I had not previously noticed "lost connection after UNKNOWN…" but will add that as well as the companion regex for the disconnect.
Feb 11 12:17:39 mail postfix/smtpd[23758]: connect from unknown[240e:f7:4f01:c::3]
Feb 11 12:17:42 mail postfix/smtpd[23758]: lost connection after UNKNOWN from unknown[240e:f7:4f01:c::3]
Feb 11 12:17:42 mail postfix/smtpd[23758]: disconnect from unknown[240e:f7:4f01:c::3] ehlo=1 unknown=0/1 commands=1/2
I checked the packet capture for that encounter:
220 example.com ESMTP Postfix
EHLO []
250-example.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
HELP (← after 2.31s delay which prompted two server TCP retransmissions)
502 5.5.2 Error: command not recognized
HELP is not implemented; the antecedent bogus EHLO would have triggered a ban had a delivery been attempted (because of smtpd_delay_reject = yes). However, there was no delivery attempt so the session never arrived at "Helo command rejected: need fully-qualified hostname" as the client closed the session (without a QUIT) immediately after receiving the 502.
The origin address had previously (repeatedly, for a variety of transgressions dating back to August 2019) been banned one week earlier and unbanned within the hour prior to the 2020-02-11 SMTP session. Just prior to the session it did a port 25 TCP connect and then an immediate reset (RST), a commonly observed but curious practice. Such SYN, SYN-ACK, RST sequences do not produce any log records.
IMO: anything evoking an unknown SMTP command response is ban bait. That would include VRFY which is routinely disabled.
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
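As an added example (not code from the post, nor fail2ban's own), here is a Python check that applies fail2ban-style failregex patterns for the two events discussed above, the "lost connection after UNKNOWN" line and its companion disconnect summary carrying unknown=N/M, to constructed Postfix smtpd log lines. The syslog prefix stripping and the <HOST> expansion are simplified stand-ins for what fail2ban does internally, and the maxretry threshold is an assumed jail setting.

```python
import re

# Constructed Postfix smtpd log lines modelled on the ones quoted in the post:
# the 240e: client is the bogus-EHLO-then-HELP session, 192.0.2.10 is a clean delivery.
SAMPLE_LOG = """\
Feb 11 12:17:39 mail postfix/smtpd[23758]: connect from unknown[240e:f7:4f01:c::3]
Feb 11 12:17:42 mail postfix/smtpd[23758]: lost connection after UNKNOWN from unknown[240e:f7:4f01:c::3]
Feb 11 12:17:42 mail postfix/smtpd[23758]: disconnect from unknown[240e:f7:4f01:c::3] ehlo=1 unknown=0/1 commands=1/2
Feb 11 12:20:01 mail postfix/smtpd[23760]: connect from mx.example.net[192.0.2.10]
Feb 11 12:20:02 mail postfix/smtpd[23760]: disconnect from mx.example.net[192.0.2.10] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
"""

# Simplified version of the syslog prefix fail2ban strips before applying failregex.
PREFIX = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ postfix/smtpd\[\d+\]: ")

# fail2ban-style failregex lines: the "lost connection after UNKNOWN" event and
# the companion disconnect summary that reports at least one unknown command.
FAILREGEX = [
    r"^lost connection after UNKNOWN from \S+\[<HOST>\]$",
    r"^disconnect from \S+\[<HOST>\] .*\bunknown=\d+/\d+",
]

# Simplified stand-in for fail2ban's <HOST> expansion: an IPv4 or IPv6 literal.
HOST = r"(?P<host>[0-9A-Fa-f:.]+)"
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]


def find_hits(log_text):
    """Return (host, rule_index) for every log line that matches a failregex."""
    hits = []
    for line in log_text.splitlines():
        body = PREFIX.sub("", line, count=1)
        for idx, rx in enumerate(COMPILED):
            m = rx.search(body)
            if m:
                hits.append((m.group("host"), idx))
                break
    return hits


def offenders(log_text, maxretry=2):
    """Count hits per host and return those reaching maxretry (the hosts a jail would ban)."""
    counts = {}
    for host, _ in find_hits(log_text):
        counts[host] = counts.get(host, 0) + 1
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print(find_hits(SAMPLE_LOG))
    print(offenders(SAMPLE_LOG))
```

Because one session produces both the "lost connection" line and the disconnect summary, a single bogus EHLO-plus-HELP exchange already reaches maxretry=2 with these two patterns, which is worth keeping in mind when choosing the jail threshold.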