On Mon, Dec 30, 2019 at 11:32:11PM +0100, Gerben Wierda wrote:

> Now that I finally have a postfix back with actual logging, I noticed this in
> my log:
>
> Dec 30 23:26:09 mail postfix/postscreen[16020]: CONNECT from
> [182.99.42.88]:49546 to [192.168.2.66]:25
> Dec 30 23:26:10 mail postfix/postscreen[16020]: PREGREET 14 after 0.26 from
> [182.99.42.88]:49546: EHLO ylmf-pc\r\n
> Dec 30 23:26:10 mail postfix/smtpd[16048]: connect from unknown[182.99.42.88]
> Dec 30 23:26:10 mail postfix/smtpd[16048]: lost connection after EHLO from
> unknown[182.99.42.88]
> Dec 30 23:26:10 mail postfix/smtpd[16048]: disconnect from
> unknown[182.99.42.88] ehlo=1 commands=1

Are the smtpd(8) connections on a different port? One might expect
postscreen to block clients that send EHLO before the greeting is received.

> And then lots of this. It goes on and on and on.

Welcome to the Internet...

> I was wondering (just curious) what these (Chinese) types are actually
> trying to do. It looks like polling based on the expectation that some
> other payload has corrupted my postfix. But I’m curious as to what it
> really is (if known).

It doesn't matter.

> (Time to set a pf rule set on geolocation, I guess)

I wouldn't bother, but since the host has no PTR record you can, just in
case, add:

    reject_unknown_reverse_client_hostname

to your smtpd_client_restrictions.

-- 
    Viktor.
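
Added example, not part of the original message or of Postfix: a small log check that lists clients for which postscreen logged PREGREET and which were then still seen connecting to smtpd, the pattern in the quoted log. The sample is the log quoted above with its wrapped lines rejoined; the function name and result fields are assumptions of this example.

```python
import re

# Sample input: the log lines quoted in the message above, wrapped lines rejoined.
SAMPLE_LOG = r"""Dec 30 23:26:09 mail postfix/postscreen[16020]: CONNECT from [182.99.42.88]:49546 to [192.168.2.66]:25
Dec 30 23:26:10 mail postfix/postscreen[16020]: PREGREET 14 after 0.26 from [182.99.42.88]:49546: EHLO ylmf-pc\r\n
Dec 30 23:26:10 mail postfix/smtpd[16048]: connect from unknown[182.99.42.88]
Dec 30 23:26:10 mail postfix/smtpd[16048]: lost connection after EHLO from unknown[182.99.42.88]
Dec 30 23:26:10 mail postfix/smtpd[16048]: disconnect from unknown[182.99.42.88] ehlo=1 commands=1
"""

# postscreen: client sent data before the server greeting was complete.
PREGREET = re.compile(
    r"postfix/postscreen\[\d+\]: PREGREET \d+ after ([\d.]+) "
    r"from \[([^\]]+)\]:\d+: (.*)$")
# smtpd: anchored on "]: connect from" so "disconnect from" does not match.
SMTPD_CONNECT = re.compile(
    r"postfix/smtpd\[\d+\]: connect from (\S+?)\[([^\]]+)\]")


def pregreet_then_smtpd(log_text):
    """Return {ip: info} for clients that failed the pregreet test and
    were afterwards logged connecting to smtpd (in log order)."""
    early = {}    # ip -> details of the most recent PREGREET event
    flagged = {}  # ip -> PREGREET details plus smtpd hostname and count
    for line in log_text.splitlines():
        m = PREGREET.search(line)
        if m:
            early[m.group(2)] = {"after_s": float(m.group(1)),
                                 "sent": m.group(3)}
            continue
        m = SMTPD_CONNECT.search(line)
        if m and m.group(2) in early:
            ip = m.group(2)
            info = flagged.setdefault(
                ip, dict(early[ip], hostname=m.group(1), smtpd_connects=0))
            info["smtpd_connects"] += 1
    return flagged


if __name__ == "__main__":
    for ip, info in pregreet_then_smtpd(SAMPLE_LOG).items():
        print(ip, info)
```

A non-empty result means the pregreet failure was logged but the client was still handed to smtpd; `postscreen_greet_action` (default `ignore`) controls whether that test is enforced. The smtpd log lines carry no port, so the log alone does not show whether those sessions arrived on a different port.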