So are there any configurations to auto ban this kind of visit, like postfix postscreen?
Or should I write firewall rules to do the job?

---- On Monday, 14 November 2016 19:23:53 -0800 Sean Greenslade <s...@seangreenslade.com> wrote ----

On Mon, Nov 14, 2016 at 06:39:08PM -0800, vod vos wrote:
> Hi,
>
> when I read the mail.log, I found:
>
> Nov 14 14:45:45 mail dovecot: pop3-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=96.126.111.38, lip=108.61.22.11, TLS handshaking: SSL_accept() syscall failed: Connection reset by peer, session=<WEd2MD1B/Mdgfm8m>
>
> Nov 14 14:45:47 mail dovecot: pop3-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=96.126.111.38, lip=108.61.22.11, TLS handshaking: SSL_accept() syscall failed: Connection reset by peer, session=<H42OMD1BZslgfm8m>
>
> Nov 14 14:45:47 mail dovecot: pop3-login: Error: SSL: Stacked error: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
>
> Nov 14 14:45:47 mail dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=96.126.111.38, lip=108.61.22.11, TLS handshaking: SSL_accept() failed: Unknown error, session=<rQ6QMD1BxMpgfm8m>
>
> Nov 14 14:45:47 mail dovecot: pop3-login: Error: SSL: Stacked error: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
>
> Nov 14 14:45:47 mail dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=96.126.111.38, lip=108.61.22.11, TLS handshaking: SSL_accept() failed: Unknown error, session=<3DqTMD1BKstgfm8m>
>
> Nov 14 14:45:49 mail dovecot: pop3-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=96.126.111.38, lip=108.61.22.11, TLS, session=<CCqyMD1BdMtgfm8m>
>
> Was the Dovecot working well?
>
> Are there any good solutions to forbid this kind of behavior to enhance the mail server?

Do you know whether these were actual login attempts? Because these look
like typical port scans that you'll see from time to time. According to
this site, that's an IP that's known for port scanning:

https://www.abuseipdb.com/check/96.126.111.38

I wouldn't worry too much about them.

--Sean
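
An added example, not part of the original thread: a small log check that counts Dovecot pre-authentication disconnects per remote IP (`rip=`) in a sliding window, which is the signal a ban rule for this kind of scan would key on. The threshold, the window length and the function name are assumptions chosen for illustration; the last sample line is constructed, the others are the log lines quoted above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Dovecot login-process disconnects that never reached authentication.
PREAUTH = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: (?:pop3|imap)-login: "
    r"Disconnected \(no auth attempts in \d+ secs\):.*?\brip=(?P<rip>[0-9A-Fa-f.:]+)"
)

def preauth_offenders(lines, threshold=5, window=timedelta(seconds=60), year=2016):
    """Return {rip: peak count} for IPs with >= threshold pre-auth disconnects
    inside any sliding window. Syslog timestamps omit the year, so it is passed in."""
    seen = defaultdict(list)
    for line in lines:
        m = PREAUTH.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            seen[m["rip"]].append(ts)
    offenders = {}
    for rip, stamps in seen.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # drop events older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[rip] = peak
    return offenders

P = "mail dovecot: pop3-login: "
R = "user=<>, rip=96.126.111.38, lip=108.61.22.11, "
SAMPLE = [
    "Nov 14 14:45:45 " + P + "Disconnected (no auth attempts in 2 secs): " + R
    + "TLS handshaking: SSL_accept() syscall failed: Connection reset by peer, session=<WEd2MD1B/Mdgfm8m>",
    "Nov 14 14:45:47 " + P + "Disconnected (no auth attempts in 2 secs): " + R
    + "TLS handshaking: SSL_accept() syscall failed: Connection reset by peer, session=<H42OMD1BZslgfm8m>",
    "Nov 14 14:45:47 " + P + "Error: SSL: Stacked error: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request",
    "Nov 14 14:45:47 " + P + "Disconnected (no auth attempts in 0 secs): " + R
    + "TLS handshaking: SSL_accept() failed: Unknown error, session=<rQ6QMD1BxMpgfm8m>",
    "Nov 14 14:45:47 " + P + "Disconnected (no auth attempts in 0 secs): " + R
    + "TLS handshaking: SSL_accept() failed: Unknown error, session=<3DqTMD1BKstgfm8m>",
    "Nov 14 14:45:49 " + P + "Disconnected (no auth attempts in 2 secs): " + R + "TLS, session=<CCqyMD1BdMtgfm8m>",
    # Constructed line: a normal login from a documentation-range IP, which must not be counted.
    "Nov 14 14:50:01 " + P + "Login: user=<alice>, method=PLAIN, rip=203.0.113.7, lip=108.61.22.11, TLS, session=<constructed>",
]

if __name__ == "__main__":
    print(preauth_offenders(SAMPLE))
```

The returned addresses are candidates for a firewall block list; the `Error: SSL` lines carry no `rip=` field, so only the `Disconnected` lines can be attributed to a source.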