DevHeads.net

Postfix "lost connection after DATA from unknown..." and ipfilter "-AF OUT" log message

Hi All,

This may be a weird one, and may be completely OT. If the latter:
Feel free to tell me to bugger off :)

System is FreeBSD 8.2, running ipfilter and
postfix-current-2.9.20111119,4.

Occasionally I see something like this from ipfilter in
/var/log/messages:

bge1 @0:24 b <my_outside_ip>,25 -> 89.73.201.168,36545 PR tcp len 20 40 -AR OUT

Looking in /var/log/maillog...

Dec 11 17:47:08 myhost postfix/smtpd[48290]: connect from unknown[89.73.201.168]
Dec 11 17:47:10 myhost postfix/smtpd[48290]: NOQUEUE: reject: RCPT from unknown[89.73.201.168]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [89.73.201.168]; from=< ... at carloerbareactifs dot com> to=< ... at mydom dot ain> proto=ESMTP helo=<89-73-201-168.dynamic.chello.pl>
Dec 11 17:47:11 myhost postfix/smtpd[48290]: lost connection after DATA from unknown[89.73.201.168]
Dec 11 17:47:11 myhost postfix/smtpd[48290]: disconnect from unknown[89.73.201.168]

This particular one occurred seven times in a row, in quick
succession.

I've searched on this *fairly* seriously and come up with nothing.
Anybody got any idea what this is?

Thanks,
Jim

Comments

Re: Postfix "lost connection after DATA from unknown..." and ipf

By Sahil Tandon at 12/11/2011 - 19:41

Postfix sends a 450 response because your DNS server cannot find the
client's reverse hostname; following that, the client foolishly sends
DATA, to which Postfix responds with a 554. Finally, instead of
gracefully QUITing, the client drops the connection.

Re: Postfix "lost connection after DATA from unknown..." and ipf

By Jim Seymour at 12/11/2011 - 20:32

On Sun, 11 Dec 2011 18:41:56 -0500

[snip]
I see. So the "odd" ipfilter message is probably as a result of the
client pulling the rug out from under the connection, as it were?

Thanks,
Jim

Re: Postfix "lost connection after DATA from unknown..." and ipf

By Wietse Venema at 12/11/2011 - 19:35

Jim Seymour:
Why are you blocking outbound TCP RST?

Wietse

Re: Postfix "lost connection after DATA from unknown..." and ipf

By Wietse Venema at 12/11/2011 - 21:03

Wietse Venema:
According to ipmon(8), -AR means the ACK and RST flags are set.
My question is why is your firewall blocking outbound ACK|RST?

Wietse

Re: Postfix "lost connection after DATA from unknown..." and ipf

By Jim Seymour at 12/11/2011 - 23:57

On Sun, 11 Dec 2011 20:03:59 -0500 (EST)

The web is rotting my brain. I never thought to actually check, you
know, the manual page.

Good. Grief.

I'm using basically "canned" rulesets in my ipfilter setup. That is
the default deny at the end of bge1's output filters.

I must've messed up, somewhere. I'll take a look in the morning.

Thanks, Wietse, Sahil, for the education.

Regards,
Jim

Re: Postfix "lost connection after DATA from unknown..." and ipf

By Jim Seymour at 12/12/2011 - 09:02

On Sun, 11 Dec 2011 22:57:12 -0500

Looking at it with fresh eyes, fortified by a cup of coffee :), if I
messed up, I'll be darned if I can see where. The firewall rules
related to this couldn't be more straightforward:

.
.
.
pass out quick on bge1 proto tcp from any to any port = 25 keep state
.
.
.
block out log first quick on bge1 all

That's it.

Regards,
Jim

Re: Postfix "lost connection after DATA from unknown..." and ipf

By Wietse Venema at 12/12/2011 - 09:24

James Seymour:
There are two stateful engines: the TCP stack and ipfilter.

With "keep state", ipfilter "remembers" the connection and lets
packets pass, up to the point that ipfilter believes the connection
no longer exists.

The TCP stack sends an outbound ACK|RST because it received *something*
on port 25. Your firewall should not have passed that. Perhaps you
don't have "flags S keep state" for inbound port 25 traffic.

Wietse

Re: Postfix "lost connection after DATA from unknown..." and ipf

By Jim Seymour at 12/12/2011 - 09:45

On Mon, 12 Dec 2011 08:24:38 -0500 (EST)

[snip]
*nodding*

Understood.

Should not have passed it *incoming*, do you mean?

I do:

# SMTP to gateway
pass in quick on bge1 proto tcp from any to any port = 25 flags S keep state

(The stuff all says "any" because there are only two devices in the
DMZ: The border router's "inside" interface and the firewall's
"outside" one. It's a true DMZ.)

Regards,
Jim

Re: Postfix "lost connection after DATA from unknown..." and ipf

By Wietse Venema at 12/12/2011 - 10:11

James Seymour:
Indeed (assuming that ipfilter actually tracks state in the exact
same way as the TCP stack, which is an assumption that may not
be valid).

Wietse

Re: Postfix "lost connection after DATA from unknown..." and ipf

By Jim Seymour at 12/12/2011 - 10:38

On Mon, 12 Dec 2011 09:11:26 -0500 (EST)

I think it's only happening with spammer/scammer attempts. I'll write
up a little ad hoc script to reconcile the ipmon entries with the
maillog. If it only happens with abusive behaviour, I don't
know as it's worth putting much time into?

Regards,
Jim
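The reconciliation Jim describes, as an added example that is not part of the thread: it pairs ipmon records of blocked outbound ACK|RST packets from port 25 with Postfix "lost connection" records for the same remote IP within a short time window. The sample log lines are constructed from the ones quoted in the thread (192.0.2.1 stands in for <my_outside_ip>, 203.0.113.9 is an extra made-up client), and the ipmon syslog layout is assumed.

```python
# Added example, not from the thread: reconcile ipmon ACK|RST block records with Postfix 'lost connection' events.
import re
from collections import defaultdict
from datetime import datetime, timedelta
SYSLOG_TS = r"(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)"
IPMON_RE = re.compile(SYSLOG_TS + r".*? \S+ @\d+:\d+ b (?P<src>\S+),(?P<sport>\d+) -> "
                      r"(?P<dst>\S+),(?P<dport>\d+) PR tcp len \d+ \d+ -(?P<flags>[A-Z]+) (?P<dir>IN|OUT)")
MAIL_RE = re.compile(SYSLOG_TS + r" \S+ postfix/smtpd\[\d+\]: "
                     r"(?P<event>lost connection after \w+|disconnect|connect) from \S*\[(?P<ip>[\d.]+)\]")
# Constructed sample lines modelled on the thread's; 192.0.2.1 stands in for <my_outside_ip>.
MESSAGES = [
    "Dec 11 17:47:11 myhost ipmon[101]: 17:47:11.512203 bge1 @0:24 b 192.0.2.1,25 -> 89.73.201.168,36545 PR tcp len 20 40 -AR OUT",
    "Dec 11 17:47:11 myhost ipmon[101]: 17:47:11.731007 bge1 @0:24 b 192.0.2.1,25 -> 89.73.201.168,36545 PR tcp len 20 40 -AR OUT",
    "Dec 11 19:10:02 myhost ipmon[101]: 19:10:02.220915 bge1 @0:24 b 192.0.2.1,25 -> 203.0.113.9,40001 PR tcp len 20 40 -AR OUT",
]
MAILLOG = [
    "Dec 11 17:47:10 myhost postfix/smtpd[48290]: NOQUEUE: reject: RCPT from unknown[89.73.201.168]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [89.73.201.168]; proto=ESMTP helo=<89-73-201-168.dynamic.chello.pl>",
    "Dec 11 17:47:11 myhost postfix/smtpd[48290]: lost connection after DATA from unknown[89.73.201.168]",
    "Dec 11 17:47:11 myhost postfix/smtpd[48290]: disconnect from unknown[89.73.201.168]",
]

def _ts(text):  # syslog stamps carry no year; strptime's default year still orders them within a log
    return datetime.strptime(text, "%b %d %H:%M:%S")

def blocked_rsts(messages):
    """Yield (time, remote_ip, flags) for blocked outbound packets from port 25 that carry RST."""
    for line in messages:
        m = IPMON_RE.search(line)
        if m and m["dir"] == "OUT" and m["sport"] == "25" and "R" in m["flags"]:
            yield _ts(m["ts"]), m["dst"], m["flags"]

def lost_connections(maillog):
    """Yield (time, client_ip) for smtpd 'lost connection after ...' records only."""
    for line in maillog:
        m = MAIL_RE.search(line)
        if m and m["event"].startswith("lost connection"):
            yield _ts(m["ts"]), m["ip"]

def reconcile(messages, maillog, window=timedelta(seconds=30)):
    """Per remote IP: blocked RSTs, lost-connection events, and RSTs seen within
    `window` after a lost connection from that IP ('matched')."""
    lost = defaultdict(list)
    for t, ip in lost_connections(maillog):
        lost[ip].append(t)
    report = {ip: {"blocked": 0, "lost": len(ts), "matched": 0} for ip, ts in lost.items()}
    for t, ip, _flags in blocked_rsts(messages):
        row = report.setdefault(ip, {"blocked": 0, "lost": 0, "matched": 0})
        row["blocked"] += 1
        if any(timedelta(0) <= t - lt <= window for lt in lost.get(ip, [])):
            row["matched"] += 1
    return report
```

An IP with blocked RSTs but no "lost connection" record (203.0.113.9 above) is the case worth a closer look, since the client-hangup explanation from the thread does not account for it.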

Re: Postfix "lost connection after DATA from unknown..." and ipf

By Jim Seymour at 12/11/2011 - 20:15

On Sun, 11 Dec 2011 18:35:23 -0500 (EST)

[snip]
I am not, to the best of my knowledge.

There is a TCP control traffic rate limit in the border router, there
as a DoS prevention tactic, but that's it.

This doesn't happen all the time. It doesn't even happen often. Out
of nearly 6000 connections, today, there are 145 various "A.. OUT" and
"A.. OUT OOW" messages. Each of them occurs two-or-more times,
involving the same contacting IP.

Regards,
Jim

Re: Postfix "lost connection after DATA from unknown..." and ipf

By Jim Seymour at 12/11/2011 - 20:30

On Sun, 11 Dec 2011 19:15:35 -0500

Clarification: That was to say that, when it occurs multiple times
in a row, it's the same IP trying over-and-over again in each set of
retries. A total of 17 unique IPs have been involved in such
occurrences today.

In fact: No client has tried less than twice in a row, most have
averaged around six tries. Some up to a dozen or more.

Regards,
Jim

Re: Postfix "lost connection after DATA from unknown..." and ipf

By Reindl Harald at 12/11/2011 - 19:14

On 12.12.2011 00:10, Jim Seymour wrote:
why do you use "reject_unknown_reverse_client_hostname" if you do not
like the results of it?

Re: Postfix "lost connection after DATA from unknown..." and ipf

By Jim Seymour at 12/11/2011 - 20:04

On Mon, 12 Dec 2011 00:14:08 +0100
Reindl Harald <h. ... at thelounge dot net> wrote:
[snip]
Why do you answer the question when you obviously have not read it?
(Or at least apparently not understood it.)

Regards,
Jim

Re: Postfix "lost connection after DATA from unknown..." and ipf

By Reindl Harald at 12/11/2011 - 20:11

On 12.12.2011 01:04, Jim Seymour wrote:
wtf - I have read your log snippet and explained to you what
"cannot find your reverse hostname" means

what "bge1 @0:24 b <my_outside_ip>,25 -> 89.73.201.168,36545 PR tcp len"
means I have not commented on, since I am not a BSD user; if this is your
only question, why do you post maillog snippets?

Re: Postfix "lost connection after DATA from unknown..." and ipf

By Jim Seymour at 12/11/2011 - 20:19

On Mon, 12 Dec 2011 01:11:00 +0100

I know what "cannot find your reverse hostname" means.

To show the relationship between the information in the two logfiles.

If it was *purely* a FBSD or ipfilter question (which I allowed as
how it might actually be), I'd have asked in a FBSD or ipfilter forum.

Regards,
Jim