On Sun, Oct 29, 2017 at 07:28:24AM +0000, MRob wrote:
> Lately it looks like some zombie bot farm is connecting to
> submission (and looks to do nothing except connect), causing many
> of these in the logs:
>
> Oct 28 06:15:35 mail postfix/smtpd[12941]: warning: hostname
> x.y.z does not resolve to address 11.22.33.44: Name or service
> not known

BTW there is absolutely no need to mung such logs. Who are you
trying to protect?

Also, if this is in fact on submission, why is there no
"-o syslog_name=postfix/submission" override to help distinguish
submission from smtp?

> For submission service where clients often connect from dynamic IP
> address ranges, maybe seeing these is not important - just noise,
> so I am curious about why postfix is logging this. Does this mean
> client is somehow attempting to send before (without) doing any
> AUTH? I tested by hand and MAIL FROM result is "530 5.7.0 Must
> issue a STARTTLS command first". I found that I neglected to
> override smtpd_sender_restrictions in the submission service, but
> it shouldn't matter if the client can't AUTH, right?
>
> Or is it default postfix behavior and I can ignore these logs?

TL;DR yes, ignore these.

Postfix smtpd(8) by default looks up the PTR for every connecting
client address, and then tries to validate that PTR with an A/AAAA
lookup of the hostname value. Your example failed in validation;
"x.y.z./IN/A" (or AAAA) lookup had an error.

You can disable these reverse DNS lookups, and specifically only for
submission, but that's probably not desirable, because then every
Received: header in submission would show "unknown[ip.add.re.ss]".

The reason for logging is that Postfix logs every error condition.
The same smtpd code which listens on submission is also listening on
port 25, and there, wonky lookup results are likely to indicate a
problem of some kind.

Best bet is to just leave the defaults in place and perhaps do
filtering when reading logs, to avoid the entries you do not
care/need to see.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
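
The log filtering suggested in the reply above, sketched as an added example that is not part of the original message or of Postfix. It assumes master.cf sets "-o syslog_name=postfix/submission" so submission lines are tagged postfix/submission/smtpd; the function name and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines (not real logs). The submission tag assumes the
# "-o syslog_name=postfix/submission" override mentioned in the reply.
SAMPLE_LOG = """\
Oct 28 06:15:35 mail postfix/submission/smtpd[12941]: warning: hostname x.y.z does not resolve to address 11.22.33.44: Name or service not known
Oct 28 06:15:35 mail postfix/submission/smtpd[12941]: connect from unknown[11.22.33.44]
Oct 28 06:15:36 mail postfix/submission/smtpd[12941]: disconnect from unknown[11.22.33.44]
Oct 28 06:16:02 mail postfix/smtpd[12950]: warning: hostname a.b.c does not resolve to address 55.66.77.88
Oct 28 06:17:10 mail postfix/submission/smtpd[12961]: warning: hostname x.y.z does not resolve to address 11.22.33.44: Name or service not known
Oct 28 06:17:11 mail postfix/submission/smtpd[12961]: warning: some other condition (constructed)
"""

# Syslog prefix, service tag, then the PTR validation warning quoted in the
# thread. The trailing ": reason" part is optional; the address may be IPv6.
PTR_WARNING = re.compile(
    r"^\S+\s+\d+\s+[\d:]+\s+\S+\s+(?P<tag>postfix(?:/[\w-]+)*/smtpd)\[\d+\]: "
    r"warning: hostname (?P<host>\S+) does not resolve to address "
    r"(?P<addr>[0-9A-Fa-f.:]+?)(?::\s+(?P<reason>.*))?$"
)

def filter_log(lines, quiet_tag="postfix/submission/smtpd"):
    """Drop PTR validation warnings logged under quiet_tag only.

    Returns (kept_lines, suppressed_counts_by_client_address). The same
    warning on port 25 (tag postfix/smtpd) and every other line is kept.
    """
    kept, suppressed = [], Counter()
    for line in lines:
        m = PTR_WARNING.match(line)
        if m and m.group("tag") == quiet_tag:
            suppressed[m.group("addr")] += 1   # keep a tally instead of the noise
        else:
            kept.append(line)
    return kept, suppressed

if __name__ == "__main__":
    kept, suppressed = filter_log(SAMPLE_LOG.splitlines())
    print("\n".join(kept))
    for addr, n in suppressed.most_common():
        print(f"suppressed {n} submission PTR warning(s) from {addr}")
```

Without the syslog_name override both services log as postfix/smtpd, so the filter cannot tell them apart and nothing is suppressed.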