On 04.03.22 09:18, Nikolaos Milas wrote:
> I sometimes find abnormal continuous connects/disconnects which delay
> normal mail deliveries.
> Here is an example:
>
> Mar 3 10:06:42 vmail2 postfix/smtpd[22733]: connect from unknown[45.148.10.243]
> Mar 3 10:06:43 vmail2 postfix/smtpd[22733]: lost connection after AUTH from unknown[45.148.10.243]
> Mar 3 10:06:43 vmail2 postfix/smtpd[22733]: disconnect from unknown[45.148.10.243] ehlo=1 auth=0/1 commands=1/2
> Mar 3 10:06:43 vmail2 postfix/smtpd[22730]: warning: hostname edc45.app-autht.com does not resolve to address 45.148.10.243: Name or service not known
> Mar 3 10:06:43 vmail2 postfix/smtpd[22730]: connect from unknown[45.148.10.243]
> Mar 3 10:06:43 vmail2 postfix/smtpd[22730]: lost connection after AUTH from unknown[45.148.10.243]
> Mar 3 10:06:43 vmail2 postfix/smtpd[22730]: disconnect from unknown[45.148.10.243] ehlo=1 auth=0/1 commands=1/2
> Mar 3 10:06:44 vmail2 postfix/smtpd[22852]: warning: hostname edc45.app-autht.com does not resolve to address 45.148.10.243: Name or service not known
> Mar 3 10:06:44 vmail2 postfix/smtpd[22852]: connect from unknown[45.148.10.243]
> Mar 3 10:06:44 vmail2 postfix/smtpd[22852]: lost connection after AUTH from unknown[45.148.10.243]
> Mar 3 10:06:44 vmail2 postfix/smtpd[22852]: disconnect from unknown[45.148.10.243] ehlo=1 auth=0/1 commands=1/2
> [...]
>
> Would it be legitimate to ban such servers using fail2ban based on:
>
> lost connection after AUTH
>
> i.e. when there are multiple such entries within a few seconds or
> minutes associated with particular servers?
legitimate, I do that on many servers.
> Any other suggestions for dealing with the problem?
>
> Note: This is an internal server (with user mailboxes, also used as
> our SMTP server for outgoing mail), not accepting incoming mail
> directly but from two mail gateway servers - also running postfix - so
> we are not running postscreen on it. Would you suggest running
> postscreen too?
In such a case postscreen should not be needed, BUT it seems that connections
from the outside are allowed, in which case postscreen makes sense.
The other solution would of course be disabling SMTP connections from the world.
> Would postscreen help in a situation like the above,
> if the remote server is in some RBL?
yes.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I don't have lysdexia. The Dog wouldn't allow that.
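The ban logic discussed in the thread, written out as an added example (this is not code from the post, from Postfix or from fail2ban; it only emulates what a fail2ban jail does when its failregex matches a line). It applies a fail2ban-style `maxretry`/`findtime` sliding window to a constructed log sample modelled on the excerpt above, with a second client added that drops its connection once so the threshold has something to ignore. The year is an assumption, since syslog timestamps carry none; the hostname `laptop.example.net` and address 192.0.2.10 are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_YEAR = 2022  # assumption: postfix syslog lines carry no year; the thread is from March 2022

# Constructed sample log, modelled on the excerpt posted above. The last two
# lines are added: one legitimate client dropping once, and a late hit from the
# scanner after it would already have been banned.
SAMPLE_LOG = """\
Mar  3 10:06:42 vmail2 postfix/smtpd[22733]: connect from unknown[45.148.10.243]
Mar  3 10:06:43 vmail2 postfix/smtpd[22733]: lost connection after AUTH from unknown[45.148.10.243]
Mar  3 10:06:43 vmail2 postfix/smtpd[22733]: disconnect from unknown[45.148.10.243] ehlo=1 auth=0/1 commands=1/2
Mar  3 10:06:43 vmail2 postfix/smtpd[22730]: lost connection after AUTH from unknown[45.148.10.243]
Mar  3 10:06:44 vmail2 postfix/smtpd[22852]: lost connection after AUTH from unknown[45.148.10.243]
Mar  3 10:06:50 vmail2 postfix/smtpd[22860]: lost connection after AUTH from laptop.example.net[192.0.2.10]
Mar  3 10:07:30 vmail2 postfix/smtpd[22861]: lost connection after AUTH from unknown[45.148.10.243]
"""

# Same shape as a fail2ban failregex, with the <HOST> token replaced by a named
# group. Anchored at both ends so connect/disconnect/warning lines never match.
AUTH_LOSS_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ postfix/smtpd\[\d+\]: lost connection after AUTH from "
    r"\S+\[(?P<ip>[0-9A-Fa-f.:]+)\]$"
)


def parse_auth_loss(line):
    """Return (timestamp, ip) for a 'lost connection after AUTH' line, else None."""
    m = AUTH_LOSS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(
        f"{m['mon']} {m['day']} {m['time']} {LOG_YEAR}", "%b %d %H:%M:%S %Y")
    return ts, m["ip"]


def find_offenders(log_text, maxretry=3, findtime=60):
    """fail2ban-style sliding window over the log.

    An IP that produces at least `maxretry` matching lines within any
    `findtime`-second window is recorded as banned at the timestamp of the hit
    that crossed the threshold. Returns {ip: datetime_of_ban}. Hits from an IP
    already banned are ignored, as the firewall rule would drop them.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> timestamps of hits still inside the window
    banned = {}
    for line in log_text.splitlines():
        hit = parse_auth_loss(line)
        if hit is None:
            continue
        ts, ip = hit
        if ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # expire hits older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"ban {ip} at {when:%b %d %H:%M:%S}")
```

In fail2ban terms the regex above corresponds to a filter with `failregex = ^.*postfix/smtpd\[\d+\]: lost connection after AUTH from \S+\[<HOST>\]$` and a jail setting `maxretry` and `findtime`; the point of the threshold is that a single "lost connection after AUTH" is also what a real user's mail client produces when it drops mid-handshake, so a one-hit ban would lock out your own users, whereas several hits from one address within seconds (here three in two seconds) is the pattern in the posted log.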