> On Apr 1, 2018, at 3:17 PM, Wietse Venema <wie...@porcupine.org> wrote:
>
> The time stamps were distinct for connect, TLS handshake, and
> disconnect. But it is possible that the poster omitted other handshake
> and diconnect records between the ones that were posted.
You're right, that sure looks logging in triplicate.
> Mar 30 05:25:27 postfix/smtps/smtpd[4797]: connect from
> scan-7.security.ipip.net[106.186.113.132]
> Mar 30 05:25:27 postfix/smtps/smtpd[4797]: connect from
> scan-7.security.ipip.net[106.186.113.132]
> Mar 30 05:25:27 postfix/smtps/smtpd[4797]: connect from
> scan-7.security.ipip.net[106.186.113.132]
>
> Mar 30 05:25:29 postfix/smtps/smtpd[4797]: Anonymous TLS connection
> established from scan-7.security.ipip.net[106.186.113.132]: TLSv1.2 with
> cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
> Mar 30 05:25:29 postfix/smtps/smtpd[4797]: Anonymous TLS connection
> established from scan-7.security.ipip.net[106.186.113.132]: TLSv1.2 with
> cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
> Mar 30 05:25:29 postfix/smtps/smtpd[4797]: Anonymous TLS connection
> established from scan-7.security.ipip.net[106.186.113.132]: TLSv1.2 with
> cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
>
> Mar 30 05:25:32 postfix/smtps/smtpd[4797]: lost connection after CONNECT
> from scan-7.security.ipip.net[106.186.113.132]
> Mar 30 05:25:32 postfix/smtps/smtpd[4797]: disconnect from
> scan-7.security.ipip.net[106.186.113.132]
> Mar 30 05:25:32 postfix/smtps/smtpd[4797]: lost connection after CONNECT
> from scan-7.security.ipip.net[106.186.113.132]
> Mar 30 05:25:32 postfix/smtps/smtpd[4797]: disconnect from
> scan-7.security.ipip.net[106.186.113.132]
> Mar 30 05:25:32 postfix/smtps/smtpd[4797]: lost connection after CONNECT
> from scan-7.security.ipip.net[106.186.113.132]
> Mar 30 05:25:32 postfix/smtps/smtpd[4797]: disconnect from
> scan-7.security.ipip.net[106.186.113.132
--
Viktor.
