Hello,
while reading through the log files I found the following entries in mail.log:
---
Aug 9 13:24:07 myserver postfix/smtpd[10627]: warning: hostname foo does not resolve to address bar: Name or service not known
Aug 9 13:24:07 myserver postfix/smtpd[10627]: connect from unknown[bar]
Aug 9 13:24:07 myserver postfix/smtpd[10627]: Anonymous TLS connection established from unknown[bar]: TLSv1.1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
Aug 9 13:24:07 myserver postfix/smtpd[10627]: lost connection after CONNECT from unknown[bar]
Aug 9 13:24:07 myserver postfix/smtpd[10627]: disconnect from unknown[bar]
Aug 9 13:25:17 myserver dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=bar, lip=lip, TLS, session=<oFqoH98cCwBrljRU>
Aug 9 13:27:27 myserver postfix/anvil[10623]: statistics: max connection rate 1/60s for (smtp:bar) at Aug 9 13:21:39
Aug 9 13:27:27 myserver postfix/anvil[10623]: statistics: max connection count 1 for (smtp:bar) at Aug 9 13:21:39
Aug 9 13:27:27 myserver postfix/anvil[10623]: statistics: max cache size 1 at Aug 9 13:21:39
Aug 9 13:31:10 myserver postfix/smtpd[10631]: name_mask: ipv4
Aug 9 13:31:10 myserver postfix/smtpd[10631]: inet_addr_local: configured 2 IPv4 addresses
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: process generation: 216 (216)
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_string: mynetworks ~? debug_peer_list
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_string: mynetworks ~? fast_flush_domains
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_string: mynetworks ~? mynetworks
---
This is followed by a complete dump of the configuration (including the MySQL database password and user). Further down, the unknown server also connects to the submission port:
---
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: warning: hostname foo does not resolve to address bar: Name or service not known
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: connect from unknown[bar]
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_list_match: unknown: no match
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_list_match: bar: no match
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_list_match: unknown: no match
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_list_match: bar: no match
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: smtp_stream_setup: maxtime=300 enable_deadline=0
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_hostname: unknown ~? 127.0.0.0/8
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_hostaddr: bar ~? 127.0.0.0/8
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_hostname: unknown ~? [::ffff:127.0.0.0]/104
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_hostaddr: bar ~? [::ffff:127.0.0.0]/104
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_hostname: unknown ~? [::1]/128
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_hostaddr: bar ~? [::1]/128
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_list_match: unknown: no match
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_list_match: bar: no match
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: auto_clnt_open: connected to private/anvil
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: send attr request = connect
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: send attr ident = submission:bar
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: private/anvil: wanted attribute: status
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute name: status
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute value: 0
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: private/anvil: wanted attribute: count
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute name: count
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute value: 1
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: private/anvil: wanted attribute: rate
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute name: rate
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute value: 1
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: private/anvil: wanted attribute: (list terminator)
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute name: (end)
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: > unknown[bar]: 220 myserver.localdomain ESMTP Postfix
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: < unknown[bar]: STARTTLS
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: > unknown[bar]: 220 2.0.0 Ready to start TLS
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: send attr request = seed
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: send attr size = 32
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: private/tlsmgr: wanted attribute: status
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute name: status
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute value: 0
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: private/tlsmgr: wanted attribute: seed
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute name: seed
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute value: seedvalue
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: private/tlsmgr: wanted attribute: (list terminator)
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: input attribute name: (end)
---
Unfortunately I don't know enough about SMTP submission and wanted to ask you, to be on the safe side, whether anything security-relevant happened here. I also wonder why Postfix prints the complete configuration there?
Incidentally, the unknown server identifies itself as an internet scanner à la ZMap.
Many thanks for your help!
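A triage script, added here as an example after the post (not the poster's code), that runs over constructed lines modelled on the quoted ones: it keeps the client-side scanner indicators (unresolvable hostname, TLS below 1.2, connection dropped right after CONNECT, no AUTH or MAIL) apart from the internal tracing lines such as `match_string:` and `input attribute ...`, which smtpd only writes when it is started verbosely (`-v` on the smtpd line in master.cf) and which is also what makes it log its complete configuration, lookup-table passwords included. The address 192.0.2.10 and the marker list are assumptions of the example.

```python
import re
from collections import defaultdict
# Constructed sample lines modelled on the post; 192.0.2.10 is a documentation address.
SAMPLE_LOG = """\
Aug 9 13:24:07 myserver postfix/smtpd[10627]: warning: hostname foo does not resolve to address 192.0.2.10: Name or service not known
Aug 9 13:24:07 myserver postfix/smtpd[10627]: connect from unknown[192.0.2.10]
Aug 9 13:24:07 myserver postfix/smtpd[10627]: Anonymous TLS connection established from unknown[192.0.2.10]: TLSv1.1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
Aug 9 13:24:07 myserver postfix/smtpd[10627]: lost connection after CONNECT from unknown[192.0.2.10]
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: match_string: mynetworks ~? debug_peer_list
Aug 9 13:31:10 myserver postfix/submission/smtpd[10631]: < unknown[192.0.2.10]: STARTTLS
"""
LINE_RE = re.compile(r"postfix/(?P<svc>[\w/]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CLIENT_RE = re.compile(r"\[(?P<ip>[\w.:]+)\]")  # first bracketed address in the message
# Internal tracing smtpd only writes when started verbosely (-v); in that mode it
# also logs the complete configuration, passwords in lookup-table URLs included.
DEBUG_MARKERS = ("match_string:", "match_list_match:", "match_hostname:", "match_hostaddr:",
                 "input attribute", "send attr ", "name_mask:", "inet_addr_local:")

def triage(log_text):
    """Split verbose-mode tracing (by PID) from per-client scanner indicators."""
    verbose_pids = set()
    clients = defaultdict(lambda: {"unresolved": False, "legacy_tls": [],
                                   "lost_after_connect": False, "commands": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith(DEBUG_MARKERS):
            verbose_pids.add(m.group("pid"))
            continue
        c = CLIENT_RE.search(msg)
        ip = c.group("ip") if c else None
        if "does not resolve to address " in msg:  # reverse DNS failed for the client
            ip = msg.split("does not resolve to address ")[1].split(": ")[0]
            clients[ip]["unresolved"] = True
        elif ip is None:
            continue
        elif msg.startswith("Anonymous TLS connection established"):
            ver = msg.split(": ")[1].split()[0]  # e.g. "TLSv1.1"
            if ver in ("TLSv1", "TLSv1.1"):  # anything below TLS 1.2
                clients[ip]["legacy_tls"].append(ver)
        elif "lost connection after CONNECT" in msg:
            clients[ip]["lost_after_connect"] = True
        elif msg.startswith("< "):  # a command the client sent
            clients[ip]["commands"].append(msg.split(": ", 1)[1].split()[0])
    return {"verbose_pids": verbose_pids, "clients": dict(clients)}

def looks_like_probe(client):
    """Scanner pattern: dropped right after CONNECT and never tried AUTH or MAIL."""
    return client["lost_after_connect"] and not {"AUTH", "MAIL"} & set(client["commands"])
```

Any PID in `verbose_pids` points at a master.cf entry that should lose its `-v` once the debugging is done, and the log file that received the dump should be treated as containing the credentials it shows.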