
Re: Odd postfix and firewall log entries

  • Viktor Dukhovni
    Message 1 of 3 , Oct 1, 2012
      On Mon, Oct 01, 2012 at 11:05:59AM -0400, Mike. wrote:

      > I recently started seeing these log entries in the Postfix log and the
      > firewall log. The sequence happens once a day, sometimes twice. Each
      > time it appears to be a different client IP address.
      >
      > In summary, I see an aborted connection attempt to Postfix, then a
      > short while later I see Postfix trying some outbound connections (which
      > are blocked and logged by the firewall).

      They are not outbound connections. These are most likely re-transmissions
      of the Postfix 220 banner, which was never acked by the connecting client.

      The firewall tears down the connection before the TCP stack stops
      retrying.

      > Sep 28 03:21:22 oneou postfix/smtpd[91250]: connect from
      > unknown[39.xxx.56.235]
      > Sep 28 03:26:22 oneou postfix/smtpd[91250]: timeout after CONNECT from
      > unknown[39.xxx.56.235]
      > Sep 28 03:26:22 oneou postfix/smtpd[91250]: disconnect from
      > unknown[39.xxx.56.235]
      > Sep 28 03:27:12 oneou pf: rule 1/0(match): block out on fxp0:
      > 216.xxx.68.64.25 > 39.xxx.56.235.1525: tcp 108
      > Sep 28 03:28:16 oneou pf: rule 1/0(match): block out on fxp0:
      > 216.xxx.68.64.25 > 39.xxx.56.235.1525: tcp 108
      > Sep 28 03:29:20 oneou pf: rule 1/0(match): block out on fxp0:
      > 216.xxx.68.64.25 > 39.xxx.56.235.1525: tcp 108
      > Sep 28 03:30:24 oneou pf: rule 1/0(match): block out on fxp0:
      > 216.xxx.68.64.25 > 39.xxx.56.235.1525: tcp 108
      > Sep 28 03:31:28 oneou pf: rule 1/0(match): block out on fxp0:
      > 216.xxx.68.64.25 > 39.xxx.56.235.1525: tcp 20

      --
      Viktor.
    • Mike.
      Message 2 of 3 , Oct 1, 2012
        On 10/1/2012 at 3:35 PM Viktor Dukhovni wrote:

        |On Mon, Oct 01, 2012 at 11:05:59AM -0400, Mike. wrote:
        |
        |> I recently started seeing these log entries in the Postfix log and the
        |> firewall log. The sequence happens once a day, sometimes twice. Each
        |> time it appears to be a different client IP address.
        |>
        |> In summary, I see an aborted connection attempt to Postfix, then a
        |> short while later I see Postfix trying some outbound connections (which
        |> are blocked and logged by the firewall).
        |
        |They are not outbound connections. These are most likely re-transmissions
        |of the Postfix 220 banner, which was never acked by the connecting client.
        |
        |The firewall tears down the connection before the TCP stack stops
        |retrying.
        |
        |> Sep 28 03:21:22 oneou postfix/smtpd[91250]: connect from
        |> unknown[39.xxx.56.235]
        |> Sep 28 03:26:22 oneou postfix/smtpd[91250]: timeout after CONNECT from
        |> unknown[39.xxx.56.235]
        |> Sep 28 03:26:22 oneou postfix/smtpd[91250]: disconnect from
        |> unknown[39.xxx.56.235]
        |> Sep 28 03:27:12 oneou pf: rule 1/0(match): block out on fxp0:
        |> 216.xxx.68.64.25 > 39.xxx.56.235.1525: tcp 108
        |> Sep 28 03:28:16 oneou pf: rule 1/0(match): block out on fxp0:
        |> 216.xxx.68.64.25 > 39.xxx.56.235.1525: tcp 108
        |> Sep 28 03:29:20 oneou pf: rule 1/0(match): block out on fxp0:
        |> 216.xxx.68.64.25 > 39.xxx.56.235.1525: tcp 108
        |> Sep 28 03:30:24 oneou pf: rule 1/0(match): block out on fxp0:
        |> 216.xxx.68.64.25 > 39.xxx.56.235.1525: tcp 108
        |> Sep 28 03:31:28 oneou pf: rule 1/0(match): block out on fxp0:
        |> 216.xxx.68.64.25 > 39.xxx.56.235.1525: tcp 20
        |
        |--
        | Viktor.

        =============

        Thanks very much for the quick answer. That makes sense.


        btw, regarding my comment that "I recently started seeing these log
        entries" :

        I recently added an IPv6 tunnel to the server and I adjusted the
        firewall rules. One of the things I changed was the firewall now logs
        all blocked outbound connections. So this curiosity may have been
        occurring previously, I just did not see the firewall blocks because
        they were not logged.

        So all the symptoms fall into place now.

        Thanks again.

        Mike.
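
The correlation described in the first reply, as an added example that is not part of the original thread: it labels each pf "block out" entry as a retransmitted server reply when the packet leaves from the SMTP listener port toward a client whose smtpd session ended shortly before. The function name, the 15-minute window, the assumed year and the sample lines (documentation addresses, constructed in the thread's log format) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Postfix smtpd lines that mark the end of an inbound session
SMTPD = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ postfix/smtpd\[\d+\]: "
                   r"(?:disconnect from|timeout after \S+ from) \S*\[([\d.]+)\]")
# pf log lines in tcpdump style: src_ip.src_port > dst_ip.dst_port
PF = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ pf: .*block out on \S+: "
                r"([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): tcp \d+")

def ts(stamp, year=2012):
    # syslog stamps carry no year; one is assumed so deltas can be computed
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def classify(lines, smtp_port=25, window=timedelta(minutes=15)):
    """Return [(timestamp, remote_ip, verdict)] for each blocked outbound packet."""
    last_end = {}  # client IP -> time its smtpd session last ended
    out = []
    for line in lines:
        m = SMTPD.match(line)
        if m:
            last_end[m.group(2)] = ts(m.group(1))
            continue
        m = PF.match(line)
        if not m:
            continue
        when, sport, dst = ts(m.group(1)), int(m.group(3)), m.group(4)
        ended = last_end.get(dst)
        if sport != smtp_port:
            verdict = "other"        # not sent from the SMTP listener port
        elif ended is not None and timedelta(0) <= when - ended <= window:
            verdict = "retransmit"   # reply on a session the client just abandoned
        else:
            verdict = "unexplained"  # from port 25 but no recent session seen
        out.append((m.group(1), dst, verdict))
    return out

# Constructed sample, modelled on the log format quoted in the thread
SAMPLE = [
    "Sep 28 03:21:22 mx postfix/smtpd[91250]: connect from unknown[192.0.2.235]",
    "Sep 28 03:26:22 mx postfix/smtpd[91250]: timeout after CONNECT from unknown[192.0.2.235]",
    "Sep 28 03:26:22 mx postfix/smtpd[91250]: disconnect from unknown[192.0.2.235]",
    "Sep 28 03:27:12 mx pf: rule 1/0(match): block out on fxp0: 198.51.100.64.25 > 192.0.2.235.1525: tcp 108",
    "Sep 28 03:31:28 mx pf: rule 1/0(match): block out on fxp0: 198.51.100.64.25 > 192.0.2.235.1525: tcp 20",
    "Sep 28 04:00:00 mx pf: rule 1/0(match): block out on fxp0: 198.51.100.64.51234 > 203.0.113.9.25: tcp 40",
]

if __name__ == "__main__":
    for row in classify(SAMPLE):
        print(*row)
```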