Postfix connection lost after AUTH

postfix

Solution 1:

This is a botnet from China connecting to your box trying to deliver Spam. But the bot is too stupid to know what to do when being told to authenticate itself. The bot just stops delivering mail and then disconnects for attacking the next victim.

Absolutely nothing to worry about.

Solution 2:

My log files were getting filled up, and it's a waste of cpu to even allow a connection from these jerks. I created a fail2ban rule.

Jul 11 02:35:08 mail postfix/smtpd[16299]: lost connection after AUTH from unknown[196.12.178.73]

Contents of /etc/fail2ban/jail.conf

[postfix]
# Ban for 10 minutes if it fails 6 times within 10 minutes
enabled  = true
port     = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log
maxretry = 6
bantime  = 600
findtime = 600

Contents of /etc/fail2ban/filter.d/postfix.conf

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision$
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#

# Jul 11 02:35:08 mail postfix/smtpd[16299]: lost connection after AUTH from unknown[196.12.178.73]

failregex = lost connection after AUTH from unknown\[<HOST>\]

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Solution 3:

In smtpd_recipient_restrictions just set reject_unknown_client_hostname like this:

smtpd_recipient_restrictions = reject_unknown_client_hostname

and this will result in rejecting clients and stray or dumb zombie bots with unknown host names. You logs will look like this when set:

postfix/smtpd[11111]: NOQUEUE: reject: RCPT from unknown[183.13.165.14]: 450 4.7.1 Client host rejected: cannot find your hostname, [183.13.165.14]

Solution 4:

I'm not sure if there's much to be worried about, basically a client/'someone' is connecting, issuing AUTH and disconnecting on their own accord. It could be an attempt to probe server capabilities from a mail client - or an attempt to case the daemon.

As long as you have sufficient security in place it's just another knock on the door from the world.

Related

Is there danger to virtualizing a router?
What is a ToD server, "Time of Day" (Not NTP)
How to securely join two networks together over the Internet?
How to convince management to deploy to Virtual Machines
phpMyAdmin: The additional features for working with linked tables have been deactivated
How to completely remove MySQL from Windows?
How to scroll back in screen within a ssh session from OS X? [closed]
How can I split my personal network (with WIFI) from my office network?
How do I use ufw to open ports on ipv4 only?
Save file after forgetting to open as root / sudo vi [duplicate]
How to dispose of old rack-mount servers?
Is it possible to filter top to show specific processes?