Postfix logs show dubious connections

I get regular connections from an IP that appears on the OpenBL list and would like to understand what it does.

If it were failing at the authentication stage, I would see authentication errors (and it would be banned by fail2ban).

If it managed to send messages, I would see log lines about messages being delivered.

Before doing anything, I'd like to understand what is going on.

Here is a log in double-verbose mode (-v -v):

Jun 19 16:27:21 localhost postfix/smtpd[12172]: name_mask: all
Jun 19 16:27:21 localhost postfix/smtpd[12172]: inet_addr_local: configured 2 IPv4 addresses
Jun 19 16:27:21 localhost postfix/smtpd[12172]: inet_addr_local: configured 3 IPv6 addresses
Jun 19 16:27:21 localhost postfix/smtpd[12172]: process generation: 730 (730)
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_string: mynetworks ~? debug_peer_list
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_string: mynetworks ~? fast_flush_domains
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_string: mynetworks ~? mynetworks
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_string: relay_domains ~? debug_peer_list
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_string: relay_domains ~? fast_flush_domains
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_string: relay_domains ~? mynetworks
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_string: relay_domains ~? permit_mx_backup_networks
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_string: relay_domains ~? qmqpd_authorized_clients
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_string: relay_domains ~? smtpd_access_maps
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_list_match: relay_domains: no match
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_string: permit_mx_backup_networks ~? debug_peer_list
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_string: permit_mx_backup_networks ~? fast_flush_domains
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_string: permit_mx_backup_networks ~? mynetworks
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_string: permit_mx_backup_networks ~? permit_mx_backup_networks
Jun 19 16:27:21 localhost postfix/smtpd[12172]: connect to subsystem private/proxymap
Jun 19 16:27:21 localhost postfix/smtpd[12172]: send attr request = open
Jun 19 16:27:21 localhost postfix/smtpd[12172]: send attr table = unix:passwd.byname
Jun 19 16:27:21 localhost postfix/smtpd[12172]: send attr flags = 0
Jun 19 16:27:21 localhost postfix/smtpd[12172]: private/proxymap socket: wanted attribute: status
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute name: status
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute value: 0
Jun 19 16:27:21 localhost postfix/smtpd[12172]: private/proxymap socket: wanted attribute: flags
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute name: flags
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute value: 16
Jun 19 16:27:21 localhost postfix/smtpd[12172]: private/proxymap socket: wanted attribute: (list terminator)
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute name: (end)
Jun 19 16:27:21 localhost postfix/smtpd[12172]: dict_proxy_open: connect to map=unix:passwd.byname status=0 server_flags=fixed
Jun 19 16:27:21 localhost postfix/smtpd[12172]: dict_open: proxy:unix:passwd.byname
Jun 19 16:27:21 localhost postfix/smtpd[12172]: Compiled against Berkeley DB: 5.1.29?
Jun 19 16:27:21 localhost postfix/smtpd[12172]: Run-time linked against Berkeley DB: 5.1.29?
Jun 19 16:27:21 localhost postfix/smtpd[12172]: dict_open: hash:/etc/aliases
Jun 19 16:27:21 localhost postfix/smtpd[12172]: Compiled against Berkeley DB: 5.1.29?
Jun 19 16:27:21 localhost postfix/smtpd[12172]: Run-time linked against Berkeley DB: 5.1.29?
Jun 19 16:27:21 localhost postfix/smtpd[12172]: dict_open: hash:/var/lib/mailman/data/aliases
Jun 19 16:27:21 localhost postfix/smtpd[12172]: send attr request = open
Jun 19 16:27:21 localhost postfix/smtpd[12172]: send attr table = pgsql:/etc/postfix/virtual-alias-maps.cf
Jun 19 16:27:21 localhost postfix/smtpd[12172]: send attr flags = 0
Jun 19 16:27:21 localhost postfix/smtpd[12172]: private/proxymap socket: wanted attribute: status 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute name: status 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute value: 0 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: private/proxymap socket: wanted attribute: flags 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute name: flags 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute value: 16 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: private/proxymap socket: wanted attribute: (list terminator) 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute name: (end) 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: dict_proxy_open: connect to map=pgsql:/etc/postfix/virtual-alias-maps.cf status=0 server_flags=fixed 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: dict_open: proxy:pgsql:/etc/postfix/virtual-alias-maps.cf 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: Compiled against Berkeley DB: 5.1.29? 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: Run-time linked against Berkeley DB: 5.1.29? 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: dict_open: hash:/var/lib/mailman/data/virtual-mailman 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: send attr request = open 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: send attr table = pgsql:/etc/postfix/virtual-mailbox-maps.cf 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: send attr flags = 0 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: private/proxymap socket: wanted attribute: status 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute name: status 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute value: 0 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: private/proxymap socket: wanted attribute: flags 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute name: flags 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute value: 16 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: private/proxymap socket: wanted attribute: (list terminator) 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute name: (end) 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: dict_proxy_open: connect to map=pgsql:/etc/postfix/virtual-mailbox-maps.cf status=0 server_flags=fixed 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: dict_open: proxy:pgsql:/etc/postfix/virtual-mailbox-maps.cf 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_string: smtpd_access_maps ~? debug_peer_list 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_string: smtpd_access_maps ~? fast_flush_domains 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_string: smtpd_access_maps ~? mynetworks 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_string: smtpd_access_maps ~? permit_mx_backup_networks 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_string: smtpd_access_maps ~? qmqpd_authorized_clients 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_string: smtpd_access_maps ~? smtpd_access_maps 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: unknown_helo_hostname_tempfail_action = defer_if_permit 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: unknown_address_tempfail_action = defer_if_permit 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: unverified_recipient_tempfail_action = defer_if_permit 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: unverified_sender_tempfail_action = defer_if_permit 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: name_mask: 0 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: auto_clnt_create: transport=local endpoint=private/tlsmgr 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: auto_clnt_open: connected to private/tlsmgr 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: send attr request = seed 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: send attr size = 32 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: private/tlsmgr: wanted attribute: status 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute name: status 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute value: 0 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: private/tlsmgr: wanted attribute: seed 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute name: seed 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute value: BkwSErqQCehWb7QFIVoqNQDFcWGDIzh7N7jY0LHfZxM= 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: private/tlsmgr: wanted attribute: (list terminator) 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute name: (end) 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: send attr request = policy 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: send attr cache_type = smtpd 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: private/tlsmgr: wanted attribute: status 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute name: status 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute value: 0 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: private/tlsmgr: wanted attribute: cachable 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute name: cachable 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute value: 1 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: private/tlsmgr: wanted attribute: (list terminator) 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute name: (end) 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_string: fast_flush_domains ~? debug_peer_list 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_string: fast_flush_domains ~? fast_flush_domains 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: auto_clnt_create: transport=local endpoint=private/anvil 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: connection established 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: master_notify: status 0 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: name_mask: resource 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: name_mask: software
Jun 19 16:27:21 localhost postfix/smtpd[12172]: connect from s72-38-252-2.static.datacom.cgocable.net[72.38.252.2] 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_list_match: s72-38-252-2.static.datacom.cgocable.net: no match 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_list_match: 72.38.252.2: no match 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_list_match: s72-38-252-2.static.datacom.cgocable.net: no match 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_list_match: 72.38.252.2: no match 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: smtp_stream_setup: maxtime=300 enable_deadline=0 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_hostname: s72-38-252-2.static.datacom.cgocable.net ~? 127.0.0.0/8 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_hostaddr: 72.38.252.2 ~? 127.0.0.0/8 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_list_match: s72-38-252-2.static.datacom.cgocable.net: no match 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_list_match: 72.38.252.2: no match 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: auto_clnt_open: connected to private/anvil 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: send attr request = connect 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: send attr ident = smtp:72.38.252.2 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: private/anvil: wanted attribute: status 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute name: status 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute value: 0 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: private/anvil: wanted attribute: count 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute name: count 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute value: 1 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: private/anvil: wanted attribute: rate 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute name: rate 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute value: 1 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: private/anvil: wanted attribute: (list terminator) 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute name: (end) 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: > s72-38-252-2.static.datacom.cgocable.net[72.38.252.2]: 220 domain.tld ESMTP Postfix (Debian/GNU) 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: xsasl_dovecot_server_create: SASL service=smtp, realm=(null) 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: name_mask: noanonymous 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: xsasl_dovecot_server_connect: Connecting 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: xsasl_dovecot_server_connect: auth reply: VERSION?1?1 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: xsasl_dovecot_server_connect: auth reply: MECH?PLAIN?plaintext 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: name_mask: plaintext 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: xsasl_dovecot_server_connect: auth reply: SPID?11468 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: xsasl_dovecot_server_connect: auth reply: CUID?91 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: xsasl_dovecot_server_connect: auth reply: COOKIE?9df14148adb89ae414e824bc836238da 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: xsasl_dovecot_server_connect: auth reply: DONE 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: xsasl_dovecot_server_mech_filter: keep mechanism: PLAIN 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: < s72-38-252-2.static.datacom.cgocable.net[72.38.252.2]: EHLO User 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_list_match: s72-38-252-2.static.datacom.cgocable.net: no match 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_list_match: 72.38.252.2: no match 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: > s72-38-252-2.static.datacom.cgocable.net[72.38.252.2]: 250-domain.tld 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: > s72-38-252-2.static.datacom.cgocable.net[72.38.252.2]: 250-PIPELINING 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: > s72-38-252-2.static.datacom.cgocable.net[72.38.252.2]: 250-SIZE 10240000 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: > s72-38-252-2.static.datacom.cgocable.net[72.38.252.2]: 250-ETRN 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: > s72-38-252-2.static.datacom.cgocable.net[72.38.252.2]: 250-STARTTLS 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: > s72-38-252-2.static.datacom.cgocable.net[72.38.252.2]: 250-AUTH PLAIN 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: > s72-38-252-2.static.datacom.cgocable.net[72.38.252.2]: 250-ENHANCEDSTATUSCODES 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: > s72-38-252-2.static.datacom.cgocable.net[72.38.252.2]: 250-8BITMIME 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: > s72-38-252-2.static.datacom.cgocable.net[72.38.252.2]: 250 DSN 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: < s72-38-252-2.static.datacom.cgocable.net[72.38.252.2]: QUIT 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: > s72-38-252-2.static.datacom.cgocable.net[72.38.252.2]: 221 2.0.0 Bye 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_hostname: s72-38-252-2.static.datacom.cgocable.net ~? 127.0.0.0/8 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_hostaddr: 72.38.252.2 ~? 127.0.0.0/8 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_list_match: s72-38-252-2.static.datacom.cgocable.net: no match 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: match_list_match: 72.38.252.2: no match 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: send attr request = disconnect 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: send attr ident = smtp:72.38.252.2 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: private/anvil: wanted attribute: status 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute name: status 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute value: 0 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: private/anvil: wanted attribute: (list terminator) 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: input attribute name: (end) 
Jun 19 16:27:21 localhost postfix/smtpd[12172]: disconnect from s72-38-252-2.static.datacom.cgocable.net[72.38.252.2]
Jun 19 16:27:21 localhost postfix/smtpd[12172]: master_notify: status 1
Jun 19 16:27:21 localhost postfix/smtpd[12172]: connection closed
Jun 19 16:27:26 localhost postfix/smtpd[12172]: proxymap stream disconnect
Jun 19 16:27:26 localhost postfix/smtpd[12172]: auto_clnt_close: disconnect private/tlsmgr stream

Thanks for any hints.

    
by Jérôme 24.06.2015 / 10:02

1 answer

The remote SMTP client doesn't even try to authenticate and makes no attempt to send a message. Your log file shows that it simply QUITs after receiving a response to its EHLO User command:

< s72-38-252-2.static.datacom.cgocable.net[72.38.252.2]: EHLO User
...
< s72-38-252-2.static.datacom.cgocable.net[72.38.252.2]: QUIT

I suspect the remote client is checking for something specific in the response to its EHLO command (which should carry a fully qualified domain name rather than User). Different SMTP servers respond differently to such commands; for example, your Postfix smtpd indicates that it supports STARTTLS and AUTH PLAIN.

The EHLO command itself is the Extended SMTP extension of the original SMTP HELO command; ESMTP servers respond to it with success (code 250 followed by a list of server features), failure (code 550) or error (code 500, 501, 502, 504 or 421), depending on their configuration.

The remote host may be checking for a specific response that indicates the potential for an exploit that could be used. If it doesn't receive that indication, it simply gives up.

In my experience there is wide variation in how "brutal" break-in attempts are; some are more subtle than others (presumably to avoid drawing unwanted attention to themselves).

Rejecting invalid HELO commands

If you accept connections from many different SMTP clients, it might be better not to reject an invalid EHLO command that lacks an FQDN. I have come across some SMTP clients (in printers/scanners, old Windows software with built-in e-mail functionality, etc.) that did not send complete, properly formatted domain names with the HELO/EHLO command. The default Postfix configuration shipped with Red Hat Enterprise Linux 5 does not restrict HELO usage or even require it.

If you know that all legitimate clients will send a valid HELO, it could help reduce the processing used to handle tried this myself).

    
by 24.06.2015 / 10:40
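The answer's reading of the log (an EHLO with a bare name like User, followed immediately by QUIT, with no AUTH and no MAIL FROM) can be checked mechanically over a whole log file rather than by eye. The script below is an added example, not code from the question, the answer or the Postfix project: it pulls the client-side lines (the ones smtpd logs with a leading <) out of verbose postfix/smtpd output, groups them per smtpd process, and reports for each session whether the client tried AUTH, tried MAIL FROM, or only greeted and left, together with whether its HELO name would pass the FQDN-or-address-literal test that the "Rejecting invalid HELO commands" section refers to. The two sample sessions are constructed: the first mirrors the session in the question, the second is a made-up normal delivery from mail.example.org. Grouping by the smtpd[pid] suffix relies on each smtpd process handling one client connection at a time, which is how Postfix smtpd works.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample log: only the session-relevant lines of two verbose
# postfix/smtpd sessions, in the same format as the log in the question.
SAMPLE_LOG = """\
Jun 19 16:27:21 localhost postfix/smtpd[12172]: connect from s72-38-252-2.static.datacom.cgocable.net[72.38.252.2]
Jun 19 16:27:21 localhost postfix/smtpd[12172]: > s72-38-252-2.static.datacom.cgocable.net[72.38.252.2]: 220 domain.tld ESMTP Postfix (Debian/GNU)
Jun 19 16:27:21 localhost postfix/smtpd[12172]: < s72-38-252-2.static.datacom.cgocable.net[72.38.252.2]: EHLO User
Jun 19 16:27:21 localhost postfix/smtpd[12172]: > s72-38-252-2.static.datacom.cgocable.net[72.38.252.2]: 250-domain.tld
Jun 19 16:27:21 localhost postfix/smtpd[12172]: > s72-38-252-2.static.datacom.cgocable.net[72.38.252.2]: 250-AUTH PLAIN
Jun 19 16:27:21 localhost postfix/smtpd[12172]: > s72-38-252-2.static.datacom.cgocable.net[72.38.252.2]: 250 DSN
Jun 19 16:27:21 localhost postfix/smtpd[12172]: < s72-38-252-2.static.datacom.cgocable.net[72.38.252.2]: QUIT
Jun 19 16:27:21 localhost postfix/smtpd[12172]: > s72-38-252-2.static.datacom.cgocable.net[72.38.252.2]: 221 2.0.0 Bye
Jun 19 16:27:21 localhost postfix/smtpd[12172]: disconnect from s72-38-252-2.static.datacom.cgocable.net[72.38.252.2]
Jun 19 16:30:02 localhost postfix/smtpd[12180]: connect from mail.example.org[192.0.2.10]
Jun 19 16:30:02 localhost postfix/smtpd[12180]: < mail.example.org[192.0.2.10]: EHLO mail.example.org
Jun 19 16:30:02 localhost postfix/smtpd[12180]: < mail.example.org[192.0.2.10]: MAIL FROM:<alice@example.org>
Jun 19 16:30:02 localhost postfix/smtpd[12180]: < mail.example.org[192.0.2.10]: RCPT TO:<bob@domain.tld>
Jun 19 16:30:02 localhost postfix/smtpd[12180]: < mail.example.org[192.0.2.10]: DATA
Jun 19 16:30:03 localhost postfix/smtpd[12180]: < mail.example.org[192.0.2.10]: QUIT
Jun 19 16:30:03 localhost postfix/smtpd[12180]: disconnect from mail.example.org[192.0.2.10]
"""

SMTPD_RE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"^connect from (?P<host>\S+)\[(?P<ip>[^\]]+)\]")
CLIENT_RE = re.compile(r"^< \S+\[[^\]]+\]: (?P<cmd>.*)$")  # lines the client sent
# A fully qualified hostname: at least two dot-separated labels of the LDH form.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$",
    re.IGNORECASE,
)
# An address literal such as [192.0.2.10] or [IPv6:2001:db8::1], which RFC 5321 also allows.
LITERAL_RE = re.compile(r"^\[(?:\d{1,3}(?:\.\d{1,3}){3}|IPv6:[0-9a-f:.]+)\]$", re.IGNORECASE)


@dataclass
class Session:
    pid: str
    host: str
    ip: str
    helo: Optional[str] = None          # argument of the first HELO/EHLO, if any
    commands: List[str] = field(default_factory=list)  # verbs the client sent, in order


def helo_is_fqdn_or_literal(name: str) -> bool:
    """True if the HELO/EHLO argument is a FQDN or an address literal."""
    return bool(FQDN_RE.match(name) or LITERAL_RE.match(name))


def parse_sessions(text: str) -> List[Session]:
    """Group client-side smtpd lines into sessions, keyed by the smtpd process id."""
    open_sessions: Dict[str, Session] = {}
    finished: List[Session] = []
    for line in text.splitlines():
        m = SMTPD_RE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg").rstrip()
        c = CONNECT_RE.match(msg)
        if c:
            open_sessions[pid] = Session(pid, c.group("host"), c.group("ip"))
            continue
        s = open_sessions.get(pid)
        if s is None:
            continue  # startup noise before any connect line
        k = CLIENT_RE.match(msg)
        if k:
            parts = k.group("cmd").split(maxsplit=1)
            verb = parts[0].upper() if parts else ""
            s.commands.append(verb)
            if verb in ("EHLO", "HELO") and s.helo is None:
                s.helo = parts[1] if len(parts) > 1 else ""
        elif msg.startswith("disconnect from"):
            finished.append(open_sessions.pop(pid))
    finished.extend(open_sessions.values())  # sessions still open at end of log
    return finished


def classify(s: Session) -> str:
    """Coarse verdict: did the client authenticate, send mail, or just greet and leave?"""
    if "AUTH" in s.commands:
        return "auth-attempt"
    if "MAIL" in s.commands:
        return "delivery-attempt"
    if s.helo is None:
        return "no-helo"
    return "helo-only-probe"


def report(text: str) -> List[dict]:
    """One summary record per session, suitable for feeding into alerting or a spreadsheet."""
    return [
        {
            "ip": s.ip,
            "helo": s.helo,
            "helo_fqdn": helo_is_fqdn_or_literal(s.helo) if s.helo is not None else False,
            "verdict": classify(s),
        }
        for s in parse_sessions(text)
    ]


if __name__ == "__main__":
    for rec in report(SAMPLE_LOG):
        print(rec)
```

Run against a real mail.log it will also surface sessions that disconnect before sending any HELO at all (verdict no-helo), which is the other common scanner pattern; for the question's session it reports helo "User", helo_fqdn False and verdict helo-only-probe, which is exactly what the answer concluded by reading the log.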
