On 10/1/2012 at 3:35 PM Viktor Dukhovni wrote: |On Mon, Oct 01, 2012 at 11:05:59AM -0400, Mike. wrote: | |> I recently started seeing these log entries in the Postfix log and the |> firewall log. The sequence happens once a day, sometimes twice. Each |> time it appears to be a different client IP address. |> |> In summary, I see an aborted connection attempt to Postfix, then a |> short while later I see Postfix trying some outbound connections (which |> are blocked and logged by the firewall). | |They are not outbound connections. These are most likely re-transmissions |of the Postfix 220 banner, which was never acked by the connecting client. | |The firewall tears down the connection before the TCP stack stops |retrying. | |> Sep 28 03:21:22 oneou postfix/smtpd[91250]: connect from |> unknown[39.xxx.56.235] |> Sep 28 03:26:22 oneou postfix/smtpd[91250]: timeout after CONNECT from |> unknown[39.xxx.56.235] |> Sep 28 03:26:22 oneou postfix/smtpd[91250]: disconnect from |> unknown[39.xxx.56.235] |> Sep 28 03:27:12 oneou pf: rule 1/0(match): block out on fxp0: |> 216.xxx.68.64.25 > 39.xxx.56.235.1525: tcp 108 |> Sep 28 03:28:16 oneou pf: rule 1/0(match): block out on fxp0: |> 216.xxx.68.64.25 > 39.xxx.56.235.1525: tcp 108 |> Sep 28 03:29:20 oneou pf: rule 1/0(match): block out on fxp0: |> 216.xxx.68.64.25 > 39.xxx.56.235.1525: tcp 108 |> Sep 28 03:30:24 oneou pf: rule 1/0(match): block out on fxp0: |> 216.xxx.68.64.25 > 39.xxx.56.235.1525: tcp 108 |> Sep 28 03:31:28 oneou pf: rule 1/0(match): block out on fxp0: |> 216.xxx.68.64.25 > 39.xxx.56.235.1525: tcp 20 | |-- | Viktor.
============= Thanks very much for the quick answer. That makes sense. btw, regarding my comment that "I recently started seeing these log entries" : I recently added a IPv6 tunnel to the server and I adjusted the firewall rules. One of the things I changed was the firewall now logs all blocked outbound connections. So this curiosity may have been occurring previously, I just did not see the firewall blocks because they were not logged. So all the symptoms fall into place now. Thanks again. Mike.
