1

Topic: Security - maillogs

==== Required information ====
- iRedMail version: iRedMail-0.8.5
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version: Ubuntu 12.04
- Related log if you're reporting an issue:
====
Hi,

I am new to mail servers and have two questions regarding logs and how to detect that the mail server is compromised.

I have seen in the mail.log that someone from Russia tried to use my server as a relay?:

Mar 22 11:11:30 mail postfix/smtpd[24096]: NOQUEUE: reject: RCPT from unknown[193.0.200.185]: 504 5.5.2 <NS>: Helo command rejected: need fully-qualified hostname; from=<web@amazonaws.com> to=<smtpvalid123@gmail.com> proto=ESMTP helo=<NS>
Mar 22 11:11:31 mail postfix/smtpd[24096]: lost connection after RCPT from unknown[193.0.200.185]
Mar 22 11:11:31 mail postfix/smtpd[24096]: disconnect from unknown[193.0.200.185]
Mar 22 11:11:31 mail postfix/smtpd[24105]: connect from unknown[193.0.200.185]
Mar 22 11:11:34 mail postfix/smtpd[24105]: warning: unknown[193.0.200.185]: SASL login authentication failed: UGFzc3dvcmQ6
Mar 22 11:11:36 mail postfix/smtpd[24105]: NOQUEUE: reject: RCPT from unknown[193.0.200.185]: 504 5.5.2 <NS>: Helo command rejected: need fully-qualified hostname; from=<www@amazonaws.com> to=<smtpvalid123@gmail.com> proto=ESMTP helo=<NS>

with several other names; at the end of these tries I had:

Mar 22 11:15:16 mail postfix/anvil[24104]: statistics: max connection rate 8/60s for (smtp:193.0.200.185) at Mar 22 11:07:59
Mar 22 11:15:16 mail postfix/anvil[24104]: statistics: max connection count 2 for (smtp:193.0.200.185) at Mar 22 11:07:00
Mar 22 11:15:16 mail postfix/anvil[24104]: statistics: max cache size 1 at Mar 22 11:07:00

What does this mean? Has he finally successfully connected to my mail server? I haven't found anything suspicious in /var/log/iredapd.log or others.
With 'grep "sasl_username=" /var/log/mail.log|more' I see that only known IPs successfully authenticated.

Which logs should I monitor to be sure that the mail server doesn't get compromised, and what pattern do I have to look for?

Thanks,
Peter

----


2

Re: Security - maillogs

peter.romfeld.hk wrote:

Mar 22 11:11:34 mail postfix/smtpd[24105]: warning: unknown[193.0.200.185]: SASL login authentication failed: UGFzc3dvcmQ6

It tried to authenticate with this username, but failed. It's a normal failed SMTP login, not relay.

peter.romfeld.hk wrote:

with several other names; at the end of these tries I had:
Mar 22 11:15:16 mail postfix/anvil[24104]: statistics: max connection rate 8/60s for (smtp:193.0.200.185) at Mar 22 11:07:59
Mar 22 11:15:16 mail postfix/anvil[24104]: statistics: max connection count 2 for (smtp:193.0.200.185) at Mar 22 11:07:00
Mar 22 11:15:16 mail postfix/anvil[24104]: statistics: max cache size 1 at Mar 22 11:07:00

These are normal statistics generated by Postfix (your MTA).
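
One way to check the patterns discussed in this thread, as an added example that is not part of the original posts: a Python script that tallies rejects and failed SASL logins per client IP and flags any IP that failed authentication and also appears in a "sasl_username=" success line. The sample log is constructed (two lines follow the excerpt above; the 198.51.100.7 entries, the queue ID and user@example.com are invented), and all function names are hypothetical.

```python
import base64
import re
from collections import defaultdict

# Constructed sample: the first two lines follow the thread's log excerpt;
# the 198.51.100.7 lines (documentation IP, made-up queue ID/user) are invented.
SAMPLE_LOG = """\
Mar 22 11:11:30 mail postfix/smtpd[24096]: NOQUEUE: reject: RCPT from unknown[193.0.200.185]: 504 5.5.2 <NS>: Helo command rejected: need fully-qualified hostname; from=<web@amazonaws.com> to=<smtpvalid123@gmail.com> proto=ESMTP helo=<NS>
Mar 22 11:11:34 mail postfix/smtpd[24105]: warning: unknown[193.0.200.185]: SASL login authentication failed: UGFzc3dvcmQ6
Mar 22 11:12:02 mail postfix/smtpd[24110]: warning: unknown[198.51.100.7]: SASL login authentication failed: UGFzc3dvcmQ6
Mar 22 11:12:09 mail postfix/smtpd[24110]: 3F2A1C0042: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=user@example.com
"""

REJECT = re.compile(r"NOQUEUE: reject: \w+ from [^\s\[]*\[([^\]]+)\]")
SASL_FAIL = re.compile(r"warning: [^\s\[]*\[([^\]]+)\]: SASL \S+ authentication failed")
SASL_OK = re.compile(r"client=[^\s\[]*\[([^\]]+)\].*sasl_username=(\S+)")

def summarize(log_text):
    """Return per-IP counts of rejects and failed logins, plus SASL users that succeeded."""
    stats = defaultdict(lambda: {"rejects": 0, "auth_failed": 0, "users": set()})
    for line in log_text.splitlines():
        if m := SASL_OK.search(line):
            stats[m.group(1)]["users"].add(m.group(2))
        elif m := SASL_FAIL.search(line):
            stats[m.group(1)]["auth_failed"] += 1
        elif m := REJECT.search(line):
            stats[m.group(1)]["rejects"] += 1
    return dict(stats)

def needs_review(stats):
    """IPs that failed authentication and also logged in successfully."""
    return sorted(ip for ip, s in stats.items() if s["auth_failed"] and s["users"])

def decode_sasl_token(token):
    """Decode the base64 text Postfix appends to a failed-login warning."""
    return base64.b64decode(token).decode("utf-8", "replace")

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip, s in sorted(stats.items()):
        print(ip, "rejects:", s["rejects"], "failed:", s["auth_failed"], "users:", sorted(s["users"]))
    print("review:", needs_review(stats))
    print("token:", decode_sasl_token("UGFzc3dvcmQ6"))
```

To run it against a real log, pass the contents of /var/log/mail.log to summarize() instead of SAMPLE_LOG.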