On 8/11/2010 6:54 AM, Stan Hoeppner wrote:
> Noel Jones put forth on 8/11/2010 6:20 AM:
>> This is logged when the client disconnected in the middle of the
>> transaction -- postfix lost the connection -- NOT a reject.
>> You won't find reject log entries for the lost connections after EHLO or
>> CONNECT, although the ones for RCPT and DATA *might* be preceded by
>> rejects.
>> This can be confusing because typically most of the lost connections are
>> zombies/bots that you would reject anyway.
>
> Are you sure about that, Noel?

Absolutely.

> Aug 8 13:22:49 greer postfix/smtpd[14798]: connect from
> 59-126-95-178.pool.ukrtel.net[178.95.126.59]
> Aug 8 13:22:50 greer postfix/smtpd[14798]: NOQUEUE: reject: RCPT from
> 59-126-95-178.pool.ukrtel.net[178.95.126.59]: 554 5.7.1
> <59-126-95-178.pool.ukrtel.net[178.95.126.59]>: Client host rejected: Generic
> - Please relay via ISP (ukrtel.net); from=<i...@hardwarefreak.com>
> to=<i...@hardwarefreak.com> proto=SMTP helo=<59-126-95-178.pool.ukrtel.net>
> Aug 8 13:22:50 greer postfix/smtpd[14798]: lost connection after RCPT from
> 59-126-95-178.pool.ukrtel.net[178.95.126.59]
> Aug 8 13:22:50 greer postfix/smtpd[14798]: disconnect from
> 59-126-95-178.pool.ukrtel.net[178.95.126.59]
>
> This example clearly shows the disconnect at RCPT was due to a rejection.
> This example was in my previous list.

Don't confuse "disconnect from" with "lost connection". The
disconnect is always logged; lost connection is logged when
the client drops the connection in the middle of the conversation.
This entry shows the client dropped the connection after you
sent a reject. Many, but not all, spambots seem to do that.

> And how about this one?
>
> Aug 10 23:02:46 greer postfix/smtpd[30689]: connect from unknown[113.91.134.58]
> Aug 10 23:02:47 greer postfix/smtpd[30689]: NOQUEUE: reject: RCPT from
> unknown[113.91.134.58]: 554 5.7.1 <unknown[113.91.134.58]>: Client host
> rejected: Mail not accepted from China; from=<thei...@robertharding.com>
> to=<s...@hardwarefreak.com> proto=ESMTP helo=<QOYCLTMTN>
> Aug 10 23:02:48 greer postfix/smtpd[30689]: lost connection after DATA (0
> bytes) from unknown[113.91.134.58]
> Aug 10 23:02:48 greer postfix/smtpd[30689]: disconnect from
> unknown[113.91.134.58]
>
> Again, the disconnection was due to rejection. This one was also in my
> previous example. In fact, every one of my rejections shows a disconnect
> stamp pretty much identical to those which are simply clients prematurely
> disconnecting for whatever reason.

Here the client sent the DATA command before it dropped the
connection. It dropped the connection because it's a spambot
and you rejected the recipient.

> This leads me to believe the SMTP stage of disconnection is logged for all
> disconnects, including those due to rejections.

When the client drops the connection in the middle of a
transaction the stage is logged. Normal clients don't drop
the connection after a reject, but spambots often do.
You can see this for yourself in your logs; not every reject
is followed by a "lost connection" message, not every lost
connection is preceded by a reject.
I expect most of the lost connections after RCPT or DATA are
preceded by a reject simply because most of these are
spambots. But one does not equal the other.
Don't confuse "disconnect" with "lost connection". A
disconnect message is always logged at the end of the
conversation when the client disconnects. A lost connection
is logged when postfix is still trying to talk to the client
but the client dropped the connection early.

> I guess we'll find out when
> Wietse jumps in to educate us on this.
This has been discussed before. Search the archives.
-- Noel Jones
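The distinction Noel draws above ("disconnect from" is always logged; "lost connection after STAGE" only when the client hung up mid-conversation, and a reject may or may not precede it) is something you can check mechanically rather than by eye. The script below is an added example, not code from the thread or from Postfix: it groups smtpd log lines into sessions by smtpd PID, records any NOQUEUE rejects and any "lost connection after" stage per session, and classifies each session as a clean disconnect, a drop after a reject, or a drop with no reject. The sample log embeds the two sessions posted in the thread (addresses left elided as on the page) plus two constructed sessions (a bot that drops after EHLO with no reject, and a normal delivery that gets a queue ID); the hostnames, IPs and queue ID in the constructed lines are made up for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Postfix smtpd syslog line: "Mon dd hh:mm:ss host postfix/smtpd[pid]: message"
SMTPD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
REJECT_RE = re.compile(r"^NOQUEUE: reject: (?P<stage>\w+) from ")   # stage = RCPT, DATA, ...
LOST_RE = re.compile(r"^lost connection after (?P<stage>\w+)")       # stage = CONNECT, EHLO, RCPT, DATA, ...
QUEUED_RE = re.compile(r"^[0-9A-F]{6,}: client=")                    # a queue ID was assigned

# Sample log: the two sessions from the thread, then two CONSTRUCTED sessions
# (smtpd[30690] and smtpd[30691]) whose hosts, IPs and queue ID are invented.
SAMPLE_LOG = """\
Aug  8 13:22:49 greer postfix/smtpd[14798]: connect from 59-126-95-178.pool.ukrtel.net[178.95.126.59]
Aug  8 13:22:50 greer postfix/smtpd[14798]: NOQUEUE: reject: RCPT from 59-126-95-178.pool.ukrtel.net[178.95.126.59]: 554 5.7.1 <59-126-95-178.pool.ukrtel.net[178.95.126.59]>: Client host rejected: Generic - Please relay via ISP (ukrtel.net); from=<i...@hardwarefreak.com> to=<i...@hardwarefreak.com> proto=SMTP helo=<59-126-95-178.pool.ukrtel.net>
Aug  8 13:22:50 greer postfix/smtpd[14798]: lost connection after RCPT from 59-126-95-178.pool.ukrtel.net[178.95.126.59]
Aug  8 13:22:50 greer postfix/smtpd[14798]: disconnect from 59-126-95-178.pool.ukrtel.net[178.95.126.59]
Aug 10 23:02:46 greer postfix/smtpd[30689]: connect from unknown[113.91.134.58]
Aug 10 23:02:47 greer postfix/smtpd[30689]: NOQUEUE: reject: RCPT from unknown[113.91.134.58]: 554 5.7.1 <unknown[113.91.134.58]>: Client host rejected: Mail not accepted from China; from=<thei...@robertharding.com> to=<s...@hardwarefreak.com> proto=ESMTP helo=<QOYCLTMTN>
Aug 10 23:02:48 greer postfix/smtpd[30689]: lost connection after DATA (0 bytes) from unknown[113.91.134.58]
Aug 10 23:02:48 greer postfix/smtpd[30689]: disconnect from unknown[113.91.134.58]
Aug 10 23:05:01 greer postfix/smtpd[30690]: connect from unknown[198.51.100.7]
Aug 10 23:05:01 greer postfix/smtpd[30690]: lost connection after EHLO from unknown[198.51.100.7]
Aug 10 23:05:01 greer postfix/smtpd[30690]: disconnect from unknown[198.51.100.7]
Aug 10 23:06:10 greer postfix/smtpd[30691]: connect from mail.example.org[192.0.2.25]
Aug 10 23:06:11 greer postfix/smtpd[30691]: 3A1B2C3D4E: client=mail.example.org[192.0.2.25]
Aug 10 23:06:12 greer postfix/smtpd[30691]: disconnect from mail.example.org[192.0.2.25]
"""


@dataclass
class Session:
    pid: str
    client: str
    rejects: List[str] = field(default_factory=list)  # stages at which a reject was logged
    lost_after: Optional[str] = None                  # stage from "lost connection after ...", if any
    queued: bool = False                              # message accepted (queue ID assigned)

    def classify(self) -> str:
        """Clean disconnect vs. client drop, and whether a reject preceded the drop."""
        if self.lost_after is None:
            return "clean_disconnect"
        return "dropped_after_reject" if self.rejects else "dropped_without_reject"


def parse_smtpd_sessions(log_text: str) -> List[Session]:
    """Group smtpd lines into sessions keyed by PID, from 'connect from' to 'disconnect from'."""
    open_sessions: Dict[str, Session] = {}
    finished: List[Session] = []
    for line in log_text.splitlines():
        m = SMTPD_RE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if msg.startswith("connect from "):
            # One smtpd process serves clients one after another; a new "connect from"
            # on the same PID starts a new session (flush a stale one if it never closed).
            if pid in open_sessions:
                finished.append(open_sessions.pop(pid))
            open_sessions[pid] = Session(pid=pid, client=msg[len("connect from "):])
            continue
        sess = open_sessions.get(pid)
        if sess is None:
            continue  # mid-session line whose "connect from" fell outside the input
        if msg.startswith("disconnect from "):
            finished.append(open_sessions.pop(pid))
        elif (r := REJECT_RE.match(msg)):
            sess.rejects.append(r.group("stage"))
        elif (lost := LOST_RE.match(msg)):
            sess.lost_after = lost.group("stage")
        elif QUEUED_RE.match(msg):
            sess.queued = True
    finished.extend(open_sessions.values())  # sessions still open at end of input
    return finished


def summarize(sessions: List[Session]) -> Counter:
    """Count sessions per class, e.g. to see how many drops had no reject behind them."""
    return Counter(s.classify() for s in sessions)


if __name__ == "__main__":
    for s in parse_smtpd_sessions(SAMPLE_LOG):
        print(f"smtpd[{s.pid}] {s.client}: rejects={s.rejects} lost_after={s.lost_after} -> {s.classify()}")
    print(dict(summarize(parse_smtpd_sessions(SAMPLE_LOG))))
```

Run against a real mail.log the same way (read the file into `parse_smtpd_sessions`); the "dropped_without_reject" bucket is exactly the set of lost connections that Noel says have no reject entry to look for, and the stage in `lost_after` tells you whether the client bailed at CONNECT/EHLO (never got as far as a restriction) or after RCPT/DATA.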