Home / server / Questions / 335983
Accepted
84104
Asked: 2011-11-30 13:08:16 +0800 CST

Postfix connection lost after AUTH

  • 772

Looking at the logs on my mailservers, I have noticed messages like the following:

Nov 29 12:09:38 mta postfix/smtpd[8362]: connect from unknown[183.13.165.14]
Nov 29 12:09:39 mta postfix/smtpd[8362]: lost connection after AUTH from unknown[183.13.165.14]
Nov 29 12:09:39 mta postfix/smtpd[8362]: disconnect from unknown[183.13.165.14]
Nov 29 12:09:39 mta postfix/smtpd[8409]: connect from unknown[183.13.165.14]
Nov 29 12:09:40 mta postfix/smtpd[8409]: lost connection after AUTH from unknown[183.13.165.14]
Nov 29 12:09:40 mta postfix/smtpd[8409]: disconnect from unknown[183.13.165.14]

There are no SASL failures in these cases. There are SASL failures are logged at other times, but never with lost connection after AUTH.

What is happening here, and should I do any about it?
These are not MXs, and already have smtpd_client_connection_rate_limit set.

Possibly related:
The systems require either SMTPS or STARTTLS before AUTH is announced.

postfix

4 Answers

  1. My log files were getting filled up, and it's a waste of cpu to even allow a connection from these jerks. I created a fail2ban rule.

    Jul 11 02:35:08 mail postfix/smtpd[16299]: lost connection after AUTH from unknown[196.12.178.73]

    Contents of /etc/fail2ban/jail.conf

    [postfix]
# Ban for 10 minutes if it fails 6 times within 10 minutes
enabled  = true
port     = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log
maxretry = 6
bantime  = 600
findtime = 600

    Contents of /etc/fail2ban/filter.d/postfix.conf

    # Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision$
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#

# Jul 11 02:35:08 mail postfix/smtpd[16299]: lost connection after AUTH from unknown[196.12.178.73]

failregex = lost connection after AUTH from unknown\[<HOST>\]

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
    • 22
  2. Best Answer

    This is a botnet from China connecting to your box trying to deliver Spam. But the bot is too stupid to know what to do when being told to authenticate itself. The bot just stops delivering mail and then disconnects for attacking the next victim.

    Absolutely nothing to worry about.

    • 8

  3. In smtpd_recipient_restrictions just set reject_unknown_client_hostname like this:

    smtpd_recipient_restrictions = reject_unknown_client_hostname

    and this will result in rejecting clients and stray or dumb zombie bots with unknown host names. You logs will look like this when set:

    postfix/smtpd[11111]: NOQUEUE: reject: RCPT from unknown[183.13.165.14]: 450 4.7.1 Client host rejected: cannot find your hostname, [183.13.165.14]
    • 4

  4. I'm not sure if there's much to be worried about, basically a client/'someone' is connecting, issuing AUTH and disconnecting on their own accord. It could be an attempt to probe server capabilities from a mail client - or an attempt to case the daemon.

    As long as you have sufficient security in place it's just another knock on the door from the world.

    • 2