
Message 289180: Re: /var/log/mail.info

Ralf Hildebrandt
    Nov 1, 2012
      * thorsopia@... <thorsopia@...>:
      > Hi,
      >
      > I'm getting the following connections from suspicious IPs.
      >
      > $ sudo more /var/log/mail.info
      >
      > <DATE> <MACHINE> postfix/smtpd[PID]: connect from unknown[IP]
      > <DATE> <MACHINE> postfix/smtpd[PID]: lost connection after UNKNOWN from
      > unknown[IP]
      > <DATE> <MACHINE> postfix/smtpd[PID]: disconnect from unknown[IP]
      >
      > What's going on here?

      That could be anything, probably a portscan from IP.

      > smtp_client_restrictions = reject_unknown_reverse_client_hostname
      >
      > Is it enough? Should I configure "fail2ban" to reject these?

      No, there was no transaction at all.

      > I also have these entries in the same log file:
      >
      > <DATE> <MACHINE> postfix/pickup[PID]: ... from=<root> ...
      > <DATE> <MACHINE> postfix/cleanup[PID]: ... from=<root@<mydomain>> ...
      > <DATE> <MACHINE> postfix/qmgr[PID]: ... from=<root@<mydomain>> ...
      > <DATE> <MACHINE> postfix/local[PID]: ... to=<root@<mydomain>> ...
      >
      > Why does it use root? AFAICT, there should be a different value. Is
      > this a placeholder/default value?

      That was probably a mail from root (e.g. output from a cron job).

      --
      [*] sys4 AG

      http://sys4.de, +49 (89) 30 90 46 64
      Franziskanerstraße 15, 81669 München

      Registered office: München, Amtsgericht München: HRB 199263
      Management board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
      Chairman of the supervisory board: Joerg Heidrich
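A small summariser for the smtpd log lines quoted in this thread, added here as an example (it is not from the thread or from Postfix). It groups lines by smtpd process id into sessions and counts, per client address, sessions that ended with no mail transaction (the "lost connection after UNKNOWN" case Ralf describes) against sessions that actually handed over a message. The sample lines are constructed, with a made-up host name, PIDs and documentation-range addresses.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the thread's <DATE> <MACHINE> postfix/smtpd[PID] lines.
# 192.0.2.10 only ever produces connect / lost connection after UNKNOWN / disconnect;
# 198.51.100.7 gets a queue id, i.e. it reached a real mail transaction.
SAMPLE_LOG = """\
Nov  1 10:00:01 mx postfix/smtpd[1201]: connect from unknown[192.0.2.10]
Nov  1 10:00:01 mx postfix/smtpd[1201]: lost connection after UNKNOWN from unknown[192.0.2.10]
Nov  1 10:00:01 mx postfix/smtpd[1201]: disconnect from unknown[192.0.2.10]
Nov  1 10:00:05 mx postfix/smtpd[1202]: connect from unknown[192.0.2.10]
Nov  1 10:00:05 mx postfix/smtpd[1202]: lost connection after UNKNOWN from unknown[192.0.2.10]
Nov  1 10:00:05 mx postfix/smtpd[1202]: disconnect from unknown[192.0.2.10]
Nov  1 10:01:00 mx postfix/smtpd[1203]: connect from mail.example.net[198.51.100.7]
Nov  1 10:01:01 mx postfix/smtpd[1203]: ABC123: client=mail.example.net[198.51.100.7]
Nov  1 10:01:02 mx postfix/smtpd[1203]: disconnect from mail.example.net[198.51.100.7]
Nov  1 10:02:00 mx postfix/pickup[900]: DEF456: uid=0 from=<root>
"""

SMTPD_RE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"^connect from \S+\[(?P<ip>[^\]]+)\]")
LOST_RE = re.compile(r"^lost connection after (?P<stage>\S+) from ")
QUEUED_RE = re.compile(r"^[0-9A-F]+: client=")   # queue id assigned: a mail transaction began


def summarize_smtpd(log_text):
    """Return {ip: {"transactions": n, "no_transaction": n, "stages": set()}}."""
    sessions = {}      # pid -> state of the smtpd session currently using that process
    per_ip = defaultdict(lambda: {"transactions": 0, "no_transaction": 0, "stages": set()})
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if not m:
            continue   # pickup/cleanup/qmgr/local lines (e.g. the root cron mail) are not sessions
        pid, msg = m.group("pid"), m.group("msg")
        c = CONNECT_RE.match(msg)
        if c:
            sessions[pid] = {"ip": c.group("ip"), "stage": None, "queued": False}
            continue
        s = sessions.get(pid)
        if s is None:
            continue   # session whose connect line is outside this log excerpt
        lost = LOST_RE.match(msg)
        if lost:
            s["stage"] = lost.group("stage")      # last command state before the client went away
        elif QUEUED_RE.match(msg):
            s["queued"] = True
        elif msg.startswith("disconnect from "):
            entry = per_ip[s["ip"]]
            if s["queued"]:
                entry["transactions"] += 1
            else:
                entry["no_transaction"] += 1
                entry["stages"].add(s["stage"] or "clean-disconnect")
            del sessions[pid]
    return dict(per_ip)


if __name__ == "__main__":
    for ip, counts in summarize_smtpd(SAMPLE_LOG).items():
        print(ip, counts)
```

Clients that show up only under `no_transaction` with stage `UNKNOWN` never issued a valid SMTP command, so, as the reply points out, a restriction such as reject_unknown_reverse_client_hostname had nothing to act on and there is no mail to protect against.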