
I'm running a mailserver based on postfix. There are a lot of connection failures like this:

Transcript of session follows.

Out: 220 hostname.tld ESMTP Postfix
In:  .
Out: 502 5.5.2 Error: command not recognized
In:
Out: 500 5.5.2 Error: bad syntax

Session aborted, reason: lost connection

These connections come from different IPs, but in most cases in a bulk of a few tens to hundreds of attempts per IP.

What causes these connections? If this were viruses, worms or botnets that are "knocking on the door", why so many multiple times per host? Or is sending a single dot some kind of functionality test and my server reacts in the wrong way? Again, multiple tries make no sense. And it's far away from any DoS scale.

Maybe some of you know what's going on there?

McJoey

2 Answers


The dot is used to terminate the message of an email in the SMTP protocol: An empty line (CR, LF), followed by single dot and again a newline with CR and LF. But this is clearly not the case here.

To find out if these SMTP clients are just botnets or legitimate senders, you can have a look at the PTR of their IPs; they are both logged. If the PTR is a generic one from a provider, something like 192-0-2-1.broadband.customers.example.com, then you can really ignore it and use fail2ban to block them.

The HELO should match the PTR, at least it's best practice. But if they are not similar, it's again probably a botnet.

In the other case, someone is maybe doing a scan on your server and probing for TLS protocols and ciphers.

To ban the clients after such requests, you can use fail2ban, which temporarily blocks an IP after too many bad requests.

filter.d/postfix-syntax.conf

[INCLUDES]
before = common.conf

[Definition]
failregex = reject: RCPT from (.*)\[<HOST>\]: 502 5.5.2
            reject: RCPT from (.*)\[<HOST>\]: 500 5.5.2
ignoreregex =

And add this to your jail.conf:

[postfix-syntax]
enabled  = true
port     = smtp,ssmtp,submission
filter   = postfix-syntax
logpath  = /var/log/mail.log
maxretry = 10
sebix
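To see what the filter and jail above actually do before deploying them, here is an added example (my own code, not the answer's and not part of fail2ban) that applies the same two failregex lines to a constructed mail log and reports which hosts would cross the jail's maxretry threshold. The <HOST> placeholder is substituted with a simplified IP pattern (fail2ban's real substitution is broader), and the log lines are constructed for this example, not taken from a real server.

```python
import re
from collections import Counter

# The two failregex lines from the answer, with <HOST> expanded. The host
# pattern is a simplification of what fail2ban substitutes (assumption).
HOST = r"(?P<host>[0-9a-fA-F.:]+)"
FAILREGEX = [
    r"reject: RCPT from (.*)\[" + HOST + r"\]: 502 5\.5\.2",
    r"reject: RCPT from (.*)\[" + HOST + r"\]: 500 5\.5\.2",
]
COMPILED = [re.compile(p) for p in FAILREGEX]

# Constructed sample log: one host hammering the server with bad commands,
# one legitimate-looking host that hits an unrelated 4xx reject once.
_PREFIX = "Jan 10 12:00:%02d mx postfix/smtpd[1234]: NOQUEUE: "
SAMPLE_LOG = "\n".join(
    [_PREFIX % i + "reject: RCPT from unknown[192.0.2.10]: "
     + ("502 5.5.2 Error: command not recognized" if i % 2
        else "500 5.5.2 Error: bad syntax")
     for i in range(12)]
    + [_PREFIX % 20 + "connect from mail.example.org[198.51.100.5]",
       _PREFIX % 21 + "reject: RCPT from mail.example.org[198.51.100.5]: "
       "450 4.1.8 Sender address rejected"]
)


def matching_hosts(log_text):
    """Map host -> number of log lines that match any failregex line."""
    hits = Counter()
    for line in log_text.splitlines():
        for rx in COMPILED:
            m = rx.search(line)
            if m:
                hits[m.group("host")] += 1
                break  # fail2ban counts a line once, even if several regexes match
    return hits


def hosts_to_ban(log_text, maxretry=10):
    """Hosts that reached the jail's maxretry and would be banned."""
    return sorted(h for h, n in matching_hosts(log_text).items() if n >= maxretry)


if __name__ == "__main__":
    print(dict(matching_hosts(SAMPLE_LOG)))
    print("would ban:", hosts_to_ban(SAMPLE_LOG))
```

Note that the 450 reject from the well-behaved host never matches, because the filter only keys on the 502 and 500 "5.5.2" responses; a legitimate sender that is greylisted or temporarily rejected is therefore not counted against maxretry.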

If you have exposed your mail server to the Internet, expect most of the connections to be from spambots and other illegitimate senders.

I would consider just matching rejects for any errors in fail2ban. Legitimate senders should rarely generate an error, and will retry later if they do get banned. I do some nasty things to suspected spammers, and it has been years since a legitimate sender has had problems other than delivery delays.

I use a few tests to check the legitimacy of senders:

  • The IP is not listed in zen.spamhaus.org. (Includes a broad selection of dynamic IPs.)
  • The IP has a DNS PTR that passes rDNS. Rarely does legitimate mail not have a PTR record, and rDNS for the IP address almost always passes.
  • The name in the HELO/EHLO command is a Fully Qualified Domain Name (FQDN) that passes rDNS. With the exception of one large corporation, this almost always passes. Usually this name is the same as used for the IP address.
  • The name from the PTR record and HELO command pass SPF HELO verification either directly or for their parent domain. Domains without SPF records also get a pass, but don't get credibility. This blocks spambots who identify themselves using the domain of a large organization.

I would like to use DKIM to validate, but a high percentage of senders don't properly publish their public key in DNS.

If you can't run these tests, while the connection is still open, do not bounce the message unless you can verify that the sender was not spoofed. (I do appreciate all the offers of money from the FBI, UN, banks, etc., but they still haven't delivered.)

BillThor
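The first three tests in the list above (DNSBL listing, forward-confirmed rDNS, and an FQDN HELO that resolves back to the connecting IP) are easy to express as code. The following is an added example of my own, not code from the answer or from any MTA; it runs offline against constructed PTR, A and DNSBL records, so the DNSBL return value and every hostname are stand-ins and not real zone data. The SPF HELO check from the list is not implemented here.

```python
import ipaddress

# Constructed stand-in DNS data (not real zones). A real implementation
# would query a resolver; the lookup functions below are the only thing
# that needs swapping.
FAKE_PTR = {
    "198.51.100.5": "mail.example.org",
    "192.0.2.10": "192-0-2-10.broadband.customers.example.com",
}
FAKE_A = {
    "mail.example.org": {"198.51.100.5"},
    "192-0-2-10.broadband.customers.example.com": {"192.0.2.10"},
    "mail.bigcorp.example": {"203.0.113.7"},
}
# DNSBL zone keyed the way zen.spamhaus.org expects: reversed IPv4 octets.
# The 127.0.0.x answer is a constructed placeholder, not a real listing code.
FAKE_DNSBL = {"10.2.0.192.zen.spamhaus.org": "127.0.0.2"}


def ptr_lookup(ip):
    return FAKE_PTR.get(ip)


def a_lookup(name):
    return FAKE_A.get(name.rstrip(".").lower(), set())


def dnsbl_lookup(qname):
    return FAKE_DNSBL.get(qname)


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Build the query name for an IPv4 DNSBL lookup (octets reversed)."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_fqdn(name):
    """A hostname with at least one label separator and not an address literal."""
    n = name.strip().rstrip(".")
    if not n or n.startswith("[") or "." not in n:
        return False
    try:
        ipaddress.ip_address(n)
        return False  # bare IP literal is not an FQDN
    except ValueError:
        return True


def assess_client(ip, helo):
    """Run the legitimacy checks on one SMTP client and return each verdict."""
    ptr = ptr_lookup(ip)
    fcrdns = ptr is not None and ip in a_lookup(ptr)  # forward-confirmed rDNS
    helo_fqdn = is_fqdn(helo)
    return {
        "dnsbl_listed": dnsbl_lookup(dnsbl_query_name(ip)) is not None,
        "ptr_present": ptr is not None,
        "fcrdns": fcrdns,
        "helo_fqdn": helo_fqdn,
        "helo_resolves_to_ip": helo_fqdn and ip in a_lookup(helo),
        "helo_matches_ptr": ptr is not None
        and helo.rstrip(".").lower() == ptr.lower(),
    }


def looks_legitimate(ip, helo):
    """Combine the verdicts the way the answer describes: fail any and reject."""
    r = assess_client(ip, helo)
    return (not r["dnsbl_listed"] and r["fcrdns"]
            and r["helo_fqdn"] and r["helo_resolves_to_ip"])


if __name__ == "__main__":
    for ip, helo in [("198.51.100.5", "mail.example.org"),
                     ("192.0.2.10", "mail.bigcorp.example"),
                     ("203.0.113.7", "[203.0.113.7]")]:
        print(ip, helo, assess_client(ip, helo), looks_legitimate(ip, helo))
```

The second client in the usage block is the case the list's last item targets: a generic-looking PTR that does pass forward confirmation, but a HELO borrowing a large organisation's hostname that does not resolve back to the connecting IP.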