Hi everybody, I use ISPConfig and now I have a lot of lines like the following in my syslog file:

    postfix/smtpd[29337]: connect from pirate.census.shodan.io[71.6.146.185]
    postfix/smtpd[29337]: SSL_accept error from pirate.census.shodan.io[71.6.146.185]: -1
    postfix/smtpd[29337]: warning: TLS library problem: error:142090FC:SSL routines:tls_early_post_process_client_hello:unknown protocol:../ssl/statem/statem_srvr.c:1642:
    postfix/smtpd[29337]: lost connection after STARTTLS from pirate.census.shodan.io[71.6.146.185]

The IP is an attacker source. I'll really appreciate any help. Thanks in advance.
The attacker did not know the password for the e-mail account, so the connection attempt failed. This is a good thing. You can use fail2ban to block the IP automatically after repeated attempts.
Thanks a lot. I already use fail2ban as follows:

/etc/fail2ban/jail.conf:

    [postfix-auth]
    enabled = true
    port = smtp,ssmtp
    filter = postfix-auth
    action = iptables[name=SMTP-auth, port=smtp, protocol=tcp]
    logpath = /var/log/maillog
    maxretry = 2
    bantime = 36000
    findtime = 300

and /etc/fail2ban/filter.d/postfix-auth.conf:

    # Fail2ban postfix-auth filter
    [INCLUDES]
    before = common.conf

    [Definition]
    _daemon = postfix/smtpd
    failregex = ^%(__prefix_line)slost connection after .*\[<HOST>\]$
    ignoreregex =

but I ran into problems with Postfix after 2-3 days. I also have the same problem when I add the following line to the main.cf file:

    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination,
        reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient,
        reject_unknown_sender_domain, reject_unknown_recipient_domain,
        reject_rbl_client zen.spamhaus.org, reject_rbl_client sbl.spamhaus.org,
        reject_rbl_client cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net,
        check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
        check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf

I'll really appreciate any help. Thanks in advance.
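An added example, not part of this thread and not fail2ban's own code: it runs the posted failregex over a handful of constructed log lines in Python, with fail2ban's `<HOST>` capture and `%(__prefix_line)s` macro replaced by simplified stand-ins (the real expansions in common.conf are longer). Going beyond the post, it also shows a narrower pattern keyed on the `auth=0/N` field of Postfix's disconnect summary, which only fires when a client actually attempted AUTH and never succeeded. The scanner and office addresses are the ones quoted in the thread; the `office.example.net` hostname, timestamps and PIDs are made up, and findtime is ignored.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's %(__prefix_line)s plus _daemon = postfix/smtpd:
# syslog timestamp, hostname, then "postfix/smtpd[PID]: " (also the submission instance).
# This is an approximation, not the exact regex from common.conf.
PREFIX = r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ postfix/(?:submission/)?smtpd\[\d+\]: "
# Approximation of what fail2ban substitutes for <HOST>.
HOST = r"(?P<host>[\w\-.^_]*\w)"

# The failregex from the post, with the macros expanded.
POSTED_FAILREGEX = re.compile(PREFIX + r"lost connection after .*\[" + HOST + r"\]$")

# Narrower alternative (added here, not from the post): Postfix's per-session
# disconnect summary with at least one AUTH command and zero successes (auth=0/N).
AUTH_FAIL_REGEX = re.compile(
    PREFIX + r"disconnect from \S+\[" + HOST + r"\].* auth=0/[1-9]\d*\b"
)

# Constructed sample log. Line 2 (SSL_accept error) is never matched by either
# pattern; the jail in the post bans on the "lost connection" line that follows it.
SAMPLE_LOG = """\
Oct 15 07:10:01 ns3092192 postfix/smtpd[29337]: connect from pirate.census.shodan.io[71.6.146.185]
Oct 15 07:10:01 ns3092192 postfix/smtpd[29337]: SSL_accept error from pirate.census.shodan.io[71.6.146.185]: -1
Oct 15 07:10:01 ns3092192 postfix/smtpd[29337]: lost connection after STARTTLS from pirate.census.shodan.io[71.6.146.185]
Oct 15 07:12:40 ns3092192 postfix/smtpd[29410]: lost connection after STARTTLS from pirate.census.shodan.io[71.6.146.185]
Oct 15 07:16:13 ns3092192 postfix/smtpd[23636]: connect from unknown[92.118.38.37]
Oct 15 07:16:15 ns3092192 postfix/smtpd[23636]: disconnect from unknown[92.118.38.37] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Oct 15 07:18:02 ns3092192 postfix/smtpd[23701]: disconnect from unknown[92.118.38.37] ehlo=1 auth=0/2 quit=1 commands=2/4
Oct 15 07:20:00 ns3092192 postfix/submission/smtpd[30193]: lost connection after CONNECT from office.example.net[93.115.145.8]
Oct 15 07:20:30 ns3092192 postfix/submission/smtpd[30193]: lost connection after DATA from office.example.net[93.115.145.8]
Oct 15 07:21:00 ns3092192 postfix/submission/smtpd[30210]: disconnect from office.example.net[93.115.145.8] ehlo=2 starttls=1 auth=1/1 mail=1 rcpt=1 data=1 quit=1 commands=8
"""


def scan(log: str, failregex: re.Pattern) -> Counter:
    """Tally failregex matches per <host>, the way fail2ban counts failures."""
    counts = Counter()
    for line in log.splitlines():
        m = failregex.match(line)
        if m:
            counts[m.group("host")] += 1
    return counts


def to_ban(counts: Counter, maxretry: int = 2, ignoreip=()) -> list:
    """Hosts that reached maxretry and are not whitelisted via ignoreip."""
    return sorted(h for h, n in counts.items() if n >= maxretry and h not in ignoreip)


if __name__ == "__main__":
    posted = scan(SAMPLE_LOG, POSTED_FAILREGEX)
    print("posted failregex:", dict(posted))
    # The posted pattern also counts a legitimate client whose session drops,
    # so the office address ends up banned unless it is listed in ignoreip.
    print("bans:", to_ban(posted))
    print("bans with ignoreip:", to_ban(posted, ignoreip=("93.115.145.8",)))
    auth = scan(SAMPLE_LOG, AUTH_FAIL_REGEX)
    print("auth=0/N pattern:", dict(auth), "bans:", to_ban(auth))
```

Against a real log, the equivalent check is `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-auth.conf`, which prints which lines the filter matched. Two things the sample makes visible: "lost connection after ..." is logged for any dropped session, including a legitimate mail client's, so trusted addresses such as the office IP belong in the jail's `ignoreip`; and the jail only works if `logpath` points at the file Postfix actually writes to on the system.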
You do not say what problem. Again what problem? Maybe there is something wrong in that line. What changes did you make?
Sorry, the problem is that I can't send or receive emails. When I remove these configurations, the problem is solved.
If you don't post logfiles, there is no way we can help you. Start with "tail -f /var/log/mail.log", then try to send/receive an email and post the corresponding lines.

[edit] If your fail2ban entry is correct, then your logfile is at /var/log/maillog.

[edit2] What do you want to achieve with those restrictions in smtpd_recipient_restrictions? They make no sense. Did you just copy something from the internet, or do you understand what you are doing? http://www.postfix.org/SMTPD_ACCESS_README.html
Sorry for my incomplete explanation. I changed "smtpd_recipient_restrictions" because I had a lot of "connect from unknown[IP address]" lines in the maillog file. When I apply the changes I have the following lines in the maillog file:

    Oct 15 07:16:13 ns3092192 postfix/smtpd[23636]: warning: hostname ip-38-37.ZervDNS does not resolve to address 92.118.38.37: Name or service not known
    Oct 15 07:16:13 ns3092192 postfix/smtpd[23636]: connect from unknown[92.118.38.37]
    Oct 15 07:16:15 ns3092192 postfix/smtpd[23636]: disconnect from unknown[92.118.38.37] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
    Oct 15 07:16:42 ns3092192 postfix/submission/smtpd[30193]: connect from unknown[93.115.145.8]
    Oct 15 07:16:42 ns3092192 postfix/submission/smtpd[30193]: NOQUEUE: reject: CONNECT from unknown[93.115.145.8]: 554 5.7.1 <unknown[93.115.145.8]>: Client host rejected: Access denied; proto=SMTP

and I can send/receive no emails. 93.115.145.8 is my private IP address for my office. After I change "smtpd_recipient_restrictions" back to the default, I can send and receive mail. Thanks for your help.
Well, the idea of a mail server (at least mine) is that unknown computers can connect and leave an email. If you don't want mails you can block them, for sure. What is the "standard setting", and what did you change? You set the restrictions to "permit_sasl_authenticated", but from the logs it looks like your client does not authenticate?