
Odd postfix and firewall log entries

  • Mike.
    Message 1 of 3 , Oct 1, 2012
      I recently started seeing these log entries in the Postfix log and the
      firewall log. The sequence happens once a day, sometimes twice. Each
      time it appears to be a different client IP address.

      In summary, I see an aborted connection attempt to Postfix, then a
      short while later I see Postfix trying some outbound connections (which
      are blocked and logged by the firewall).

      Is this behavior familiar to anyone? Any suggestions on where I should
      start looking next for the source of the outbound attempts?

      This is Postfix 2.7.1. Postfix 2.9.1 exhibits a similar behavior.
      IP 216.xxx.68.64 is the Postfix server, which runs FreeBSD 8.3.



      Sep 28 03:21:22 oneou postfix/smtpd[91250]: connect from
      unknown[39.xxx.56.235]
      Sep 28 03:26:22 oneou postfix/smtpd[91250]: timeout after CONNECT from
      unknown[39.xxx.56.235]
      Sep 28 03:26:22 oneou postfix/smtpd[91250]: disconnect from
      unknown[39.xxx.56.235]
      Sep 28 03:27:12 oneou pf: rule 1/0(match): block out on fxp0:
      216.xxx.68.64.25 > 39.xxx.56.235.1525: tcp 108
      Sep 28 03:28:16 oneou pf: rule 1/0(match): block out on fxp0:
      216.xxx.68.64.25 > 39.xxx.56.235.1525: tcp 108
      Sep 28 03:29:20 oneou pf: rule 1/0(match): block out on fxp0:
      216.xxx.68.64.25 > 39.xxx.56.235.1525: tcp 108
      Sep 28 03:30:24 oneou pf: rule 1/0(match): block out on fxp0:
      216.xxx.68.64.25 > 39.xxx.56.235.1525: tcp 108
      Sep 28 03:31:28 oneou pf: rule 1/0(match): block out on fxp0:
      216.xxx.68.64.25 > 39.xxx.56.235.1525: tcp 20




      Sep 30 11:05:57 oneou postfix/smtpd[34106]: connect from
      6.sfi.patel.net[83.xxx.56.16]
      Sep 30 11:05:58 oneou postfix/smtpd[34106]: lost connection after
      CONNECT from 6.sfi.patel.net[83.xxx.56.16]
      Sep 30 11:05:58 oneou postfix/smtpd[34106]: disconnect from
      6.sfi.patel.net[83.xxx.56.16]
      Sep 30 11:08:07 oneou pf: rule 1/0(match): block out on fxp0:
      216.xxx.68.64.25 > 83.xxx.56.16.17725: tcp 20
      Sep 30 11:09:10 oneou pf: rule 1/0(match): block out on fxp0:
      216.xxx.68.64.25 > 83.xxx.56.16.17725: tcp 20
      Sep 30 11:10:14 oneou pf: rule 1/0(match): block out on fxp0:
      216.xxx.68.64.25 > 83.xxx.56.16.17725: tcp 20
      Sep 30 11:11:18 oneou pf: rule 1/0(match): block out on fxp0:
      216.xxx.68.64.25 > 83.xxx.56.16.17725: tcp 20
      Sep 30 11:12:22 oneou pf: rule 1/0(match): block out on fxp0:
      216.xxx.68.64.25 > 83.xxx.56.16.17725: tcp 20
      Sep 30 11:13:26 oneou pf: rule 1/0(match): block out on fxp0:
      216.xxx.68.64.25 > 83.xxx.56.16.17725: tcp 20
      Sep 30 11:14:30 oneou pf: rule 1/0(match): block out on fxp0:
      216.xxx.68.64.25 > 83.xxx.56.16.17725: tcp 20
      Sep 30 11:15:34 oneou pf: rule 1/0(match): block out on fxp0:
      216.xxx.68.64.25 > 83.xxx.56.16.17725: tcp 20
    • Viktor Dukhovni
      Message 2 of 3 , Oct 1, 2012
        On Mon, Oct 01, 2012 at 11:05:59AM -0400, Mike. wrote:

        > I recently started seeing these log entries in the Postfix log and the
        > firewall log. The sequence happens once a day, sometimes twice. Each
        > time it appears to be a different client IP address.
        >
        > In summary, I see an aborted connection attempt to Postfix, then a
        > short while later I see Postfix trying some outbound connections (which
        > are blocked and logged by the firewall).

        They are not outbound connections. These are most likely re-transmissions
        of the Postfix 220 banner, which was never acked by the connecting client.

        The firewall tears down the connection before the TCP stack stops
        retrying.

        > Sep 28 03:21:22 oneou postfix/smtpd[91250]: connect from
        > unknown[39.xxx.56.235]
        > Sep 28 03:26:22 oneou postfix/smtpd[91250]: timeout after CONNECT from
        > unknown[39.xxx.56.235]
        > Sep 28 03:26:22 oneou postfix/smtpd[91250]: disconnect from
        > unknown[39.xxx.56.235]
        > Sep 28 03:27:12 oneou pf: rule 1/0(match): block out on fxp0:
        > 216.xxx.68.64.25 > 39.xxx.56.235.1525: tcp 108
        > Sep 28 03:28:16 oneou pf: rule 1/0(match): block out on fxp0:
        > 216.xxx.68.64.25 > 39.xxx.56.235.1525: tcp 108
        > Sep 28 03:29:20 oneou pf: rule 1/0(match): block out on fxp0:
        > 216.xxx.68.64.25 > 39.xxx.56.235.1525: tcp 108
        > Sep 28 03:30:24 oneou pf: rule 1/0(match): block out on fxp0:
        > 216.xxx.68.64.25 > 39.xxx.56.235.1525: tcp 108
        > Sep 28 03:31:28 oneou pf: rule 1/0(match): block out on fxp0:
        > 216.xxx.68.64.25 > 39.xxx.56.235.1525: tcp 20

        --
        Viktor.
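Viktor's diagnosis gives a defender a simple triage rule for these logs: a pf "block out" whose source port is 25 and whose destination is a client smtpd just timed out on is the server's own TCP stack retrying the unacked 220 banner, not a new outbound connection. The following Python script is an added example (not part of the thread) that applies that rule to constructed sample lines; the year, the 15-minute window and the sample addresses are assumptions, and anything that does not fit the rule is flagged as an outbound attempt worth a closer look.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines shaped like the thread's logs (octets altered; not the poster's data).
SAMPLE_LOG = """\
Sep 28 03:21:22 oneou postfix/smtpd[91250]: connect from unknown[39.0.56.235]
Sep 28 03:26:22 oneou postfix/smtpd[91250]: timeout after CONNECT from unknown[39.0.56.235]
Sep 28 03:26:22 oneou postfix/smtpd[91250]: disconnect from unknown[39.0.56.235]
Sep 28 03:27:12 oneou pf: rule 1/0(match): block out on fxp0: 216.0.68.64.25 > 39.0.56.235.1525: tcp 108
Sep 28 03:28:16 oneou pf: rule 1/0(match): block out on fxp0: 216.0.68.64.25 > 39.0.56.235.1525: tcp 108
Sep 28 03:40:00 oneou pf: rule 1/0(match): block out on fxp0: 216.0.68.64.44321 > 198.51.100.7.25: tcp 60
"""

SMTPD_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
                      r"(connect|timeout after|lost connection after|disconnect) .*?\[([0-9.]+)\]")
PF_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pf: .*block out on \S+: "
                   r"([0-9.]+)\.(\d+) > ([0-9.]+)\.(\d+): tcp")
YEAR = "2012"                    # syslog lines carry no year; assumed for the sample
WINDOW = timedelta(minutes=15)   # assumed: how long after a session a retransmission is plausible

def ts(stamp):
    return datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S")

def classify(log):
    """Tag every pf 'block out' line as banner-retransmission noise or an unexplained outbound attempt."""
    last_seen = {}   # client IP -> time of its most recent smtpd event
    results = []
    for line in log.splitlines():
        m = SMTPD_RE.match(line)
        if m:
            last_seen[m.group(3)] = ts(m.group(1))
            continue
        m = PF_RE.match(line)
        if not m:
            continue
        when, sport, dst = ts(m.group(1)), int(m.group(3)), m.group(4)
        recent = dst in last_seen and timedelta(0) <= when - last_seen[dst] <= WINDOW
        # Source port 25 toward a client smtpd just talked to: the server's SMTP socket is
        # still retrying the unacked 220 banner after pf dropped the connection state.
        tag = "banner-retransmission" if sport == 25 and recent else "unexplained-outbound"
        results.append((when.strftime("%H:%M:%S"), dst, tag))
    return results

if __name__ == "__main__":
    for row in classify(SAMPLE_LOG):
        print(*row)
```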
      • Mike.
        Message 3 of 3 , Oct 1, 2012
          On 10/1/2012 at 3:35 PM Viktor Dukhovni wrote:

|On Mon, Oct 01, 2012 at 11:05:59AM -0400, Mike. wrote:
|
|> I recently started seeing these log entries in the Postfix log and the
|> firewall log. The sequence happens once a day, sometimes twice. Each
|> time it appears to be a different client IP address.
|>
|> In summary, I see an aborted connection attempt to Postfix, then a
|> short while later I see Postfix trying some outbound connections (which
|> are blocked and logged by the firewall).
|
|They are not outbound connections. These are most likely re-transmissions
|of the Postfix 220 banner, which was never acked by the connecting client.
|
|The firewall tears down the connection before the TCP stack stops
|retrying.
|
|> Sep 28 03:21:22 oneou postfix/smtpd[91250]: connect from
|> unknown[39.xxx.56.235]
|> Sep 28 03:26:22 oneou postfix/smtpd[91250]: timeout after CONNECT from
|> unknown[39.xxx.56.235]
|> Sep 28 03:26:22 oneou postfix/smtpd[91250]: disconnect from
|> unknown[39.xxx.56.235]
|> Sep 28 03:27:12 oneou pf: rule 1/0(match): block out on fxp0:
|> 216.xxx.68.64.25 > 39.xxx.56.235.1525: tcp 108
|> Sep 28 03:28:16 oneou pf: rule 1/0(match): block out on fxp0:
|> 216.xxx.68.64.25 > 39.xxx.56.235.1525: tcp 108
|> Sep 28 03:29:20 oneou pf: rule 1/0(match): block out on fxp0:
|> 216.xxx.68.64.25 > 39.xxx.56.235.1525: tcp 108
|> Sep 28 03:30:24 oneou pf: rule 1/0(match): block out on fxp0:
|> 216.xxx.68.64.25 > 39.xxx.56.235.1525: tcp 108
|> Sep 28 03:31:28 oneou pf: rule 1/0(match): block out on fxp0:
|> 216.xxx.68.64.25 > 39.xxx.56.235.1525: tcp 20
|
|--
| Viktor.

          =============

          Thanks very much for the quick answer. That makes sense.


btw, regarding my comment that "I recently started seeing these log
entries":

I recently added an IPv6 tunnel to the server and I adjusted the
firewall rules. One of the things I changed was the firewall now logs
all blocked outbound connections. So this curiosity may have been
occurring previously; I just did not see the firewall blocks because
they were not logged.

          So all the symptoms fall into place now.

          Thanks again.

          Mike.