On Mar 30, 2010, at 1:26 PM, Noel Jones wrote:

> On 3/30/2010 2:46 PM, Terry Barnum wrote:
>> I moved our company over to postfix (v2.6.2) last Friday and have been
>> mesmerized by the log. One thing I'm seeing is a lot of 'lost connections
>> from unknown[ IP ]'. I'm hoping that these are due to either poorly written
>> spambots bailing early or smtpd_recipient_restrictions rejecting the
>> connection.
>>
>> Google finds discussions about it but I couldn't find anything really recent.
>>
>> From the following can you determine if this is something I should be
>> worried about? I'd be happy to provide more or different log data if
>> required.
>>
>> $ grep 'lost connection' /var/log/mail.log
>> <snip>
>> Mar 30 05:07:14 mail postfix/smtpd[45236]: lost connection after DATA from unknown[123.28.125.3]
>> Mar 30 05:07:17 mail postfix/smtpd[45244]: lost connection after DATA from unknown[62.32.223.28]
>> Mar 30 05:07:18 mail postfix/smtpd[45240]: lost connection after RCPT from public16037.xdsl.centertel.pl[79.163.62.165]
>> Mar 30 05:07:18 mail postfix/smtpd[45159]: lost connection after RCPT from unknown[218.157.167.131]
>> Mar 30 05:07:20 mail postfix/smtpd[45188]: lost connection after CONNECT from unknown[212.63.221.10]
>> Mar 30 05:07:23 mail postfix/smtpd[45230]: lost connection after RCPT from mproxy01.jheel.bdcom.com[210.4.76.3]
>> Mar 30 05:07:25 mail postfix/smtpd[45229]: lost connection after DATA from unknown[119.15.93.218]
>> Mar 30 05:07:27 mail postfix/smtpd[45237]: lost connection after RCPT from unknown[213.198.111.207]
>
> I believe these are all known spam sources. As a general rule you can ignore
> errors from clients you don't care to receive mail from.
Thank you Noel. That's the answer I was hoping for. I didn't notice any lost
connections from servers that I cared about but wanted to ask here to make sure.

> I see you have zen.spamhaus.org in your config, is it catching anything?
> Several of the above clients are currently listed in zen and should have been
> rejected before DATA. Possibly you've exceeded their query limits and need
> to pay for a feed.

I don't believe so. I changed the postfix logs to roll every 24hrs because they
were rolling too quickly (every hour), so I don't have info further back than
Sun morning at 12:30AM, but looking at the logs it seems unlikely I would have
exceeded 300,000 queries from postfix launch on Friday evening.

I learned about and added reject_unlisted_recipient to
smtpd_recipient_restrictions and also added smtpd_reject_unlisted_sender = yes
around 2AM Sunday morning.

$ grep spamhaus /var/log/mail.log | wc -l
280
$ bzcat /var/log/mail.log.0.bz2 | grep spamhaus | wc -l
205
$ bzcat /var/log/mail.log.[1-5].bz2 | grep spamhaus | wc -l
27163

Other ideas why those clients didn't get rejected before DATA?

Thanks,
-Terry
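The question of which clients reached DATA without ever being rejected by the DNSBL is easier to answer with a small log correlation than with `grep | wc -l`. The script below is an added example, not part of the thread or of Postfix itself. It parses the "lost connection after STAGE from host[ip]" lines quoted above together with Postfix's `NOQUEUE: reject: RCPT ... blocked using <dnsbl>` lines, then reports (a) how many connections were lost at each SMTP stage, (b) which clients got as far as DATA without a DNSBL reject logged for them (the ones to investigate if you expect zen to list them: resolver failures, query limits, or a `reject_rbl_client` placed after a `permit`), and (c) lost connections from hosts that do have reverse DNS, which deserve a second look because legitimate senders usually have rDNS. The sample log embeds the thread's own lines plus two constructed lines with a placeholder address (198.51.100.7) to show what a DNSBL rejection looks like; the exact text of a real reject line also depends on the list's reply.

```python
import re
import sys
from collections import Counter

# Constructed sample log: the "lost connection" lines are the ones quoted in
# the thread; the NOQUEUE reject line and the following lost-connection line
# for 198.51.100.7 are constructed here to show how a DNSBL rejection looks.
SAMPLE_LOG = """\
Mar 30 05:07:14 mail postfix/smtpd[45236]: lost connection after DATA from unknown[123.28.125.3]
Mar 30 05:07:17 mail postfix/smtpd[45244]: lost connection after DATA from unknown[62.32.223.28]
Mar 30 05:07:18 mail postfix/smtpd[45240]: lost connection after RCPT from public16037.xdsl.centertel.pl[79.163.62.165]
Mar 30 05:07:18 mail postfix/smtpd[45159]: lost connection after RCPT from unknown[218.157.167.131]
Mar 30 05:07:20 mail postfix/smtpd[45188]: lost connection after CONNECT from unknown[212.63.221.10]
Mar 30 05:07:23 mail postfix/smtpd[45230]: lost connection after RCPT from mproxy01.jheel.bdcom.com[210.4.76.3]
Mar 30 05:07:25 mail postfix/smtpd[45229]: lost connection after DATA from unknown[119.15.93.218]
Mar 30 05:07:27 mail postfix/smtpd[45237]: lost connection after RCPT from unknown[213.198.111.207]
Mar 30 05:07:30 mail postfix/smtpd[45241]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using zen.spamhaus.org; from=<x@example.net> to=<user@example.com> proto=ESMTP helo=<example.net>
Mar 30 05:07:31 mail postfix/smtpd[45241]: lost connection after RCPT from unknown[198.51.100.7]
"""

# "lost connection after <STAGE> from <hostname>[<ip>]"
LOST_RE = re.compile(
    r'postfix/smtpd\[\d+\]: lost connection after (\w+) from (\S+?)\[([\d.]+)\]')
# "NOQUEUE: reject: RCPT from <hostname>[<ip>]: ... blocked using <dnsbl>;"
RBL_RE = re.compile(
    r'NOQUEUE: reject: RCPT from (\S+?)\[([\d.]+)\]: .*blocked using (\S+?);')


def parse_log(text):
    """Return ([(stage, hostname, ip), ...], {ip: dnsbl_name})."""
    lost = []
    rbl_rejected = {}
    for line in text.splitlines():
        m = LOST_RE.search(line)
        if m:
            lost.append((m.group(1), m.group(2), m.group(3)))
            continue
        m = RBL_RE.search(line)
        if m:
            rbl_rejected[m.group(2)] = m.group(3)
    return lost, rbl_rejected


def summarize(text):
    lost, rbl_rejected = parse_log(text)
    by_stage = Counter(stage for stage, _, _ in lost)
    # Clients that reached DATA with no DNSBL reject logged for their IP.
    # With reject_rbl_client in smtpd_recipient_restrictions a listed client
    # is rejected at RCPT, so these are the ones to check against the list.
    data_without_rbl = sorted({ip for stage, _, ip in lost
                               if stage == 'DATA' and ip not in rbl_rejected})
    # Lost connections from hosts with reverse DNS (not "unknown").
    named_clients = sorted({host for _, host, _ in lost if host != 'unknown'})
    return {
        'by_stage': dict(by_stage),
        'rbl_rejected': rbl_rejected,
        'data_without_rbl_reject': data_without_rbl,
        'named_clients': named_clients,
    }


if __name__ == '__main__':
    # Usage: python lostconn.py < /var/log/mail.log  (or no stdin: sample log)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    report = summarize(text)
    print('lost connections by stage:', report['by_stage'])
    print('DNSBL rejects by IP:', report['rbl_rejected'])
    print('reached DATA, no DNSBL reject:', report['data_without_rbl_reject'])
    print('clients with rDNS:', report['named_clients'])
```

Run it against the rotated logs as well (`bzcat /var/log/mail.log.*.bz2 | python lostconn.py`) so the correlation covers the same window as the `grep spamhaus` counts; a client that appears under "reached DATA, no DNSBL reject" but is listed in zen today may simply not have been listed at connect time, so compare against the timestamps before concluding the lookup failed.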