On 7/11/2014 5:06 PM, Wietse Venema wrote:
>>
>> I suppose the "recipient count" could be added to the "lost
>> connection" message. That might be modestly useful to the general
>> user base. Maybe something like:
>>
>> postfix/smtpd[nnn]: lost connection after RCPT from
>> test.example.com[192.0.2.100], nrcpt=N
>>
>> But that's just an idea, not a fully thought-out proposal. Feel free
>> to submit a patch.
>
> I wonder, does that include rejected recipients? What about recipients
> in earlier transactions within the same SMTP session? Whatever we
> log would need to be easy to explain.
>
> Wietse

My first thought was a simple "number of valid recipients within this session before it disconnected", similar to the nrcpt counter in the cleanup log entry, or the "recipient count" in the policy service. This seems dirt simple to explain, which is always good. One could use this simple display to look for non-zero events worthy of investigation. Zero count shows a host that was already rejected for some reason and can be ignored.

proposed log:
postfix/smtpd[nnn]: lost connection after RCPT from test.example.com[192.0.2.100], nrcpt=N

Probably more useful to help identify abuse would be a counter of valid/total RCPT commands within a session that drops. nrcpt=N/T where N is valid recipients, T is total RCPT commands. I think valid/total is easier to explain than valid/rejected, and makes a pretty fraction display.

proposed log:
postfix/smtpd[nnn]: lost connection after RCPT from test.example.com[192.0.2.100], nrcpt=N/T

--
Noel Jones
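
Added example, not part of the original message and not Postfix code: a parser for the nrcpt=N/T line as proposed above, summing valid and total RCPT counts per client over dropped sessions to pick out hosts worth investigating. The function names, the thresholds and the sample log lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# The line format as proposed in the message above, not taken from Postfix
# itself. "/T" is optional so the plain nrcpt=N form parses too.
LOST_RE = re.compile(
    r"postfix/smtpd\[\d+\]: lost connection after \S+ from "
    r"\S+\[(?P<ip>[^\]]+)\], nrcpt=(?P<valid>\d+)(?:/(?P<total>\d+))?$"
)

# Constructed sample lines; hosts and addresses are documentation values.
SAMPLE_LOG = """\
Jul 11 17:01:02 mx postfix/smtpd[2101]: lost connection after RCPT from unknown[198.51.100.7], nrcpt=0/1
Jul 11 17:01:09 mx postfix/smtpd[2102]: lost connection after RCPT from test.example.com[192.0.2.100], nrcpt=3/40
Jul 11 17:02:30 mx postfix/smtpd[2107]: lost connection after RCPT from test.example.com[192.0.2.100], nrcpt=2/35
Jul 11 17:03:11 mx postfix/smtpd[2110]: lost connection after DATA from mail.example.net[203.0.113.5], nrcpt=1/1
Jul 11 17:03:40 mx postfix/smtpd[2111]: connect from mail.example.net[203.0.113.5]
"""

def parse_lost(line):
    """Return (ip, valid, total) for a proposed-format line, else None."""
    m = LOST_RE.search(line.strip())
    if not m:
        return None
    valid = int(m["valid"])
    # With the nrcpt=N form the total is not logged; treat it as equal to N.
    total = int(m["total"]) if m["total"] is not None else valid
    if valid > total:  # inconsistent counter, skip the line
        return None
    return m["ip"], valid, total

def suspicious_clients(lines, min_total=10, max_valid_ratio=0.2):
    """Sum N and T per client IP over dropped sessions and return
    {ip: (valid, total)} for clients that sent many RCPT commands of which
    few were accepted. Both thresholds are hypothetical starting points."""
    totals = defaultdict(lambda: [0, 0])
    for line in lines:
        rec = parse_lost(line)
        if rec:
            totals[rec[0]][0] += rec[1]
            totals[rec[0]][1] += rec[2]
    return {ip: (v, t) for ip, (v, t) in totals.items()
            if t >= min_total and v / t <= max_valid_ratio}

if __name__ == "__main__":
    for ip, (v, t) in suspicious_clients(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {v} valid of {t} RCPT commands in dropped sessions")
```

Summing across sessions means a client that spreads its RCPT attempts over several short connections still crosses the threshold.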