I'm running a mailserver based on postfix. There are a lot of connection failures like this:
Transcript of session follows.
Out: 220 hostname.tld ESMTP Postfix
In: .
Out: 502 5.5.2 Error: command not recognized
In:
Out: 500 5.5.2 Error: bad syntax
Session aborted, reason: lost connection
These connections come from different IPs, but in most cases as a bulk of a few tens to hundreds of attempts per IP.
What causes these connections? If this were viruses, worms or botnets that are "knocking on the door", why so many multiple times per host? Or is sending a single dot some kind of functionality test and my server reacts in the wrong way? Again, multiple tries make no sense. And it's far away from any DoS scale.
Maybe some of you know what's going on there?
Answer 1
The dot is used to terminate the message of an email in the SMTP protocol: An empty line (CR, LF), followed by single dot and again a newline with CR and LF. But this is clearly not the case here.
To find out if these SMTP clients are just botnets or legitimate senders, you can have a look at the PTR of their IPs; they are both logged. If the PTR is a generic one from a provider, something like 192-0-2-1.broadband.customers.example.com, then you can really ignore it and use fail2ban to block them.
The HELO should match the PTR, at least it's best practice. But if they are not similar, it's again probably a botnet.
In the other case, someone is maybe doing a scan on your server and probing for TLS protocols and ciphers.
To ban the clients after such requests, you can use fail2ban, which temporarily blocks an IP after too many bad requests.
filter.d/postfix-syntax.conf
[INCLUDES]
before = common.conf
[Definition]
failregex = reject: RCPT from (.*)\[<HOST>\]: 502 5.5.2
reject: RCPT from (.*)\[<HOST>\]: 500 5.5.2
ignoreregex =
And add this to your jail.conf:
[postfix-syntax]
enabled = true
port = smtp,ssmtp,submission
filter = postfix-syntax
logpath = /var/log/mail.log
maxretry = 10
Answer 2
If you have exposed your mail server to the Internet, expect most of the connections to be from spambots and other illegitimate senders.
I would consider just matching rejects for any errors in fail2ban. Legitimate senders should rarely generate an error, and will retry later if they do get banned. I do some nasty things to suspected spammers, and it has been years since a legitimate sender has had problems other than delivery delays.
I use a few tests to check the legitimacy of senders:
- The IP is not listed in zen.spamhaus.org. (Includes a broad selection of dynamic IPs.)
- The IP has a DNS PTR that passes rDNS. Rarely does legitimate mail not have a PTR record, and rDNS for the IP address almost always passes.
- The name in the HELO/EHLO command is a Fully Qualified Domain Name (FQDN) that passes rDNS. With the exception of one large corporation, this almost always passes. Usually this name is the same as used for the IP address.
- The PTR record and the name in the HELO command pass SPF HELO validation, either directly or via their parent domain. Domains without an SPF record also pass, but gain no credibility. This blocks spambots that identify themselves with the domain of a large organization.
I would like to use DKIM for validation, but many senders do not publish their public keys correctly in DNS.
If you cannot run these tests while the connection is still open, do not bounce the mail unless you can verify that the sender is not spoofed. (I am very grateful for all the money offered by the FBI, the UN, banks, etc., but they still have not delivered.)
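Added here after answer 2 as a worked example (not code from either answer or from Postfix/fail2ban): it scores one SMTP connection with answer 2's rDNS and HELO/EHLO tests and answer 1's "generic provider PTR" rule, using a constructed DNS table in place of live lookups. The GENERIC_PTR pattern, the scoring weights and the threshold are assumptions, not anything stated on the page.

```python
import re

# Constructed DNS tables standing in for live PTR and A lookups (not from the page).
PTR = {
    "192.0.2.10": "mail.example.net",
    "192.0.2.1": "192-0-2-1.broadband.customers.example.com",
}
A = {
    "mail.example.net": {"192.0.2.10"},
    "192-0-2-1.broadband.customers.example.com": {"192.0.2.1"},
}

# Assumed heuristic for provider-generated PTR names (answer 1's example): IP in the name or access-network labels.
GENERIC_PTR = re.compile(
    r"(\d{1,3}[-.]){3}\d{1,3}|\b(dyn|dynamic|dsl|cable|pool|broadband|customer)",
    re.IGNORECASE)
# Syntactic FQDN check for the HELO/EHLO name: dotted labels with an alphabetic TLD.
FQDN = re.compile(r"^([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.IGNORECASE)

def fcrdns(ip):
    """Forward-confirmed rDNS: the PTR name must have an A record containing the IP."""
    name = PTR.get(ip)
    return name is not None and ip in A.get(name.lower(), set())

def assess(ip, helo):
    """Score one connection with answer 2's tests; assumed threshold: score >= 2 looks legitimate."""
    score, reasons = 0, []
    name = PTR.get(ip)
    if name is None:
        reasons.append("no PTR record")
    elif fcrdns(ip):
        score += 1
        reasons.append("PTR passes rDNS")
    else:
        reasons.append("PTR does not forward-confirm")
    if name and GENERIC_PTR.search(name):
        score -= 1
        reasons.append("generic provider PTR")
    if not FQDN.match(helo):
        reasons.append("HELO is not an FQDN")
    elif ip in A.get(helo.lower(), set()):
        score += 1
        reasons.append("HELO resolves back to the IP")
    else:
        reasons.append("HELO does not resolve to the IP")
    if name and name.lower() == helo.lower():
        score += 1
        reasons.append("HELO matches PTR")
    return score, reasons
```

A low score is what a fail2ban rule like the one in answer 1 would act on; in production the two dictionaries would be replaced by real PTR and A lookups done while the connection is still open.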