I'm going to leave this to the gurus. But here is what I know: I didn't check the port when I did the grep. I just searched for the 0/1 pattern. That said, I used my ipfw table to block port 25, and /var/log/security is getting hits on that rule.
The "normal" mail is going through, so I did no harm.

Original Message
From: Alex
Sent: Saturday, October 1, 2016 10:13 AM
To: postfix users list
Subject: Re: Blocking "unknown"

Hi,

On Fri, Sep 30, 2016 at 8:08 PM, li...@lazygranch.com <li...@lazygranch.com> wrote:
> On Fri, 30 Sep 2016 06:26:35 -0400
> Postfix User <postfix-u...@seibercom.net> wrote:
>
>> Postfix-3.2-20160917 with FreeBSD-11.0 /64 bit
>>
>> Lately, I have been finding the following entries in the maillog:
>>
>> 13643:Sep 30 02:00:40 scorpio postfix/smtpd[83056]: warning: hostname ip-address-pool-xxx.fpt.vn does not resolve to address 118.71.251.67: hostname nor servname provided, or not known
>> 13822:Sep 30 02:00:40 scorpio postfix/smtpd[83056]: connect from unknown[118.71.251.67]
>> 13904:Sep 30 02:00:41 scorpio postfix/smtpd[83056]: disconnect from unknown[118.71.251.67] helo=1 auth=0/1 quit=1 commands=2/3
>
> This will pull these hackers off your maillog.
> bzgrep -e auth=0/1 maillog* | sed 's/.*\[\([^]]*\)\].*/\1/g' >iplist
> sort iplist | uniq

I actually don't have any matches involving even "auth=0/1". Is it from submission running on 25 that causes this?

That actually sounds like a really good idea. Can you recommend a master.cf submission setting that would never succeed, to prevent someone from actually connecting successfully? Maybe we should be doing the same with pop/imap using courier or dovecot?

> I'm going to wait a bit regarding automatically rejecting these
> attempts per the method listed in the rest of the thread, but I'd like
> to hear a follow up.

Have you thought about just creating a fail2ban rule for these attempts, and blocking them just as they happen? This has the benefit of periodically letting them expire. Can you think of a legitimate reason why a valid mail server would try to connect when there are no valid local users?

Thanks,
Alex
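The bzgrep/sed pipeline quoted above matches the literal string "auth=0/1", so a client that failed three AUTH attempts in one session (auth=0/3) is missed, and the sed expression keeps whatever sits in the last pair of brackets on the line. The following script is an added example, not code from anyone in this thread: it parses the per-session command summary that postfix/smtpd writes on its "disconnect from" line, computes failed = attempted - succeeded for the auth counter, and totals failures per client IP. The log lines are constructed from the excerpt quoted above (the "13643:" prefixes are grep -n output, which the parser tolerates); the 192.0.2.x addresses are documentation-range placeholders, not real hosts.

```python
import re
from collections import Counter

# Constructed sample maillog excerpt modelled on the lines quoted in the thread.
# The numeric "13643:" prefixes are grep -n output, not syslog; they are skipped
# because the parser searches for the smtpd record rather than anchoring at the
# start of the line. 192.0.2.x addresses are RFC 5737 documentation placeholders.
SAMPLE_LOG = """\
13643:Sep 30 02:00:40 scorpio postfix/smtpd[83056]: warning: hostname ip-address-pool-xxx.fpt.vn does not resolve to address 118.71.251.67: hostname nor servname provided, or not known
13822:Sep 30 02:00:40 scorpio postfix/smtpd[83056]: connect from unknown[118.71.251.67]
13904:Sep 30 02:00:41 scorpio postfix/smtpd[83056]: disconnect from unknown[118.71.251.67] helo=1 auth=0/1 quit=1 commands=2/3
Sep 30 02:05:12 scorpio postfix/smtpd[83060]: connect from mail.example.net[192.0.2.10]
Sep 30 02:05:13 scorpio postfix/smtpd[83060]: disconnect from mail.example.net[192.0.2.10] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Sep 30 02:07:44 scorpio postfix/smtpd[83061]: disconnect from unknown[118.71.251.67] helo=1 auth=0/3 quit=1 commands=2/5
Sep 30 02:09:01 scorpio postfix/smtpd[83062]: disconnect from unknown[192.0.2.77] ehlo=1 auth=1/1 mail=1 rcpt=1 data=1 quit=1 commands=6
"""

# A smtpd disconnect record: "<hostname>[<ip>]" followed by one or more
# "<command>=<succeeded>[/<attempted>]" tokens up to the end of the line.
DISCONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: disconnect from (?P<host>\S+)\[(?P<ip>[^\]]+)\]"
    r"(?P<summary>(?: \w+=\d+(?:/\d+)?)+)$"
)


def parse_summary(summary):
    """Turn 'helo=1 auth=0/1 commands=2/3' into {name: (succeeded, attempted)}.

    Postfix prints a bare count when every attempt succeeded, so 'helo=1'
    means 1 succeeded out of 1 attempted.
    """
    counts = {}
    for token in summary.split():
        name, _, value = token.partition("=")
        ok, _, total = value.partition("/")
        counts[name] = (int(ok), int(total) if total else int(ok))
    return counts


def failed_auth_clients(log_text):
    """Total failed AUTH attempts per client IP across all disconnect records.

    A session with auth=1/1 (authentication succeeded) is not counted;
    auth=0/3 contributes three failures, which a literal 'auth=0/1' grep misses.
    """
    failures = Counter()
    for line in log_text.splitlines():
        match = DISCONNECT_RE.search(line)
        if not match:
            continue  # connect lines, warnings, other daemons
        counts = parse_summary(match.group("summary"))
        succeeded, attempted = counts.get("auth", (0, 0))
        failed = attempted - succeeded
        if failed > 0:
            failures[match.group("ip")] += failed
    return failures


def main():
    for ip, failed in failed_auth_clients(SAMPLE_LOG).most_common():
        print(f"{ip}\t{failed} failed AUTH attempt(s)")


if __name__ == "__main__":
    main()
```

Run against a real maillog, this produces the same kind of per-IP list as the sort | uniq pipeline, but weighted by how many AUTH failures each client actually racked up; the same parse_summary() call is the natural place to add thresholds (for example, only report clients above N failures) before feeding the list to an ipfw table or a fail2ban-style ban.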