Unknown Postfix SMTP submission entries in mail.log

RJiH

New Member
Hello,
while reading through the log files I found the following entries in mail.log:
---
Aug 9 13:24:07 myserver postfix/smtpd[10627]: warning: hostname foo does not resolve to address bar: Name or service not known
Aug 9 13:24:07 myserver postfix/smtpd[10627]: connect from unknown[bar]
Aug 9 13:24:07 myserver postfix/smtpd[10627]: Anonymous TLS connection established from unknown[bar]: TLSv1.1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
Aug 9 13:24:07 myserver postfix/smtpd[10627]: lost connection after CONNECT from unknown[bar]
Aug 9 13:24:07 myserver postfix/smtpd[10627]: disconnect from unknown[bar]
Aug 9 13:25:17 myserver dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=bar, lip=lip, TLS, session=<oFqoH98cCwBrljRU>
Aug 9 13:27:27 myserver postfix/anvil[10623]: statistics: max connection rate 1/60s for (smtp:bar) at Aug 9 13:21:39
Aug 9 13:27:27 myserver postfix/anvil[10623]: statistics: max connection count 1 for (smtp:bar) at Aug 9 13:21:39
Aug 9 13:27:27 myserver postfix/anvil[10623]: statistics: max cache size 1 at Aug 9 13:21:39
Aug 9 13:31:10 myserver postfix/smtpd[10631]: name_mask: ipv4
Aug 9 13:31:10 myserver postfix/smtpd[10631]: inet_addr_local: configured 2 IPv4 addresses
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: process generation: 216 (216)
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_string: mynetworks ~? debug_peer_list
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_string: mynetworks ~? fast_flush_domains
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_string: mynetworks ~? mynetworks
---
This is followed by a complete dump of the configuration (including the MySQL database password and user). Further down, the unknown server also connects to the submission port:
---
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: warning: hostname foo does not resolve to address bar: Name or service not known
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: connect from unknown[bar]
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_list_match: unknown: no match
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_list_match: bar: no match
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_list_match: unknown: no match
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_list_match: bar: no match
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: smtp_stream_setup: maxtime=300 enable_deadline=0
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_hostname: unknown ~? 127.0.0.0/8
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_hostaddr: bar ~? 127.0.0.0/8
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_hostname: unknown ~? [::ffff:127.0.0.0]/104
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_hostaddr: bar ~? [::ffff:127.0.0.0]/104
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_hostname: unknown ~? [::1]/128
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_hostaddr: bar ~? [::1]/128
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_list_match: unknown: no match
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_list_match: bar: no match
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: auto_clnt_open: connected to private/anvil
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: send attr request = connect
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: send attr ident = submission:bar
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: private/anvil: wanted attribute: status
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute name: status
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute value: 0
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: private/anvil: wanted attribute: count
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute name: count
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute value: 1
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: private/anvil: wanted attribute: rate
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute name: rate
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute value: 1
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: private/anvil: wanted attribute: (list terminator)
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute name: (end)
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: > unknown[bar]: 220 myserver.localdomain ESMTP Postfix
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: < unknown[bar]: STARTTLS
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: > unknown[bar]: 220 2.0.0 Ready to start TLS
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: send attr request = seed
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: send attr size = 32
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: private/tlsmgr: wanted attribute: status
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute name: status
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute value: 0
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: private/tlsmgr: wanted attribute: seed
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute name: seed
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute value: seedvalue
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: private/tlsmgr: wanted attribute: (list terminator)
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute name: (end)
---
Unfortunately I don't know enough about SMTP submission, and to be on the safe side I wanted to ask you whether anything security-relevant happened here. I also wonder why Postfix prints the complete configuration there?
Incidentally, the unknown server identifies itself as an Internet scanner à la ZMap.

Thanks a lot for your help!

Till

Administrator
Basically, submission does the same thing as port 25; you usually just restrict it to TLS only + SMTP AUTH. That there is so much in the log is probably due to a debug setting that is active only for the submission port. Post your Postfix master.cf.

RJiH

New Member
Here is the content of master.cf:
---
smtp inet n - - - - smtpd
pickup unix n - - 60 1 pickup
  -o content_filter=
  -o receive_override_options=no_header_body_checks
cleanup unix n - - - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
maildrop unix - n n - - pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
amavis unix - - - - 2 smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20
127.0.0.1:10025 inet n - - - - smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

submission inet n - - - - smtpd -v
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps inet n - - - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sasl_security_options=noanonymous,noplaintext
  -o smtpd_sasl_tls_security_options=noanonymous
I'm now setting the log level of the submission port back to normal, thanks for the tip! I hope the master.cf is otherwise configured correctly, too.
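As an added example (not part of this thread and not Postfix's own tooling), the following Python script automates the two checks the thread turns on: it parses a master.cf of the shape posted above and flags smtpd listeners that run with `-v` or whose submission/smtps overrides do not force TLS plus SASL auth with `permit_sasl_authenticated,reject`, and it classifies the clients seen in smtpd log lines like those in the first post (connect-then-drop probes versus SASL credential guessing, plus handshakes below TLS 1.2). The sample master.cf and log excerpt are constructed for the example, the client addresses are RFC 5737 documentation addresses, and the function and variable names are my own.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the master.cf posted above (not the poster's file). A real
# master.cf indents continuation lines; the post lost that, so unindented "-o" lines are accepted.
SAMPLE_MASTER_CF = """\
smtp inet n - - - - smtpd
submission inet n - - - - smtpd -v
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps inet n - - - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""

# Constructed mail.log excerpt modelled on the post; the addresses are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
Aug  9 13:24:07 myserver postfix/smtpd[10627]: connect from unknown[198.51.100.7]
Aug  9 13:24:07 myserver postfix/smtpd[10627]: Anonymous TLS connection established from unknown[198.51.100.7]: TLSv1.1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
Aug  9 13:24:07 myserver postfix/smtpd[10627]: lost connection after CONNECT from unknown[198.51.100.7]
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: connect from unknown[198.51.100.7]
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: lost connection after STARTTLS from unknown[198.51.100.7]
Aug  9 14:02:33 myserver postfix/submission/smtpd[10702]: connect from unknown[203.0.113.9]
Aug  9 14:02:35 myserver postfix/submission/smtpd[10702]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

def parse_master_cf(text):
    """Return one {name, type, command, args, options} dict per master.cf service entry."""
    services = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        f = stripped.split()
        if len(f) >= 8 and f[1] in ("inet", "unix", "fifo", "pass") and not raw[0].isspace():
            services.append({"name": f[0], "type": f[1], "command": f[7], "args": f[8:], "options": {}})
        elif stripped.startswith("-o"):                 # "-o name=value" override for the last service
            name, _, value = stripped[2:].strip().partition("=")
            services[-1]["options"][name] = value
        else:                                           # other continuation, e.g. pipe(8) flags=/argv=
            services[-1]["args"].extend(f)
    return services

def audit_smtpd_services(services):
    """Flag smtpd listeners whose command flags or -o overrides undo the intended hardening."""
    findings = []
    for svc in services:
        if svc["type"] != "inet" or svc["command"] != "smtpd":
            continue
        name, o = svc["name"], svc["options"]
        if "-v" in svc["args"]:
            findings.append((name, "verbose debug logging (-v): full SMTP dialogue and config end up in mail.log"))
        if name in ("submission", "smtps"):
            if o.get("smtpd_tls_security_level") != "encrypt" and o.get("smtpd_tls_wrappermode") != "yes":
                findings.append((name, "TLS not mandatory: need smtpd_tls_security_level=encrypt or smtpd_tls_wrappermode=yes"))
            if o.get("smtpd_sasl_auth_enable") != "yes":
                findings.append((name, "smtpd_sasl_auth_enable is not yes"))
            restr = [r.strip() for r in o.get("smtpd_client_restrictions", "").split(",") if r.strip()]
            if not (restr and restr[0] == "permit_sasl_authenticated" and restr[-1] == "reject"):
                findings.append((name, "smtpd_client_restrictions should be permit_sasl_authenticated,reject"))
    return findings

SMTPD_RE = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \S+ "
                      r"(?P<service>postfix(?:/[\w-]+)?/smtpd)\[\d+\]: (?P<msg>.*)$")
CLIENT_RE = re.compile(r"\S+\[(?P<ip>[0-9a-fA-F.:]+)\]")
WEAK_TLS_RE = re.compile(r": (SSLv3|TLSv1|TLSv1\.1) with cipher")  # anchored so TLSv1.2 never matches

def classify_clients(log_text):
    """Group smtpd lines by client address and label what each client was doing."""
    stats = defaultdict(lambda: {"connects": 0, "lost_early": 0, "auth_failed": 0,
                                 "weak_tls": set(), "services": set()})
    for line in log_text.splitlines():
        m = SMTPD_RE.match(line)
        c = CLIENT_RE.search(m.group("msg")) if m else None
        if not c:
            continue
        msg, s = m.group("msg"), stats[c.group("ip")]
        s["services"].add(m.group("service"))
        if msg.startswith("connect from"):
            s["connects"] += 1
        elif msg.startswith(("lost connection after CONNECT", "lost connection after STARTTLS")):
            s["lost_early"] += 1                        # dropped before HELO/AUTH: banner or TLS probe
        elif "SASL" in msg and "authentication failed" in msg:
            s["auth_failed"] += 1
        s["weak_tls"].update(WEAK_TLS_RE.findall(msg))
    verdicts = {}
    for ip, s in stats.items():
        if s["auth_failed"]:
            verdict = "credential guessing"
        elif s["connects"] and s["lost_early"] == s["connects"]:
            verdict = "scanner-like probe: connects, then drops before HELO/AUTH"
        else:
            verdict = "ordinary client traffic"
        verdicts[ip] = {"verdict": verdict, "weak_tls": sorted(s["weak_tls"]), "services": sorted(s["services"])}
    return verdicts
```

On the sample the audit reports only the `-v` on the submission service, and once that flag is removed it is clean; the log classifier labels the client that hit both port 25 and submission and dropped before HELO/AUTH as a scanner-like probe (with a TLSv1.1 handshake noted), and the one with a SASL failure as credential guessing. Two caveats for anyone reusing this: Postfix itself requires master.cf continuation lines to be indented, which the pasted file has lost, so only the parser here tolerates unindented `-o` lines; and removing `-v` does not undo the dump already written to mail.log, so the MySQL user and password it contained should be treated as exposed to everyone who can read that log or any system it is shipped to.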