In response to Noel's followup, here is a proposal that can make
Postfix trouble shooting / anomaly detection easier. This would
reveal information that is currently available only by turning on
verbose logging.
Proposal:
The Postfix SMTP server maintains two counters for each known
command:
Wietse Venema:
Since the stats would be logged at the end of a session, they can
be logged in the disconnect record.
Hello Wietse,
the proposal sounds good. Such intormation could be helpful.
Do you think it should be logged always or only while debugging?
I use to postconf -e
A normal ESMTP session with vrfy:
ehlo=1/1 vrfy=1/1 quit=1/1
An abnormal session that drops after 10 rejected AUTH commands:
ehlo=1/1 auth=0/10
The logging shows only counters for commands that were actually
issued. To save space we could replace n/n (two identical numbers)
On Fri, 11 Jul 2014 16:52:12 -0500
Noel Jones njo...@megan.vbhcs.org wrote:
But there's really only one scenario. The only time postfix logs
that message is when the connection is lost after RCPT. This is
always caused by either A) a poorly written mail engine that
improperly drops the
On 7/11/2014 5:06 PM, Wietse Venema wrote:
I suppose the recipient count could be added to the lost
connection message. That might be modestly useful to the general
user base. Maybe something like:
postfix/smtpd[nnn]: lost connection after RCPT from
test.example.com[192.0.2.100], nrcpt=N
On 12 Jul 2014, at 9:19, D'Arcy J.M. Cain wrote:
I want to ask the question Who connected,
confirmed a valid address and disconnected without sending mail? Is
that an unreasonable question without needing to do stateful log
analysis? It's not that I am a stranger to that sort of log analysis
Noel Jones:
Probably more useful to help identify abuse would be a counter of
valid/total RCPT commands within a session that drops. nrcpt=N/T
where N is valid recipients, T is total RCPT commands. I think
valid/total is easier to explain than valid/rejected, and makes a
pretty fraction
On 7/12/2014 7:09 PM, Wietse Venema wrote:
Noel Jones:
Probably more useful to help identify abuse would be a counter of
valid/total RCPT commands within a session that drops. nrcpt=N/T
where N is valid recipients, T is total RCPT commands. I think
valid/total is easier to explain than
There's a new trick in the spammer's bag of tricks. Companies like
strikeiron and briteverify are springing up promising to verify email
addresses so that senders can limit sending invalid emails to MTAs and
thus wind up on their suspicious sender list. I can't think of a
single legitimate use
Am 11.07.2014 21:02, schrieb D'Arcy J.M. Cain:
There's a new trick in the spammer's bag of tricks. Companies like
strikeiron and briteverify are springing up promising to verify email
addresses so that senders can limit sending invalid emails to MTAs and
thus wind up on their suspicious
On Fri, 11 Jul 2014 21:06:59 +0200
li...@rhsoft.net li...@rhsoft.net wrote:
this message in at least three scenarios that I can see. One,
someone sends email to an invalid address and we reject the balance
of the session. Two, we reject the session because of an RBL.
Three, someone is
Am 11.07.2014 22:16, schrieb D'Arcy J.M. Cain:
On Fri, 11 Jul 2014 21:06:59 +0200
li...@rhsoft.net li...@rhsoft.net wrote:
this message in at least three scenarios that I can see. One,
someone sends email to an invalid address and we reject the balance
of the session. Two, we reject the
On 7/11/2014 3:16 PM, D'Arcy J.M. Cain wrote:
On Fri, 11 Jul 2014 21:06:59 +0200
li...@rhsoft.net li...@rhsoft.net wrote:
this message in at least three scenarios that I can see. One,
someone sends email to an invalid address and we reject the balance
of the session. Two, we reject the
Noel Jones:
[ Charset ISO-8859-1 converted... ]
On 7/11/2014 3:16 PM, D'Arcy J.M. Cain wrote:
On Fri, 11 Jul 2014 21:06:59 +0200
li...@rhsoft.net li...@rhsoft.net wrote:
this message in at least three scenarios that I can see. One,
someone sends email to an invalid address and we reject
On 11 Jul 2014, at 16:16, D'Arcy J.M. Cain wrote:
On Fri, 11 Jul 2014 21:06:59 +0200
li...@rhsoft.net li...@rhsoft.net wrote:
this message in at least three scenarios that I can see. One,
someone sends email to an invalid address and we reject the balance
of the session. Two, we reject the
15 matches
Mail list logo