- * thorsopia@... <thorsopia@...>:
> Hi,
> I'm getting the following connections from suspicious IPs.
> $ sudo more /var/log/mail.info
> <DATE> <MACHINE> postfix/smtpd[PID]: connect from unknown[IP]
> <DATE> <MACHINE> postfix/smtpd[PID]: lost connection after UNKNOWN from
> <DATE> <MACHINE> postfix/smtpd[PID]: disconnect from unknown[IP]
> What's going on here?
That could be anything, probably a portscan from IP.
> smtp_client_restrictions = reject_unknown_reverse_client_hostname
> Is it enough? Should I configure "fail2ban" to reject these?
No, there was no transaction at all.
> I also have these entries in the same log file:
> <DATE> <MACHINE> postfix/pickup[PID]: ... from=<root> ...
> <DATE> <MACHINE> postfix/cleanup[PID]: ... from=<root@<mydomain>> ...
> <DATE> <MACHINE> postfix/qmgr[PID]: ... from=<root@<mydomain>> ...
> <DATE> <MACHINE> postfix/local[PID]: ... to=<root@<mydomain>> ...
> Why does it use root? AFAICT, there should be a different value. Is
> this a placeholder/default value?
That was probably a mail from root (e.g. output from a cron job)
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Aufsichtsratsvorsitzender: Joerg Heidrich
> You may want to invest some time in learning the basics of email and
> system administration; this list is not the place for that.
I'm willing to learn. I assume that the best way to learn is to
configure my own mail server. Am I wrong?
>> Should I follow this advice:
> No. What do you think is the problem ?
I thought that my server was compromised.
I also thought that it can be used to organize a DDoS attack on my
server. That's why I decided to configure fail2ban.
Could you disprove (or comment on) the above?
- On Mon, Nov 05, 2012 at 05:18:23PM -0500, thorsopia@... wrote:
> Jeroen:
> > You may want to invest some time in learning the basics of email
> > and system administration; this list is not the place for that.
> I'm willing to learn. I assume that the best way to learn is to
> configure my own mail server. Am I wrong?
Learning by doing, and by reference to documentation, is the best
method indeed. Be advised that mail admin has prerequisites, and if
you're weak in those, the documentation might not make sense in
places. Among the prerequisites: familiarity with general Unix;
familiarity with your particular flavor thereof; basic understanding
of IP networking and troubleshooting; basic knowledge of SMTP and
email protocols (which parts do what, and why, and how); basic to
medium understanding of DNS, particularly in regard to how Internet
mail routing is controlled.
As P@rick rightly pointed out, we will help here with prerequisites.
But Jeroen's right too: you should not expect this mailing list to
take the place of all those things.
> >> Should I follow this advice:
> > No. What do you think is the problem ?
> I thought that my server was compromised.
One of the first things I decided when I started learning system
*** DON'T PANIC!!! ***
When you see something you don't understand, let that be your first
thought: "I don't understand this." If you think "my server was
compromised" every time you see something you don't understand, you
won't do well, and you might drive yourself crazy in the process of
> I also thought that it can be used to organize a DDoS attack on
> my server. That's why I decided to configure fail2ban.
> Could you disprove (or comment on) the above?
Other posters tried to explain those logs you did not understand.
Please refer back to those posts.
1. Sometimes mail clients will connect and decide that they are
unable to complete their transaction as planned. There is no means
within the SMTP protocol and extensions for a client to tell the
server its reasoning. If you control the client, refer to client
2. If a connecting client lacks FCrDNS, Postfix will log it as
pickup - Postfix local mail pickup
pickup [generic Postfix daemon options]
The pickup(8) daemon waits for hints that new mail has
been dropped into the maildrop directory, and feeds it
into the cleanup(8) daemon.
In real terms, logging from pickup(8) means that someone (a shell
user) or some process running on your system used sendmail(1) to send
mail. It's not unusual for operating systems to ship with default
cron jobs (see crontab(1) and your OS/distro documentation) which try
to send mail.
There is absolutely no evidence in this thread that you have had a
*** DON'T PANIC!!! ***
Something else I should point out: you used "/var/log/mail.info" as
the subject of this thread. Typically that file is an incomplete
representation of syslog(3) "mail" facility logs; these would only be
logs of the "info" priority level.
You should look for and rely upon whatever file you have which
receives "mail.*" logs (all syslog priorities of the "mail"
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
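As an added example (not code from the thread, from sys4 or from Postfix), the following Python script applies the two explanations given in this thread to log lines in the quoted "<DATE> <MACHINE> postfix/<daemon>[<PID>]: <message>" format. It groups each smtpd connect/disconnect pair into a session and marks it "no transaction" when Postfix never assigned a queue ID (the connect, lost connection after UNKNOWN, disconnect pattern), counts such sessions per client IP, which is the figure to look at before deciding whether a fail2ban rule is worth configuring at all, and lists pickup(8) submissions so that root's cron mail is recognised as local sendmail(1) usage rather than anything remote. The sample log, host name and addresses are constructed for the example.

```python
"""Classify Postfix smtpd sessions and local pickups from a mail log.

Added example, not code from the thread or from Postfix. Assumes the default
syslog line format quoted in the thread; SAMPLE_LOG is constructed, not from
any real server.
"""
import re
from collections import Counter

# Constructed sample: two "no transaction" visits from one IP, one accepted
# message from a remote client, and one local cron-style submission by root.
SAMPLE_LOG = """\
Nov  5 17:01:02 mx postfix/smtpd[2101]: connect from unknown[192.0.2.10]
Nov  5 17:01:02 mx postfix/smtpd[2101]: lost connection after UNKNOWN from unknown[192.0.2.10]
Nov  5 17:01:02 mx postfix/smtpd[2101]: disconnect from unknown[192.0.2.10]
Nov  5 17:02:00 mx postfix/pickup[1990]: A1B2C3: uid=0 from=<root>
Nov  5 17:02:00 mx postfix/qmgr[1991]: A1B2C3: from=<root@example.test>, size=512, nrcpt=1 (queue active)
Nov  5 17:02:00 mx postfix/local[2111]: A1B2C3: to=<root@example.test>, relay=local, status=sent (delivered to mailbox)
Nov  5 17:03:10 mx postfix/smtpd[2120]: connect from mail.example.org[198.51.100.7]
Nov  5 17:03:11 mx postfix/smtpd[2120]: D4E5F6: client=mail.example.org[198.51.100.7]
Nov  5 17:03:11 mx postfix/smtpd[2120]: disconnect from mail.example.org[198.51.100.7]
Nov  5 17:04:00 mx postfix/smtpd[2130]: connect from unknown[192.0.2.10]
Nov  5 17:04:00 mx postfix/smtpd[2130]: lost connection after UNKNOWN from unknown[192.0.2.10]
Nov  5 17:04:00 mx postfix/smtpd[2130]: disconnect from unknown[192.0.2.10]
"""

LINE_RE = re.compile(
    r"^(?P<date>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<daemon>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
CLIENT_RE = re.compile(r"from (?P<name>\S+?)\[(?P<ip>[^\]]+)\]")
LOST_RE = re.compile(r"^lost connection after (?P<stage>\S+) from ")
QUEUED_RE = re.compile(r"^(?P<qid>[0-9A-Za-z]+): client=")
PICKUP_RE = re.compile(r"^(?P<qid>[0-9A-Za-z]+): uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>")


def parse_line(line):
    """Split one syslog line into date/host/daemon/pid/msg; None if not Postfix."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def smtpd_sessions(log_text):
    """Group smtpd lines into connect..disconnect sessions keyed by smtpd PID.

    A session records the client name/IP, every queue ID Postfix assigned
    (none means no message was ever accepted) and, if the client dropped
    early, the SMTP stage it was in ("UNKNOWN" = before any command).
    """
    open_sessions, finished = {}, []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or rec["daemon"] != "smtpd":
            continue
        pid, msg = rec["pid"], rec["msg"]
        if msg.startswith("connect from "):
            c = CLIENT_RE.search(msg)
            open_sessions[pid] = {"client_name": c.group("name"), "client_ip": c.group("ip"),
                                  "queue_ids": [], "lost_after": None}
            continue
        sess = open_sessions.get(pid)
        if sess is None:
            continue  # session whose "connect" line is outside this log
        queued, lost = QUEUED_RE.match(msg), LOST_RE.match(msg)
        if queued:
            sess["queue_ids"].append(queued.group("qid"))
        elif lost:
            sess["lost_after"] = lost.group("stage")
        elif msg.startswith("disconnect from "):
            finished.append(open_sessions.pop(pid))
    return finished


def classify(sess):
    """Label a session the way the thread does: mail accepted, or no transaction."""
    if sess["queue_ids"]:
        return "transaction"
    if sess["lost_after"] == "UNKNOWN":
        # Connected and went away before a single SMTP command: something
        # poked the port, nothing was sent or received.
        return "no-transaction:dropped-before-any-command"
    if sess["lost_after"]:
        return "no-transaction:dropped-after-" + sess["lost_after"]
    return "no-transaction:closed-normally"


def no_transaction_counts(sessions):
    """Per-IP count of sessions with no transaction (what a fail2ban-style
    rule would threshold on; worth inspecting before adding such a rule)."""
    return Counter(s["client_ip"] for s in sessions if not s["queue_ids"])


def local_submissions(log_text):
    """(queue id, uid, sender) for mail pickup(8) took from the maildrop,
    i.e. local sendmail(1) submissions such as cron output; uid 0 is root."""
    found = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        m = PICKUP_RE.match(rec["msg"]) if rec and rec["daemon"] == "pickup" else None
        if m:
            found.append((m.group("qid"), int(m.group("uid")), m.group("sender")))
    return found


if __name__ == "__main__":
    sessions = smtpd_sessions(SAMPLE_LOG)
    for s in sessions:
        print(s["client_ip"], classify(s))
    print("no-transaction sessions per IP:", dict(no_transaction_counts(sessions)))
    print("local pickups:", local_submissions(SAMPLE_LOG))
```

Run it against a real log by replacing SAMPLE_LOG with the contents of whatever file receives the full "mail.*" facility, since, as the reply above notes, mail.info alone only holds the info priority and will miss warnings and errors.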