Every minute incoming, rejected connections to SMTP

0

0

I have a feeling my server is being lazily DDoS'ed, though I have never experienced it before, so I may be wrong.

Every minute, my journal logs the following 3 entries:

Nov 05 21:10:47 <host> postfix/smtpd[11220]: connect from webmail.onvoy.com[199.199.18.10]
Nov 05 21:10:47 <host> postfix/smtpd[11220]: NOQUEUE: reject: RCPT from webmail.onvoy.com[199.199.18.10]: 454 4.7.1 <tg@<DOMAIN>>: Relay access denied; from=<> to=<tg@<DOMAIN>> proto=ESMTP helo=<webmail.onvoy.com>
Nov 05 21:10:47 <host> postfix/smtpd[11220]: disconnect from webmail.onvoy.com[199.199.18.10]

Where <host> and <DOMAIN> are hidden. <DOMAIN>, though, is a domain registered with my NS that resolves to my box.

How do I get rid of the messages and the related connections?

joltmode

Posted 2013-11-05T21:23:46.710

Reputation: 609

Answers

2

Logs like this are part and parcel of running a public mail-server.

To deal with them, you can either just ignore them, or use an application like fail2ban to add the offending IP(s) to the mailserver's local firewall, so the connections don't even reach the MTA.

One other option is to configure Postfix to check RBLs, SPF, etc., and use client/sender/helo/etc. restrictions to limit the clients you allow. In reality, "Relay access denied" should rarely happen if you have your server configured properly.

Addendum: The IP in question is listed in the SORBS blacklist.

Craig Watson

Posted 2013-11-05T21:23:46.710

Reputation: 1 150
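As an added example (not part of the answer above, and not fail2ban's own code), the following script applies the counting rule fail2ban uses on exactly these journal lines: a client that produces `maxretry` rejects within `findtime` seconds gets banned. It parses postfix/smtpd `NOQUEUE: reject` entries, tells temporary (4xx) from permanent (5xx) rejects, and reports which clients crossed the threshold. The log is constructed: the first three lines are the question's own entries with the hidden host and domain replaced by the placeholders `mx1` and `example.org`, the remaining lines are invented, and the year 2013 is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample journal. Lines 1-3 are the question's entries with
# placeholders for the hidden host and domain; the rest are invented to show
# the same client coming back once a minute, plus a second client rejected
# by a DNSBL lookup (a 5xx, permanent reject).
SAMPLE_LOG = """\
Nov 05 21:10:47 mx1 postfix/smtpd[11220]: connect from webmail.onvoy.com[199.199.18.10]
Nov 05 21:10:47 mx1 postfix/smtpd[11220]: NOQUEUE: reject: RCPT from webmail.onvoy.com[199.199.18.10]: 454 4.7.1 <tg@example.org>: Relay access denied; from=<> to=<tg@example.org> proto=ESMTP helo=<webmail.onvoy.com>
Nov 05 21:10:47 mx1 postfix/smtpd[11220]: disconnect from webmail.onvoy.com[199.199.18.10]
Nov 05 21:11:47 mx1 postfix/smtpd[11231]: NOQUEUE: reject: RCPT from webmail.onvoy.com[199.199.18.10]: 454 4.7.1 <tg@example.org>: Relay access denied; from=<> to=<tg@example.org> proto=ESMTP helo=<webmail.onvoy.com>
Nov 05 21:12:10 mx1 postfix/smtpd[11235]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 Service unavailable; Client host [203.0.113.7] blocked using zen.spamhaus.org; from=<spam@example.net> to=<tg@example.org> proto=ESMTP helo=<mail.example.net>
Nov 05 21:12:47 mx1 postfix/smtpd[11240]: NOQUEUE: reject: RCPT from webmail.onvoy.com[199.199.18.10]: 454 4.7.1 <tg@example.org>: Relay access denied; from=<> to=<tg@example.org> proto=ESMTP helo=<webmail.onvoy.com>
Nov 05 21:13:47 mx1 postfix/smtpd[11252]: NOQUEUE: reject: RCPT from webmail.onvoy.com[199.199.18.10]: 454 4.7.1 <tg@example.org>: Relay access denied; from=<> to=<tg@example.org> proto=ESMTP helo=<webmail.onvoy.com>
Nov 05 21:14:47 mx1 postfix/smtpd[11260]: NOQUEUE: reject: RCPT from webmail.onvoy.com[199.199.18.10]: 454 4.7.1 <tg@example.org>: Relay access denied; from=<> to=<tg@example.org> proto=ESMTP helo=<webmail.onvoy.com>
Nov 05 21:15:47 mx1 postfix/smtpd[11271]: NOQUEUE: reject: RCPT from webmail.onvoy.com[199.199.18.10]: 454 4.7.1 <tg@example.org>: Relay access denied; from=<> to=<tg@example.org> proto=ESMTP helo=<webmail.onvoy.com>
Nov 05 21:40:02 mx1 postfix/smtpd[11399]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 Service unavailable; Client host [203.0.113.7] blocked using zen.spamhaus.org; from=<spam@example.net> to=<tg@example.org> proto=ESMTP helo=<mail.example.net>
"""

# One postfix/smtpd NOQUEUE reject line: syslog timestamp, client hostname
# and address, SMTP reply code and enhanced status code.
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"(?P<host>\S+)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) (?P<enh>\d\.\d+\.\d+) "
)

LOG_YEAR = 2013  # syslog timestamps carry no year; assumed from the post date


def parse_rejects(log_text):
    """Extract reject events from journal text; connect/disconnect and other
    lines are skipped. Events come back sorted by time."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        events.append({
            "time": ts,
            "host": m.group("host"),
            "ip": m.group("ip"),
            "code": m.group("code"),
            "enhanced": m.group("enh"),
            # 4xx: the sender is expected to retry later; 5xx: it should give up
            "temporary": m.group("code").startswith("4"),
        })
    events.sort(key=lambda e: e["time"])
    return events


def rejects_by_client(events):
    """Total rejects per client IP, regardless of time."""
    counts = defaultdict(int)
    for e in events:
        counts[e["ip"]] += 1
    return dict(counts)


def offenders(events, maxretry=5, findtime=600):
    """IPs with at least `maxretry` rejects inside any sliding window of
    `findtime` seconds (fail2ban's threshold rule), in the order they crossed
    the threshold. The defaults mirror fail2ban's stock maxretry/findtime."""
    recent = defaultdict(deque)
    banned = []
    for e in events:
        window = recent[e["ip"]]
        window.append(e["time"])
        while window and (e["time"] - window[0]).total_seconds() > findtime:
            window.popleft()  # forget rejects older than the window
        if len(window) >= maxretry and e["ip"] not in banned:
            banned.append(e["ip"])
    return banned


if __name__ == "__main__":
    evs = parse_rejects(SAMPLE_LOG)
    for ip, n in sorted(rejects_by_client(evs).items()):
        kinds = {"4xx": 0, "5xx": 0}
        for e in evs:
            if e["ip"] == ip:
                kinds["4xx" if e["temporary"] else "5xx"] += 1
        print(f"{ip}: {n} rejects {kinds}")
    for ip in offenders(evs):
        # shape of the firewall rule a ban action would install (not executed here)
        print(f"would ban: iptables -I INPUT -s {ip} -p tcp --dport 25 -j DROP")
```

With the stock thresholds the once-a-minute client in the question is banned on its fifth reject; with a 120-second window it never is, which is the knob to turn if a single slow retrier is all you see. The 5xx reject from the second client shows the Postfix-side filtering the answer mentions (for example `reject_rbl_client zen.spamhaus.org` under `smtpd_recipient_restrictions`) producing a permanent answer that a well-behaved sender will not retry.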

2

One connection per minute does not sound at all like a DoS (much less a DDoS if it is coming from a single server).

On the other hand, it is almost entirely like a legitimate mail delivery attempt – the mail server at webmail.onvoy.com is trying to deliver a message (which may or may not be spam) to the address tg@<DOMAIN>.

4xx error codes are "transient negative", so the sending server is allowed to try again after a while – although normal mail servers typically start using longer intervals after a failure, and stop trying completely after a few days. So just wait a while and it should disappear.

"Relay access denied" just means that you haven't configured Postfix to handle mail for <DOMAIN>, therefore it thinks that it is being asked to forward the message to whoever is the domain's mail server. (To prevent spam, it never forwards by default.)

user1686

Posted 2013-11-05T21:23:46.710

Reputation: 283 655

0

It looks to me like you have Postfix installed but not configured to be authoritative for your domain. The sending server is attempting to send an email (probably spam) to an email address in your domain. Postfix, not being authoritative for the domain, sees that as an attempt to relay through it and drops the connection.

If you want Postfix to be authoritative for your domain then configure it as such. Then let whatever spam filtering capability it has (DNSRBL, etc.) deal with incoming spam.

If you don't want to run an email server for your domain on this server then remove Postfix and block incoming traffic to port 25 on your firewall/router.

joeqwerty

Posted 2013-11-05T21:23:46.710

Reputation: 5 259
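Both of the last two answers come down to the same check: is the recipient's domain listed in one of the Postfix domain classes (`mydestination`, `virtual_alias_domains`, `virtual_mailbox_domains`, `relay_domains`)? If not, smtpd treats the RCPT as a relay request and answers "Relay access denied". As an added example (not part of either answer and not Postfix's own code), the script below reads a `main.cf`, expands `$parameter` references the way Postfix does, and reports which class, if any, claims a recipient domain. The configuration fragments are constructed: the "before" state shows the usual fresh-install trap (`myhostname` set to `mail.example.org`, the bare domain `example.org` never listed), the "after" state adds `$mydomain` to `mydestination`, and a third variant hosts the domain as a virtual mailbox domain. Assumptions: `example.org` stands in for the hidden domain; `gethostname()` is replaced by a fixed placeholder; `hash:` and other lookup tables are reported but not read; subdomain matching (`parent_domain_matches_subdomains`) is not modelled.

```python
import re

# Parameters that define which recipient domains this host accepts mail for.
# A recipient domain in none of them is a relay request to smtpd.
DOMAIN_CLASSES = (
    "mydestination",            # local delivery
    "virtual_alias_domains",    # hosted domains forwarded elsewhere
    "virtual_mailbox_domains",  # hosted domains with their own mailboxes
    "relay_domains",            # domains this host forwards to another MTA
)

# Built-in default for mydestination (postconf(5)); the other three classes
# default to table names or empty, which this offline check treats as empty.
MYDESTINATION_DEFAULT = "$myhostname, localhost.$mydomain, localhost"

VAR_RE = re.compile(r"\$\{?([A-Za-z0-9_]+)\}?")


def parse_main_cf(text):
    """Parse 'name = value' lines, '#' comment lines in column 1, and
    continuation lines that start with whitespace. Values stay unexpanded."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def lookup(name, params):
    """Raw value of a parameter, with the derived defaults Postfix computes at
    startup: mydomain from myhostname, myhostname from gethostname() (a fixed
    placeholder here, since this runs offline)."""
    if name in params:
        return params[name]
    if name == "myhostname":
        return "localhost.localdomain"  # assumption standing in for gethostname()
    if name == "mydomain":
        host = expand(lookup("myhostname", params), params)
        return host.split(".", 1)[1] if "." in host else host
    if name == "mydestination":
        return MYDESTINATION_DEFAULT
    return ""


def expand(value, params, depth=0):
    """Expand $name and ${name} recursively (${name?value} is not modelled)."""
    if depth > 10:
        raise ValueError("parameter reference loop")
    return VAR_RE.sub(lambda m: expand(lookup(m.group(1), params), params, depth + 1), value)


def domain_list(param, params):
    """Expanded value of a domain class split into literal domains and
    lookup tables (type:name), which cannot be consulted offline."""
    domains, tables = [], []
    for item in re.split(r"[,\s]+", expand(lookup(param, params), params).strip()):
        if not item:
            continue
        if ":" in item:
            tables.append(item)
        else:
            domains.append(item.lower().rstrip("."))
    return domains, tables


def recipient_domain(address):
    return address.strip("<>").rpartition("@")[2].lower().rstrip(".")


def domain_class(domain, params):
    """(parameter, domain) for the first class listing the domain exactly, else None."""
    d = domain.lower().rstrip(".")
    for param in DOMAIN_CLASSES:
        if d in domain_list(param, params)[0]:
            return param, d
    return None


def diagnose(recipient, main_cf_text):
    """What smtpd will answer to RCPT TO:<recipient> from an outside client."""
    params = parse_main_cf(main_cf_text)
    d = recipient_domain(recipient)
    hit = domain_class(d, params)
    if hit:
        return f"accept: {d} is listed in {hit[0]}"
    tables = [t for p in DOMAIN_CLASSES for t in domain_list(p, params)[1]]
    note = f" (lookup tables not checked offline: {', '.join(tables)})" if tables else ""
    return f"Relay access denied: {d} is in none of {', '.join(DOMAIN_CLASSES)}{note}"


# Constructed main.cf fragments, not a real server's configuration.
BEFORE_CF = """\
# fresh install: hostname set, bare domain never listed
myhostname = mail.example.org
mydomain = example.org
mydestination = $myhostname, localhost.$mydomain,
    localhost
mynetworks = 127.0.0.0/8
"""
# Smallest change that makes the host authoritative for example.org.
AFTER_CF = BEFORE_CF.replace(
    "mydestination = $myhostname, localhost.$mydomain,",
    "mydestination = $myhostname, $mydomain, localhost.$mydomain,",
)
# Hosting the domain as virtual mailboxes instead, next to an unreadable table.
VIRTUAL_CF = """\
myhostname = mail.example.org
virtual_mailbox_domains = example.org hash:/etc/postfix/vdomains
"""

if __name__ == "__main__":
    for label, cf in (("before", BEFORE_CF), ("after", AFTER_CF), ("virtual", VIRTUAL_CF)):
        print(f"{label}: {diagnose('<tg@example.org>', cf)}")
```

On a live box the same question is answered by `postconf mydestination virtual_alias_domains virtual_mailbox_domains relay_domains` and `postconf -n` for the non-default values; the expansion above is what lets you see that `localhost.$mydomain` does not make `example.org` itself a local domain.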