查看我的邮件服务器上的日志,我注意到如下消息:
Nov 29 12:09:38 mta postfix/smtpd[8362]: connect from unknown[183.13.165.14]
Nov 29 12:09:39 mta postfix/smtpd[8362]: lost connection after AUTH from unknown[183.13.165.14]
Nov 29 12:09:39 mta postfix/smtpd[8362]: disconnect from unknown[183.13.165.14]
Nov 29 12:09:39 mta postfix/smtpd[8409]: connect from unknown[183.13.165.14]
Nov 29 12:09:40 mta postfix/smtpd[8409]: lost connection after AUTH from unknown[183.13.165.14]
Nov 29 12:09:40 mta postfix/smtpd[8409]: disconnect from unknown[183.13.165.14]
在这些情况下,没有 SASL 故障。其他时候会记录 SASL 故障,但从不会记录lost connection after AUTH。
这是怎么回事?我应该做些什么吗?
这些不是 MX,而且已经smtpd_client_connection_rate_limit设置好了。
可能相关:
系统在宣布 AUTH 之前需要 SMTPS 或 STARTTLS。
答案1
这是来自中国的僵尸网络,它连接到您的邮箱试图发送垃圾邮件。但是当被要求验证身份时,该僵尸网络太笨了,根本不知道该怎么做。该僵尸网络只是停止发送邮件,然后断开连接以攻击下一个受害者。
绝对没有什么可担心的。
答案2
我的日志文件已经满了,甚至允许这些混蛋建立连接也浪费 CPU。我创建了一条fail2ban规则。
Jul 11 02:35:08 mail postfix/smtpd[16299]: lost connection after AUTH from unknown[196.12.178.73]
内容/etc/fail2ban/jail.conf
[postfix]
# Ban for 10 minutes if it fails 6 times within 10 minutes
enabled = true
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log
maxretry = 6
bantime = 600
findtime = 600
内容/etc/fail2ban/filter.d/postfix.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision$
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
# Jul 11 02:35:08 mail postfix/smtpd[16299]: lost connection after AUTH from unknown[196.12.178.73]
failregex = lost connection after AUTH from unknown\[<HOST>\]
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
答案3
只需像这样smtpd_recipient_restrictions设置:reject_unknown_client_hostname
smtpd_recipient_restrictions = reject_unknown_client_hostname
这将导致拒绝客户端和具有未知主机名的流浪或愚蠢的僵尸机器人。设置后,您的日志将如下所示:
postfix/smtpd[11111]: NOQUEUE: reject: RCPT from unknown[183.13.165.14]: 450 4.7.1 Client host rejected: cannot find your hostname, [183.13.165.14]
答案4
我不确定是否有什么值得担心的,基本上是客户端/“某人”在自行连接、发出 AUTH 并断开连接。这可能是试图从邮件客户端探测服务器功能 - 或试图对守护进程进行攻击。
只要你有足够的安全措施,这只是来自世界的另一次敲门声。