
There are several log entries like the ones below in my Postfix mail log:

Mar  9 06:01:10 postfix/smtpd[23043]: initializing the server-side TLS engine
Mar  9 06:01:10 postfix/smtpd[23043]: connect from mlxmail4.icicibank.com[203.27.235.122]
Mar  9 06:01:11 postfix/smtpd[23043]: setting up TLS connection from mlxmail4.icicibank.com[203.27.235.122]
Mar  9 06:01:11 postfix/smtpd[23043]: mlxmail4.icicibank.com[203.27.235.122]: TLS cipher list "ALL:+RC4:@STRENGTH"
Mar  9 06:01:11 postfix/smtpd[23043]: SSL_accept:before/accept initialization
Mar  9 06:01:11 postfix/smtpd[23043]: read from 7FE9DE41E2C0 [7FE9DE4BE4C0] (11 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Mar  9 06:01:11 postfix/smtpd[23043]: read from 7FE9DE41E2C0 [7FE9DE4BE4C0] (11 bytes => 11 (0xB))
Mar  9 06:01:11 postfix/smtpd[23043]: 0000 16 03 01 02 00 01 00 01|fc 03 03                 ........ ...
Mar  9 06:01:11 postfix/smtpd[23043]: read from 7FE9DE41E2C0 [7FE9DE4BE4CE] (506 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Mar  9 06:01:11 postfix/smtpd[23043]: read from 7FE9DE41E2C0 [7FE9DE4BE4CE] (506 bytes => 506 (0x1FA))
(some cipher text)
Mar  9 06:01:11 postfix/smtpd[23043]: 0128 - <SPACES/NULLS>
Mar  9 06:01:11 postfix/smtpd[23043]: SSL_accept:SSLv3 read client hello B
Mar  9 06:01:11 postfix/smtpd[23043]: SSL_accept:SSLv3 write server hello A
Mar  9 06:01:11 postfix/smtpd[23043]: SSL_accept:SSLv3 write certificate A
Mar  9 06:01:11 postfix/smtpd[23043]: SSL_accept:SSLv3 write key exchange A
Mar  9 06:01:11 postfix/smtpd[23043]: SSL_accept:SSLv3 write server done A
Mar  9 06:01:11 postfix/smtpd[23043]: write to 7FE9DE41E2C0 [7FE9DE4CBE80] (1567 bytes => 1567 (0x61F))
(some cipher text)
Mar  9 06:01:11 postfix/smtpd[23043]: 061c - <SPACES/NULLS>
Mar  9 06:01:11 postfix/smtpd[23043]: SSL_accept:SSLv3 flush data
Mar  9 06:01:11 postfix/smtpd[23043]: read from 7FE9DE41E2C0 [7FE9DE4BE4C3] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Mar  9 06:01:11 postfix/smtpd[23043]: read from 7FE9DE41E2C0 [7FE9DE4BE4C3] (5 bytes => 5 (0x5))
Mar  9 06:01:11 postfix/smtpd[23043]: read from 7FE9DE41E2C0 [7FE9DE4BE4C8] (134 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Mar  9 06:01:11 postfix/smtpd[23043]: read from 7FE9DE41E2C0 [7FE9DE4BE4C8] (134 bytes => 134 (0x86))
(some cipher text)
Mar  9 06:01:11 postfix/smtpd[23043]: SSL_accept:SSLv3 read client key exchange A
Mar  9 06:01:11 postfix/smtpd[23043]: read from 7FE9DE41E2C0 [7FE9DE4BE4C3] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Mar  9 06:01:11 postfix/smtpd[23043]: read from 7FE9DE41E2C0 [7FE9DE4BE4C3] (5 bytes => 5 (0x5))
Mar  9 06:01:11 postfix/smtpd[23043]: 0000 14 03 03 00 01                                   .....
Mar  9 06:01:11 postfix/smtpd[23043]: read from 7FE9DE41E2C0 [7FE9DE4BE4C8] (1 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Mar  9 06:01:11 postfix/smtpd[23043]: read from 7FE9DE41E2C0 [7FE9DE4BE4C8] (1 bytes => 1 (0x1))
Mar  9 06:01:11 postfix/smtpd[23043]: 0000 01                                               .
Mar  9 06:01:11 postfix/smtpd[23043]: read from 7FE9DE41E2C0 [7FE9DE4BE4C3] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Mar  9 06:01:11 postfix/smtpd[23043]: read from 7FE9DE41E2C0 [7FE9DE4BE4C3] (5 bytes => 5 (0x5))
Mar  9 06:01:11 postfix/smtpd[23043]: 0000 16 03 03 00 28                                   ....(
Mar  9 06:01:11 postfix/smtpd[23043]: read from 7FE9DE41E2C0 [7FE9DE4BE4C8] (40 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Mar  9 06:01:11 postfix/smtpd[23043]: read from 7FE9DE41E2C0 [7FE9DE4BE4C8] (40 bytes => 40 (0x28))
(some cipher text)
Mar  9 06:01:11 postfix/smtpd[23043]: SSL_accept:SSLv3 read finished A
Mar  9 06:01:11 postfix/smtpd[23043]: SSL_accept:SSLv3 write change cipher spec A
Mar  9 06:01:11 postfix/smtpd[23043]: SSL_accept:SSLv3 write finished A
Mar  9 06:01:11 postfix/smtpd[23043]: write to 7FE9DE41E2C0 [7FE9DE4CBE80] (51 bytes => 51 (0x33))
(some cipher text)
Mar  9 06:01:11 postfix/smtpd[23043]: 0030 d1 82 cb                                         ...
Mar  9 06:01:11 postfix/smtpd[23043]: SSL_accept:SSLv3 flush data
Mar  9 06:01:11 postfix/smtpd[23043]: Anonymous TLS connection established from mlxmail4.icicibank.com[203.27.235.122]: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  9 06:01:11 postfix/smtpd[23043]: read from 7FE9DE41E2C0 [7FE9DE4BE4C3] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Mar  9 06:01:12 postfix/smtpd[23043]: read from 7FE9DE41E2C0 [7FE9DE4BE4C3] (5 bytes => 5 (0x5))
Mar  9 06:01:12 postfix/smtpd[23043]: 0000 17 03 03 00 35                                   ....5
Mar  9 06:01:12 postfix/smtpd[23043]: read from 7FE9DE41E2C0 [7FE9DE4BE4C8] (53 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Mar  9 06:01:12 postfix/smtpd[23043]: read from 7FE9DE41E2C0 [7FE9DE4BE4C8] (53 bytes => 53 (0x35))
(some cipher text)
Mar  9 06:01:12 postfix/smtpd[23043]: Read 29 chars: EHLO mlxmail4.icicibank.com??
Mar  9 06:01:12 postfix/smtpd[23043]: Write 158 chars: 250-mail.xxx.com??250-PIPELINING??250
Mar  9 06:01:12 postfix/smtpd[23043]: write to 7FE9DE41E2C0 [7FE9DE4C6A13] (187 bytes => 187 (0xBB))
(some cipher text)
Mar  9 06:01:12 postfix/smtpd[23043]: read from 7FE9DE41E2C0 [7FE9DE4BE4C3] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))

What did mlxmail4.icicibank.com try to do? Did it want to send spam emails to my email account?

rei

  • Who knows? All your log shows is that it connected to you. Post the rest of the log entries. – Michael Hampton Mar 16 '15 at 03:46
  • Repost [comment](http://serverfault.com/questions/672635/understanding-postfix-mail-log#comment823270_672635): "Have you accidentally increased the value of `smtpd_tls_loglevel`? Consider setting it to 0. Use this level if you want to debug something; don't turn it on in daily production." – masegaloeh Mar 16 '15 at 03:50
  • @MichaelHampton The rest of the log entries don't seem to be related to this one. I could see that other IPs tried to initialize connections (and failed), but mlxmail4.icicibank.com always repeated connections like the above. – rei Mar 16 '15 at 03:54
  • @masegaloeh The `smtpd_tls_loglevel` was set to 4 several weeks ago and I have set it to 1 now (thanks to your reminder) because I don't want to completely disable logging activity. – rei Mar 16 '15 at 03:58
  • @masegaloeh If you want to see the SMTP conversation of a TLS encrypted connection, [you pretty much need this](http://serverfault.com/a/419829/126632). As you can see it's extremely verbose, but sometimes nothing else will do. – Michael Hampton Mar 16 '15 at 04:07
  • @rei, that isn't **complete** log data. You need to post all lines until the maillog says the client `mlxmail4.icicibank.com` was *disconnected*. – masegaloeh Mar 16 '15 at 04:12
  • @masegaloeh After the lines above, I only saw statistics: max connection rate, max connection count, and cache size. No message mentioned that mlxmail4.icicibank.com was disconnected after that. – rei Mar 16 '15 at 04:25
  • What's the output of `grep 'postfix/smtpd[23043]' maillog`? – masegaloeh Mar 16 '15 at 04:28
  • @masegaloeh For 23043, that's exactly like the one I posted above. Nothing else after `read from 7FE9DE41E2C0 [7FE9DE4BE4C3] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))` – rei Mar 16 '15 at 04:33
  • Hmm, that's strange. If there is no activity, [postfix should time out](http://postfix.1071664.n5.nabble.com/timeout-after-ehlo-tp67041p67052.html) after [5 minutes of inactivity (by default)](http://www.postfix.org/postconf.5.html#smtpd_timeout). Try to view the logs between 06:01:12 and 06:06:12. – masegaloeh Mar 16 '15 at 04:56
  • @masegaloeh The last line of that log is at 06:04:33, i.e. `statistics: max cache size 1 at Mar 9 06:01:10` – rei Mar 16 '15 at 05:44
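The `0000 16 03 01 …` style lines in the question are the first bytes of each TLS record as OpenSSL hands them to Postfix at `smtpd_tls_loglevel` 4, and the 5-byte record headers can be read without the cipher text. The following Python is an added example, not part of the question or of Postfix: it decodes the record headers from the question's own dump lines (the sample lines are copied from the post; the payload-size calculation assumes the AES-GCM suite the log reports, whose records carry an 8-byte explicit nonce and a 16-byte tag).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: hexdump lines copied from the question (the first bytes of each
# TLS record as Postfix logs them at smtpd_tls_loglevel 4); other lines are omitted.
SAMPLE_DUMP = """\
Mar  9 06:01:11 postfix/smtpd[23043]: 0000 16 03 01 02 00 01 00 01|fc 03 03                 ........ ...
Mar  9 06:01:11 postfix/smtpd[23043]: 0128 - <SPACES/NULLS>
Mar  9 06:01:11 postfix/smtpd[23043]: SSL_accept:SSLv3 read client hello B
Mar  9 06:01:11 postfix/smtpd[23043]: 0000 14 03 03 00 01                                   .....
Mar  9 06:01:11 postfix/smtpd[23043]: 0000 01                                               .
Mar  9 06:01:11 postfix/smtpd[23043]: 0000 16 03 03 00 28                                   ....(
Mar  9 06:01:11 postfix/smtpd[23043]: 0030 d1 82 cb                                         ...
Mar  9 06:01:12 postfix/smtpd[23043]: 0000 17 03 03 00 35                                   ....5
"""

# TLS record layer: 1-byte content type, 2-byte version, 2-byte length (RFC 5246 6.2.1).
CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                 0x16: "handshake", 0x17: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   12: "server_key_exchange", 14: "server_hello_done",
                   16: "client_key_exchange", 20: "finished"}
GCM_OVERHEAD = 8 + 16  # explicit nonce + auth tag per AES-GCM record (RFC 5288)

@dataclass
class TlsRecord:
    content_type: str
    version: str
    length: int
    handshake_type: Optional[str] = None  # readable only before ChangeCipherSpec
    hello_version: Optional[str] = None   # client_version field inside a ClientHello

    def gcm_plaintext_len(self) -> Optional[int]:
        """Payload size for the AES-GCM suite the log shows: ciphertext is the same
        length as the plaintext, plus the fixed nonce and tag."""
        if self.content_type != "application_data":
            return None
        return self.length - GCM_OVERHEAD

def parse_dump_line(line: str) -> Optional[Tuple[int, bytes]]:
    """Return (offset, bytes) for an OpenSSL-style hexdump log line, else None.
    Bytes may be separated by a space, '|' or '-', and an ASCII gutter follows."""
    m = re.search(r"\]: ([0-9a-f]{4}) (.*)$", line)
    if not m:
        return None
    hex_part = re.split(r"\s{2,}", m.group(2).strip(), maxsplit=1)[0]
    tokens = re.split(r"[\s|-]+", hex_part)
    if not all(re.fullmatch(r"[0-9a-f]{2}", t) for t in tokens):
        return None  # e.g. the '- <SPACES/NULLS>' placeholder lines
    return int(m.group(1), 16), bytes(int(t, 16) for t in tokens)

def decode_record_header(data: bytes) -> Optional[TlsRecord]:
    """Decode the 5-byte record header and, when present, the first handshake bytes."""
    if len(data) < 5 or data[0] not in CONTENT_TYPES:
        return None
    rec = TlsRecord(CONTENT_TYPES[data[0]],
                    VERSIONS.get((data[1], data[2]), "unknown(%d.%d)" % (data[1], data[2])),
                    int.from_bytes(data[3:5], "big"))
    if rec.content_type == "handshake" and len(data) >= 6:
        rec.handshake_type = HANDSHAKE_TYPES.get(data[5])
        if rec.handshake_type == "client_hello" and len(data) >= 11:
            # bytes 6..8 are the handshake body length; bytes 9..10 are client_version
            rec.hello_version = VERSIONS.get((data[9], data[10]))
    return rec

def decode_records(log_text: str) -> List[TlsRecord]:
    """Walk the dump lines in order: only offset-0000 lines start a record, and once a
    ChangeCipherSpec has passed, handshake bodies are ciphertext and are not decoded."""
    records: List[TlsRecord] = []
    encrypted = False
    for line in log_text.splitlines():
        parsed = parse_dump_line(line)
        if parsed is None or parsed[0] != 0:
            continue  # continuation lines (non-zero offset) are not record headers
        rec = decode_record_header(parsed[1])
        if rec is None:
            continue  # e.g. the 1-byte ChangeCipherSpec body dumped on its own line
        if encrypted and rec.content_type == "handshake":
            rec.handshake_type = None
        if rec.content_type == "change_cipher_spec":
            encrypted = True
        records.append(rec)
    return records

if __name__ == "__main__":
    for r in decode_records(SAMPLE_DUMP):
        print(r, "plaintext bytes:", r.gcm_plaintext_len())
```

Run against the question's lines, the first record decodes as a 512-byte ClientHello (record version TLS 1.0 for compatibility, `client_version` TLS 1.2 inside), which is exactly the 11 + 506 = 517 bytes the two `read from` lines show once the 5-byte header is counted. The last record is 53 bytes of application data; subtracting the GCM nonce and tag leaves 29 bytes, matching the `Read 29 chars: EHLO mlxmail4.icicibank.com` line, so the debug dump and the plaintext log agree and nothing beyond a normal handshake and an EHLO was sent.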

1 Answer

Based on your maillog and the discussion in the comments above, it looks like the SMTP client mlxmail4.icicibank.com was misbehaving. It doesn't respond after Postfix's EHLO reply:

Mar  9 06:01:12 postfix/smtpd[23043]: Read 29 chars: EHLO mlxmail4.icicibank.com??
Mar  9 06:01:12 postfix/smtpd[23043]: Write 158 chars: 250-mail.xxx.com??250-PIPELINING??250

> Should I pay attention to this strange behaviour?

Unless another client has the same symptom, you have nothing to worry about. It isn't your Postfix's fault.

> What did mlxmail4.icicibank.com try to do? Did it want to send spam emails to my email account?

Dunno. It hung up when the SMTP session wasn't finished. But unlike your previous logs, there is no AUTH attempt from mlxmail4.icicibank.com. So it's too early to conclude that this client wants to send email to your server.

Spam activity can be detected by grepping the Postfix statistics from the anvil daemon. Spammers tend to do mass mailing in a short time.

masegaloeh