Postfix: Variable meanings table


Postfix: Variable meanings table

manu19
Can someone tell me how I can get the meaning of these variables
(ehlo..commands) in the postfix log?
i.e:
1) disconnect from xxxx.xxxx.xx [99.99.999.99] ehlo= 2 starttls= 1 mail=1
rcpt=1 data=1 quit=1 commands=7
2) disconnect from xxxx.xxxx.xx [99.99.999.99] ehlo=2 starttls=1 mail=1
rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8

Thank you very much!!



--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html

Re: Postfix: Variable meanings table

Enrico Morelli
On Fri, 9 Aug 2019 03:32:20 -0700 (MST)
manu19 <[hidden email]> wrote:

> Can someone tell me how I can get the meaning of these variables
> (ehlo..commands) in the postfix log?
> i.e:
> 1) disconnect from xxxx.xxxx.xx [99.99.999.99] ehlo= 2 starttls= 1
> mail=1 rcpt=1 data=1 quit=1 commands=7
> 2) disconnect from xxxx.xxxx.xx [99.99.999.99] ehlo=2 starttls=1
> mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8
>
> Thank you very much!!
>
>
>
> --
> Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html

https://www.samlogic.net/articles/smtp-commands-reference.htm

--
-----------------------------------------------------------
  Enrico Morelli
  System Administrator | Programmer | Web Developer

  CERM - Polo Scientifico
  via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY
------------------------------------------------------------

Re: Postfix: Variable meanings table

Wietse Venema
In reply to this post by manu19
manu19:
> Can someone tell me how I can get the meaning of these variables
> (ehlo..commands) in the postfix log?
> i.e:
> 1) disconnect from xxxx.xxxx.xx [99.99.999.99] ehlo= 2 starttls= 1 mail=1
> rcpt=1 data=1 quit=1 commands=7
> 2) disconnect from xxxx.xxxx.xx [99.99.999.99] ehlo=2 starttls=1 mail=1
> rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8

foo=x/y means that the client sent the 'foo' command 'y' times, and
that Postfix accepted 'x' of those commands. When 'x' and 'y' are
the same, Postfix shows only one.

These statistics make problems easy to diagnose. The command

    $ grep auth=./ /var/log/maillog

will show spambots attempts to log in. Here is a typical result:

Aug  1 11:24:35 spike postfix/smtpd[26284]: disconnect from unknown[122.246.158.54] ehlo=1 auth=0/1 commands=1/2

        Wietse

Re: Postfix: Variable meanings table

manu19
Thanks for the explanation, it has been very instructive.
Regards.



--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html

Re: Postfix: Variable meanings table

Dominic Raferd
I have a fail2ban ban - quite active - based on this:

failregex = ^%(__prefix_line)sdisconnect from \S+\[<HOST>\] (ehlo|helo)=\d+ .*auth=0/\d

(I whitelist a few ips that are our own, or known to run auth tests).
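The following is an added example, not code from the thread or from Postfix/fail2ban. It parses the per-session counters Wietse explains (foo=x/y: y sent, x accepted) from smtpd "disconnect" lines and then applies the same auth=0/N rule that Wietse's grep and Dominic's failregex express, over a few constructed log lines (the hostnames and addresses are made up, taken from documentation ranges).

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in the Postfix smtpd "disconnect" format (not from a real host).
SAMPLE_LOG = """\
Aug  1 11:24:35 spike postfix/smtpd[26284]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/1 commands=1/2
Aug  1 11:24:36 spike postfix/smtpd[26284]: disconnect from mail.example.net[198.51.100.7] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8
Aug  1 11:24:37 spike postfix/smtpd[26285]: disconnect from client.example.org[203.0.113.5] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
"""

DISCONNECT_RE = re.compile(r"disconnect from (?P<name>\S+)\[(?P<ip>[^\]]+)\] (?P<stats>.*)$")

# Dominic's failregex with fail2ban's %(__prefix_line)s placeholder dropped and <HOST>
# turned into a named group, so it can be tried with the plain re module.
FAILREGEX = re.compile(r"disconnect from \S+\[(?P<host>[^\]]+)\] (ehlo|helo)=\d+ .*auth=0/\d")


def parse_stats(stats: str) -> Dict[str, Tuple[int, int]]:
    """Map each command to (accepted, sent): 'foo=x/y' is y sent, x accepted; 'foo=x' is both x."""
    out: Dict[str, Tuple[int, int]] = {}
    for item in stats.split():
        key, sep, val = item.partition("=")
        if not sep or not val:          # tolerate stray tokens such as 'ehlo= 2'
            continue
        acc, _, sent = val.partition("/")
        out[key] = (int(acc), int(sent) if sent else int(acc))
    return out


def parse_disconnect(line: str) -> Optional[dict]:
    m = DISCONNECT_RE.search(line)
    if not m:
        return None
    return {"name": m.group("name"), "ip": m.group("ip"), "stats": parse_stats(m.group("stats"))}


def failed_auth_hosts(log_text: str) -> List[str]:
    """IPs that sent AUTH and had none accepted (auth=0/N): the sessions Wietse's grep surfaces."""
    hosts = []
    for line in log_text.splitlines():
        rec = parse_disconnect(line)
        if rec is None:
            continue
        accepted, sent = rec["stats"].get("auth", (0, 0))
        if sent > 0 and accepted == 0:
            hosts.append(rec["ip"])
    return hosts


def failregex_hosts(log_text: str) -> List[str]:
    """Same decision made the way fail2ban would: a regex match that captures <HOST>."""
    matches = (FAILREGEX.search(line) for line in log_text.splitlines())
    return [m.group("host") for m in matches if m]
```

Both functions agree on the sample, which is the check worth running before turning the regex into a ban rule; the second sample line (rcpt=0/1, data=0/1) is a rejected delivery, not an auth failure, and is correctly left alone.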


Re: Postfix: Variable meanings table

Phil Stracchino
On 8/10/19 2:17 AM, Dominic Raferd wrote:
> I have a fail2ban ban - quite active - based on this:
>
> failregex = ^%(__prefix_line)sdisconnect from \S+\[<HOST>\]
> (ehlo|helo)=\d+ .*auth=0/\d
>
> See also http://www.postfix.org/announcements/postfix-3.0.0.html.
> (I whitelist a few ips that are our own, or known to run auth tests).


Since you mention fail2ban, I've recently installed fail2ban on my mail
server with the intention of setting it up to detect brute-force login
attempts on the SMTP port and *remotely tell my firewall* to block the
offending IPs.  But studying the fail2ban documentation I've so far
found, I cannot for the life of me figure out how to do this, though I
am assured by others that it is perfectly possible and should be
straightforward to do.

Can anyone by chance point me to any documentation that explains how to
do this?


--
  Phil Stracchino
  Babylon Communications
  [hidden email]
  [hidden email]
  Landline: +1.603.293.8485
  Mobile:   +1.603.998.6958

Re: Postfix: Variable meanings table

Dominic Raferd


On Fri, 6 Sep 2019 at 16:31, Phil Stracchino <[hidden email]> wrote:
On 8/10/19 2:17 AM, Dominic Raferd wrote:
> I have a fail2ban ban - quite active - based on this:
>
> failregex = ^%(__prefix_line)sdisconnect from \S+\[<HOST>\]
> (ehlo|helo)=\d+ .*auth=0/\d
>
> See also http://www.postfix.org/announcements/postfix-3.0.0.html.
> (I whitelist a few ips that are our own, or known to run auth tests).


Since you mention fail2ban, I've recently installed fail2ban on my mail
server with the intention of setting it up to detect brute-force login
attempts on the SMTP port and *remotely tell my firewall* to block the
offending IPs.  But studying the fail2ban documentation I've so far
found, I cannot for the life of me figure out how to do this, though I
am assured by others that it is perfectly possible and should be
straightforward to do.

Can anyone by chance point me to any documentation that explains how to
do this?

For the general approach, see (for instance) the custom action section at
https://darrynvt.wordpress.com/tag/custom-fail2ban-actions/


Re: Postfix: Variable meanings table

@lbutlr
In reply to this post by Phil Stracchino
On 6 Sep 2019, at 09:30, Phil Stracchino <[hidden email]> wrote:
> Can anyone by chance point me to any documentation that explains how to do this?

Not off hand, but what you are looking for on google is:

fail2ban "action.d"

(the quotes will force google to return results with action.d)

In fact, if you look in the action.d/ folder there should be a couple of files there that will likely get you started. (I’d check, but I’m using sshguard now).


--
Let the Wookiee win.


Re: Postfix: Variable meanings table

Phil Stracchino
On 9/6/19 2:03 PM, @lbutlr wrote:

> On 6 Sep 2019, at 09:30, Phil Stracchino <[hidden email]> wrote:
>> Can anyone by chance point me to any documentation that explains how to do this?
>
> Not off hand, but what you are looking for on google is:
>
> fail2ban "action.d"
>
> (the quotes will force google to return results with action.d)
>
> In fact, if you look in the action.d/ folder there should be a couple of files there that will likely get you started. (I’d check, but I’m using sshguard now).


Yeah, I've already had a browse through that, but it appears to me that
all of the prewritten actions assume you're talking to a *local*
firewall, and I don't know enough about fail2ban yet to feel confident
modifying it without something to work from.

I was *about to say* that every single document I've so far found seems
to assume a local firewall, but I just now stumbled across one with a
remote-firewall example that I think I can work with.


--
  Phil Stracchino
  Babylon Communications
  [hidden email]
  [hidden email]
  Landline: +1.603.293.8485
  Mobile:   +1.603.998.6958

Re: Postfix: Variable meanings table

B. Reino
On 06/09/2019 20.25, Phil Stracchino wrote:

> On 9/6/19 2:03 PM, @lbutlr wrote:
> > On 6 Sep 2019, at 09:30, Phil Stracchino <[hidden email]> wrote:
> >> Can anyone by chance point me to any documentation that explains how to do this?
> >
> > Not off hand, but what you are looking for on google is:
> >
> > fail2ban "action.d"
> >
> > (the quotes will force google to return results with action.d)
> >
> > In fact, if you look in the action.d/ folder there should be a couple of files there that will likely get you started. (I’d check, but I’m using sshguard now).
>
>
> Yeah, I've already had a browse through that, but it appears to me that
> all of the prewritten actions assume you're talking to a *local*
> firewall, and I don't know enough about fail2ban yet to feel confident
> modifying it without something to work from.
>
> I was *about to say* that every single document I've so far found seems
> to assume a local firewall, but I just now stumbled across one with a
> remote-firewall example that I think I can work with.

I use a custom script (/usr/local/sbin/fail2ban_action.sh) to block a
given IP, from which I call nft to add the IP to a set,
by calling "nft $1 element inet filter fail2ban { $2 }" (where $1 is add
or delete and $2 is the IP).

If you want that action to happen on a remote system you could just
prepend "ssh <firewall>" to the command
(assuming that your local root can login as root to the firewall system
without user interaction..)

For reference, here is my /etc/fail2ban/action.d/local_block.conf:
[Definition]
actionban   = /usr/local/sbin/fail2ban_action.sh add <ip>
actionunban = /usr/local/sbin/fail2ban_action.sh delete <ip>
actioncheck =
actionstart =
actionstop =

[Init]

where in /etc/fail2ban/jail.local I have
..
banaction = local_block
..

Hope that helps!
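An added example (not B. Reino's script) of the action described above, written in Python so the two inputs fail2ban hands it (the action word and the <ip> captured from the log) are validated before anything reaches a shell: it builds the same "nft add|delete element inet filter fail2ban { IP }" command and, when FIREWALL_HOST is set, the "ssh <firewall>" variant. FIREWALL_HOST and the ssh options are assumptions; the nft set name comes from the post.

```python
import ipaddress
import shlex
import subprocess
import sys
from typing import List, Optional

# Set location from the post's nft command; FIREWALL_HOST is an assumed ssh target
# for the remote case (None runs nft on this host).
NFT_FAMILY, NFT_TABLE, NFT_SET = "inet", "filter", "fail2ban"
FIREWALL_HOST: Optional[str] = None   # e.g. "fw.example.net" (hypothetical name)


def build_nft_argv(action: str, ip: str, firewall_host: Optional[str] = None) -> List[str]:
    """Return the argv to execute, or raise ValueError for anything but add/delete and a real IP.
    fail2ban substitutes <ip> straight from the matched log line, so treat it as untrusted."""
    if action not in ("add", "delete"):
        raise ValueError(f"unsupported action: {action!r}")
    addr = ipaddress.ip_address(ip)   # rejects '1.2.3.4; reboot' and similar garbage
    # The set must be typed for this address family (ipv4_addr or ipv6_addr); nft errors otherwise.
    argv = ["nft", action, "element", NFT_FAMILY, NFT_TABLE, NFT_SET, "{", str(addr), "}"]
    if firewall_host is None:
        return argv
    # Remote variant: ssh joins the remaining words into one command string for the remote
    # shell, so quote each word rather than interpolating into a shell line.
    remote_cmd = " ".join(shlex.quote(word) for word in argv)
    return ["ssh", "-o", "BatchMode=yes", firewall_host, remote_cmd]


def main(argv: List[str]) -> int:
    if len(argv) != 3:
        print(f"usage: {argv[0]} add|delete <ip>", file=sys.stderr)
        return 2
    try:
        cmd = build_nft_argv(argv[1], argv[2], FIREWALL_HOST)
    except ValueError as exc:
        print(f"refusing: {exc}", file=sys.stderr)
        return 1
    return subprocess.run(cmd, check=False).returncode   # list form: no shell involved


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Pointing actionban and actionunban at this file with "add <ip>" and "delete <ip>" keeps the action.d definition from the post unchanged; only the script behind it differs.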