So many errors in postfix

SYSTEM INFORMATION
OS type and version rhel9
Webmin version 2.011
Virtualmin version 7.5
Related packages SUGGESTED

Postfix mail

Jan 21 14:08:14 projectok postfix/smtpd[44442]: connect from unknown[103.174.126.2]
Jan 21 14:08:17 projectok postfix/smtpd[38815]: connect from unknown[46.148.40.136]
Jan 21 14:08:21 projectok postfix/smtpd[44732]: connect from unknown[46.148.40.149]
Jan 21 14:08:23 projectok postfix/smtpd[38815]: warning: unknown[46.148.40.136]: SASL LOGIN authentication failed: authentication failure
Jan 21 14:08:23 projectok postfix/smtpd[38815]: lost connection after AUTH from unknown[46.148.40.136]
Jan 21 14:08:23 projectok postfix/smtpd[38815]: disconnect from unknown[46.148.40.136] ehlo=1 auth=0/1 rset=1 commands=2/3
Jan 21 14:08:26 projectok postfix/smtpd[40400]: connect from unknown[137.59.195.242]
Jan 21 14:08:26 projectok postfix/smtpd[40400]: SSL_accept error from unknown[137.59.195.242]: -1
Jan 21 14:08:26 projectok postfix/smtpd[40400]: warning: TLS library problem: error:0A000102:SSL routines::unsupported protocol:ssl/statem/statem_srvr.c:1657:
Jan 21 14:08:26 projectok postfix/smtpd[40400]: lost connection after CONNECT from unknown[137.59.195.242]
Jan 21 14:08:26 projectok postfix/smtpd[40400]: disconnect from unknown[137.59.195.242] commands=0/0
Jan 21 14:08:26 projectok postfix/smtpd[40400]: connect from unknown[137.59.195.242]
Jan 21 14:08:27 projectok postfix/smtpd[40400]: SSL_accept error from unknown[137.59.195.242]: -1
Jan 21 14:08:27 projectok postfix/smtpd[40400]: warning: TLS library problem: error:0A000102:SSL routines::unsupported protocol:ssl/statem/statem_srvr.c:1657:
Jan 21 14:08:27 projectok postfix/smtpd[40400]: lost connection after CONNECT from unknown[137.59.195.242]
Jan 21 14:08:27 projectok postfix/smtpd[40400]: disconnect from unknown[137.59.195.242] commands=0/0
Jan 21 14:08:27 projectok postfix/smtpd[38815]: warning: hostname fiber-190-55.online.com.kh does not resolve to address 124.248.190.55: Name or service not known
Jan 21 14:08:27 projectok postfix/smtpd[38815]: connect from unknown[124.248.190.55]
Jan 21 14:08:34 projectok postfix/smtpd[44732]: warning: unknown[46.148.40.149]: SASL LOGIN authentication failed: authentication failure
Jan 21 14:08:34 projectok postfix/smtpd[44732]: lost connection after AUTH from unknown[46.148.40.149]
Jan 21 14:08:34 projectok postfix/smtpd[44732]: disconnect from unknown[46.148.40.149] ehlo=1 auth=0/1 rset=1 commands=2/3

How to solve all these?

It is a clean install. Mails are working fine. DKIM, Postgrey, SPF, and all options in DNS options are enabled by me.

You are under attack by kiddie amateurs. Not a lot you can do, as the attacks will come from multiple IPs and repeats from the same IP won’t come often enough to trigger e.g. Fail2ban.

I am new to Postfix so can’t help, but on my Sendmail mail servers I use aggressive real-time block lists to suppress this stuff as much as I can.

How do you know I am under attack? For knowledge.

My last Ubuntu server was compromised by cryptomining malware.

Things like “connect from unknown” mean that the IP has no reverse lookup.
IPs from the same network, e.g. 46.148.40.136 and 46.148.40.149.
Red flag: “warning: hostname fiber-190-55.online.com.kh does not resolve to address 124.248.190.55: Name or service not known”
All connections were unsuccessful, so they might have been trying random login details.
All those failed attempts happened over only 20 seconds.

So yeah, an attack.
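The indicators listed in the reply above can be pulled out of the log mechanically. The following is an added example, written for this page and not code from the original thread or from Virtualmin/Postfix: a Python 3 script that parses a subset of the smtpd lines quoted in the first post, tallies per-client reverse-DNS status, SASL failures and TLS handshake failures, groups clients by /24, and measures the time window the activity spans. The verdict names, the per-client classification and the prefix length are my own illustrative choices, not Postfix or fail2ban settings.

```python
"""Triage Postfix smtpd log lines: who connected, who failed auth, and how fast."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Subset of the lines quoted in the first post (syslog format, which carries no year).
SAMPLE_LOG = """\
Jan 21 14:08:14 projectok postfix/smtpd[44442]: connect from unknown[103.174.126.2]
Jan 21 14:08:17 projectok postfix/smtpd[38815]: connect from unknown[46.148.40.136]
Jan 21 14:08:21 projectok postfix/smtpd[44732]: connect from unknown[46.148.40.149]
Jan 21 14:08:23 projectok postfix/smtpd[38815]: warning: unknown[46.148.40.136]: SASL LOGIN authentication failed: authentication failure
Jan 21 14:08:23 projectok postfix/smtpd[38815]: disconnect from unknown[46.148.40.136] ehlo=1 auth=0/1 rset=1 commands=2/3
Jan 21 14:08:26 projectok postfix/smtpd[40400]: connect from unknown[137.59.195.242]
Jan 21 14:08:26 projectok postfix/smtpd[40400]: SSL_accept error from unknown[137.59.195.242]: -1
Jan 21 14:08:26 projectok postfix/smtpd[40400]: connect from unknown[137.59.195.242]
Jan 21 14:08:27 projectok postfix/smtpd[40400]: SSL_accept error from unknown[137.59.195.242]: -1
Jan 21 14:08:27 projectok postfix/smtpd[38815]: warning: hostname fiber-190-55.online.com.kh does not resolve to address 124.248.190.55: Name or service not known
Jan 21 14:08:27 projectok postfix/smtpd[38815]: connect from unknown[124.248.190.55]
Jan 21 14:08:34 projectok postfix/smtpd[44732]: warning: unknown[46.148.40.149]: SASL LOGIN authentication failed: authentication failure
Jan 21 14:08:34 projectok postfix/smtpd[44732]: disconnect from unknown[46.148.40.149] ehlo=1 auth=0/1 rset=1 commands=2/3
"""

HEADER = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: (.*)$")
CONNECT = re.compile(r"^connect from ([^\s\[]+)\[([\d.]+)\]")
SASL = re.compile(r"^warning: ([^\s\[]+)\[([\d.]+)\]: SASL \w+ authentication failed")
TLS = re.compile(r"^SSL_accept error from ([^\s\[]+)\[([\d.]+)\]")
RDNS = re.compile(r"^warning: hostname (\S+) does not resolve to address ([\d.]+)")


@dataclass
class HostStats:
    connects: int = 0
    sasl_failures: int = 0
    tls_failures: int = 0
    no_rdns: bool = False        # client logged as "unknown[...]": no usable PTR
    rdns_mismatch: bool = False  # PTR exists but does not resolve back to the IP


def parse_line(line):
    """Return (timestamp, kind, ip, hostname), or None for lines we do not classify."""
    m = HEADER.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # year defaults to 1900; only deltas matter
    msg = m.group(2)
    for kind, rx in (("connect", CONNECT), ("sasl_fail", SASL), ("tls_fail", TLS)):
        e = rx.match(msg)
        if e:
            return ts, kind, e.group(2), e.group(1)
    e = RDNS.match(msg)
    return (ts, "rdns_mismatch", e.group(2), e.group(1)) if e else None


def summarize(log_text):
    """Aggregate per-client counters over the whole log."""
    stats = defaultdict(HostStats)
    for ev in map(parse_line, log_text.splitlines()):
        if ev is None:
            continue
        _, kind, ip, host = ev
        s = stats[ip]
        if kind == "connect":
            s.connects += 1
            s.no_rdns = s.no_rdns or host == "unknown"
        elif kind == "sasl_fail":
            s.sasl_failures += 1
        elif kind == "tls_fail":
            s.tls_failures += 1
        else:
            s.rdns_mismatch = True
    return dict(stats)


def classify(s):
    """Illustrative triage verdict (my own labels, not Postfix or fail2ban categories)."""
    if s.sasl_failures:
        return "auth-bruteforce"   # the only class here that justifies a block on its own
    if s.tls_failures:
        return "tls-probe"         # handshake attempted with a protocol this server refuses
    if s.rdns_mismatch:
        return "rdns-mismatch"     # forward-confirmed reverse DNS failed
    if s.no_rdns:
        return "no-rdns"           # noisy, but also what a misconfigured legitimate MTA looks like
    return "ok"


def group_by_prefix(stats, prefixlen=24):
    """Map each /prefixlen network to the client IPs seen inside it."""
    groups = defaultdict(list)
    for ip in sorted(stats, key=ipaddress.ip_address):
        groups[str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))].append(ip)
    return dict(groups)


def window_seconds(log_text):
    """Seconds between the first and last classified event."""
    times = [ev[0] for ev in map(parse_line, log_text.splitlines()) if ev]
    return int((max(times) - min(times)).total_seconds()) if times else 0


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip, s in stats.items():
        print(f"{ip:16} connects={s.connects} sasl_fail={s.sasl_failures} "
              f"tls_fail={s.tls_failures} -> {classify(s)}")
    print("shared /24:", {n: ips for n, ips in group_by_prefix(stats).items() if len(ips) > 1})
    print("activity window:", window_seconds(SAMPLE_LOG), "seconds")
```

Run against the full log with `summarize(open("/var/log/maillog").read())` (path as on RHEL 9; adjust elsewhere). Only the SASL failure line is treated as ban-worthy on its own, which is the same line fail2ban's postfix-sasl filter keys on; a client that merely lacks reverse DNS gets a "no-rdns" verdict rather than a block, because that is also what a badly configured but legitimate sender looks like.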

It’s pretty normal. I did a test build yesterday. Within 5 minutes I had SSH connections trying to connect with all sorts of usernames. I’m testing ConfigServer Security & Firewall and it’s been running 24 hours.

160 bans so far, pretty impressed with it.

Steve

Welcome to the internet.

Abuse is rampant.

Fail2ban can block some of it.

Some of it is legitimate, however, and people just haven’t correctly configured their mail servers or DNS, so you probably wouldn’t want to block it all.

But, you’re never going to get rid of all of the noise. I recommend you learn a bit more about what it all means, so you’ll know what to ignore (until you need to track down a problem) and what is indicating a problem.

