DevHeads.net

lost connection after RCPT

We recently (within the last two weeks) started getting a very large
number of logs like this:

postfix/smtpd[29456]: lost connection after RCPT from cel-broadband1-ws-72.dsl.airstreamcomm.net[64.33.198.73]

After doing packet traces it appears that the client is sending RST
packets to our server, which doesn't make any sense?

Here is postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
anvil_rate_time_unit = 60s
bounce_queue_lifetime = 3d
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 9
default_destination_recipient_limit = 1000
default_process_limit = 1000
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailbox_size_limit = 52224000
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_queue_lifetime = 3d
message_size_limit = 52224000
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = osmtp-1.airstreamcomm.net
mynetworks = $config_directory/mynetworks
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
relayhost = omrcd1.parcel-airstreamcomm.net
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sender_bcc_maps = hash:/etc/postfix/sender_bcc_jatheon
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_connect_timeout = 5m
smtp_data_done_timeout = 900s
smtp_data_init_timeout = 900s
smtp_data_xfer_timeout = 900s
smtp_helo_timeout = 900s
smtp_mail_timeout = 900s
smtp_tls_note_starttls_offer = yes
smtpd_client_event_limit_exceptions = static:all
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks,
    check_recipient_access hash:/etc/postfix/restricted_recipients
    check_client_access hash:/etc/postfix/popimap_access,
    permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth-client
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_unknown_sender_domain,
    reject_non_fqdn_sender, permit
smtpd_timeout = 180s
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.crt
smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550

Comments

Re: lost connection after RCPT

By Noel Jones at 08/08/2011 - 16:41

On 8/8/2011 4:15 PM, ... at airstreamcomm dot net wrote:
It does if it's a crapware spambot.

Are these disconnects from legitimate clients you expect to receive
mail from? Although the above IP doesn't seem to be on any
blacklists right now, the hostname makes it highly suspicious.

At any rate, it sounds as if the problem is on the remote end; not a
postfix problem.

-- Noel Jones

Re: lost connection after RCPT

By list at 08/08/2011 - 20:36

On Mon, 08 Aug 2011 16:41:59 -0500, Noel Jones < ... at megan dot vbhcs.org>
wrote:
We found out our PIX had somehow freaked out and started applying
SMTP inspections that were causing SMTP connections to die prematurely.

Thanks for your advice!

Re: lost connection after RCPT

By Jeroen Geilman at 08/08/2011 - 16:28

On 2011-08-08 23:15, ... at airstreamcomm dot net wrote:
After how much time?
What is the time elapsed between CONNECT and LOST CONNECTION?
Does it always happen with that client?
If so, ask them what they're doing wrong.

That is way too much default information; default values should not be
in main.cf.
Run
(postconf -d; postconf -d; postconf -n) | sort | uniq -u
to get a cleaner list without all your distro's defaults.
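
The questions raised in the reply above (time elapsed between connect and lost connection, and whether it is always the same client) can be answered from the mail log. This is an added example, not part of the original thread: it pairs smtpd connect and lost-connection lines by process ID. The sample log lines, the host name mx1, the example.* clients and the default year are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Postfix syslog format; host "mx1" and the example.* clients are made up.
SAMPLE_LOG = """\
Aug  8 16:10:01 mx1 postfix/smtpd[29456]: connect from cel-broadband1-ws-72.dsl.airstreamcomm.net[64.33.198.73]
Aug  8 16:10:03 mx1 postfix/smtpd[29456]: lost connection after RCPT from cel-broadband1-ws-72.dsl.airstreamcomm.net[64.33.198.73]
Aug  8 16:11:10 mx1 postfix/smtpd[29460]: connect from client.example.net[192.0.2.10]
Aug  8 16:11:13 mx1 postfix/smtpd[29460]: disconnect from client.example.net[192.0.2.10]
Aug  8 16:12:00 mx1 postfix/smtpd[29456]: connect from host2.example.org[198.51.100.7]
Aug  8 16:12:05 mx1 postfix/smtpd[29456]: lost connection after RCPT from host2.example.org[198.51.100.7]
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ postfix/smtpd\[(?P<pid>\d+)\]: "
    r"(?P<event>connect|disconnect|lost connection after (?P<stage>\w+)) "
    r"from (?P<client>\S+)"
)

def lost_sessions(log_text, year=2011):
    """Return (client, stage, seconds since connect) for each lost connection."""
    open_by_pid, lost = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # queue-id lines, warnings, other daemons
        # Syslog timestamps carry no year, so the caller supplies one (assumption).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        pid, client = m["pid"], m["client"]
        if m["event"] == "connect":
            open_by_pid[pid] = (client, ts)  # an smtpd PID serves one client at a time
        elif m["event"] == "disconnect":
            open_by_pid.pop(pid, None)
        elif open_by_pid.get(pid, (None,))[0] == client:
            lost.append((client, m["stage"], (ts - open_by_pid[pid][1]).total_seconds()))
    return lost

def by_client(sessions):
    """Group (stage, seconds) per client to see whether one peer dominates."""
    grouped = defaultdict(list)
    for client, stage, seconds in sessions:
        grouped[client].append((stage, seconds))
    return dict(grouped)

if __name__ == "__main__":
    for client, events in by_client(lost_sessions(SAMPLE_LOG)).items():
        print(client, events)
```

Short elapsed times at the same SMTP stage across many unrelated clients point at something in the network path rather than one misbehaving sender, which is what the PIX finding earlier in this thread turned out to be.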