Wietse Venema <wie...@porcupine.org> wrote:
> Michael Grimm:
>> Apr 23 12:07:45 <mail.info> mail.lan postfix/postscreen[61983]: PREGREET 159 after 0.03 from [1.2.3.4]:58878: \026\003\001\000\232\001\000\000\226\003\0030An';\265\235\335\250\344N,%\233Y\305\226\030tMb\024\b\3
>> Apr 23 12:09:49 <mail.info> mail.lan postfix/postscreen[4271]: PREGREET 159 after 0 from [10.20.30.40]:48872: \026\003\001\000\232\001\000\000\226\003\003\201\202\v\215\240BC\265R\256\200E\275c%\224Dzu\265\375x
>
> Note that these payloads are very different than the crash example that
> you shared earlier.
>
> Now: PREGREET after 159 bytes.
> was: PREGREET after 429 bytes.
>
> So we are not out of the trouble yet.
>
> Other differences (one byte is part of a length field):
>
> Now: \026\003\001\000\232\001\000...
> Was: \026\003\003\001\250\001\000...
>
> Now: logs NON-SMTP COMMAND.
> Was: not?
>
> Can you share complete postscreen logging from other crash logs?

Note that all these crashes have been triggered by the very same 1.2.3.4 client:

Mar 28 01:33:22 <mail.info> mail.lan postfix/postscreen[7179]: CONNECT from [1.2.3.4]:33288 to [10.2.2.1]:25
Mar 28 01:33:22 <mail.info> mail.lan postfix/postscreen[7179]: PREGREET 426 after 0 from [1.2.3.4]:33288: \026\003\003\001\245\001\000\001\241\003\003\037\r\f\371\240\320\2070Q\307\302\3048\241l-=\335\330C\
Mar 28 01:33:22 <mail.info> mail.lan postfix/postscreen[7179]: BARE NEWLINE from [1.2.3.4]:33288 after \026\003\003\001\245\001\000\001\241\003\003\037\r\f\371\240\320\2070Q\307\302\3048\241l-=\335\330C\360$\263\304\271\017\335 \276\035:\361\242 z\236\345\333\257\334_b\324fB\333\a\026`\213\365\225n\321M\036\237
Mar 28 01:33:22 <mail.info> mail.lan postfix/tlsproxy[7185]: DISCONNECT [1.2.3.4]:58978
Mar 28 01:33:22 <mail.warn> mail.lan postfix/master[78392]: warning: process /usr/local/libexec/postfix/postscreen pid 7179 killed by signal 11
Mar 28 01:33:23 <mail.info> mail.lan postfix/postscreen[7186]: CONNECT from [1.2.3.4]:33850 to [10.2.2.1]:25
Mar 28 01:33:23 <mail.info> mail.lan postfix/postscreen[7186]: PREGREET 426 after 0 from [1.2.3.4]:33850: \026\003\003\001\245\001\000\001\241\003\003\373\006\377M\207\200B\027[\264\002X+\370\312\vt\037YB\2
Mar 28 01:33:23 <mail.info> mail.lan postfix/dnsblog[7180]: addr 1.2.3.4 listed by domain zen.spamhaus.org as 127.0.0.4
Mar 28 01:33:23 <mail.info> mail.lan postfix/postscreen[7186]: BARE NEWLINE from [1.2.3.4]:33850 after \026\003\003\001\245\001\000\001\241\003\003\373\006\377M\207\200B\027[\264\002X+\370\312\vt\037YB\225Q\344\020Q,L\243\020\230\305\337 \357\3613\277\2115\227\2266\320h*\003B\256\276\330\2752\035\002Q\271\265}\027\342;\246\367H\301\000\212\000\005\000\004\000\a\000\300\000\204\000\272\000A\000\235\300\241\300\235\000=
Mar 28 01:33:23 <mail.warn> mail.lan postfix/master[78392]: warning: process /usr/local/libexec/postfix/postscreen pid 7186 killed by signal 11
Mar 28 01:33:23 <mail.info> mail.lan postfix/postscreen[7187]: CONNECT from [1.2.3.4]:34124 to [10.2.2.1]:25
Mar 28 01:33:23 <mail.info> mail.lan postfix/dnsblog[7180]: addr 1.2.3.4 listed by domain zen.spamhaus.org as 127.0.0.4
Mar 28 01:33:23 <mail.info> mail.lan postfix/postscreen[7187]: PREGREET 347 after 0 from [1.2.3.4]:34124: \026\003\003\001V\001\000\001R\003\003v\006\322;\005\233]'\005CF\265P\210\314\vc#sq\341\366\241|\343
Mar 28 01:33:23 <mail.info> mail.lan postfix/postscreen[7187]: BARE NEWLINE from [1.2.3.4]:34124 after \026\003\003\001V\001\000\001R\003\003v\006\322;\005\233]'\005CF\265P\210\314\vc#sq\341\366\241|\343\360~\232\3707\302\246 \345.\376/Z\342\260\023\370\341\314\324\327\371\365\030\262\203\273\017\034\325\340)\315\177\261\356\315u\244\224\000F\300\022\300\a\314\024\023\001\023\002\314\251\300s\300r\300,\300\257\300\255
Mar 28 01:33:23 <mail.warn> mail.lan postfix/master[78392]: warning: process /usr/local/libexec/postfix/postscreen pid 7187 killed by signal 11
Mar 28 01:33:23 <mail.info> mail.lan postfix/postscreen[7188]: CONNECT from [1.2.3.4]:34386 to [10.2.2.1]:25
Mar 28 01:33:23 <mail.info> mail.lan postfix/postscreen[7188]: PREGREET 333 after 0 from [1.2.3.4]:34386: \026\003\003\001H\001\000\001D\003\003|"\365\252\311\330\315vtr\021\316A.\023M\234\321\274\263\350\2
Mar 28 01:33:23 <mail.info> mail.lan postfix/dnsblog[7181]: addr 1.2.3.4 listed by domain zen.spamhaus.org as 127.0.0.4
Mar 28 01:33:23 <mail.info> mail.lan postfix/postscreen[7188]: BARE NEWLINE from [1.2.3.4]:34386 after \026\003\003\001H\001\000\001D\003\003|"\365\252\311\330\315vtr\021\316A.\023M\234\321\274\263\350\237C\027\347m\177#n\\_\304 \243 \213\303\217S+S\362\352x\203L\\\230\301R\205\333\3502\224\\w3\030\227\272\363s\237\f\000D\300\023\300'\300/\300\024\300(\3000\300`\300a\300v\300w\314\250
Mar 28 01:33:23 <mail.warn> mail.lan postfix/master[78392]: warning: process /usr/local/libexec/postfix/postscreen pid 7188 killed by signal 11
Mar 28 01:33:23 <mail.info> mail.lan postfix/postscreen[7189]: CONNECT from [1.2.3.4]:34506 to [10.2.2.1]:25
Mar 28 01:33:23 <mail.info> mail.lan postfix/dnsblog[7183]: addr 1.2.3.4 listed by domain zen.spamhaus.org as 127.0.0.4
Mar 28 01:33:23 <mail.info> mail.lan postfix/postscreen[7189]: PREGREET 414 after 0.05 from [1.2.3.4]:34506: \026\003\003\001\231\001\000\001\225\003\003\265r\316[\266q\245M\aN7\036v\000\340\245\031SV\366\200\
Mar 28 01:33:23 <mail.info> mail.lan postfix/postscreen[7189]: BARE NEWLINE from [1.2.3.4]:34506 after \026\003\003\001\231\001\000\001\225\003\003\265r\316[\266q\245M\aN7\036v\000\340\245\031SV\366\200\265\315
Mar 28 01:33:23 <mail.warn> mail.lan postfix/master[78392]: warning: process /usr/local/libexec/postfix/postscreen pid 7189 killed by signal 11
Mar 28 01:33:24 <mail.info> mail.lan postfix/postscreen[7190]: CONNECT from [1.2.3.4]:34644 to [10.2.2.1]:25
Mar 28 01:33:24 <mail.info> mail.lan postfix/dnsblog[7182]: addr 1.2.3.4 listed by domain zen.spamhaus.org as 127.0.0.4
Mar 28 01:33:24 <mail.info> mail.lan postfix/postscreen[7190]: PREGREET 415 after 0 from [1.2.3.4]:34644: \026\003\002\001\232\001\000\001\226\003\002$\262\t\253\301\214+.H\376\310GW\214s\354\006}-\302\346r
Mar 28 01:33:24 <mail.info> mail.lan postfix/postscreen[7190]: BARE NEWLINE from [1.2.3.4]:34644 after \026\003\002\001\232\001\000\001\226\003\002$\262\t\253\301\214+.H\376\310GW\214s\354\006}-\302\346r 6\363\345\302\333\027\360\255\377 \215\002\321\336]\314\027\337iX\004\005\357\256\352\301\377\036\030\22121$\213\t*\026\242\237\274\370-\000\212\000\026\0003\000g\300\236\300\242\000\236\0009\000k\300\237\300\243\000\237
Mar 28 01:33:24 <mail.warn> mail.lan postfix/master[78392]: warning: process /usr/local/libexec/postfix/postscreen pid 7190 killed by signal 11
Mar 28 01:33:24 <mail.info> mail.lan postfix/postscreen[7191]: CONNECT from [1.2.3.4]:34772 to [10.2.2.1]:25
Mar 28 01:33:24 <mail.info> mail.lan postfix/dnsblog[7180]: addr 1.2.3.4 listed by domain zen.spamhaus.org as 127.0.0.4
Mar 28 01:33:24 <mail.info> mail.lan postfix/postscreen[7191]: PREGREET 428 after 0.02 from [1.2.3.4]:34772: \026\003\001\001\247\001\000\001\243\003\003\fqT\017\227o\333u\245\313\257\316\314P\270fw\034ue\343%
Mar 28 01:33:24 <mail.info> mail.lan postfix/postscreen[7191]: BARE NEWLINE from [1.2.3.4]:34772 after \026\003\001\001\247\001\000\001\243\003\003\fqT\017\227o\333u\245\313\257\316\314P\270fw\034ue\343%\351\247\310\322!\236\037\270\234] br\222\355p-\340&c\372EE\335\374S\274\261\362\327\005\243\242\001\267\224\237\267`\307\352\370!\000\212\000\026\0003\000g\300\236\300\242\000\236\0009\000k\300\237\300\243\000\237
Mar 28 01:33:24 <mail.warn> mail.lan postfix/master[78392]: warning: process /usr/local/libexec/postfix/postscreen pid 7191 killed by signal 11
Mar 28 01:33:24 <mail.info> mail.lan postfix/postscreen[7192]: CONNECT from [1.2.3.4]:34874 to [10.2.2.1]:25
Mar 28 01:33:24 <mail.info> mail.lan postfix/dnsblog[7182]: addr 1.2.3.4 listed by domain zen.spamhaus.org as 127.0.0.4
Mar 28 01:33:24 <mail.info> mail.lan postfix/postscreen[7192]: PREGREET 428 after 0 from [1.2.3.4]:34874: \026\003\001\001\247\001\000\001\243\003\003\353I>\376\017\033\020:\000\303\332\034\266\235\216\031\
Mar 28 01:33:24 <mail.info> mail.lan postfix/postscreen[7192]: BARE NEWLINE from [1.2.3.4]:34874 after \026\003\001\001\247\001\000\001\243\003\003\353I>\376\017\033\020:\000\303\332\034\266\235\216\031\\\200\332\207\253\017_:\363K/H\027\237V\b \3537<\234\201\222\346(\277\272\337b|\260~0\234\264v\246\356\023\032\272\205\266\337\235@\321V7\000\212\000\005\000\004\000\a\000\300\000\204\000\272\000A\000\235\300\241\300\235\000=
Mar 28 01:33:24 <mail.warn> mail.lan postfix/master[78392]: warning: process /usr/local/libexec/postfix/postscreen pid 7192 killed by signal 11
Mar 28 01:33:24 <mail.info> mail.lan postfix/postscreen[7193]: CONNECT from [1.2.3.4]:34980 to [10.2.2.1]:25
Mar 28 01:33:24 <mail.info> mail.lan postfix/postscreen[7193]: PREGREET 418 after 0 from [1.2.3.4]:34980: \026\003\001\001\235\001\000\001\231\003\003\306\376\346\031\035\0372k\340\356\252\330L!\264;\251\22
Mar 28 01:33:24 <mail.info> mail.lan postfix/dnsblog[7184]: addr 1.2.3.4 listed by domain zen.spamhaus.org as 127.0.0.4
Mar 28 01:33:24 <mail.info> mail.lan postfix/postscreen[7193]: BARE NEWLINE from [1.2.3.4]:34980 after \026\003\001\001\235\001\000\001\231\003\003\306\376\346\031\035\0372k\340\356\252\330L!\264;\251\221I[\363P\241%\362w\004I\033\360\363w N\206~;\302\274\326\021&>7cOf\217\361>\036`\373F\344\035<\211\217\225,\0040\275)\000\200\000\026\0003\000g\300\236\300\242\000\236\0009\000k\300\237\300\243\000\237
Mar 28 01:33:24 <mail.warn> mail.lan postfix/master[78392]: warning: process /usr/local/libexec/postfix/postscreen pid 7193 killed by signal 11
Mar 28 01:33:24 <mail.info> mail.lan postfix/postscreen[7194]: CONNECT from [1.2.3.4]:35048 to [10.2.2.1]:25
Mar 28 01:33:24 <mail.info> mail.lan postfix/postscreen[7194]: PREGREET 441 after 0 from [1.2.3.4]:35048: \026\003\001\001\264\001\000\001\260\003\003W\rP7\361i\204Cy>\3400/k\034\360?\234u]\334\344\347\t\30
Mar 28 01:33:24 <mail.info> mail.lan postfix/dnsblog[7182]: addr 1.2.3.4 listed by domain zen.spamhaus.org as 127.0.0.4
Mar 28 01:33:24 <mail.info> mail.lan postfix/postscreen[7194]: BARE NEWLINE from [1.2.3.4]:35048 after \026\003\001\001\264\001\000\001\260\003\003W\rP7\361i\204Cy>\3400/k\034\360?\234u]\334\344\347\t\305\227\332oG)1\211 \305;\216\223\212\212f\v!\223D`\225\3614a'\213\303g\t\v7\3040kY\3433\240\235O\000\214
Mar 28 01:33:24 <mail.warn> mail.lan postfix/master[78392]: warning: process /usr/local/libexec/postfix/postscreen pid 7194 killed by signal 11

HTH and hope that these log file entries are what you asked for.

Regards,
Michael
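
Added example (not part of either message above, and not Postfix code): a log-triage sketch that decodes the escaped PREGREET payload, reads its first bytes as a TLS record header (the 16-bit length there is the "length field" mentioned in the quoted reply), and checks whether the logged byte count is exactly one record. The function names, the sample lines (thread lines cut to 11 payload bytes, plus one invented SMTP line) and the assumed escape format are constructions for this example.

```python
import re

# Constructed sample: PREGREET lines from this thread cut to their first 11
# payload bytes, plus one invented plain-SMTP line from 192.0.2.7.
SAMPLE_LOG = r"""
Apr 23 12:07:45 <mail.info> mail.lan postfix/postscreen[61983]: PREGREET 159 after 0.03 from [1.2.3.4]:58878: \026\003\001\000\232\001\000\000\226\003\003
Mar 28 01:33:22 <mail.info> mail.lan postfix/postscreen[7179]: PREGREET 426 after 0 from [1.2.3.4]:33288: \026\003\003\001\245\001\000\001\241\003\003
Mar 28 01:33:24 <mail.info> mail.lan postfix/postscreen[7190]: PREGREET 415 after 0 from [1.2.3.4]:34644: \026\003\002\001\232\001\000\001\226\003\002
Mar 28 01:40:00 <mail.info> mail.lan postfix/postscreen[7200]: PREGREET 11 after 0.1 from [192.0.2.7]:40000: EHLO test\r\n
"""

# Assumption: the log escaping is \ooo (three octal digits) plus C-style short
# escapes, which is what the lines quoted in the thread show.
SHORT = {"a": 7, "b": 8, "t": 9, "n": 10, "v": 11, "f": 12, "r": 13, "\\": 92}
TOKEN = re.compile(r"\\([0-3][0-7]{2})|\\([abtnvfr\\])|(.)", re.S)
PREGREET = re.compile(r"postscreen\[\d+\]: PREGREET (\d+) after \S+ from \[([^\]]+)\]:\d+: (.*)$")

def unescape(text):
    """Turn the escaped payload text from a log line back into raw bytes."""
    out = bytearray()
    for octal, short, literal in TOKEN.findall(text):
        if octal:
            out.append(int(octal, 8))
        elif short:
            out.append(SHORT[short])
        else:
            out += literal.encode("latin-1", "replace")
    return bytes(out)

def tls_record(payload):
    """Return (minor_version, record_length, is_client_hello), or None if not a TLS handshake record."""
    if len(payload) < 6 or payload[0] != 0x16 or payload[1] != 0x03:
        return None
    return payload[2], int.from_bytes(payload[3:5], "big"), payload[5] == 0x01

def triage(log_text):
    """For each PREGREET line, report whether the byte count is exactly one TLS record."""
    rows = []
    for line in log_text.splitlines():
        m = PREGREET.search(line)
        if not m:
            continue
        count, client = int(m.group(1)), m.group(2)
        rec = tls_record(unescape(m.group(3)))
        # A 5-byte record header plus record_length bytes is one complete record.
        rows.append((client, count, rec, rec is not None and count == 5 + rec[1]))
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

For the three thread lines the logged count equals the record length plus the 5-byte header (154 + 5 = 159, 421 + 5 = 426, 410 + 5 = 415), so each PREGREET payload is one complete ClientHello record sent before the server greeting.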