DevHeads.net

Postfix/smtp/smtpd

Hello everybody,

I was wondering if anybody could advise please, on what does this log entry
mean postfix/smtp/smtpd? I know postfix/smtp is to send mails out to the
world, postfix/smtpd stands for daemon that rules out deliveries for
incoming mail. What about postfix/smtp/smtpd? Is it something in between
incoming and outgoing messages? Does it perhaps mean that some clients try
to connect to my 465 port? If that is the case then do they try to send or
receive here? Would appreciate any pointers from experts. Many thanks in
advance!

Comments

Re: Postfix/smtp/smtpd

By Wietse Venema at 04/01/2018 - 09:49

postfix = syslog_name setting in main.cf
smtp = name of the master.cf entry
smtpd = name of the executable file.

Examples that differ only in the name of the master.cf entry:
postfix/smtp/smtpd
postfix/smtps/smtpd
postfix/submission/smtpd

More examples that differ only in the name of the master.cf entry:
postfix/smtp/smtp
postfix/relay/smtp

Without some clue about the master.cf entry, troubleshooting
can be harder than it needs to be.

Wietse

Re: Postfix/smtp/smtpd

By Den1 at 04/01/2018 - 13:29

Wietse Venema wrote
Thank you so much for replying, Wietse. Appreciate.

Well, my master.cf looks like this. Hope it will help to throw some more
light upon what my postfix/smtp/smtpd log entry may mean. Clients trying to
login and send?

smtpd      pass  -       -       -       -       -       smtpd
  -o content_filter=spamassassin
smtp       inet  n       -       -       -       1       postscreen
dnsblog    unix  -       -       -       -       0       dnsblog
tlsproxy   unix  -       -       -       -       0       tlsproxy
submission inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps      inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
pickup     fifo  n       -       -       60      1       pickup
  -o content_filter=
  -o receive_override_options=no_header_body_checks
cleanup    unix  n       -       -       -       0       cleanup
qmgr       fifo  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       -       1000?   1       tlsmgr
rewrite    unix  -       -       -       -       -       trivial-rewrite
bounce     unix  -       -       -       -       0       bounce
defer      unix  -       -       -       -       0       bounce
trace      unix  -       -       -       -       0       bounce
verify     unix  -       -       -       -       1       verify
flush      unix  n       -       -       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       -       -       -       smtp
relay      unix  -       -       -       -       -       smtp
showq      unix  n       -       -       -       -       showq
error      unix  -       -       -       -       -       error
retry      unix  -       -       -       -       -       error
discard    unix  -       -       -       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       -       -       -       lmtp
anvil      unix  -       -       -       -       1       anvil
scache     unix  -       -       -       -       1       scache
maildrop   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
dovecot    unix  -       n       n       -       -       pipe
  flags=DRhu user=mmail:mmail argv=/usr/lib/dovecot/deliver -d ${recipient}
dovecot-spamass unix - n n - - pipe
  flags=DRhu user=mmail:mmail argv=/usr/bin/spamc -u ${recipient} -e /usr/lib/dovecot/deliver -d ${recipient}
ifmail     unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp      unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman    unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
policy-spf unix  -       n       n       -       -       spawn
  user=nobody argv=/usr/sbin/postfix-policyd-spf-perl
policyd-spf-perl_time_limit = 3600
spamassassin unix -      n       n       -       -       pipe
  user=spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
procmail   unix  -       n       n       -       -       pipe
  flags=DROhu user=mmail argv=/usr/bin/procmail -t -m USER=${user} EXTENSION=${extension} NEXTHOP=${nexthop} /etc/postfix/procmailrc.common

Re: Postfix/smtp/smtpd

By Wietse Venema at 04/01/2018 - 13:52

No logfile record, no support.

Wietse

Re: Postfix/smtp/smtpd

By Den1 at 04/01/2018 - 14:48

Wietse Venema wrote
Here is an extract from the log. Thank you.

Mar 30 05:25:27 postfix/smtps/smtpd[4797]: connect from scan-7.security.ipip.net[106.186.113.132]
Mar 30 05:25:27 postfix/smtps/smtpd[4797]: connect from scan-7.security.ipip.net[106.186.113.132]
Mar 30 05:25:27 postfix/smtps/smtpd[4797]: connect from scan-7.security.ipip.net[106.186.113.132]
Mar 30 05:25:29 postfix/smtps/smtpd[4797]: Anonymous TLS connection established from scan-7.security.ipip.net[106.186.113.132]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Mar 30 05:25:29 postfix/smtps/smtpd[4797]: Anonymous TLS connection established from scan-7.security.ipip.net[106.186.113.132]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Mar 30 05:25:29 postfix/smtps/smtpd[4797]: Anonymous TLS connection established from scan-7.security.ipip.net[106.186.113.132]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Mar 30 05:25:32 postfix/smtps/smtpd[4797]: lost connection after CONNECT from scan-7.security.ipip.net[106.186.113.132]
Mar 30 05:25:32 postfix/smtps/smtpd[4797]: disconnect from scan-7.security.ipip.net[106.186.113.132]
Mar 30 05:25:32 postfix/smtps/smtpd[4797]: lost connection after CONNECT from scan-7.security.ipip.net[106.186.113.132]
Mar 30 05:25:32 postfix/smtps/smtpd[4797]: disconnect from scan-7.security.ipip.net[106.186.113.132]
Mar 30 05:25:32 postfix/smtps/smtpd[4797]: lost connection after CONNECT from scan-7.security.ipip.net[106.186.113.132]
Mar 30 05:25:32 postfix/smtps/smtpd[4797]: disconnect from scan-7.security.ipip.net[106.186.113.132]

here is another one:

Mar 28 22:12:25 postfix/smtps/smtpd[5713]: warning: hostname vps147579.trouble-free.net does not resolve to address 174.138.189.116: Name or service not known
Mar 28 22:12:25 postfix/smtps/smtpd[5713]: connect from unknown[174.138.189.116]
Mar 28 22:12:25 postfix/smtps/smtpd[5713]: SSL_accept error from unknown[174.138.189.116]: lost connection
Mar 28 22:12:25 postfix/smtps/smtpd[5713]: lost connection after CONNECT from unknown[174.138.189.116]
Mar 28 22:12:25 postfix/smtps/smtpd[5713]: disconnect from unknown[174.138.189.116]
Mar 28 22:12:25 postfix/smtps/smtpd[5713]: warning: hostname vps147579.trouble-free.net does not resolve to address 174.138.189.116: Name or service not known
Mar 28 22:12:25 postfix/smtps/smtpd[5713]: connect from unknown[174.138.189.116]
Mar 28 22:12:25 postfix/smtps/smtpd[5713]: SSL_accept error from unknown[174.138.189.116]: lost connection
Mar 28 22:12:25 postfix/smtps/smtpd[5713]: lost connection after CONNECT from unknown[174.138.189.116]
Mar 28 22:12:25 postfix/smtps/smtpd[5713]: disconnect from unknown[174.138.189.116]
Mar 28 22:12:25 postfix/smtps/smtpd[5713]: warning: hostname vps147579.trouble-free.net does not resolve to address 174.138.189.116: Name or service not known
Mar 28 22:12:25 postfix/smtps/smtpd[5713]: connect from unknown[174.138.189.116]
Mar 28 22:12:25 postfix/smtps/smtpd[5713]: SSL_accept error from unknown[174.138.189.116]: lost connection
Mar 28 22:12:25 postfix/smtps/smtpd[5713]: lost connection after CONNECT from unknown[174.138.189.116]
Mar 28 22:12:25 postfix/smtps/smtpd[5713]: disconnect from unknown[174.138.189.116]
Mar 28 22:12:26 postfix/smtps/smtpd[5713]: warning: hostname vps147579.trouble-free.net does not resolve to address 174.138.189.116: Name or service not known

Re: Postfix/smtp/smtpd

By Wietse Venema at 04/01/2018 - 15:05

Postfix does not support three concurrent connections to the same
SMTP server process, so that looks like a logging infrastructure
that logs the same event three times to the same file.

More logfile duplication.

More duplication.

Someone is scanning mail servers, for good or evil purposes.

Welcome to the Internet. If you have not looked at Postfix logs
before, then you may be surprised at the amount of noise.

Wietse
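Wietse's breakdown of the program field (syslog_name / master.cf entry name / executable) and his observation that one smtpd process cannot be serving three connections at once both lend themselves to a small log-analysis script. The following Python is an added example, not code from this thread or from Postfix: it parses that program field, counts "connect from" events per master.cf entry so you can see which listener (smtps on 465, submission, the plain smtp entry) a client hit, and flags records that were written more than once. The sample log is constructed from the poster's extract plus made-up submission and smtpd lines using RFC 5737 documentation addresses; the optional syslog host field and the treatment of two-part names such as postfix/smtpd are assumptions of the script.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the extract posted in this thread.
# The scan-7 lines are the poster's; the submission and smtpd lines are
# made up, using RFC 5737 documentation addresses.
SAMPLE_LOG = """\
Mar 30 05:25:27 postfix/smtps/smtpd[4797]: connect from scan-7.security.ipip.net[106.186.113.132]
Mar 30 05:25:27 postfix/smtps/smtpd[4797]: connect from scan-7.security.ipip.net[106.186.113.132]
Mar 30 05:25:27 postfix/smtps/smtpd[4797]: connect from scan-7.security.ipip.net[106.186.113.132]
Mar 30 05:25:32 postfix/smtps/smtpd[4797]: lost connection after CONNECT from scan-7.security.ipip.net[106.186.113.132]
Mar 30 05:25:32 postfix/smtps/smtpd[4797]: disconnect from scan-7.security.ipip.net[106.186.113.132]
Mar 30 05:25:32 postfix/smtps/smtpd[4797]: lost connection after CONNECT from scan-7.security.ipip.net[106.186.113.132]
Mar 30 05:25:32 postfix/smtps/smtpd[4797]: disconnect from scan-7.security.ipip.net[106.186.113.132]
Mar 30 05:25:32 postfix/smtps/smtpd[4797]: lost connection after CONNECT from scan-7.security.ipip.net[106.186.113.132]
Mar 30 05:25:32 postfix/smtps/smtpd[4797]: disconnect from scan-7.security.ipip.net[106.186.113.132]
Mar 30 06:10:02 postfix/submission/smtpd[5102]: connect from client.example.net[192.0.2.10]
Mar 30 06:10:05 postfix/submission/smtpd[5102]: disconnect from client.example.net[192.0.2.10]
Mar 30 06:12:40 postfix/smtpd[5130]: connect from mx.example.org[203.0.113.5]
Mar 30 06:12:41 postfix/smtpd[5130]: disconnect from mx.example.org[203.0.113.5]
"""

# "Mon DD hh:mm:ss [host] syslog_name/service/executable[pid]: message"
# The syslog host field is optional here (assumption) because the
# poster's extract does not include one.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?:(?P<host>[\w.-]+) )?"
    r"(?P<prog>[\w.-]+(?:/[\w.-]+)+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)


def split_program(prog):
    """Split the program field into (syslog_name, service, executable).

    Three-part names ('postfix/smtps/smtpd') carry the master.cf entry name in
    the middle. Two-part names ('postfix/smtpd', which the poster sees for
    inbound mail) have no separate service field; this script reuses the
    executable name as the service name so grouping still works (assumption).
    """
    parts = prog.split("/")
    if len(parts) == 3:
        return tuple(parts)
    if len(parts) == 2:
        return parts[0], parts[1], parts[1]
    raise ValueError("unexpected program field: %r" % prog)


def parse_log(text):
    """Yield one dict per parseable line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["syslog_name"], rec["service"], rec["executable"] = split_program(rec["prog"])
        yield rec


def connections_per_service(text):
    """Count 'connect from' events per master.cf entry, then per client.

    Returns {service: Counter({client: count})}; the service key tells you
    which listener (smtp, smtps, submission, ...) the client connected to.
    """
    out = {}
    for rec in parse_log(text):
        if rec["msg"].startswith("connect from "):
            client = rec["msg"][len("connect from "):]
            out.setdefault(rec["service"], Counter())[client] += 1
    return out


def duplicated_records(text):
    """Return records seen more than once with identical (ts, prog, pid, msg).

    One smtpd process serves one client session at a time, so three identical
    'connect from' lines with the same pid in the same second point to the
    logging pipeline writing each event several times, not to three
    concurrent sessions. Knowing this stops duplicates inflating the counts.
    """
    seen = Counter()
    for rec in parse_log(text):
        seen[(rec["ts"], rec["prog"], rec["pid"], rec["msg"])] += 1
    return {key: n for key, n in seen.items() if n > 1}


if __name__ == "__main__":
    for service, clients in connections_per_service(SAMPLE_LOG).items():
        for client, n in clients.items():
            print("%-12s %3d  %s" % (service, n, client))
    for (ts, prog, pid, msg), n in duplicated_records(SAMPLE_LOG).items():
        print("x%d  %s %s[%s]: %s" % (n, ts, prog, pid, msg))
```

Run against the sample, the scan-7 client shows three "connect from" events on the smtps entry, and every one of those records is reported as written three times, which is the pattern Wietse describes; on a real log the duplicate report is what tells you to fix the syslog configuration before trusting any per-client counts.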

Re: Postfix/smtp/smtpd

By Viktor Dukhovni at 04/01/2018 - 15:09

Or just the disconnect events not logged, or log data re-ordered.

Re: Postfix/smtp/smtpd

By Wietse Venema at 04/01/2018 - 15:17

Viktor Dukhovni:
The time stamps were distinct for connect, TLS handshake, and
disconnect. But it is possible that the poster omitted other handshake
and disconnect records between the ones that were posted.

Wietse

Mar 30 05:25:27 postfix/smtps/smtpd[4797]: connect from scan-7.security.ipip.net[106.186.113.132]
Mar 30 05:25:27 postfix/smtps/smtpd[4797]: connect from scan-7.security.ipip.net[106.186.113.132]
Mar 30 05:25:27 postfix/smtps/smtpd[4797]: connect from scan-7.security.ipip.net[106.186.113.132]

Mar 30 05:25:29 postfix/smtps/smtpd[4797]: Anonymous TLS connection established from scan-7.security.ipip.net[106.186.113.132]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Mar 30 05:25:29 postfix/smtps/smtpd[4797]: Anonymous TLS connection established from scan-7.security.ipip.net[106.186.113.132]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Mar 30 05:25:29 postfix/smtps/smtpd[4797]: Anonymous TLS connection established from scan-7.security.ipip.net[106.186.113.132]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)

Mar 30 05:25:32 postfix/smtps/smtpd[4797]: lost connection after CONNECT from scan-7.security.ipip.net[106.186.113.132]
Mar 30 05:25:32 postfix/smtps/smtpd[4797]: disconnect from scan-7.security.ipip.net[106.186.113.132]
Mar 30 05:25:32 postfix/smtps/smtpd[4797]: lost connection after CONNECT from scan-7.security.ipip.net[106.186.113.132]
Mar 30 05:25:32 postfix/smtps/smtpd[4797]: disconnect from scan-7.security.ipip.net[106.186.113.132]
Mar 30 05:25:32 postfix/smtps/smtpd[4797]: lost connection after CONNECT from scan-7.security.ipip.net[106.186.113.132]
Mar 30 05:25:32 postfix/smtps/smtpd[4797]: disconnect from scan-7.security.ipip.net[106.186.113.132]

Re: Postfix/smtp/smtpd

By Viktor Dukhovni at 04/01/2018 - 16:58

You're right, that sure looks like logging in triplicate.

Re: Postfix/smtp/smtpd

By Den1 at 04/01/2018 - 15:54

Thank you all for replying. I really do appreciate your input.

When the first extract from the log is pretty obvious as it says scan, the
second one is not really clear to me. Did the client try to connect in order
to send mail? Does postfix/smtp/smtpd mean sending out? I just assume it but
I am not sure. For example when mail arrives I see postfix/smtpd when it
goes out I see postfix/submission/smtpd and this is understandable, but
seeing postfifix/smtp/smtpd makes me confused a little...

Re: Postfix/smtp/smtpd

By Bill Cole at 04/01/2018 - 16:19

Look closer.

Neither postfix/smtp/smtpd nor postfifix/smtp/smtpd appear in the log
lines you posted.

What IS there is 'postfix/smtps/smtpd', which indicates connections to
your port 465 "wrappermode" instance of smtpd.

Re: Postfix/smtp/smtpd

By Den1 at 04/01/2018 - 16:48

Bill Cole-3 wrote
That's right, Bill. That's a nice observation. Thanks.

Plus, this is also exactly what I was asking about in my very first /
initial post. That is if postfix/smtps/smtpd meant connections to my 465
port. /Quote,/ "Does it perhaps mean that some clients try to connect to my
465 port?" /Unquote./ Now it's utmost clear! Thank you so much everybody for
your help!

Re: Postfix/smtp/smtpd

By Wietse Venema at 04/01/2018 - 17:01

No, you asked about "postfix/smtp/smtpd" not "postfix/smtps/smtpd".

I was wondering if anybody could advise please, on what does
this log entry mean postfix/smtp/smtpd? I know postfix/smtp is
to send mails out to the...

Are you a troll?

Wietse

Re: Postfix/smtp/smtpd

By Den1 at 04/01/2018 - 17:46

Wietse Venema wrote
No, I am not. I said that is /*also*/ what I was asking about. That is I
asked about both. My apologies I did not make myself clear enough.