Unauthorized access postfix "lost connection after MAIL from unknown[127.0.0.1] "

Question

Someone or "something" is trying to access the server.

my postfix log showed:

mx2 postfix/smtpd[*****]: lost connection after MAIL from unknown[127.0.0.1]

My concern is why is it from the localhost? and I just can't figure it out with "after MAIL" means.

Yes, but what I've got is only "lost connection after EHLO, AUTH & CONNECT", this is the first time I saw a postfix log with after MAIL. — zapdos3, Apr 24 '20 at 05:54

score 2 · Accepted Answer · answered Apr 20 '20 at 14:41

My concern is why is it from the localhost?

That is impossible for us to say. Very possibly you have an automated process on your system that tried to send mail. Alternately, something like an FTP bounce attack could be used to make a local SMTP connection. But there's really no info here for us to help you track it down.

I just can't figure it out with "after MAIL" means.

This, at least, is simple. The SMTP protocol consists of a series of commands: HELO or EHLO, MAIL FROM, RCPT TO, DATA, QUIT. The log entry "after MAIL" means that the connection said HELO and then said MAIL FROM: <user@example.org>. The client then disconnected, so Postfix is telling you, literally, they disconnected after the MAIL command. No mail would have been sent due to the aborted connection.

Unauthorized access postfix "lost connection after MAIL from unknown[127.0.0.1] "

1 Answers1