
Re: /var/log/mail.info

  • Ralf Hildebrandt
    Message 1 of 7, Nov 1, 2012
      * thorsopia@... <thorsopia@...>:
      > Hi,
      >
      > I'm getting the following connections from suspicious IPs.
      >
      > $ sudo more /var/log/mail.info
      >
      > <DATE> <MACHINE> postfix/smtpd[PID]: connect from unknown[IP]
      > <DATE> <MACHINE> postfix/smtpd[PID]: lost connection after UNKNOWN from
      > unknown[IP]
      > <DATE> <MACHINE> postfix/smtpd[PID]: disconnect from unknown[IP]
      >
      > What's going on here?

      That could be anything, probably a portscan from IP.

      > smtp_client_restrictions = reject_unknown_reverse_client_hostname
      >
      > Is it enough? Should I configure "fail2ban" to reject these?

      No, there was no transaction at all.

      > I also have these entries in the same log file:
      >
      > <DATE> <MACHINE> postfix/pickup[PID]: ... from=<root> ...
      > <DATE> <MACHINE> postfix/cleanup[PID]: ... from=<root@<mydomain>> ...
      > <DATE> <MACHINE> postfix/qmgr[PID]: ... from=<root@<mydomain>> ...
      > <DATE> <MACHINE> postfix/local[PID]: ... to=<root@<mydomain>> ...
      >
      > Why does it use root? AFAICT, there should be a different value. Is
      > this a placeholder/default value?

      That was probably a mail from root (e.g. output from a cron job)

      --
      [*] sys4 AG

      http://sys4.de, +49 (89) 30 90 46 64
      Franziskanerstraße 15, 81669 München

      Registered office: München, Amtsgericht München: HRB 199263
      Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
      Chairman of the supervisory board: Joerg Heidrich
    • thorsopia@lavabit.com
      Message 2 of 7, Nov 5, 2012
        > You may want to invest some time in learning the basics of email and
        > system administration; this list is not the place for that.

        I'm willing to learn. I assume that the best way to learn is to
        configure my own mail server. Am I wrong?

        >> Should I follow this [1] advice:

        > No. What do you think is the problem ?

        I thought that my server was compromised.

        I also thought that it can be used to organize a DDoS attack on my
        server. That's why I decided to configure fail2ban.

        Could you disprove (or comment on) the above?
      • /dev/rob0
        Message 3 of 7, Nov 5, 2012
          On Mon, Nov 05, 2012 at 05:18:23PM -0500, thorsopia@... wrote:
          > Jeroen:
          > > You may want to invest some time in learning the basics of email
          > > and system administration; this list is not the place for that.
          >
          > I'm willing to learn. I assume that the best way to learn is to
          > configure my own mail server. Am I wrong?

          Learning by doing, and by reference to documentation, is the best
          method indeed. Be advised that mail admin has prerequisites, and if
          you're weak in those, the documentation might not make sense in
          places. Among the prerequisites: familiarity with general Unix;
          familiarity with your particular flavor thereof; basic understanding
          of IP networking and troubleshooting; basic knowledge of SMTP and
          email protocols (which parts do what, and why, and how); basic to
          medium understanding of DNS, particularly in regard to how Internet
          mail routing is controlled.

          As P@rick rightly pointed out, we will help here with prerequisites.
          But Jeroen's right too: you should not expect this mailing list to
          take the place of all those things.

          > >> Should I follow this [1] advice:
          >
          > > No. What do you think is the problem ?
          >
          > I thought that my server was compromised.

          One of the first things I decided when I started learning system
          administration was:

          *** DON'T PANIC!!! ***

          When you see something you don't understand, let that be your first
          thought: "I don't understand this." If you think "my server was
          compromised" every time you see something you don't understand, you
          won't do well, and you might drive yourself crazy in the process of
          failure.

          > I also thought that it can be used to organize a DDoS attack on
          > my server. That's why I decided to configure fail2ban.
          >
          > Could you disprove (or comment on) the above?

          Other posters tried to explain those logs you did not understand.
          Please refer back to those posts.

          1. Sometimes mail clients will connect and decide that they are
          unable to complete their transaction as planned. There is no means
          within the SMTP protocol and extensions for a client to tell the
          server its reasoning. If you control the client, refer to client
          logs.

          2. If a connecting client lacks FCrDNS, Postfix will log it as
          "unknown".

          3. pickup(8):
          "
          NAME
          pickup - Postfix local mail pickup

          SYNOPSIS
          pickup [generic Postfix daemon options]

          DESCRIPTION
          The pickup(8) daemon waits for hints that new mail has
          been dropped into the maildrop directory, and feeds it
          into the cleanup(8) daemon.
          ..."

          In real terms, logging from pickup(8) means that someone (a shell
          user) or some process running on your system used sendmail(1) to send
          mail. It's not unusual for operating systems to ship with default
          cron jobs (see crontab(1) and your OS/distro documentation) which try
          to send mail.

          There is absolutely no evidence in this thread that you have had a
          compromise. Again:

          *** DON'T PANIC!!! ***

          Something else I should point out: you used "/var/log/mail.info" as
          the subject of this thread. Typically that file is an incomplete
          representation of syslog(3) "mail" facility logs; these would only be
          logs of the "info" priority level.

          You should look for and rely upon whatever file you have which
          receives "mail.*" logs (all syslog priorities of the "mail"
          facility.)
          --
          http://rob0.nodns4.us/ -- system administration and consulting
          Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
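As an added example (not code from the thread or from Postfix), a small Python triage script run over log lines constructed in the shape the original poster quoted: it separates smtpd sessions that never got a queue ID (connect, "lost connection after UNKNOWN", disconnect, i.e. no transaction at all, as Ralf and rob0 describe) from sessions that did, and lists pickup(8) entries as local sendmail(1) submissions. The hostnames, addresses and queue IDs are constructed placeholders.

```python
import re

# Constructed sample lines in the shape the original poster showed; hostnames,
# IPs (RFC 5737 ranges) and queue IDs are placeholders, not real clients.
SAMPLE_LOG = """\
Nov  1 10:00:01 mx postfix/smtpd[1234]: connect from unknown[192.0.2.10]
Nov  1 10:00:02 mx postfix/smtpd[1234]: lost connection after UNKNOWN from unknown[192.0.2.10]
Nov  1 10:00:02 mx postfix/smtpd[1234]: disconnect from unknown[192.0.2.10]
Nov  1 10:05:00 mx postfix/smtpd[1300]: connect from mail.example.net[198.51.100.5]
Nov  1 10:05:01 mx postfix/smtpd[1300]: 7A1B2C3D4E: client=mail.example.net[198.51.100.5]
Nov  1 10:05:02 mx postfix/smtpd[1300]: disconnect from mail.example.net[198.51.100.5]
Nov  1 10:10:00 mx postfix/pickup[2000]: 5F6E7D8C9B: uid=0 from=<root>
"""

LINE_RE = re.compile(r"postfix/(?P<daemon>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
QUEUE_RE = re.compile(r"^[0-9A-Za-z]+: client=")   # queue file opened: a real transaction
PICKUP_RE = re.compile(r"uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>")

def smtpd_sessions(log_text):
    """Group smtpd lines per PID from 'connect from' to 'disconnect from'.
    A session counts as a transaction only if smtpd logged a queue ID for it;
    'lost_after' records the SMTP stage reached ('UNKNOWN' = nothing sent)."""
    active, done = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("daemon") != "smtpd":
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if msg.startswith("connect from "):
            active[pid] = {"pid": pid, "client": msg[len("connect from "):],
                           "transaction": False, "lost_after": None}
        elif pid in active:
            if QUEUE_RE.match(msg):
                active[pid]["transaction"] = True
            elif msg.startswith("lost connection after "):
                active[pid]["lost_after"] = msg.split()[3]   # word after "after"
            elif msg.startswith("disconnect from "):
                done.append(active.pop(pid))
    return done + list(active.values())   # keep sessions with no disconnect yet

def local_submissions(log_text):
    """pickup(8) lines mean a local user or process used sendmail(1): return (uid, sender)."""
    found = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("daemon") == "pickup":
            p = PICKUP_RE.search(m.group("msg"))
            if p:
                found.append((int(p.group("uid")), p.group("sender")))
    return found
```

Sessions that end with "lost connection after UNKNOWN" and no queue ID are exactly the "no transaction at all" case from the thread; pickup entries with uid=0 are what a root cron job's mail looks like.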