
Postfix: Variable meanings table

Can someone tell me how I can get the meaning of these variables
(ehlo..commands) in the postfix log?
i.e:
1) disconnect from xxxx.xxxx.xx [99.99.999.99] ehlo=2 starttls=1 mail=1
rcpt=1 data=1 quit=1 commands=7
2) disconnect from xxxx.xxxx.xx [99.99.999.99] ehlo=2 starttls=1 mail=1
rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8

Thank you very much!!

Comments

Re: Postfix: Variable meanings table

By Wietse Venema at 08/09/2019 - 14:18

foo=x/y means that the client sent the 'foo' command 'y' times, and
that Postfix accepted 'x' of those commands. When 'x' and 'y' are
the same, Postfix shows only one.

These statistics make problems easy to diagnose. The command

$ grep auth=./ /var/log/maillog

will show spambots attempts to log in. Here is a typical result:

Aug 1 11:24:35 spike postfix/smtpd[26284]: disconnect from unknown[122.246.158.54] ehlo=1 auth=0/1 commands=1/2

Wietse

Re: Postfix: Variable meanings table

By manu19 at 08/09/2019 - 16:15

Thanks for the explanation, it has been very instructive.
Regards.

Re: Postfix: Variable meanings table

By Dominic Raferd at 08/10/2019 - 01:17

I have a fail2ban ban - quite active - based on this:

failregex = ^%(__prefix_line)sdisconnect from \S+\[<HOST>\] (ehlo|helo)=\d+.*auth=0/\d

See also http://www.postfix.org/announcements/postfix-3.0.0.html.
(I whitelist a few ips that are our own, or known to run auth tests).
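As an added example (not code from anyone in this thread), the following Python applies Wietse's x/y rule to smtpd "disconnect" lines and totals rejected AUTH commands per client IP, the same signal that `grep auth=./` and Dominic's failregex key on; the log lines it runs over are constructed, using documentation-range addresses, and the whitelist parameter is an assumption modelled on Dominic's remark.

```python
import re
from collections import Counter

# Constructed sample lines in Postfix smtpd "disconnect" format (not real hosts).
SAMPLE_LOG = """\
Aug  1 11:24:35 spike postfix/smtpd[26284]: disconnect from unknown[203.0.113.7] ehlo=1 auth=0/1 commands=1/2
Aug  1 11:24:40 spike postfix/smtpd[26284]: disconnect from mail.example.net[198.51.100.9] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Aug  1 11:25:02 spike postfix/smtpd[26290]: disconnect from unknown[203.0.113.7] ehlo=1 auth=0/3 rset=0/1 commands=1/5
Aug  1 11:25:10 spike postfix/smtpd[26291]: disconnect from relay.example.org[192.0.2.44] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8
"""

DISCONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: disconnect from (?P<host>\S+)\[(?P<ip>[^\]]+)\] (?P<stats>.*)$"
)
# foo=x/y: the client sent 'foo' y times and Postfix accepted x of them;
# a lone number means x == y (Wietse's rule above).
STAT_RE = re.compile(r"(?P<cmd>[a-z]+)=(?P<acc>\d+)(?:/(?P<sent>\d+))?")


def parse_disconnect(line):
    """Return (host, ip, {cmd: (accepted, sent)}), or None for non-disconnect lines."""
    m = DISCONNECT_RE.search(line)
    if not m:
        return None
    stats = {}
    for s in STAT_RE.finditer(m.group("stats")):
        accepted = int(s.group("acc"))
        sent = int(s.group("sent")) if s.group("sent") else accepted
        stats[s.group("cmd")] = (accepted, sent)
    return m.group("host"), m.group("ip"), stats


def failed_auth_by_ip(log_text, whitelist=()):
    """Count rejected AUTH commands (sent minus accepted) per client IP.
    IPs in 'whitelist' (assumed parameter) are skipped, as Dominic does for his own hosts."""
    failures = Counter()
    for line in log_text.splitlines():
        parsed = parse_disconnect(line)
        if parsed is None:
            continue
        _host, ip, stats = parsed
        if ip in whitelist or "auth" not in stats:
            continue
        accepted, sent = stats["auth"]
        failures[ip] += sent - accepted
    return failures


if __name__ == "__main__":
    for ip, n in failed_auth_by_ip(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} rejected AUTH command(s)")
```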

Re: Postfix: Variable meanings table

By Phil Stracchino at 09/06/2019 - 10:30

On 8/10/19 2:17 AM, Dominic Raferd wrote:

Since you mention fail2ban, I've recently installed fail2ban on my mail
server with the intention of setting it up to detect brute-force login
attempts on the SMTP port and *remotely tell my firewall* to block the
offending IPs. But studying the fail2ban documentation I've so far
found, I cannot for the life of me figure out how to do this, though I
am assured by others that it is perfectly possible and should be
straightforward to do.

Can anyone by chance point me to any documentation that explains how to
do this?

Re: Postfix: Variable meanings table

By LuKreme at 09/06/2019 - 13:03

On 6 Sep 2019, at 09:30, Phil Stracchino < ... at caerllewys dot net> wrote:
Not off hand, but what you are looking for on google is:

fail2ban "action.d"

(the quotes will force google to return results with action.d)

In fact, if you look in the action.d/ folder there should be a couple of files there that will likely get you started. (I’d check, but I’m using sshguard now).

Re: Postfix: Variable meanings table

By Phil Stracchino at 09/06/2019 - 13:25

On 9/6/19 2:03 PM, @lbutlr wrote:

Yeah, I've already had a browse through that, but it appears to me that
all of the prewritten actions assume you're talking to a *local*
firewall, and I don't know enough about fail2ban yet to feel confident
modifying it without something to work from.

I was *about to say* that every single document I've so far found seems
to assume a local firewall, but I just now stumbled across one with a
remote-firewall example that I think I can work with.

Re: Postfix: Variable meanings table

By B. Reino at 09/07/2019 - 11:55

On 06/09/2019 20.25, Phil Stracchino wrote:
I use a custom script (/usr/local/sbin/fail2ban_action.sh) to block a
given IP, from which I call nft to add the IP to a set,
by calling "nft $1 element inet filter fail2ban { $2 }" (where $1 is add
or delete and $2 is the IP).

If you want that action to happen on a remote system you could just
prepend "ssh <firewall>" to the command
(assuming that your local root can login as root to the firewall system
without user interaction..)

For reference, here is my /etc/fail2ban/action.d/local_block.conf:
[Definition]
actionban   = /usr/local/sbin/fail2ban_action.sh add <ip>
actionunban = /usr/local/sbin/fail2ban_action.sh delete <ip>
actioncheck =
actionstart =
actionstop =

[Init]

where in /etc/fail2ban/jail.local I have
..
banaction = local_block
..

Hope that helps!

Re: Postfix: Variable meanings table

By Dominic Raferd at 09/06/2019 - 10:54

For the general approach, see (for instance) the custom action section at
https://darrynvt.wordpress.com/tag/custom-fail2ban-actions/

Re: Postfix: Variable meanings table

By Enrico Morelli at 08/09/2019 - 07:45

On Fri, 9 Aug 2019 03:32:20 -0700 (MST)

https://www.samlogic.net/articles/smtp-commands-reference.htm