On Mon, Oct 01, 2012 at 11:05:59AM -0400, Mike. wrote:
> I recently started seeing these log entries in the Postfix log and the
> firewall log. The sequence happens once a day, sometimes twice. Each
> time it appears to be a different client IP address.
>
> In summary, I see an aborted connection attempt to Postfix, then a
> short while later I see Postfix trying some outbound connections (which
> are blocked and logged by the firewall).
They are not outbound connections. These are most likely re-transmissions
of the Postfix 220 banner, which was never acked by the connecting client.
The firewall tears down the connection before the TCP stack stops
retrying.
> Sep 28 03:21:22 oneou postfix/smtpd[91250]: connect from
> unknown[39.xxx.56.235]
> Sep 28 03:26:22 oneou postfix/smtpd[91250]: timeout after CONNECT from
> unknown[39.xxx.56.235]
> Sep 28 03:26:22 oneou postfix/smtpd[91250]: disconnect from
> unknown[39.xxx.56.235]
> Sep 28 03:27:12 oneou pf: rule 1/0(match): block out on fxp0:
> 216.xxx.68.64.25 > 39.xxx.56.235.1525: tcp 108
> Sep 28 03:28:16 oneou pf: rule 1/0(match): block out on fxp0:
> 216.xxx.68.64.25 > 39.xxx.56.235.1525: tcp 108
> Sep 28 03:29:20 oneou pf: rule 1/0(match): block out on fxp0:
> 216.xxx.68.64.25 > 39.xxx.56.235.1525: tcp 108
> Sep 28 03:30:24 oneou pf: rule 1/0(match): block out on fxp0:
> 216.xxx.68.64.25 > 39.xxx.56.235.1525: tcp 108
> Sep 28 03:31:28 oneou pf: rule 1/0(match): block out on fxp0:
> 216.xxx.68.64.25 > 39.xxx.56.235.1525: tcp 20
--
Viktor.
