On Wed, Mar 13, 2019 at 02:40:41PM -0300, Edouard Guigné wrote:

> Today there are lots of IPs banned for postfix... many more than 
> usual... (see my log.txt)

There is no evidence of brute-force SASL attacks in the logs.

> Otherwise, in the logs, there are many entries like this one:
> 
> *postfix/smtpd[32347]: warning: TLS library problem: 
> 32347:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version 
> number:s3_pkt.c:293:*
> I deactivated support for SSL3 in the postfix configuration... Is it related?

These happen from time to time.  If you're getting the email you
expect, these can be ignored.

> 2bounce_notice_recipient = postmaster
> ...

[ Please post "postconf -n" output, not "postconf" ]

> smtp_tls_mandatory_protocols = TLSv1

This is a bad idea, instead: "!SSLv2, !SSLv3".  This should work
even with your 11-year-old Postfix 2.5, though frankly an upgrade
is long overdue.

> smtpd_tls_mandatory_protocols = TLSv1

    Change to: smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3

> Mar 13 14:14:20  postfix/smtpd[31593]: warning: restriction 
> `reject_authenticated_sender_login_mismatch' ignored: no SASL support

Fix this.  If you don't enable SASL, don't use restrictions that
require SASL.

-- 
        Viktor.
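
An added example, not part of the reply above: a small audit of `postconf -n` output for the two configuration problems the reply points out (protocol settings that enumerate `TLSv1` instead of excluding SSLv2/SSLv3, and SASL-dependent restrictions used while SASL is off). It assumes only main.cf values are visible, so per-service `-o` overrides in master.cf are not seen; the sample input and the restriction list name in it are constructed.

```python
import re

# Restrictions that are ignored with a warning unless SASL auth is enabled.
SASL_RESTRICTIONS = {
    "permit_sasl_authenticated",
    "reject_sender_login_mismatch",
    "reject_authenticated_sender_login_mismatch",
    "reject_unauthenticated_sender_login_mismatch",
}
PROTO_PARAM = re.compile(r"^(smtp|smtpd|lmtp)_tls_(mandatory_)?protocols$")
BARE_PROTO = re.compile(r"^(SSLv[23]|TLSv1(\.[123])?)$", re.I)

# Constructed sample in `postconf -n` format, built from the settings quoted above.
# Which restriction list held the SASL check is not shown in the thread (assumed).
SAMPLE = """\
smtp_tls_mandatory_protocols = TLSv1
smtpd_tls_mandatory_protocols = TLSv1
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch, permit
"""

def parse_postconf(text):
    """Parse "name = value" lines; indented lines (postconf -nf) continue a value."""
    params, last = {}, None
    for line in text.splitlines():
        if line[:1].isspace() and last:
            params[last] += " " + line.strip()
        elif "=" in line:
            name, _, value = line.partition("=")
            last = name.strip()
            params[last] = value.strip()
    return params

def audit(params):
    """Return findings for the two problems raised in the reply."""
    findings = []
    sasl_on = params.get("smtpd_sasl_auth_enable", "no").lower() == "yes"
    for name, value in params.items():
        if PROTO_PARAM.match(name):
            # Protocol lists are separated by whitespace, commas or colons.
            bare = [t for t in re.split(r"[\s,:]+", value) if BARE_PROTO.match(t)]
            if bare:
                findings.append(f"{name}: lists {' '.join(bare)}; exclude instead: !SSLv2, !SSLv3")
        elif re.match(r"^smtpd_\w+_restrictions$", name) and not sasl_on:
            for r in sorted(SASL_RESTRICTIONS & set(re.split(r"[\s,]+", value))):
                findings.append(f"{name}: {r} requires SASL, which is not enabled")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_postconf(SAMPLE)):
        print(finding)
```

To check a live server, feed it the real output, for example `audit(parse_postconf(subprocess.check_output(["postconf", "-n"], text=True)))`.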
