14

Looking at the logs on my mailservers, I have noticed messages like the following:

Nov 29 12:09:38 mta postfix/smtpd[8362]: connect from unknown[183.13.165.14]
Nov 29 12:09:39 mta postfix/smtpd[8362]: lost connection after AUTH from unknown[183.13.165.14]
Nov 29 12:09:39 mta postfix/smtpd[8362]: disconnect from unknown[183.13.165.14]
Nov 29 12:09:39 mta postfix/smtpd[8409]: connect from unknown[183.13.165.14]
Nov 29 12:09:40 mta postfix/smtpd[8409]: lost connection after AUTH from unknown[183.13.165.14]
Nov 29 12:09:40 mta postfix/smtpd[8409]: disconnect from unknown[183.13.165.14]

There are no SASL failures in these cases. SASL failures are logged at other times, but never together with "lost connection after AUTH".

What is happening here, and should I do anything about it?
These are not MXs, and already have smtpd_client_connection_rate_limit set.

Possibly related:
The systems require either SMTPS or STARTTLS before AUTH is announced.

84104
  • Can you increase the debug level of postfix? – Khaled Nov 29 '11 at 21:13
  • I can, but that will grow the log files at a considerably higher rate, and these events are sporadic. What will this increased logging help to disambiguate? – 84104 Nov 29 '11 at 21:17
  • So, you need to increase it for a small period of time and when you expect to get this error. This hopefully gives more hints on what this error means. – Khaled Nov 29 '11 at 21:22

4 Answers

22

My log files were getting filled up, and it's a waste of CPU to even allow a connection from these jerks. I created a fail2ban rule.

Jul 11 02:35:08 mail postfix/smtpd[16299]: lost connection after AUTH from unknown[196.12.178.73]

Contents of /etc/fail2ban/jail.conf

[postfix]
# Ban for 10 minutes if it fails 6 times within 10 minutes
enabled  = true
port     = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log
maxretry = 6
bantime  = 600
findtime = 600

Contents of /etc/fail2ban/filter.d/postfix.conf

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision$
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#

# Jul 11 02:35:08 mail postfix/smtpd[16299]: lost connection after AUTH from unknown[196.12.178.73]

failregex = lost connection after AUTH from unknown\[<HOST>\]

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = 
the7erm
  • This saved my day. I added the following rule: `failregex = ^%(__prefix_line)slost connection after AUTH from \S+\[<HOST>\].$`. I had many hundreds of such connection attempts in a few minutes. I had to do something about it. – chmike Feb 15 '16 at 16:19
  • This is a bit more generic: `failregex = lost connection after AUTH from (.*)\[<HOST>\]` – CubicleSoft Jun 20 '16 at 12:55
  • @chmike: The dot before the ending `$` must be removed. Didn't work here with it in the regex. – cweiske Dec 14 '17 at 08:42
  • @CubicleSoft wouldn't you want to be as specific as possible when writing regexes? – ychaouche Apr 05 '22 at 13:48
  • Not necessarily. You are interested in the specific string "lost connection after AUTH from " followed by some random hostname string followed by the IP address of the host in brackets. The hostname portion is simply ignored. If you want to be more optimal, you could do something like: `failregex = lost connection after AUTH from [^\[]*\[<HOST>\]` – CubicleSoft Apr 05 '22 at 15:51
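To see what the jail above actually does with these lines, here is an added Python example (not the answerer's or fail2ban's own code) that applies a failregex of the more general kind discussed in the comments and the jail's maxretry/findtime as a sliding window over constructed log lines; the year, the `host.example.invalid` name and the 203.0.113.9 address are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Like the generic regex in the comments: any client hostname before the bracketed address, not only "unknown".
LOST_AFTER_AUTH = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"lost connection after AUTH from [^\[]*\[(?P<host>[0-9a-fA-F.:]+)\]$"
)
MAXRETRY, FINDTIME = 6, 600  # the jail.conf values above (findtime in seconds)

SAMPLE_LOG = [  # constructed lines modelled on the question's log; 203.0.113.9 is made up
    "Nov 29 12:09:38 mta postfix/smtpd[8362]: connect from unknown[183.13.165.14]",
    "Nov 29 12:09:39 mta postfix/smtpd[8362]: lost connection after AUTH from unknown[183.13.165.14]",
    "Nov 29 12:09:40 mta postfix/smtpd[8409]: lost connection after AUTH from unknown[183.13.165.14]",
    "Nov 29 12:09:41 mta postfix/smtpd[8410]: lost connection after AUTH from unknown[183.13.165.14]",
    "Nov 29 12:09:42 mta postfix/smtpd[8411]: lost connection after AUTH from unknown[183.13.165.14]",
    "Nov 29 12:09:43 mta postfix/smtpd[8412]: lost connection after AUTH from unknown[183.13.165.14]",
    "Nov 29 12:09:44 mta postfix/smtpd[8413]: lost connection after AUTH from unknown[183.13.165.14]",
    "Nov 29 12:10:01 mta postfix/smtpd[8420]: lost connection after AUTH from host.example.invalid[203.0.113.9]",
    "Nov 29 12:30:01 mta postfix/smtpd[8500]: lost connection after AUTH from host.example.invalid[203.0.113.9]",
]

def parse_ts(ts, year=2011):
    """syslog timestamps carry no year, so one is assumed to allow time arithmetic."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def offenders(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return {host: time of the hit that crossed maxretry}, counting only hits
    from the last `findtime` seconds, which is how fail2ban's window behaves."""
    recent = defaultdict(deque)
    banned = {}
    for line in lines:
        m = LOST_AFTER_AUTH.search(line)
        if not m:
            continue  # connect/disconnect and other lines are not failures
        host, t = m.group("host"), parse_ts(m.group("ts"))
        q = recent[host]
        q.append(t)
        while (t - q[0]).total_seconds() > findtime:
            q.popleft()  # drop hits that fell out of the findtime window
        if len(q) >= maxretry:
            banned.setdefault(host, t)
    return banned

if __name__ == "__main__":
    for host, when in offenders(SAMPLE_LOG).items():
        print(f"would ban {host} at {when:%b %d %H:%M:%S}")
```

With the jail's values only 183.13.165.14 crosses the threshold; 203.0.113.9 has two hits 20 minutes apart, so even with maxretry=2 its first hit has already left the 600-second window by the time the second arrives.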
8

This is a botnet from China connecting to your box trying to deliver spam. But the bot is too stupid to know what to do when being told to authenticate itself. The bot just stops delivering mail and then disconnects to attack the next victim.

Absolutely nothing to worry about.

mailq
  • Close enough. It seems that it's some sort of script that issues AUTH and exits uncleanly after receiving `503 5.5.1 Error: authentication not enabled`. Was able to replicate with ncat. Though why it keeps trying until it hits the rate limit is beyond me. Maybe it's trying to brute force username/password pairs? Either way, too stupid to worry about. – 84104 Dec 01 '11 at 00:51
  • As a test, I only get this line in my logs and never see any SASL failures just using Thunderbird and an invalid password for a known account. Since authenticated mail always passes through Postfix unhindered, the correct answer is, if possible, to use the posted fail2ban script to keep the number of brute force attempts to a minimum. Brute force password attempts are something to absolutely be concerned about to avoid turning your box into an open relay - especially if this is the only line in your logs. – CubicleSoft Jun 20 '16 at 12:49
  • The logs look like he's getting one a second, which could be someone trying to brute force the server, which IS something to worry about. I recommend using the fail2ban, at a minimum. It won't completely solve a brute force issue, but it will substantially mitigate it. – Severun Sep 16 '17 at 00:13
5

In smtpd_recipient_restrictions just set reject_unknown_client_hostname like this:

smtpd_recipient_restrictions = reject_unknown_client_hostname

and this will result in rejecting clients and stray or dumb zombie bots with unknown host names. Your logs will look like this when set:

postfix/smtpd[11111]: NOQUEUE: reject: RCPT from unknown[183.13.165.14]: 450 4.7.1 Client host rejected: cannot find your hostname, [183.13.165.14]
sebix
2

I'm not sure if there's much to be worried about; basically a client/'someone' is connecting, issuing AUTH and disconnecting of their own accord. It could be an attempt to probe server capabilities from a mail client - or an attempt to case the daemon.

As long as you have sufficient security in place it's just another knock on the door from the world.

thinice