In response to Noel's followup, here is a proposal that can make
Postfix troubleshooting / anomaly detection easier. This would
reveal information that is currently available only by turning on
verbose logging.
Proposal:
The Postfix SMTP server maintains two counters for each known
command:
Wietse Venema:
Since the stats would be logged at the end of a session, they can
be logged in the disconnect record.
Hello Wietse,
the proposal sounds good. Such information could be helpful.
Do you think it should be logged always or only while debugging?
I use to postconf -e
A normal ESMTP session with vrfy:
ehlo=1/1 vrfy=1/1 quit=1/1
An abnormal session that drops after 10 rejected AUTH commands:
ehlo=1/1 auth=0/10
The logging shows only counters for commands that were actually
issued. To save space we could replace n/n (two identical numbers)
On Fri, 11 Jul 2014 16:52:12 -0500
Noel Jones njo...@megan.vbhcs.org wrote:
But there's really only one scenario. The only time postfix logs
that message is when the connection is lost after RCPT. This is
always caused by either A) a poorly written mail engine that
improperly drops the
On 7/11/2014 5:06 PM, Wietse Venema wrote:
I suppose the recipient count could be added to the lost
connection message. That might be modestly useful to the general
user base. Maybe something like:
postfix/smtpd[nnn]: lost connection after RCPT from
test.example.com[192.0.2.100], nrcpt=N
On 12 Jul 2014, at 9:19, D'Arcy J.M. Cain wrote:
I want to ask the question Who connected,
confirmed a valid address and disconnected without sending mail? Is
that an unreasonable question without needing to do stateful log
analysis? It's not that I am a stranger to that sort of log analysis
display.
proposed log:
postfix/smtpd[nnn]: lost connection after RCPT from
test.example.com[192.0.2.100], nrcpt=N/T
[I am making an exception to respond on-list to known people.]
Interesting idea, but why not log these numbers with the disconnect
event? This is logged for all SMTP sessions
valid/rejected, and makes a
pretty fraction display.
proposed log:
postfix/smtpd[nnn]: lost connection after RCPT from
test.example.com[192.0.2.100], nrcpt=N/T
[I am making an exception to respond on-list to known people.]
Interesting idea, but why not log these numbers with the disconnect
There's a new trick in the spammer's bag of tricks. Companies like
strikeiron and briteverify are springing up promising to verify email
addresses so that senders can limit sending invalid emails to MTAs and
thus wind up on their suspicious sender list. I can't think of a
single legitimate use
especially if I only take note once the sender
passes some reasonable threshold
you did not provide any log but lost connection after RCPT
means the client did not quit the smtp session properly and
so the client is broken
* client connects
* client sends SMTP commands
* postfix answers with the REJECT
is probing to find out if an address is valid. I
you did not provide any log but lost connection after RCPT
means the client did not quit the smtp session properly and
so the client is broken
Are you sure that you read my message? That's only one of the three
scenarios that generates that log
the session because of an RBL.
Three, someone is probing to find out if an address is valid. I
you did not provide any log but lost connection after RCPT
means the client did not quit the smtp session properly and
so the client is broken
Are you sure that you read my message? That's only one
the session because of an RBL.
Three, someone is probing to find out if an address is valid. I
you did not provide any log but lost connection after RCPT
means the client did not quit the smtp session properly and
so the client is broken
Are you sure that you read my message? That's only one
the balance
of the session. Two, we reject the session because of an RBL.
Three, someone is probing to find out if an address is valid. I
you did not provide any log but lost connection after RCPT
means the client did not quit the smtp session properly and
so the client is broken
the session because of an RBL.
Three, someone is probing to find out if an address is valid. I
you did not provide any log but lost connection after RCPT
means the client did not quit the smtp session properly and
so the client is broken
Are you sure that you read my message? That's only one
connection after RCPT from ..ZZ
are you sure it's from local servers? not clients?
try to tcpdump to see if the connection termination comes from host or
other source.
tcpdump -X -i input_interface host Host_ip_address
to get some network information
Regards,
Eliezer
I keep searching
I run postfix server on ubuntu box for more than a year.
I use amavis-new for spam filtering.
After inspecting the log files I've noticed that, for a few mail servers
that try to send mails locally, there is a connection lost with message:
lost connection after RCPT from ..ZZ
I keep
We recently (within the last two weeks) started getting a very large
number of logs like this:
postfix/smtpd[29456]: lost connection after RCPT from
cel-broadband1-ws-72.dsl.airstreamcomm.net[64.33.198.73]
After doing packet traces it appears that the client is sending RST
packets to our server
On 2011-08-08 23:15, l...@airstreamcomm.net wrote:
We recently (within the last two weeks) started getting a very large
number of logs like this:
postfix/smtpd[29456]: lost connection after RCPT from
cel-broadband1-ws-72.dsl.airstreamcomm.net[64.33.198.73]
After doing packet traces it appears
On 8/8/2011 4:15 PM, l...@airstreamcomm.net wrote:
We recently (within the last two weeks) started getting a very large
number of logs like this:
postfix/smtpd[29456]: lost connection after RCPT from
cel-broadband1-ws-72.dsl.airstreamcomm.net[64.33.198.73]
After doing packet traces
On Mon, 08 Aug 2011 16:41:59 -0500, Noel Jones njo...@megan.vbhcs.org
wrote:
On 8/8/2011 4:15 PM, l...@airstreamcomm.net wrote:
We recently (within the last two weeks) started getting a very large
number of logs like this:
postfix/smtpd[29456]: lost connection after RCPT from
cel-broadband1
21 matches