Unknown Postfix SMTP submission entries in mail.log

This topic in the "Server Administration" forum was created by RJiH, 9 Aug 2015.

  1. RJiH

    RJiH New Member

    Hello,
    while reading through the log files I found the following entries in mail.log:
    ---
    Aug 9 13:24:07 myserver postfix/smtpd[10627]: warning: hostname foo does not resolve to address bar: Name or service not known
    Aug 9 13:24:07 myserver postfix/smtpd[10627]: connect from unknown[bar]
    Aug 9 13:24:07 myserver postfix/smtpd[10627]: Anonymous TLS connection established from unknown[bar]: TLSv1.1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
    Aug 9 13:24:07 myserver postfix/smtpd[10627]: lost connection after CONNECT from unknown[bar]
    Aug 9 13:24:07 myserver postfix/smtpd[10627]: disconnect from unknown[bar]
    Aug 9 13:25:17 myserver dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=bar, lip=lip, TLS, session=<oFqoH98cCwBrljRU>
    Aug 9 13:27:27 myserver postfix/anvil[10623]: statistics: max connection rate 1/60s for (smtp:bar) at Aug 9 13:21:39
    Aug 9 13:27:27 myserver postfix/anvil[10623]: statistics: max connection count 1 for (smtp:bar) at Aug 9 13:21:39
    Aug 9 13:27:27 myserver postfix/anvil[10623]: statistics: max cache size 1 at Aug 9 13:21:39
    Aug 9 13:31:10 myserver postfix/smtpd[10631]: name_mask: ipv4
    Aug 9 13:31:10 myserver postfix/smtpd[10631]: inet_addr_local: configured 2 IPv4 addresses
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: process generation: 216 (216)
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_string: mynetworks ~? debug_peer_list
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_string: mynetworks ~? fast_flush_domains
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_string: mynetworks ~? mynetworks
    ---
    This is followed by a complete dump of the configuration (including the MySQL database password and user). Further down, the unknown server also connects to the submission port:
    ---
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: warning: hostname foo does not resolve to address bar: Name or service not known
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: connect from unknown[bar]
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_list_match: unknown: no match
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_list_match: bar: no match
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_list_match: unknown: no match
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_list_match: bar: no match
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: smtp_stream_setup: maxtime=300 enable_deadline=0
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_hostname: unknown ~? 127.0.0.0/8
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_hostaddr: bar ~? 127.0.0.0/8
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_hostname: unknown ~? [::ffff:127.0.0.0]/104
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_hostaddr: bar ~? [::ffff:127.0.0.0]/104
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_hostname: unknown ~? [::1]/128
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_hostaddr: bar ~? [::1]/128
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_list_match: unknown: no match
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_list_match: bar: no match
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: auto_clnt_open: connected to private/anvil
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: send attr request = connect
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: send attr ident = submission:bar
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: private/anvil: wanted attribute: status
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute name: status
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute value: 0
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: private/anvil: wanted attribute: count
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute name: count
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute value: 1
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: private/anvil: wanted attribute: rate
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute name: rate
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute value: 1
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: private/anvil: wanted attribute: (list terminator)
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute name: (end)
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: > unknown[bar]: 220 myserver.localdomain ESMTP Postfix
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: < unknown[bar]: STARTTLS
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: > unknown[bar]: 220 2.0.0 Ready to start TLS
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: send attr request = seed
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: send attr size = 32
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: private/tlsmgr: wanted attribute: status
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute name: status
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute value: 0
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: private/tlsmgr: wanted attribute: seed
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute name: seed
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute value: seedvalue
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: private/tlsmgr: wanted attribute: (list terminator)
    Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute name: (end)
    ---
    Unfortunately I don't know enough about SMTP submission, and to be on the safe side I wanted to ask you whether anything security-relevant happened here. I also wonder why Postfix prints the complete configuration there?
    Incidentally, the unknown server identifies itself as an internet scanner à la ZMap.

    Many thanks for your help!
     
  2. Till

    Till Administrator

    Basically, submission does the same thing as port 25; it is usually just restricted to TLS only + SMTP auth. The large amount of log output is possibly due to a debug setting that is only active for the submission port. Please post your Postfix master.cf.
     
  3. RJiH

    RJiH New Member

    Here is the content of master.cf:
    ---
    smtp inet n - - - - smtpd
    pickup unix n - - 60 1 pickup
    -o content_filter=
    -o receive_override_options=no_header_body_checks
    cleanup unix n - - - 0 cleanup
    qmgr unix n - n 300 1 qmgr
    tlsmgr unix - - - 1000? 1 tlsmgr
    rewrite unix - - - - - trivial-rewrite
    bounce unix - - - - 0 bounce
    defer unix - - - - 0 bounce
    trace unix - - - - 0 bounce
    verify unix - - - - 1 verify
    flush unix n - - 1000? 0 flush
    proxymap unix - - n - - proxymap
    proxywrite unix - - n - 1 proxymap
    smtp unix - - - - - smtp
    relay unix - - - - - smtp
    showq unix n - - - - showq
    error unix - - - - - error
    retry unix - - - - - error
    discard unix - - - - - discard
    local unix - n n - - local
    virtual unix - n n - - virtual
    lmtp unix - - - - - lmtp
    anvil unix - - - - 1 anvil
    scache unix - - - - 1 scache
    maildrop unix - n n - - pipe
    flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
    uucp unix - n n - - pipe
    flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
    ifmail unix - n n - - pipe
    flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
    bsmtp unix - n n - - pipe
    flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
    scalemail-backend unix - n n - 2 pipe
    flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
    mailman unix - n n - - pipe
    flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
    ${nexthop} ${user}
    amavis unix - - - - 2 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
    127.0.0.1:10025 inet n - - - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

    submission inet n - - - - smtpd -v
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=private/auth
    -o smtpd_sasl_security_options=noanonymous
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    smtps inet n - - - - smtpd
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_tls_auth_only=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_sasl_security_options=noanonymous,noplaintext
    -o smtpd_sasl_tls_security_options=noanonymous
    ---
    I'm now setting the log level of the submission port back to normal, thanks for the tip! I hope the master.cf is configured correctly too.
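As an added example (not code from the thread or from Postfix itself), here is a small Python audit script that parses a master.cf and flags the two points raised in this thread: a leftover `-v` debug flag on a service (which, as the first post shows, makes smtpd log its whole configuration, map credentials included) and a submission or smtps service that is not restricted to TLS-only plus SASL authentication. The helpers `parse_master_cf` and `audit_services`, the sets of checked services and flags, and the sample excerpt are all assumptions of this example; the excerpt is constructed from the submission and smtps entries posted above, and the parser tolerates the lost indentation of a pasted copy.

```python
"""Audit a Postfix master.cf for leftover debug flags and weak submission/smtps settings.

Added example, not from the thread or from Postfix: parse_master_cf and audit_services
are hypothetical helpers, and SAMPLE_MASTER_CF is a constructed excerpt.
"""
from dataclasses import dataclass, field

SERVICE_TYPES = {"inet", "unix", "fifo", "pass"}
DEBUG_FLAGS = {"-v", "-D"}            # verbose / debugger flags on a service command line
AUTH_PORTS = {"submission", "smtps"}  # services expected to be TLS-only + SASL (assumption)

# Constructed excerpt, modelled on the master.cf posted in the thread.
SAMPLE_MASTER_CF = """\
smtp inet n - - - - smtpd
submission inet n - - - - smtpd -v
 -o syslog_name=postfix/submission
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_type=dovecot
 -o smtpd_sasl_path=private/auth
 -o smtpd_sasl_security_options=noanonymous
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps inet n - - - - smtpd
 -o smtpd_tls_wrappermode=yes
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_tls_auth_only=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 -o smtpd_sasl_security_options=noanonymous,noplaintext
 -o smtpd_sasl_tls_security_options=noanonymous
"""


@dataclass
class Service:
    name: str
    stype: str
    args: list = field(default_factory=list)     # command and its non "-o" arguments
    options: dict = field(default_factory=dict)  # "-o name=value" overrides


def _absorb(svc, tokens):
    """Split a token list into -o overrides and plain command arguments."""
    i = 0
    while i < len(tokens):
        if tokens[i] == "-o" and i + 1 < len(tokens):
            name, _, value = tokens[i + 1].partition("=")
            svc.options[name] = value
            i += 2
        else:
            svc.args.append(tokens[i])
            i += 1


def parse_master_cf(text):
    """Parse master.cf text. A service line has at least 8 fields with a valid type in
    field 2; any other non-comment line (indented or not, as in a pasted copy)
    continues the current service."""
    services, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) >= 8 and fields[1] in SERVICE_TYPES:
            current = Service(name=fields[0], stype=fields[1])
            _absorb(current, fields[7:])
            services.append(current)
        elif current is not None:
            _absorb(current, fields)
    return services


def audit_services(services):
    """Return (service name, finding) pairs for debug flags and missing hardening."""
    findings = []
    for svc in services:
        if DEBUG_FLAGS & set(svc.args):
            findings.append((svc.name, "debug flag set: verbose logging writes the full "
                                       "configuration, map credentials included, to mail.log"))
        if svc.name not in AUTH_PORTS:
            continue
        o = svc.options
        tls_only = (o.get("smtpd_tls_security_level") == "encrypt"
                    or o.get("smtpd_tls_wrappermode") == "yes")
        if not tls_only:
            findings.append((svc.name, "not TLS-only: set smtpd_tls_security_level=encrypt "
                                       "(or smtpd_tls_wrappermode=yes for smtps)"))
        if o.get("smtpd_sasl_auth_enable") != "yes":
            findings.append((svc.name, "SASL authentication not enabled"))
        restr = [r.strip() for r in o.get("smtpd_client_restrictions", "").split(",") if r.strip()]
        if "permit_sasl_authenticated" not in restr or "reject" not in restr:
            findings.append((svc.name, "smtpd_client_restrictions should be "
                                       "permit_sasl_authenticated,reject"))
    return findings


if __name__ == "__main__":
    # On a live system: audit_services(parse_master_cf(open("/etc/postfix/master.cf").read()))
    for name, msg in audit_services(parse_master_cf(SAMPLE_MASTER_CF)):
        print(f"{name}: {msg}")
```

On the posted configuration the only finding is the `-v` on the submission line; the TLS and SASL settings of both submission and smtps pass. After removing the flag, `postfix reload` picks up the change, and the mail.log entries containing the dumped configuration should be treated as containing the MySQL map credentials.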
     
