On Tue, Sep 07, 2021 at 07:42:33PM +0100, Adam Weremczuk wrote:
> It's postfix 3.1.6-0+deb9u1 on Debian 9.
>
> Since enabling STARTTLS on port 25 I'm getting lots of traffic looking
> like this (relay attempts?):
>
> Sep 6 09:17:42 localhost postfix/smtpd[14622]: connect from
> unknown[77.247.110.240]
> Sep 6 09:17:42 localhost postfix/smtpd[14622]: setting up TLS connection
> from unknown[77.247.110.240]
> Sep 6 09:17:42 localhost postfix/smtpd[14622]: unknown[77.247.110.240]: TLS
> cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
> Sep 6 09:17:42 localhost postfix/smtpd[14622]: unknown[77.247.110.240]:
> Issuing session ticket, key expiration: 1630916885
> Sep 6 09:17:42 localhost postfix/smtpd[14622]: Anonymous TLS connection
> established from unknown[77.247.110.240]: TLSv1.2 with cipher
> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Your TLS log level is too verbose. The recommended TLS log level for
normal operation is "1"; levels "2" and higher are for short-term
diagnostic use only, and only if there's good reason to expect this
to be useful, and just drown the most relevant details in noise.

> Sep 6 09:17:42 localhost postfix/smtpd[14622]: lost connection after AUTH
> from unknown[77.247.110.240]
> Sep 6 09:17:42 localhost postfix/smtpd[14622]: disconnect from
> unknown[77.247.110.240] ehlo=2 starttls=1 auth=0/1 commands=3/4
>
> grep 77.247.110.240 /var/log/mail.log | wc -l
> 16735

Not enough to matter, less than one per second.

> It's a different IP(s) every day so banning them manually is not going
> to work well.

    inetnum:        77.247.110.0 - 77.247.110.255
    netname:        PEENQ-NL-TLN-VPS-01
    country:        NL
    geoloc:         52.370216 4.895168
    admin-c:        PA10298-RIPE
    tech-c:         PA10298-RIPE
    org:            ORG-PNQ1-RIPE
    status:         ASSIGNED PA
    mnt-by:         MNT-PEENQ
    created:        2019-03-01T16:28:00Z
    last-modified:  2021-02-05T10:53:28Z
    source:         RIPE

    organisation:   ORG-PNQ1-RIPE
    org-name:       PEENQ.NL
    org-type:       OTHER
    address:        Netherlands

You could try reaching out to the network provider, web site says:
info (at) peenq (dot) nl

--
Viktor.
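
Added example, not part of the original thread: a Python sketch that reads the smtpd "disconnect" summary lines shown above and totals failed AUTH commands per source network, which groups probes that arrive from a different address each day. The function name, the /24 and /64 grouping, and the sample log lines (documentation addresses) are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Per-session summary line logged by smtpd, e.g.
# "disconnect from unknown[192.0.2.240] ehlo=2 starttls=1 auth=0/1 commands=3/4"
DISCONNECT = re.compile(
    r"postfix/smtpd\[\d+\]: disconnect from \S*\[([0-9a-fA-F.:]+)\](.*)")
# "auth=0/1" means 0 successful out of 1 attempted; "auth=1" means all succeeded.
AUTH = re.compile(r"\bauth=(\d+)(?:/(\d+))?")

def failed_auth_by_network(lines, v4_prefix=24, v6_prefix=64):
    """Return a Counter mapping source network -> number of failed AUTH commands."""
    counts = Counter()
    for line in lines:
        m = DISCONNECT.search(line)
        if not m:
            continue
        a = AUTH.search(m.group(2))
        if not a:
            continue  # the session never issued AUTH
        ok = int(a.group(1))
        total = int(a.group(2)) if a.group(2) else ok
        if total == ok:
            continue  # every AUTH in this session succeeded
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # not a parseable address, skip the line
        prefix = v4_prefix if ip.version == 4 else v6_prefix
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        counts[str(net)] += total - ok
    return counts

# Constructed sample input, one log entry per line as in /var/log/mail.log.
SAMPLE_LOG = """\
Sep  6 09:17:42 localhost postfix/smtpd[14622]: connect from unknown[192.0.2.240]
Sep  6 09:17:42 localhost postfix/smtpd[14622]: lost connection after AUTH from unknown[192.0.2.240]
Sep  6 09:17:42 localhost postfix/smtpd[14622]: disconnect from unknown[192.0.2.240] ehlo=2 starttls=1 auth=0/1 commands=3/4
Sep  6 09:17:50 localhost postfix/smtpd[14630]: disconnect from unknown[192.0.2.17] ehlo=2 starttls=1 auth=0/3 commands=3/6
Sep  6 09:18:01 localhost postfix/smtpd[14631]: disconnect from mail.example.org[198.51.100.7] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Sep  6 09:18:05 localhost postfix/smtpd[14640]: disconnect from unknown[198.51.100.9] ehlo=1 quit=1 commands=2
""".splitlines()

if __name__ == "__main__":
    for net, n in failed_auth_by_network(SAMPLE_LOG).most_common():
        print(f"{n:6d} failed AUTH  {net}")
```
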