Tommy Berglund:
> Hey!
> Is there anything I need to change in my configuration of postfix?
> I have in my mail.log file (family server) seen this now.
> Parts of my mail.log file


> Feb 28 23:54:57 server postfix/postscreen[5976]: CONNECT from 
> [81.30.158.145]:32970 to [192.168.2.8]:25
> Feb 28 23:54:57 server postfix/postscreen[5976]: HANGUP after 0 from 
> [81.30.158.145]:32970 in tests before SMTP handshake
> Feb 28 23:54:57 server postfix/postscreen[5976]: DISCONNECT 
> [81.30.158.145]:32970

This SMTP client hangs up as soon as postscreen greets it.

> Feb 28 23:54:58 server postfix/postscreen[5976]: CONNECT from 
> [81.30.158.145]:33238 to [192.168.2.8]:25
> Feb 28 23:55:01 server postfix/postscreen[5976]: HANGUP after 2.1 from 
> [81.30.158.145]:33238 in tests before SMTP handshake
> Feb 28 23:55:01 server postfix/postscreen[5976]: DISCONNECT 
> [81.30.158.145]:33238

Same SMTP client, now it hangs up after 2 seconds.

> Mar  1 00:05:56 server postfix/postscreen[5976]: CONNECT from 
> [81.30.158.145]:31387 to [192.168.2.8]:25
> Mar  1 00:05:58 server postfix/postscreen[5976]: HANGUP after 2 from 
> [81.30.158.145]:31387 in tests before SMTP handshake
> Mar  1 00:05:58 server postfix/postscreen[5976]: DISCONNECT 
> [81.30.158.145]:31387

Again.

> Mar  1 00:05:59 server postfix/postscreen[5976]: CONNECT from 
> [81.30.158.145]:31813 to [192.168.2.8]:25
> Mar  1 00:06:05 server postfix/postscreen[5976]: PASS NEW 
> [81.30.158.145]:31813
> Mar  1 00:06:06 server postfix/smtpd[6961]: warning: hostname 
> real-univers.com does not resolve to address 81.30.158.145: Name or 
> service not known
> Mar  1 00:06:06 server postfix/smtpd[6961]: connect from 
> unknown[81.30.158.145]
> Mar  1 00:06:16 server postfix/smtpd[6961]: lost connection after 
> CONNECT from unknown[81.30.158.145]
> Mar  1 00:06:16 server postfix/smtpd[6961]: disconnect from 
> unknown[81.30.158.145]

The client waits for the full 6-second postscreen greet wait, and
passes postscreen's tests. The IP address resolves to real-univers.com,
but the name real-univers.com does not exist (actually, the DNS
server for real-univers.com replies with SERVFAIL).

> Mar  1 00:06:17 server postfix/postscreen[5976]: CONNECT from 
> [81.30.158.145]:32871 to [192.168.2.8]:25
> Mar  1 00:06:17 server postfix/postscreen[5976]: PASS OLD 
> [81.30.158.145]:32871
> Mar  1 00:06:18 server postfix/smtpd[6961]: warning: hostname 
> real-univers.com does not resolve to address 81.30.158.145: Name or 
> service not known
> Mar  1 00:06:18 server postfix/smtpd[6961]: connect from 
> unknown[81.30.158.145]
> Mar  1 00:06:18 server postfix/smtpd[6961]: lost connection after EHLO 
> from unknown[81.30.158.145]
> Mar  1 00:06:18 server postfix/smtpd[6961]: disconnect from 
> unknown[81.30.158.145]

The SMTP client collects the EHLO response with your SMTP server's
feature set.

> Mar  1 00:25:42 server postfix/smtpd[7063]: disconnect from 
> unknown[81.30.158.145]
> Mar  1 00:25:42 server postfix/postscreen[5976]: CONNECT from 
> [81.30.158.145]:7654 to [192.168.2.8]:25
> Mar  1 00:25:42 server postfix/postscreen[5976]: PASS OLD 
> [81.30.158.145]:7654
> Mar  1 00:25:42 server postfix/smtpd[7063]: warning: hostname 
> real-univers.com does not resolve to address 81.30.158.145: Name or 
> service not known
> Mar  1 00:25:42 server postfix/smtpd[7063]: connect from 
> unknown[81.30.158.145]
> Mar  1 00:25:43 server postfix/smtpd[7063]: NOQUEUE: reject: RCPT from 
> unknown[81.30.158.145]: 554 5.7.1 <t...@gmail.com>: Relay access denied; 
> from=<t...@priv.bahnhof.se> to=<t...@gmail.com> proto=SMTP 
> helo=<vps158145.domain>
> Mar  1 00:25:43 server postfix/smtpd[7063]: lost connection after RCPT 
> from unknown[81.30.158.145]
> Mar  1 00:25:43 server postfix/smtpd[7063]: disconnect from 
> unknown[81.30.158.145]

And now it has done an open relay test. The test failed as it should.

This could be intelligence collection (for evil or good). The client
IP address does not appear to be blacklisted.  It appears to be
near Frankfurt, Germany.

        Wietse
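
The per-client sequence walked through above can be summarised automatically from mail.log; this is an added example, not part of the original message. The sample lines are constructed in the same Postfix log format with placeholder addresses, and the "probing" rule (a denied relay attempt, or drops at two or more SMTP stages) is an assumption for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the same format as the log quoted above (unwrapped);
# 203.0.113.45, 198.51.100.7 and the example.* names are placeholders.
SAMPLE_LOG = """\
Feb 28 23:54:57 server postfix/postscreen[5976]: CONNECT from [203.0.113.45]:32970 to [192.168.2.8]:25
Feb 28 23:54:57 server postfix/postscreen[5976]: HANGUP after 0 from [203.0.113.45]:32970 in tests before SMTP handshake
Mar  1 00:06:05 server postfix/postscreen[5976]: PASS NEW [203.0.113.45]:31813
Mar  1 00:06:16 server postfix/smtpd[6961]: lost connection after CONNECT from unknown[203.0.113.45]
Mar  1 00:06:17 server postfix/postscreen[5976]: PASS OLD [203.0.113.45]:32871
Mar  1 00:06:18 server postfix/smtpd[6961]: lost connection after EHLO from unknown[203.0.113.45]
Mar  1 00:25:43 server postfix/smtpd[7063]: NOQUEUE: reject: RCPT from unknown[203.0.113.45]: 554 5.7.1 <user@example.net>: Relay access denied; from=<user@example.org> to=<user@example.net> proto=SMTP helo=<host.example>
Mar  1 00:25:43 server postfix/smtpd[7063]: lost connection after RCPT from unknown[203.0.113.45]
Mar  1 00:30:00 server postfix/postscreen[5976]: PASS NEW [198.51.100.7]:40000
"""

# One regex per event type seen in the thread; every pattern captures the client IP.
PATTERNS = [
    ("hangup_before_handshake", re.compile(r"postscreen\[\d+\]: HANGUP after \S+ from \[(?P<ip>[^\]]+)\]:\d+ in tests before SMTP handshake")),
    ("pass", re.compile(r"postscreen\[\d+\]: PASS (?:NEW|OLD) \[(?P<ip>[^\]]+)\]:\d+")),
    ("lost_after", re.compile(r"smtpd\[\d+\]: lost connection after (?P<stage>\w+) from [^\[\s]*\[(?P<ip>[^\]]+)\]")),
    ("relay_denied", re.compile(r"smtpd\[\d+\]: NOQUEUE: reject: RCPT from [^\[\s]*\[(?P<ip>[^\]]+)\]: .*Relay access denied")),
]

def summarize(log_text):
    """Count postscreen/smtpd events per client IP."""
    stats = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        for name, rx in PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            stage = m.groupdict().get("stage")
            key = f"{name}:{stage}" if stage else name
            stats[m.group("ip")][key] += 1
            break
    return stats

def probing_clients(stats):
    """Assumed rule: a denied relay attempt, or drops at 2+ distinct SMTP stages."""
    flagged = []
    for ip, counts in stats.items():
        stages = {k for k in counts if k.startswith("lost_after:")}
        if counts.get("relay_denied") or len(stages) >= 2:
            flagged.append(ip)
    return sorted(flagged)

if __name__ == "__main__":
    print(probing_clients(summarize(SAMPLE_LOG)))
```
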
