Postfix connection lost after AUTH

Solution 1:

This is a botnet from China connecting to your box trying to deliver spam. But the bot is too stupid to know what to do when being told to authenticate itself. The bot just stops delivering mail and then disconnects to attack the next victim.

Absolutely nothing to worry about.

Solution 2:

My log files were getting filled up, and it's a waste of CPU to even allow a connection from these jerks. I created a fail2ban rule.

Jul 11 02:35:08 mail postfix/smtpd[16299]: lost connection after AUTH from unknown[196.12.178.73]

Contents of /etc/fail2ban/jail.conf

[postfix]
# Ban for 10 minutes if it fails 6 times within 10 minutes
enabled  = true
port     = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log
maxretry = 6
bantime  = 600
findtime = 600

Contents of /etc/fail2ban/filter.d/postfix.conf

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision$
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#

# Jul 11 02:35:08 mail postfix/smtpd[16299]: lost connection after AUTH from unknown[196.12.178.73]

failregex = lost connection after AUTH from unknown\[<HOST>\]

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = 
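To check that the failregex above actually matches the log line it was written for, and to see what the jail's maxretry/findtime pair does with a run of such lines, here is an added Python model of the matching and counting (not fail2ban's own code). It expands the `<HOST>` alias exactly as the filter's comment describes, parses syslog timestamps, and applies the same 6-in-600-seconds rule as the jail. The log lines are constructed for the example; the first one is the line quoted in the answer, the others are invented with documentation addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Expansion of fail2ban's <HOST> alias, copied from the filter's own comment.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The failregex from filter.d/postfix.conf above, with <HOST> expanded.
FAILREGEX = re.compile(r"lost connection after AUTH from unknown\[" + HOST + r"\]")

# Jail parameters from jail.conf above.
MAXRETRY = 6
FINDTIME = 600   # seconds
BANTIME = 600    # seconds (informational here; this model only decides *when* a ban starts)

# Constructed sample log (syslog format). Six hits from one host within 310 s,
# one hit each from two other hosts, and one unrelated "connect from" line.
SAMPLE_LOG = """\
Jul 11 02:35:08 mail postfix/smtpd[16299]: lost connection after AUTH from unknown[196.12.178.73]
Jul 11 02:36:10 mail postfix/smtpd[16302]: lost connection after AUTH from unknown[196.12.178.73]
Jul 11 02:37:12 mail postfix/smtpd[16305]: lost connection after AUTH from unknown[196.12.178.73]
Jul 11 02:38:14 mail postfix/smtpd[16309]: lost connection after AUTH from unknown[196.12.178.73]
Jul 11 02:39:16 mail postfix/smtpd[16311]: lost connection after AUTH from unknown[196.12.178.73]
Jul 11 02:40:18 mail postfix/smtpd[16314]: lost connection after AUTH from unknown[196.12.178.73]
Jul 11 02:41:20 mail postfix/smtpd[16315]: lost connection after AUTH from unknown[198.51.100.7]
Jul 11 02:41:25 mail postfix/smtpd[16316]: connect from unknown[198.51.100.7]
Jul 11 02:41:30 mail postfix/smtpd[16317]: lost connection after AUTH from unknown[192.0.2.9]
"""

# Syslog timestamp: "Mon DD HH:MM:SS" (day may be space-padded).
SYSLOG_TS = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")


def parse_line(line, year=2000):
    """Return (timestamp, host) for a line the failregex matches, else None.
    Syslog lines carry no year, so one is supplied (constructed default)."""
    m_ts = SYSLOG_TS.match(line)
    m_fail = FAILREGEX.search(line)
    if not m_ts or not m_fail:
        return None
    ts = datetime.strptime(f"{year} {m_ts.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m_fail.group("host")


def find_bans(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Sliding-window model of the jail: a host is banned at the moment it
    reaches maxretry matches within any findtime-second window.
    Returns {host: timestamp_of_ban}."""
    window = defaultdict(list)
    bans = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                     # not a failure line, or unparsable
        ts, host = parsed
        if host in bans:
            continue                     # already banned; fail2ban would drop the packet
        cutoff = ts - timedelta(seconds=findtime)
        hits = [t for t in window[host] if t >= cutoff] + [ts]
        window[host] = hits
        if len(hits) >= maxretry:
            bans[host] = ts
    return bans


if __name__ == "__main__":
    for host, when in find_bans(SAMPLE_LOG.splitlines()).items():
        print(f"ban {host} at {when:%b %d %H:%M:%S} for {BANTIME}s")
```

Against the real log, fail2ban ships its own tester for the same question: `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf` reports how many lines the filter's failregex matched and which hosts it extracted, which is the quickest way to confirm the regex before enabling the jail.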

Solution 3:

In smtpd_recipient_restrictions just set reject_unknown_client_hostname like this:

smtpd_recipient_restrictions = reject_unknown_client_hostname

and this will result in rejecting clients and stray or dumb zombie bots with unknown host names. Your logs will look like this when set:

postfix/smtpd[11111]: NOQUEUE: reject: RCPT from unknown[183.13.165.14]: 450 4.7.1 Client host rejected: cannot find your hostname, [183.13.165.14]
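What "unknown" means in that log line is that Postfix's reverse/forward DNS check on the client failed. The following added Python model (not Postfix's code) spells out the three ways `reject_unknown_client_hostname` fails a client: the IP has no PTR record, the PTR name has no address record, or the address records do not include the connecting IP. The PTR and A tables are constructed for the example and stand in for real DNS; the reply text is the one quoted in the answer, with the default `450` reply code.

```python
# Constructed DNS data (not real records). The lookup helpers below consult
# only these tables, so the example runs offline.
PTR = {
    "203.0.113.5": "mx1.example.net",    # PTR and A agree: verified client
    "203.0.113.6": "ghost.example.net",  # PTR exists, but the name has no A record
    "203.0.113.7": "mail.example.org",   # PTR exists, but A points to another IP
    # 183.13.165.14 (the IP in the log line above) has no PTR at all
}
A = {
    "mx1.example.net": ["203.0.113.5"],
    "mail.example.org": ["198.51.100.20"],
}


def lookup_ptr(ip):
    """Reverse lookup against the constructed table; None when no PTR exists."""
    return PTR.get(ip)


def lookup_a(name):
    """Forward lookup against the constructed table; [] when no A record exists."""
    return A.get(name, [])


def client_hostname(ip, ptr=lookup_ptr, a=lookup_a):
    """Return the verified client name, or "unknown" (the name Postfix logs when
    the reverse/forward check fails).  Failure cases, in order:
    1. no PTR record for the IP,
    2. the PTR name resolves to no address,
    3. the PTR name resolves, but not to this IP."""
    name = ptr(ip)
    if name is None:
        return "unknown"                     # case 1
    if ip not in a(name):
        return "unknown"                     # cases 2 and 3
    return name


def reject_unknown_client_hostname(ip, reject_code=450):
    """Model of the restriction: None means the restriction does not fire;
    otherwise the reply text Postfix would log, in the form quoted above."""
    if client_hostname(ip) == "unknown":
        return f"{reject_code} 4.7.1 Client host rejected: cannot find your hostname, [{ip}]"
    return None


if __name__ == "__main__":
    for ip in ("203.0.113.5", "203.0.113.6", "203.0.113.7", "183.13.165.14"):
        verdict = reject_unknown_client_hostname(ip)
        print(f"{ip:15} -> {client_hostname(ip):20} {verdict or 'accepted'}")
```

Two points a practitioner would want alongside the answer: the default reply code is 450, a temporary failure, so a legitimate sender with broken DNS keeps retrying rather than bouncing; and Postfix also offers `reject_unknown_reverse_client_hostname`, which fires only on case 1 (no PTR at all) and therefore rejects fewer misconfigured but legitimate hosts.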

Solution 4:

I'm not sure if there's much to be worried about; basically a client/'someone' is connecting, issuing AUTH and disconnecting of their own accord. It could be an attempt to probe server capabilities from a mail client - or an attempt to case the daemon.

As long as you have sufficient security in place it's just another knock on the door from the world.