Unknown Postfix SMTP submission entries in mail.log

RJiH

New Member
#1
Hello,
while reading through the log files I found the following entries in mail.log:
---
Aug 9 13:24:07 myserver postfix/smtpd[10627]: warning: hostname foo does not resolve to address bar: Name or service not known
Aug 9 13:24:07 myserver postfix/smtpd[10627]: connect from unknown[bar]
Aug 9 13:24:07 myserver postfix/smtpd[10627]: Anonymous TLS connection established from unknown[bar]: TLSv1.1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
Aug 9 13:24:07 myserver postfix/smtpd[10627]: lost connection after CONNECT from unknown[bar]
Aug 9 13:24:07 myserver postfix/smtpd[10627]: disconnect from unknown[bar]
Aug 9 13:25:17 myserver dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=bar, lip=lip, TLS, session=<oFqoH98cCwBrljRU>
Aug 9 13:27:27 myserver postfix/anvil[10623]: statistics: max connection rate 1/60s for (smtp:bar) at Aug 9 13:21:39
Aug 9 13:27:27 myserver postfix/anvil[10623]: statistics: max connection count 1 for (smtp:bar) at Aug 9 13:21:39
Aug 9 13:27:27 myserver postfix/anvil[10623]: statistics: max cache size 1 at Aug 9 13:21:39
Aug 9 13:31:10 myserver postfix/smtpd[10631]: name_mask: ipv4
Aug 9 13:31:10 myserver postfix/smtpd[10631]: inet_addr_local: configured 2 IPv4 addresses
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: process generation: 216 (216)
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_string: mynetworks ~? debug_peer_list
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_string: mynetworks ~? fast_flush_domains
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_string: mynetworks ~? mynetworks
---
This is followed by a complete dump of the configuration (including the MySQL database password and user). Further down, the unknown server also connects to the submission port:
---
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: warning: hostname foo does not resolve to address bar: Name or service not known
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: connect from unknown[bar]
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_list_match: unknown: no match
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_list_match: bar: no match
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_list_match: unknown: no match
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_list_match: bar: no match
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: smtp_stream_setup: maxtime=300 enable_deadline=0
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_hostname: unknown ~? 127.0.0.0/8
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_hostaddr: bar ~? 127.0.0.0/8
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_hostname: unknown ~? [::ffff:127.0.0.0]/104
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_hostaddr: bar ~? [::ffff:127.0.0.0]/104
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_hostname: unknown ~? [::1]/128
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_hostaddr: bar ~? [::1]/128
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_list_match: unknown: no match
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_list_match: bar: no match
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: auto_clnt_open: connected to private/anvil
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: send attr request = connect
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: send attr ident = submission:bar
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: private/anvil: wanted attribute: status
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute name: status
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute value: 0
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: private/anvil: wanted attribute: count
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute name: count
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute value: 1
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: private/anvil: wanted attribute: rate
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute name: rate
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute value: 1
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: private/anvil: wanted attribute: (list terminator)
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute name: (end)
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: > unknown[bar]: 220 myserver.localdomain ESMTP Postfix
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: < unknown[bar]: STARTTLS
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: > unknown[bar]: 220 2.0.0 Ready to start TLS
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: send attr request = seed
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: send attr size = 32
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: private/tlsmgr: wanted attribute: status
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute name: status
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute value: 0
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: private/tlsmgr: wanted attribute: seed
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute name: seed
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute value: seedvalue
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: private/tlsmgr: wanted attribute: (list terminator)
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute name: (end)
---
Unfortunately I don't know enough about SMTP submission and wanted to ask you, just to be safe, whether anything security-relevant happened here. I also wonder why Postfix prints the complete configuration there?
Incidentally, the unknown server identifies itself as an internet scanner à la ZMap.

Thanks a lot for your help!
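Triage of the log excerpt above, as an added example that is not part of the original post: it groups the smtpd events per client address, records whether the client ever sent AUTH, and flags the messages that only appear when smtpd runs with -v (the mode that dumps the whole configuration into mail.log). The sample lines are constructed after the ones in the post; the hostname scan.example and the address 203.0.113.5 are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the thread above; hostname and address are placeholders.
SAMPLE_LOG = """\
Aug  9 13:24:07 myserver postfix/smtpd[10627]: warning: hostname scan.example does not resolve to address 203.0.113.5: Name or service not known
Aug  9 13:24:07 myserver postfix/smtpd[10627]: connect from unknown[203.0.113.5]
Aug  9 13:24:07 myserver postfix/smtpd[10627]: lost connection after CONNECT from unknown[203.0.113.5]
Aug  9 13:24:07 myserver postfix/smtpd[10627]: disconnect from unknown[203.0.113.5]
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: match_string: mynetworks ~? debug_peer_list
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: connect from unknown[203.0.113.5]
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: < unknown[203.0.113.5]: STARTTLS
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: disconnect from unknown[203.0.113.5]
"""
LINE_RE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ (\S+?)(?:\[\d+\])?: (.*)$")
CLIENT_RE = re.compile(r"\S+\[([\d.:a-fA-F]+)\]")
# smtpd emits these only when started with -v; in that mode it also dumps every main.cf
# parameter (database credentials included) into mail.log, which is the leak seen above.
DEBUG_MARKERS = ("match_string:", "match_list_match:", "input attribute", "send attr", "< ", "> ")

def triage(log_text):
    """Per-client view of smtpd activity plus the set of services logging in debug mode."""
    clients = defaultdict(lambda: {"services": set(), "connects": 0, "unresolved": False,
                                   "commands": [], "lost_after_connect": 0})
    debug_services = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m: continue
        service, msg = m.groups()
        if msg.startswith(DEBUG_MARKERS):
            debug_services.add(service)
        um = re.search(r"does not resolve to address (\S+):", msg)
        cm = CLIENT_RE.search(msg)
        if um:
            clients[um.group(1)]["unresolved"] = True   # no forward DNS match, hence "unknown[...]"
        elif cm:
            rec = clients[cm.group(1)]
            rec["services"].add(service)
            if msg.startswith("connect from"):
                rec["connects"] += 1
            elif msg.startswith("lost connection after CONNECT"):
                rec["lost_after_connect"] += 1          # banner grab: client sent no command at all
            elif msg.startswith("< "):                  # command from the client (logged only with -v)
                rec["commands"].append(msg.split(": ", 1)[1].split()[0].upper())
    return dict(clients), debug_services

def verdict(clients, debug_services):
    out = [f"{s}: smtpd -v active, full configuration is written to mail.log" for s in sorted(debug_services)]
    for ip, c in sorted(clients.items()):
        if "AUTH" not in c["commands"]:   # probe that never tried to authenticate
            out.append(f"{ip}: {c['connects']} connection(s) to {', '.join(sorted(c['services']))}, "
                       f"unresolved={c['unresolved']}, commands={c['commands']}, no AUTH")
    return out
```

Run `verdict(*triage(open("/var/log/mail.log").read()))` against a real file; a client that appears with an AUTH command would need a closer look, the one in the sample never got past STARTTLS.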
 

Till

Administrator
#2
In itself, submission does the same as port 25; you usually just restrict it to TLS only + SMTP auth. That there is so much in the log is possibly due to a debug setting that is only active for the submission port. Post your Postfix master.cf.
 
#3
Here are the contents of master.cf:
---
smtp inet n - - - - smtpd
pickup unix n - - 60 1 pickup
  -o content_filter=
  -o receive_override_options=no_header_body_checks
cleanup unix n - - - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
maildrop unix - n n - - pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
amavis unix - - - - 2 smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20
127.0.0.1:10025 inet n - - - - smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

submission inet n - - - - smtpd -v
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps inet n - - - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sasl_security_options=noanonymous,noplaintext
  -o smtpd_sasl_tls_security_options=noanonymous
---
I'm now setting the log level of the submission port back to normal, thanks for the tip! I hope the master.cf is configured correctly as well.
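A small master.cf check, added here as an example and not taken from the thread: it parses the 8-column service lines with their indented `-o` continuation lines, flags any smtpd listener started with `-v` (the setting that produced the configuration dump in mail.log), and checks that submission and smtps force TLS and SASL authentication as the reply above describes. The sample below is a constructed excerpt in the shape of the posted file, not the poster's full master.cf.

```python
import re

# Constructed excerpt shaped like the master.cf posted above (not the poster's full file).
SAMPLE_MASTER_CF = """\
smtp      inet  n  -  -  -  -  smtpd
submission inet n  -  -  -  -  smtpd -v
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n  -  -  -  -  smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""
OPT_RE = re.compile(r"^\s+-o\s+([^=\s]+)=(.*)$")

def parse_master_cf(text):
    """8 fixed columns, then the command's arguments; indented lines continue the previous service."""
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"): continue
        if raw[0].isspace():
            m = OPT_RE.match(raw)
            if m and services:
                services[-1]["options"][m.group(1)] = m.group(2).strip()
            continue
        fields = raw.split()
        if len(fields) < 8: continue
        services.append({"name": fields[0], "type": fields[1], "command": fields[7],
                         "args": fields[8:], "options": {}})
    return services

def audit_master_cf(services):
    """Flag verbose smtpd listeners and submission/smtps entries without TLS + SASL enforcement."""
    findings = []
    for s in services:
        if s["command"] != "smtpd" or s["type"] != "inet": continue
        o = s["options"]
        if any(re.fullmatch(r"-v+", a) for a in s["args"]):
            findings.append(f"{s['name']}: smtpd started with {' '.join(s['args'])}; "
                            "debug mode writes the whole configuration, passwords included, to mail.log")
        if s["name"] in ("submission", "smtps"):
            tls_forced = o.get("smtpd_tls_security_level") == "encrypt" or o.get("smtpd_tls_wrappermode") == "yes"
            if not tls_forced:
                findings.append(f"{s['name']}: TLS not mandatory (smtpd_tls_security_level/wrappermode)")
            if o.get("smtpd_sasl_auth_enable") != "yes":
                findings.append(f"{s['name']}: smtpd_sasl_auth_enable=yes missing")
            if o.get("smtpd_client_restrictions") != "permit_sasl_authenticated,reject":
                findings.append(f"{s['name']}: smtpd_client_restrictions should be permit_sasl_authenticated,reject")
    return findings
```

Against the file posted above it would report the `-v` on the submission line and nothing else for submission and smtps; run it with `audit_master_cf(parse_master_cf(open("/etc/postfix/master.cf").read()))`.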