Postfix log shows a suspicious connection

I have regular connections from an IP that appears on the OpenBL list, and I would like to understand what it is doing.

If it fails at the authentication stage, I get an authentication error (and it gets banned by fail2ban).

If it succeeds in sending a message, I see log lines about the message being delivered.

Before doing anything, I would like to understand what is going on.

Here is the log in double verbose mode (-v -v):

Jun 19 16:27:21 localhost postfix/smtpd[12172]: name_mask: all
Jun 19 16:27:21 localhost postfix/smtpd[12172]: inet_addr_local: configured 2 IPv4 addresses
Jun 19 16:27:21 localhost postfix/smtpd[12172]: inet_addr_local: configured 3 IPv6 addresses
Jun 19 16:27:21 localhost postfix/smtpd[12172]: process generation: 730 (730)
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_string: mynetworks ~? debug_peer_list
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_string: mynetworks ~? fast_flush_domains
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_string: mynetworks ~? mynetworks
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_string: relay_domains ~? debug_peer_list
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_string: relay_domains ~? fast_flush_domains
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_string: relay_domains ~? mynetworks
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_string: relay_domains ~? permit_mx_backup_networks
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_string: relay_domains ~? qmqpd_authorized_clients
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_string: relay_domains ~? smtpd_access_maps
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_list_match: relay_domains: no match
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_string: permit_mx_backup_networks ~? debug_peer_list
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_string: permit_mx_backup_networks ~? fast_flush_domains
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_string: permit_mx_backup_networks ~? mynetworks
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_string: permit_mx_backup_networks ~? permit_mx_backup_networks
Jun 19 16:27:21 localhost postfix/smtpd[12172]: connect to subsystem private/proxymap
Jun 19 16:27:21 localhost postfix/smtpd[12172]: send attr request = open
Jun 19 16:27:21 localhost postfix/smtpd[12172]: send attr table = unix:passwd.byname
Jun 19 16:27:21 localhost postfix/smtpd[12172]: send attr flags = 0
Jun 19 16:27:21 localhost postfix/smtpd[12172]: private/proxymap socket: wanted attribute: status
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute name: status
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute value: 0
Jun 19 16:27:21 localhost postfix/smtpd[12172]: private/proxymap socket: wanted attribute: flags
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute name: flags
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute value: 16
Jun 19 16:27:21 localhost postfix/smtpd[12172]: private/proxymap socket: wanted attribute: (list terminator)
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute name: (end)
Jun 19 16:27:21 localhost postfix/smtpd[12172]: dict_proxy_open: connect to map=unix:passwd.byname status=0 server_flags=fixed
Jun 19 16:27:21 localhost postfix/smtpd[12172]: dict_open: proxy:unix:passwd.byname
Jun 19 16:27:21 localhost postfix/smtpd[12172]: Compiled against Berkeley DB: 5.1.29?
Jun 19 16:27:21 localhost postfix/smtpd[12172]: Run-time linked against Berkeley DB: 5.1.29?
Jun 19 16:27:21 localhost postfix/smtpd[12172]: dict_open: hash:/etc/aliases
Jun 19 16:27:21 localhost postfix/smtpd[12172]: Compiled against Berkeley DB: 5.1.29?
Jun 19 16:27:21 localhost postfix/smtpd[12172]: Run-time linked against Berkeley DB: 5.1.29?
Jun 19 16:27:21 localhost postfix/smtpd[12172]: dict_open: hash:/var/lib/mailman/data/aliases
Jun 19 16:27:21 localhost postfix/smtpd[12172]: send attr request = open
Jun 19 16:27:21 localhost postfix/smtpd[12172]: send attr table = pgsql:/etc/postfix/virtual-alias-maps.cf
Jun 19 16:27:21 localhost postfix/smtpd[12172]: send attr flags = 0
Jun 19 16:27:21 localhost postfix/smtpd[12172]: private/proxymap socket: wanted attribute: status 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute name: status 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute value: 0 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: private/proxymap socket: wanted attribute: flags 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute name: flags 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute value: 16 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: private/proxymap socket: wanted attribute: (list terminator) 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute name: (end) 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: dict_proxy_open: connect to map=pgsql:/etc/postfix/virtual-alias-maps.cf status=0 server_flags=fixed 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: dict_open: proxy:pgsql:/etc/postfix/virtual-alias-maps.cf 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: Compiled against Berkeley DB: 5.1.29? 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: Run-time linked against Berkeley DB: 5.1.29? 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: dict_open: hash:/var/lib/mailman/data/virtual-mailman 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: send attr request = open 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: send attr table = pgsql:/etc/postfix/virtual-mailbox-maps.cf 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: send attr flags = 0 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: private/proxymap socket: wanted attribute: status 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute name: status 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute value: 0 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: private/proxymap socket: wanted attribute: flags 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute name: flags 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute value: 16 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: private/proxymap socket: wanted attribute: (list terminator) 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute name: (end) 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: dict_proxy_open: connect to map=pgsql:/etc/postfix/virtual-mailbox-maps.cf status=0 server_flags=fixed 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: dict_open: proxy:pgsql:/etc/postfix/virtual-mailbox-maps.cf 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_string: smtpd_access_maps ~? debug_peer_list 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_string: smtpd_access_maps ~? fast_flush_domains 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_string: smtpd_access_maps ~? mynetworks 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_string: smtpd_access_maps ~? permit_mx_backup_networks 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_string: smtpd_access_maps ~? qmqpd_authorized_clients 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_string: smtpd_access_maps ~? smtpd_access_maps 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: unknown_helo_hostname_tempfail_action = defer_if_permit 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: unknown_address_tempfail_action = defer_if_permit 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: unverified_recipient_tempfail_action = defer_if_permit 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: unverified_sender_tempfail_action = defer_if_permit 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: name_mask: 0 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: auto_clnt_create: transport=local endpoint=private/tlsmgr 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: auto_clnt_open: connected to private/tlsmgr 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: send attr request = seed 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: send attr size = 32 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: private/tlsmgr: wanted attribute: status 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute name: status 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute value: 0 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: private/tlsmgr: wanted attribute: seed 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute name: seed 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute value: BkwSErqQCehWb7QFIVoqNQDFcWGDIzh7N7jY0LHfZxM= 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: private/tlsmgr: wanted attribute: (list terminator) 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute name: (end) 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: send attr request = policy 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: send attr cache_type = smtpd 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: private/tlsmgr: wanted attribute: status 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute name: status 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute value: 0 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: private/tlsmgr: wanted attribute: cachable 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute name: cachable 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute value: 1 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: private/tlsmgr: wanted attribute: (list terminator) 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute name: (end) 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_string: fast_flush_domains ~? debug_peer_list 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_string: fast_flush_domains ~? fast_flush_domains 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: auto_clnt_create: transport=local endpoint=private/anvil 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: connection established 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: master_notify: status 0 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: name_mask: resource 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: name_mask: software
Jun 19 16:27:21 localhost postfix/smtpd[12172]: connect from s72-38-252-2.static.datacom.cgocable.net[72.38.252.2] 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_list_match: s72-38-252-2.static.datacom.cgocable.net: no match 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_list_match: 72.38.252.2: no match 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_list_match: s72-38-252-2.static.datacom.cgocable.net: no match 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_list_match: 72.38.252.2: no match 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: smtp_stream_setup: maxtime=300 enable_deadline=0 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_hostname: s72-38-252-2.static.datacom.cgocable.net ~? 127.0.0.0/8 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_hostaddr: 72.38.252.2 ~? 127.0.0.0/8 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_list_match: s72-38-252-2.static.datacom.cgocable.net: no match 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_list_match: 72.38.252.2: no match 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: auto_clnt_open: connected to private/anvil 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: send attr request = connect 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: send attr ident = smtp:72.38.252.2 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: private/anvil: wanted attribute: status 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute name: status 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute value: 0 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: private/anvil: wanted attribute: count 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute name: count 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute value: 1 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: private/anvil: wanted attribute: rate 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute name: rate 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute value: 1 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: private/anvil: wanted attribute: (list terminator) 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute name: (end) 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: > s72-38-252-2.static.datacom.cgocable.net[72.38.252.2]: 220 domain.tld ESMTP Postfix (Debian/GNU) 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: xsasl_dovecot_server_create: SASL service=smtp, realm=(null) 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: name_mask: noanonymous 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: xsasl_dovecot_server_connect: Connecting 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: xsasl_dovecot_server_connect: auth reply: VERSION?1?1 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: xsasl_dovecot_server_connect: auth reply: MECH?PLAIN?plaintext 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: name_mask: plaintext 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: xsasl_dovecot_server_connect: auth reply: SPID?11468 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: xsasl_dovecot_server_connect: auth reply: CUID?91 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: xsasl_dovecot_server_connect: auth reply: COOKIE?9df14148adb89ae414e824bc836238da 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: xsasl_dovecot_server_connect: auth reply: DONE 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: xsasl_dovecot_server_mech_filter: keep mechanism: PLAIN 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: < s72-38-252-2.static.datacom.cgocable.net[72.38.252.2]: EHLO User 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_list_match: s72-38-252-2.static.datacom.cgocable.net: no match 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_list_match: 72.38.252.2: no match 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: > s72-38-252-2.static.datacom.cgocable.net[72.38.252.2]: 250-domain.tld 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: > s72-38-252-2.static.datacom.cgocable.net[72.38.252.2]: 250-PIPELINING 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: > s72-38-252-2.static.datacom.cgocable.net[72.38.252.2]: 250-SIZE 10240000 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: > s72-38-252-2.static.datacom.cgocable.net[72.38.252.2]: 250-ETRN 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: > s72-38-252-2.static.datacom.cgocable.net[72.38.252.2]: 250-STARTTLS 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: > s72-38-252-2.static.datacom.cgocable.net[72.38.252.2]: 250-AUTH PLAIN 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: > s72-38-252-2.static.datacom.cgocable.net[72.38.252.2]: 250-ENHANCEDSTATUSCODES 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: > s72-38-252-2.static.datacom.cgocable.net[72.38.252.2]: 250-8BITMIME 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: > s72-38-252-2.static.datacom.cgocable.net[72.38.252.2]: 250 DSN 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: < s72-38-252-2.static.datacom.cgocable.net[72.38.252.2]: QUIT 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: > s72-38-252-2.static.datacom.cgocable.net[72.38.252.2]: 221 2.0.0 Bye 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_hostname: s72-38-252-2.static.datacom.cgocable.net ~? 127.0.0.0/8 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_hostaddr: 72.38.252.2 ~? 127.0.0.0/8 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_list_match: s72-38-252-2.static.datacom.cgocable.net: no match 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_list_match: 72.38.252.2: no match 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: send attr request = disconnect 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: send attr ident = smtp:72.38.252.2 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: private/anvil: wanted attribute: status 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute name: status 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute value: 0 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: private/anvil: wanted attribute: (list terminator) 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute name: (end) 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: disconnect from s72-38-252-2.static.datacom.cgocable.net[72.38.252.2]
Jun 19 16:27:21 localhost postfix/smtpd[12172]: master_notify: status 1
Jun 19 16:27:21 localhost postfix/smtpd[12172]: connection closed
Jun 19 16:27:26 localhost postfix/smtpd[12172]: proxymap stream disconnect
Jun 19 16:27:26 localhost postfix/smtpd[12172]: auto_clnt_close: disconnect private/tlsmgr stream

Thanks for any hints.

Answer 1

The remote SMTP client does not even try to authenticate, nor does it try to send a message. Your log file shows that it quits right after receiving the response to its EHLO User command:

< s72-38-252-2.static.datacom.cgocable.net[72.38.252.2]: EHLO User
...
< s72-38-252-2.static.datacom.cgocable.net[72.38.252.2]: QUIT

I suspect the remote client is checking for something specific in the response to its EHLO command (which should carry a fully qualified domain name rather than User). Different SMTP servers respond to such a command differently; for example, your Postfix smtpd announces that it supports STARTTLS and AUTH PLAIN.

The EHLO command itself is the Extended SMTP (ESMTP) version of the original SMTP HELO command; depending on its configuration, an ESMTP server answers it with success (code 250 followed by a list of server capabilities), failure (code 550) or an error (code 500, 501, 502, 504 or 421).

The remote host is probably checking for a specific response that might indicate an exploitable vulnerability. If it does not get that indication, it gives up.

In my experience, the "brutality" of cracking attempts varies a great deal; some are more subtle than others (presumably to avoid attracting unwanted attention).

Rejecting invalid HELO commands

If you are going to accept connections from many different SMTP clients, it is probably best not to reject invalid EHLO commands that lack an FQDN. I have come across SMTP clients (on printers/scanners, old Windows software with built-in mail features, etc.) that do not send a well-formed, fully qualified domain name with the HELO/EHLO command. The default Postfix configuration shipped with Red Hat Enterprise Linux 5 does not restrict HELO usage, nor even require it.

If you know that all of your legitimate clients send a valid HELO, doing so might help reduce the processing spent on illegitimate attempts (I have not tried it myself).
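As an added example (not part of the question or answer above), a small Python parser that reads the client-side "<" lines of a Postfix smtpd -v -v log, rebuilds each smtpd session and labels it the way the answer reads this one: a session that greets and quits without AUTH or MAIL is a probe, and a HELO/EHLO argument without a dot (like User) is flagged as non-FQDN. The log lines, hostnames and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of Postfix smtpd -v -v output; hosts and
# addresses are made up and are not from the server in the question.
SAMPLE_LOG = """\
Jun 19 16:27:21 mx postfix/smtpd[12172]: connect from host.example.net[192.0.2.10]
Jun 19 16:27:21 mx postfix/smtpd[12172]: < host.example.net[192.0.2.10]: EHLO User
Jun 19 16:27:21 mx postfix/smtpd[12172]: > host.example.net[192.0.2.10]: 250-AUTH PLAIN
Jun 19 16:27:21 mx postfix/smtpd[12172]: < host.example.net[192.0.2.10]: QUIT
Jun 19 16:27:21 mx postfix/smtpd[12172]: disconnect from host.example.net[192.0.2.10]
Jun 19 16:28:02 mx postfix/smtpd[12180]: connect from mail.example.org[198.51.100.7]
Jun 19 16:28:02 mx postfix/smtpd[12180]: < mail.example.org[198.51.100.7]: EHLO mail.example.org
Jun 19 16:28:02 mx postfix/smtpd[12180]: < mail.example.org[198.51.100.7]: MAIL FROM:<a@example.org>
Jun 19 16:28:02 mx postfix/smtpd[12180]: < mail.example.org[198.51.100.7]: QUIT
Jun 19 16:28:02 mx postfix/smtpd[12180]: disconnect from mail.example.org[198.51.100.7]
"""

# Only the lines Postfix logs as received from the client ("< host[ip]: CMD args").
CLIENT_RE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: < \S+\[(?P<ip>[^\]]+)\]: (?P<cmd>\S+)\s*(?P<arg>.*)$")
# Loose FQDN check: at least one dot, label characters only ("User" fails it).
FQDN_RE = re.compile(r"^([a-z0-9-]+\.)+[a-z0-9-]+$", re.I)

def parse_sessions(log_text):
    """Group the client-side lines of each smtpd process (pid) into one session."""
    sessions = defaultdict(lambda: {"ip": None, "cmds": []})
    for m in filter(None, map(CLIENT_RE.search, log_text.splitlines())):
        s = sessions[m.group("pid")]
        s["ip"] = m.group("ip")
        s["cmds"].append((m.group("cmd").upper(), m.group("arg").strip()))
    return dict(sessions)

def classify(session):
    """Label a session the way the answer reads the log: probe, auth, mail or other."""
    verbs = [v for v, _ in session["cmds"]]
    helo_args = [a for v, a in session["cmds"] if v in ("HELO", "EHLO")]
    bad_helo = any(not FQDN_RE.match(a) for a in helo_args)
    if "AUTH" in verbs:
        kind = "auth"
    elif "MAIL" in verbs:
        kind = "mail"
    elif verbs and set(verbs) <= {"HELO", "EHLO", "QUIT"}:
        kind = "probe"  # connect, greet, read the capability list, leave
    else:
        kind = "other"
    return {"ip": session["ip"], "kind": kind, "non_fqdn_helo": bad_helo}

def report(log_text):
    return {pid: classify(s) for pid, s in parse_sessions(log_text).items()}
```

On a real log, feed it the postfix/smtpd lines of the verbose mail log. The Postfix parameters behind the restriction discussed above are smtpd_helo_required and smtpd_helo_restrictions (with reject_non_fqdn_helo_hostname), and whether to enable them depends on the legacy clients the answer mentions.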
