Aug 5, 2024: iRedMail-1.7.1 has been released.

**pbf343** · 2017-05-23 18:39:09

pbf343
Member
Offline

Registered: 2013-05-30
Posts: 247

Topic: connections & fail2ban vs spam

==== Required information ====
- iRedMail version (check /etc/iredmail-release):
- Linux/BSD distribution name and version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Web server (Apache or Nginx):
- Manage mail accounts with iRedAdmin-Pro?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

CentOS, MySQL, iRedAdmin-Pro

Seeing connections similar to the below scenario from various IPs in the /var/log/maillog. I'm wondering what they indicate and/or if associated with an account breach?

May 23 00:08:21 mail02 postfix/smtpd[11381]: connect from unknown[132.245.70.197]
May 23 00:08:21 mail02 postfix/smtpd[11381]: Anonymous TLS connection established from unknown[132.245.70.197]: TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)
May 23 00:08:21 mail02 postfix/smtpd[11381]: disconnect from unknown[132.245.70.197]
May 23 01:20:36 mail02 postfix/smtpd[15731]: connect from unknown[132.245.70.197]
May 23 01:20:36 mail02 postfix/smtpd[15731]: Anonymous TLS connection established from unknown[132.245.70.197]: TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)
May 23 01:20:37 mail02 postfix/smtpd[15731]: disconnect from unknown[132.245.70.197]
May 23 02:20:43 mail02 postfix/smtpd[18888]: connect from unknown[132.245.70.197]
May 23 02:20:44 mail02 postfix/smtpd[18888]: Anonymous TLS connection established from unknown[132.245.70.197]: TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)
May 23 02:20:44 mail02 postfix/smtpd[18888]: disconnect from unknown[132.245.70.197]
May 23 03:20:48 mail02 postfix/smtpd[27549]: connect from unknown[132.245.70.197]
May 23 03:20:48 mail02 postfix/smtpd[27549]: Anonymous TLS connection established from unknown[132.245.70.197]: TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)
May 23 03:20:49 mail02 postfix/smtpd[27549]: disconnect from unknown[132.245.70.197]
May 23 04:20:56 mail02 postfix/smtpd[31188]: connect from unknown[132.245.70.197]
May 23 04:20:56 mail02 postfix/smtpd[31188]: Anonymous TLS connection established from unknown[132.245.70.197]: TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)
May 23 04:20:56 mail02 postfix/smtpd[31188]: disconnect from unknown[132.245.70.197]
May 23 05:27:32 mail02 postfix/smtpd[2829]: connect from unknown[132.245.70.197]
May 23 05:27:33 mail02 postfix/smtpd[2829]: Anonymous TLS connection established from unknown[132.245.70.197]: TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)
May 23 05:27:33 mail02 postfix/smtpd[2829]: disconnect from unknown[132.245.70.197]
May 23 06:28:24 mail02 postfix/smtpd[6565]: connect from unknown[132.245.70.197]
May 23 06:28:24 mail02 postfix/smtpd[6565]: Anonymous TLS connection established from unknown[132.245.70.197]: TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)
May 23 06:28:24 mail02 postfix/smtpd[6565]: disconnect from unknown[132.245.70.197]

Shouldn't fail2ban stop these?
One IP had over 8000 connections.

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

**ZhangHuangbin** · 2017-05-23 19:45:54

ZhangHuangbin
iRedMail Developers
Offline

Registered: 2009-05-06
Posts: 31,088

Re: connections & fail2ban vs spam

This is normal smtp connection with TLS support. But connect and disconnect immediately is not usual.

**pbf343** · 2017-05-23 23:18:25

pbf343
Member
Offline

Registered: 2013-05-30
Posts: 247

Re: connections & fail2ban vs spam

ZhangHuangbin wrote:

This is normal smtp connection with TLS support. But connect and disconnect immediately is not usual.

Yes. However, over 8400 connections within 24 hours on a system this size from one IP makes me highly suspicious. How, or what, can be done to determine further information on these connections like a target address(es), breach in user account(s), etc.?

Thank you.

**ZhangHuangbin** · 2017-05-24 10:58:07

ZhangHuangbin
iRedMail Developers
Offline

Registered: 2009-05-06
Posts: 31,088

Re: connections & fail2ban vs spam

Unfortunately, we don't have such tool to detect this situation and block the IP automatically.

**Waschl** · 2017-06-22 19:43:24

Waschl
Member
Offline

From: Germany
Registered: 2016-02-12
Posts: 12

Re: connections & fail2ban vs spam

You can add the IP to /etc/postfix/postscreen_access.cidr. That blocks the client but it has to be done manually.

**raz** · 2017-06-22 23:06:20

raz
Member
Offline

Registered: 2016-07-03
Posts: 59

Re: connections & fail2ban vs spam

i think you can add this line "disconnect from unknown[<HOST>\]" as failregex in /etc/fail2ban/filter.d/postfix.iredmail.conf.

but you will need to customize it a little.

Raz

**ZhangHuangbin** · 2017-06-23 02:15:09

ZhangHuangbin
iRedMail Developers
Offline

Registered: 2009-05-06
Posts: 31,088

Re: connections & fail2ban vs spam

raz wrote:

i think you can add this line "disconnect from unknown[<HOST>\]" as failregex in /etc/fail2ban/filter.d/postfix.iredmail.conf.

All clients with invalid or missed DNS record will match this rule. I don't think this is what you really want.

Aug 5, 2024: iRedMail-1.7.1 has been released.

connections & fail2ban vs spam

Posts: 7

1 Topic by pbf343 2017-05-23 18:39:09

Topic: connections & fail2ban vs spam

2 Reply by ZhangHuangbin 2017-05-23 19:45:54

Re: connections & fail2ban vs spam

3 Reply by pbf343 2017-05-23 23:18:25 (edited by pbf343 2017-05-23 23:19:15)

Re: connections & fail2ban vs spam

4 Reply by ZhangHuangbin 2017-05-24 10:58:07

Re: connections & fail2ban vs spam

5 Reply by Waschl 2017-06-22 19:43:24

Re: connections & fail2ban vs spam

6 Reply by raz 2017-06-22 23:06:20

Re: connections & fail2ban vs spam

7 Reply by ZhangHuangbin 2017-06-23 02:15:09

Re: connections & fail2ban vs spam

Posts: 7