Indeed it's a postfix logwatch entry. Here's a grep of the IP address
from /var/log/maillog:

triata postfix/smtpd[11490]: connect from unknown[218.30.101.41]
Oct 20 23:56:49 triata sqlgrey: grey: from awl match: updating 218.30.101.41(218.30.101.41), [EMAIL PROTECTED]([EMAIL PROTECTED])
Oct 20 23:56:49 triata postfix/smtpd[11490]: 76BE9FD8041: client=unknown[218.30.101.41], [EMAIL PROTECTED]
Oct 20 23:56:50 triata postfix/smtpd[11490]: disconnect from unknown[218.30.101.41]
Oct 20 23:57:00 triata amavis[11434]: (11434-01) Passed CLEAN, [218.30.101.41] [218.30.101.41] <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, Message-ID: <[EMAIL PROTECTED]>, mail_id: SULYJRvIb9wQ, Hits: -0.479, size: 25777, queued_as: 3299FFD8047, 9828 ms

Noel Jones wrote:
> Asai wrote:
>> Greetings,
>>
>> In the server log files I got back this morning, I see in the records
>> this entry:
>>
>> 1 Unknown
>> 1 Unknown
>> 1 218.30.101.41 unknown
>>
>> Normally this will give me an email address on top, the AUTH type
>> next, and the IP at the bottom with the reverse DNS there. I checked
>> the IP address and it's in China, so it's definitely not one of our
>> users. Can anyone tell me how to interpret this, and to plug any
>> holes which might be allowing this?
>>
>> --
>> asai
>
> This isn't a postfix log entry, and without context I can't tell what
> you are looking at or what problem you are trying to solve. Maybe
> this is just a failed AUTH attempt, which isn't terribly unusual.
> Showing postfix logs of the incident you are investigating would be
> most helpful.
>
> http://www.postfix.org/DEBUG_README.html#mail

--
asai
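
Added example, not part of the thread and not code from Postfix or logwatch: one way to check, per client IP, whether Postfix queued a message with or without SASL fields on the smtpd "client=" line, and whether a SASL failure warning was logged. The sample lines, hostnames, addresses and function names are constructed for illustration; the sasl_method= / sasl_username= fields and the "SASL ... authentication failed" warning are the formats Postfix smtpd logs.

```python
import re
from collections import defaultdict

# Constructed sample lines in Postfix smtpd log format (not taken from the thread).
SAMPLE = """\
Oct 20 23:56:48 mx postfix/smtpd[100]: connect from unknown[203.0.113.5]
Oct 20 23:56:49 mx postfix/smtpd[100]: 76BE9FD8041: client=unknown[203.0.113.5]
Oct 20 23:56:50 mx postfix/smtpd[100]: disconnect from unknown[203.0.113.5]
Oct 20 23:58:01 mx postfix/smtpd[101]: connect from host.example.net[192.0.2.10]
Oct 20 23:58:02 mx postfix/smtpd[101]: A1B2C3D4E5F: client=host.example.net[192.0.2.10], sasl_method=LOGIN, sasl_username=alice@example.net
Oct 20 23:59:10 mx postfix/smtpd[102]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
""".splitlines()

# "<queue id>: client=<rdns>[<ip>]" followed by optional ", sasl_...=..." fields
CLIENT = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=(\S+?)\[([0-9a-fA-F.:]+)\](.*)")
FAILED = re.compile(r"postfix/smtpd\[\d+\]: warning: \S+?\[([0-9a-fA-F.:]+)\]: SASL (\S+) authentication failed")
FIELD = re.compile(r"(sasl_\w+)=([^,\s]+)")

def classify(lines):
    """Return {ip: {"accepted": [...], "failed_auth": [...]}} from smtpd log lines."""
    out = defaultdict(lambda: {"accepted": [], "failed_auth": []})
    for line in lines:
        m = CLIENT.search(line)
        if m:
            queue_id, rdns, ip, rest = m.groups()
            sasl = dict(FIELD.findall(rest))  # empty when the client did not authenticate
            out[ip]["accepted"].append({
                "queue_id": queue_id, "rdns": rdns,
                "sasl_method": sasl.get("sasl_method"),
                "sasl_username": sasl.get("sasl_username"),
            })
            continue
        m = FAILED.search(line)
        if m:
            out[m.group(1)]["failed_auth"].append(m.group(2))
    return dict(out)

def queued_without_sasl(report):
    """IPs with at least one queued message whose client= line has no SASL fields."""
    return sorted(ip for ip, r in report.items()
                  if any(a["sasl_method"] is None for a in r["accepted"]))

if __name__ == "__main__":
    for ip, info in classify(SAMPLE).items():
        print(ip, info)
```

A client that appears in queued_without_sasl() did not authenticate; whether that is ordinary inbound delivery or a relay depends on the recipient, which the queue ID lets you look up in the matching qmgr/smtp lines.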