Hello,

I'm looking at the logs for an SMTP-only service where iptables
should be stopping new connections on port 25, and I'm
seeing connects with no SASL auth.  They fail to relay, but
I'd rather we didn't talk to them at all.

In the maillog-internal log:

Oct 17 11:28:18 myserver postfix-internal/smtpd[23161]: connect from
unknown[142.177.130.133]
Oct 17 11:28:20 myserver postfix-internal/smtpd[23161]: NOQUEUE:
reject: RCPT from unknown[142.177.130.133]: 454 4.7.1
<someu...@hotmail.com>: Relay access denied; from=<u...@example.com>
to=<someu...@hotmail.com> proto=ESMTP helo=<[10.36.113.138]>
Oct 17 11:28:20 myserver postfix-internal/smtpd[23161]: disconnect
from unknown[142.177.130.133]

# grep maillog-internal /etc/rsyslog.conf
local3.*
-/var/log/maillog-internal

That is a sanity check showing this log contains
only entries from the dedicated SMTP service.

I have iptables rules to block NEW connects on port 25, and my network
admin assures me telnet on port 25 from the outside is unsuccessful.
Neither of the above IPs (connect or helo) is in my subnet.

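I also run SASL auth'ed ports (587 and 465, see master.cf below), but the
connecting IP doesn't show up with a line revealing a SASL login.
Note that the connect lines above do not record which port the client
used, and the master.cf entries shown below set no separate syslog_name,
so a session on 587 or 465 that never authenticates would presumably
look the same in this log.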

grep 142.177.130.133 /var/log/maillog-internal  | grep sasl
shows nothing (log from 17th not rotated yet).

Hopefully the postconf output and snippets from my master.cf will reveal
something stupid I've got set up.

# postconf -d | grep mail_version
mail_version = 2.10.0-20130211

# postconf -c /etc/postfix-internal -n
anvil_rate_time_unit = 60s
anvil_status_update_time = 300s
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 0
canonical_maps =
hash:/etc/postfix-internal/lowercase,hash:/etc/postfix-internal/genericstable
command_directory = /usr/sbin
config_directory = /etc/postfix-internal
content_filter = lmtp-amavis:[127.0.0.1]:10026
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix-internal
debug_peer_level = 2
delay_warning_time = 2h
disable_vrfy_command = yes
fast_flush_domains = rigel.example.com, exchange.example.com,
adara.example.com, navi.example.com, rm.example.com
hash_queue_names = deferred defer bounce flush
html_directory = no
inet_interfaces = smtp.example.com
invalid_hostname_reject_code = 556
local_header_rewrite_clients = permit_inet_interfaces,
permit_mynetworks, permit_sasl_authenticated
local_recipient_maps =
mail_owner = postfix
mailq_path = /usr/bin/mailq
masquerade_domains = !alumni.example.com $mydomain
maximal_backoff_time = 4000s
maximal_queue_lifetime = 2d
message_size_limit = 20971520
minimal_backoff_time = 1000s
mydestination =
mydomain = example.com
myhostname = smtp.example.com
mynetworks = XXX.YYY.0.0/16 127.0.0.0/8
mynetworks_style = class
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
qmgr_message_active_limit = 20000
queue_directory = /var/spool/postfix-internal
queue_run_delay = 1000s
readme_directory = no
recipient_delimiter = +
relay_domains =
relocated_maps =
sample_directory = no
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_bind_address = XXX.YYY.202.53
smtp_discard_ehlo_keyword_address_maps =
hash:/etc/postfix-internal/smtp_discard_ehlo
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_connection_count_limit = 2
smtpd_client_connection_rate_limit = 10
smtpd_client_event_limit_exceptions = 127.0.0.0/8, XXX.YYY.200.0/21
XXX.YYY.2.48 XXX.YYY.2.50
smtpd_client_message_rate_limit = 10
smtpd_client_new_tls_session_rate_limit = 10
smtpd_client_event_limit_exceptions = 127.0.0.0/8, XXX.YYY.200.0/21
XXX.YYY.2.48 XXX.YYY.2.50
smtpd_client_message_rate_limit = 10
smtpd_client_new_tls_session_rate_limit = 10
smtpd_client_restrictions = check_sender_access
hash:/etc/postfix-internal/localdomain, check_client_access
hash:/etc/postfix-internal/access
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_enforce_tls = no
smtpd_error_sleep_time = 10
smtpd_hard_error_limit = 5
smtpd_helo_required = yes
smtpd_helo_restrictions =
smtpd_recipient_restrictions = reject_unlisted_recipient,
reject_unknown_recipient_domain, check_recipient_access
hash:/etc/postfix-internal/recipient_access,
permit_sasl_authenticated, permit_mynetworks, reject
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sender_restrictions = permit_sasl_authenticated,
permit_mynetworks, reject_unknown_sender_domain, check_sender_access
hash:/etc/postfix-internal/localdomain, check_client_access
hash:/etc/postfix-internal/access
smtpd_soft_error_limit = 3
smtpd_timeout = 60s
smtpd_tls_CAfile = /etc/postfix-internal/tls/DigiCertCA.crt
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix-internal/tls/star_example.com.crt
smtpd_tls_key_file = /etc/postfix-internal/tls/star_example.com.key
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
syslog_facility = local3
syslog_name = postfix-internal
tls_random_exchange_name = /var/lib/postfix-internal/prng_exch
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix-internal/transport,
hash:/etc/postfix-internal/migrating
unknown_address_reject_code = 550
unknown_client_reject_code = 555
unknown_hostname_reject_code = 550
unverified_recipient_reject_code = 550
virtual_alias_domains = $virtual_alias_maps, example.com
virtual_alias_maps = hash:/etc/postfix-internal/class_lists,
hash:/etc/postfix-internal/virtual
virtual_transport = virtual


Parts of master.cf

# Secure submission server on port 587 for non-Outlook Clients
XXX.YYY.202.53:587 inet n       -       n       -       -       smtpd
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_use_tls=yes
        -o smtpd_enforce_tls=yes
        -o smtpd_tls_wrappermode=no
        -o smtpd_client_event_limit_exceptions=XXX.YYY.0.0/21
        -o smtpd_client_connection_rate_limit=4
        -o smtpd_recipient_limit=20
        -o smtpd_client_message_rate_limit=40
        -o smtpd_reject_unlisted_sender=yes
        -o smtpd_sasl_tls_security_options=noanonymous
        -o smtpd_sasl_security_options=noanonymous

# Secure submission server on port 465 for Outlook Clients
XXX.YYY.202.53:465 inet n       -       n       -       -       smtpd
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_use_tls=yes
        -o smtpd_enforce_tls=yes
        -o smtpd_tls_wrappermode=yes
        -o smtpd_client_event_limit_exceptions=XXX.YYY.0.0/21
        -o smtpd_client_connection_rate_limit=4
        -o smtpd_recipient_limit=20
        -o smtpd_client_message_rate_limit=40
        -o smtpd_reject_unlisted_sender=yes
        -o smtpd_sasl_tls_security_options=noanonymous
        -o smtpd_sasl_security_options=noanonymous
