the explanation, it has been very instructive.
Regards.



--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html

Re: Postfix: Variable meanings table

Dominic Raferd
I have a fail2ban ban - quite active - based on this:

failregex = ^%(__prefix_line)sdisconnect from \S+\[<HOST>\] (ehlo|helo)=\d+ .*auth=0/\d

(I whitelist a few IPs that are our own, or known to run auth tests).
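
An added example, not part of the original thread: a parser for the `foo=x/y` disconnect statistics Wietse describes, summing rejected AUTH commands per client IP, which is the same signal his grep and the fail2ban failregex above key on. The log lines are constructed samples using documentation IP ranges, and the function names and the `allowlist` parameter are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample lines (documentation-range IPs), modelled on the formats quoted in the thread.
SAMPLE_LOG = """\
Aug  1 11:24:35 mx postfix/smtpd[26284]: disconnect from unknown[192.0.2.54] ehlo=1 auth=0/1 commands=1/2
Aug  1 11:24:40 mx postfix/smtpd[26290]: disconnect from mail.example.org[198.51.100.7] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Aug  1 11:25:02 mx postfix/smtpd[26301]: disconnect from unknown[192.0.2.54] ehlo=1 auth=0/3 rset=1 commands=2/5
Aug  1 11:25:09 mx postfix/smtpd[26310]: disconnect from client.example.net[203.0.113.9] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8
"""

# Matches smtpd disconnect lines, including services logged as postfix/<name>/smtpd.
DISCONNECT = re.compile(r"postfix(?:/\S+)?/smtpd\[\d+\]: disconnect from (\S*)\[([^\]]+)\] (.*)$")
# One statistic: name=accepted or name=accepted/sent.
STAT = re.compile(r"([a-z]+)=(\d+)(?:/(\d+))?")

def parse_disconnect(line):
    """Return (host, ip, {command: (accepted, sent)}) or None if not a disconnect line."""
    m = DISCONNECT.search(line)
    if not m:
        return None
    stats = {}
    for name, x, y in STAT.findall(m.group(3)):
        accepted = int(x)
        # A bare "foo=n" means accepted == sent, so Postfix logs only one number.
        sent = int(y) if y else accepted
        stats[name] = (accepted, sent)
    return m.group(1), m.group(2), stats

def rejected_by_ip(log_text, command="auth", allowlist=()):
    """Sum rejected `command` attempts (sent minus accepted) per client IP."""
    totals = Counter()
    for line in log_text.splitlines():
        parsed = parse_disconnect(line)
        if not parsed:
            continue
        _, ip, stats = parsed
        accepted, sent = stats.get(command, (0, 0))
        if sent > accepted and ip not in allowlist:
            totals[ip] += sent - accepted
    return totals

if __name__ == "__main__":
    for ip, n in rejected_by_ip(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} rejected AUTH command(s)")
```

Passing `command="rcpt"` or `command="commands"` gives the same per-IP view for rejected recipients or for all rejected commands.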