# Unknown Postfix SMTP submission entries in mail.log



## RJiH (9 Aug 2015)

Hello,
while reading through the log files I found the following entries in mail.log:
```
Aug  9 13:24:07 myserver postfix/smtpd[10627]: warning: hostname foo does not resolve to address bar: Name or service not known
Aug  9 13:24:07 myserver postfix/smtpd[10627]: connect from unknown[bar]
Aug  9 13:24:07 myserver postfix/smtpd[10627]: Anonymous TLS connection established from unknown[bar]: TLSv1.1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
Aug  9 13:24:07 myserver postfix/smtpd[10627]: lost connection after CONNECT from unknown[bar]
Aug  9 13:24:07 myserver postfix/smtpd[10627]: disconnect from unknown[bar]
Aug  9 13:25:17 myserver dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=bar, lip=lip, TLS, session=<oFqoH98cCwBrljRU>
Aug  9 13:27:27 myserver postfix/anvil[10623]: statistics: max connection rate 1/60s for (smtp:bar) at Aug  9 13:21:39
Aug  9 13:27:27 myserver postfix/anvil[10623]: statistics: max connection count 1 for (smtp:bar) at Aug  9 13:21:39
Aug  9 13:27:27 myserver postfix/anvil[10623]: statistics: max cache size 1 at Aug  9 13:21:39
Aug  9 13:31:10 myserver postfix/smtpd[10631]: name_mask: ipv4
Aug  9 13:31:10 myserver postfix/smtpd[10631]: inet_addr_local: configured 2 IPv4 addresses
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: process generation: 216 (216)
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: match_string: mynetworks ~? debug_peer_list
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: match_string: mynetworks ~? fast_flush_domains
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: match_string: mynetworks ~? mynetworks
```
This is followed by a complete dump of the configuration (including the MySQL database password and user). Further down, the unknown server also connects to the submission port:
```
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: warning: hostname foo does not resolve to address bar: Name or service not known
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: connect from unknown[bar]
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: match_list_match: unknown: no match
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: match_list_match: bar: no match
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: match_list_match: unknown: no match
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: match_list_match: bar: no match
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: smtp_stream_setup: maxtime=300 enable_deadline=0
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: match_hostname: unknown ~? 127.0.0.0/8
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: match_hostaddr: bar ~? 127.0.0.0/8
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: match_hostname: unknown ~? [::ffff:127.0.0.0]/104
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: match_hostaddr: bar ~? [::ffff:127.0.0.0]/104
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: match_hostname: unknown ~? [::1]/128
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: match_hostaddr: bar ~? [::1]/128
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: match_list_match: unknown: no match
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: match_list_match: bar: no match
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: auto_clnt_open: connected to private/anvil
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: send attr request = connect
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: send attr ident = submission:bar
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: private/anvil: wanted attribute: status
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute name: status
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute value: 0
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: private/anvil: wanted attribute: count
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute name: count
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute value: 1
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: private/anvil: wanted attribute: rate
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute name: rate
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute value: 1
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: private/anvil: wanted attribute: (list terminator)
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute name: (end)
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: > unknown[bar]: 220 myserver.localdomain ESMTP Postfix
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: < unknown[bar]: STARTTLS
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: > unknown[bar]: 220 2.0.0 Ready to start TLS
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: send attr request = seed
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: send attr size = 32
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: private/tlsmgr: wanted attribute: status
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute name: status
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute value: 0
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: private/tlsmgr: wanted attribute: seed
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute name: seed
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute value: seedvalue
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: private/tlsmgr: wanted attribute: (list terminator)
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute name: (end)
```
Unfortunately I don't know enough about SMTP submission and wanted to ask you, just to be safe, whether anything security-relevant happened here. I'm also wondering why Postfix prints the complete configuration there?
Incidentally, the unknown server identifies itself as an internet scanner à la ZMap.

Thanks a lot for your help!
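A small triage script for log excerpts like the one above (added example, not from the thread or from Postfix; the sample lines are constructed from the excerpt, with `bar` standing in for the scanner's address): it counts per client what actually happened (connect, TLS handshake, drop right after CONNECT, AUTH attempts) and flags the lines that only appear when smtpd runs with `-v`.

```python
import re
from collections import Counter, defaultdict
# Constructed sample mirroring the excerpt in the post ('bar' stands for the scanner's IP).
SAMPLE_LOG = """\
Aug  9 13:24:07 myserver postfix/smtpd[10627]: warning: hostname foo does not resolve to address bar: Name or service not known
Aug  9 13:24:07 myserver postfix/smtpd[10627]: connect from unknown[bar]
Aug  9 13:24:07 myserver postfix/smtpd[10627]: Anonymous TLS connection established from unknown[bar]: TLSv1.1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
Aug  9 13:24:07 myserver postfix/smtpd[10627]: lost connection after CONNECT from unknown[bar]
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: match_string: mynetworks ~? debug_peer_list
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: connect from unknown[bar]
Aug  9 13:31:10 myserver postfix/submission/smtpd[10631]: < unknown[bar]: STARTTLS
"""
# syslog line: "Mon DD HH:MM:SS host postfix/<service>[pid]: message"
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ postfix/[\w/-]+\[\d+\]: (?P<msg>.*)$")
PEER = re.compile(r"\S+\[(?P<addr>[^\]]+)\]")        # e.g. unknown[203.0.113.5]
UNRESOLVED = re.compile(r"does not resolve to address (?P<addr>\S+):")
# Message prefixes smtpd only logs with -v: table matching, IPC attributes, raw SMTP dialogue
DEBUG_PREFIXES = ("match_", "input attribute", "send attr", "private/", "< ", "> ",
                  "smtp_stream_setup", "auto_clnt_open", "name_mask", "process generation")
EVENTS = (("connect", r"^connect from"), ("tls", r"TLS connection established"),
          ("dropped_after_connect", r"^lost connection after CONNECT"),
          ("auth_failed", r"authentication failed"), ("auth_ok", r"sasl_method="))

def triage(log_text):
    """Return ({client addr: Counter of session events}, number of debug-only lines)."""
    peers, debug_lines = defaultdict(Counter), 0
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:                                  # dovecot etc.: not a postfix line
            continue
        msg = m.group("msg")
        if msg.startswith(DEBUG_PREFIXES):
            debug_lines += 1
        u = UNRESOLVED.search(msg)                 # "hostname X does not resolve to address Y"
        pm = u or PEER.search(msg)
        if not pm:
            continue
        c = peers[pm.group("addr")]
        c["unresolved"] += bool(u)
        for key, pat in EVENTS:
            c[key] += bool(re.search(pat, msg))
    return dict(peers), debug_lines

def findings(peers, debug_lines):
    """Probe-only clients (connect, maybe TLS, never AUTH) and leftover -v logging."""
    out = [f"{a}: {c['connect']} connect(s), {c['tls']} TLS handshake(s), no AUTH attempt: a probe, no login"
           for a, c in sorted(peers.items()) if c["connect"] and not (c["auth_ok"] or c["auth_failed"])]
    if debug_lines:
        out.append(f"{debug_lines} debug-only line(s): smtpd runs with -v, drop it from master.cf")
    return out
```

Run it over a real mail.log (`triage(open("/var/log/mail.log").read())`) and the same two questions are answered: did any client get past AUTH, and is verbose logging still on.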


----------



## Till (10 Aug 2015)

Basically, submission does the same as port 25; it is usually just restricted to TLS only + SMTP auth. That there is so much in the log is possibly due to a debug setting that is only active for the submission port. Post your Postfix master.cf.


----------



## RJiH (10 Aug 2015)

Here is the content of master.cf:
```
smtp  inet  n  -  -  -  -  smtpd
pickup  unix  n  -  -  60  1  pickup
  -o content_filter=
  -o receive_override_options=no_header_body_checks
cleanup  unix  n  -  -  -  0  cleanup
qmgr  unix  n  -  n  300  1  qmgr
tlsmgr  unix  -  -  -  1000?  1  tlsmgr
rewrite  unix  -  -  -  -  -  trivial-rewrite
bounce  unix  -  -  -  -  0  bounce
defer  unix  -  -  -  -  0  bounce
trace  unix  -  -  -  -  0  bounce
verify  unix  -  -  -  -  1  verify
flush  unix  n  -  -  1000?  0  flush
proxymap  unix  -  -  n  -  -  proxymap
proxywrite unix -  -  n  -  1  proxymap
smtp  unix  -  -  -  -  -  smtp
relay  unix  -  -  -  -  -  smtp
showq  unix  n  -  -  -  -  showq
error  unix  -  -  -  -  -  error
retry  unix  -  -  -  -  -  error
discard  unix  -  -  -  -  -  discard
local  unix  -  n  n  -  -  local
virtual  unix  -  n  n  -  -  virtual
lmtp  unix  -  -  -  -  -  lmtp
anvil  unix  -  -  -  -  1  anvil
scache  unix  -  -  -  -  1  scache
maildrop  unix  -  n  n  -  -  pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp  unix  -  n  n  -  -  pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail  unix  -  n  n  -  -  pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp  unix  -  n  n  -  -  pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -  n  n  -  2  pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman  unix  -  n  n  -  -  pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
amavis  unix  -  -  -  -  2  smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20
127.0.0.1:10025 inet  n  -  -  -  -  smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

submission inet n  -  -  -  -  smtpd -v
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps  inet  n  -  -  -  -  smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sasl_security_options=noanonymous,noplaintext
  -o smtpd_sasl_tls_security_options=noanonymous
```
I'm now setting the log level of the submission port back to normal, thanks for the tip! I hope the master.cf is configured correctly too.
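An audit script for a master.cf like the one posted (added example, not part of the thread or of Postfix; `MASTER_CF` is a constructed excerpt of the posted file and `EXPECTED` is an assumed baseline, not a Postfix default): it parses the entries together with their indented `-o` continuation lines, flags any network listener started with `-v`, and checks that submission and smtps keep their TLS and SASL overrides.

```python
# Constructed excerpt of the poster's master.cf (the real file has many more services).
MASTER_CF = """\
smtp  inet  n  -  -  -  -  smtpd
submission inet n  -  -  -  -  smtpd -v
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps  inet  n  -  -  -  -  smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
"""
# Assumed baseline: submission enforces TLS first, SASL on, authenticated clients only.
EXPECTED = {"submission": {"smtpd_tls_security_level": "encrypt", "smtpd_sasl_auth_enable": "yes",
                           "smtpd_client_restrictions": "permit_sasl_authenticated,reject"},
            "smtps": {"smtpd_tls_wrappermode": "yes", "smtpd_sasl_auth_enable": "yes"}}

def parse_master_cf(text):
    """Entries have 8 fields (service type private unpriv chroot wakeup maxproc command) plus
    args; indented lines continue the entry and '-o key=value' ones become overrides."""
    services = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and services:          # continuation of the previous entry
            parts = line.split(None, 1)
            if parts[0] == "-o" and len(parts) == 2 and "=" in parts[1]:
                key, value = parts[1].split("=", 1)
                services[-1]["overrides"][key] = value
            else:                                   # e.g. pipe(8) flags=... argv=...
                services[-1]["extra"].append(line.strip())
            continue
        fields = line.split()
        if len(fields) < 8:
            raise ValueError(f"malformed master.cf line: {line!r}")
        services.append({"name": fields[0], "type": fields[1], "command": fields[7],
                         "args": fields[8:], "overrides": {}, "extra": []})
    return services

def audit(services):
    """Findings: verbose debugging on a network listener, and missing hardening overrides."""
    out = []
    for s in services:
        if s["type"] == "inet" and "-v" in s["args"]:
            out.append(f"{s['name']}: '{s['command']} -v' logs every session in full, including "
                       "the configuration with database credentials; remove -v")
        for key, want in EXPECTED.get(s["name"], {}).items():
            if s["overrides"].get(key) != want:
                out.append(f"{s['name']}: expected -o {key}={want}, got {s['overrides'].get(key)!r}")
    return out
```

On the posted file, `audit(parse_master_cf(open("/etc/postfix/master.cf").read()))` reports only the `-v` on the submission line; once that is removed the list is empty.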


----------

