Hello, I'm looking at the logs for an SMTP-only service where iptables should be stopping new connections on port 25, and I'm seeing connections with no SASL authentication. They fail to relay, but I'd rather we didn't talk to them at all.
In the maillog-internal log:
Oct 17 11:28:18 myserver postfix-internal/smtpd[23161]: connect from unknown[142.177.130.133]
Oct 17 11:28:20 myserver postfix-internal/smtpd[23161]: NOQUEUE: reject: RCPT from unknown[142.177.130.133]: 454 4.7.1 <someu...@hotmail.com>: Relay access denied; from=<u...@example.com> to=<someu...@hotmail.com> proto=ESMTP helo=<[10.36.113.138]>
Oct 17 11:28:20 myserver postfix-internal/smtpd[23161]: disconnect from unknown[142.177.130.133]
# grep maillog-internal /etc/rsyslog.conf
local3.* -/var/log/maillog-internal
That is a sanity check showing that this log contains only entries from the dedicated SMTP service. I have iptables rules to block NEW connections on port 25, and my network admin assures me that telnet to port 25 from the outside is unsuccessful. Neither of the above IPs (the connecting address or the one in the HELO) is in my subnet. I also run SASL-authenticated ports, but the connecting IP doesn't show up with a line revealing a SASL login: grep 142.177.130.133 /var/log/maillog-internal | grep sasl shows nothing (the log from the 17th has not been rotated yet). Note that these smtpd log lines do not record which listening port accepted the connection, so on their own they do not show whether the client came in on port 25 or on one of the submission ports (587/465) listed below. Hopefully the postconf output and snippets from my master.cf will reveal something stupid I've got set up.
# postconf -d | grep mail_version mail_version = 2.10.0-20130211 #postconf -c /etc/postfix-internal -n anvil_rate_time_unit = 60s anvil_status_update_time = 300s append_dot_mydomain = no biff = no bounce_queue_lifetime = 0 canonical_maps = hash:/etc/postfix-internal/lowercase,hash:/etc/postfix-internal/genericstable command_directory = /usr/sbin config_directory = /etc/postfix-internal content_filter = lmtp-amavis:[127.0.0.1]:10026 daemon_directory = /usr/libexec/postfix data_directory = /var/lib/postfix-internal debug_peer_level = 2 delay_warning_time = 2h disable_vrfy_command = yes fast_flush_domains = rigel.example.com, exchange.example.com, adara.example.com, navi.example.com, rm.example.com hash_queue_names = deferred defer bounce flush html_directory = no inet_interfaces = smtp.example.com invalid_hostname_reject_code = 556 local_header_rewrite_clients = permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated local_recipient_maps = mail_owner = postfix mailq_path = /usr/bin/mailq masquerade_domains = !alumni.example.com $mydomain maximal_backoff_time = 4000s maximal_queue_lifetime = 2d message_size_limit = 20971520 minimal_backoff_time = 1000s mydestination = mydomain = example.com myhostname = smtp.example.com mynetworks = XXX.YYY.0.0/16 127.0.0.0/8 mynetworks_style = class myorigin = $mydomain newaliases_path = /usr/bin/newaliases qmgr_message_active_limit = 20000 queue_directory = /var/spool/postfix-internal queue_run_delay = 1000s readme_directory = no recipient_delimiter = + relay_domains = relocated_maps = sample_directory = no sendmail_path = /usr/sbin/sendmail setgid_group = postdrop smtp_bind_address = XXX.YYY.202.53 smtp_discard_ehlo_keyword_address_maps = hash:/etc/postfix-internal/smtp_discard_ehlo smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtpd_banner = $myhostname ESMTP $mail_name smtpd_client_connection_count_limit = 2 smtpd_client_connection_rate_limit = 10 smtpd_client_event_limit_exceptions = 
127.0.0.0/8, XXX.YYY.200.0/21 XXX.YYY.2.48 XXX.YYY.2.50 smtpd_client_message_rate_limit = 10 smtpd_client_new_tls_session_rate_limit = 10 smtpd_client_event_limit_exceptions = 127.0.0.0/8, XXX.YYY.200.0/21 XXX.YYY.2.48 XXX.YYY.2.50 smtpd_client_message_rate_limit = 10 smtpd_client_new_tls_session_rate_limit = 10 smtpd_client_restrictions = check_sender_access hash:/etc/postfix-internal/localdomain, check_client_access hash:/etc/postfix-internal/access smtpd_data_restrictions = reject_unauth_pipelining smtpd_delay_reject = yes smtpd_enforce_tls = no smtpd_error_sleep_time = 10 smtpd_hard_error_limit = 5 smtpd_helo_required = yes smtpd_helo_restrictions = smtpd_recipient_restrictions = reject_unlisted_recipient, reject_unknown_recipient_domain, check_recipient_access hash:/etc/postfix-internal/recipient_access, permit_sasl_authenticated, permit_mynetworks, reject smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination smtpd_sasl_auth_enable = yes smtpd_sasl_authenticated_header = yes smtpd_sasl_local_domain = $myhostname smtpd_sasl_path = smtpd smtpd_sasl_security_options = noanonymous smtpd_sasl_tls_security_options = noanonymous smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, check_sender_access hash:/etc/postfix-internal/localdomain, check_client_access hash:/etc/postfix-internal/access smtpd_soft_error_limit = 3 smtpd_timeout = 60s smtpd_tls_CAfile = /etc/postfix-internal/tls/DigiCertCA.crt smtpd_tls_auth_only = yes smtpd_tls_cert_file = /etc/postfix-internal/tls/star_example.com.crt smtpd_tls_key_file = /etc/postfix-internal/tls/star_example.com.key smtpd_tls_received_header = yes smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtpd_tls_session_cache_timeout = 3600s syslog_facility = local3 syslog_name = postfix-internal tls_random_exchange_name = /var/lib/postfix-internal/prng_exch tls_random_source = dev:/dev/urandom transport_maps = 
hash:/etc/postfix-internal/transport, hash:/etc/postfix-internal/migrating unknown_address_reject_code = 550 unknown_client_reject_code = 555 unknown_hostname_reject_code = 550 unverified_recipient_reject_code = 550 virtual_alias_domains = $virtual_alias_maps, example.com virtual_alias_maps = hash:/etc/postfix-internal/class_lists, hash:/etc/postfix-internal/virtual virtual_transport = virtual Parts of master.cf # Secure submission server on port 587 for non-Outlook Clients XXX.YYY.202.53:587 inet n - n - - smtpd -o smtpd_sasl_auth_enable=yes -o smtpd_use_tls=yes -o smtpd_enforce_tls=yes -o smtpd_tls_wrappermode=no -o smtpd_client_event_limit_exceptions=XXX.YYY.0.0/21 -o smtpd_client_connection_rate_limit=4 -o smtpd_recipient_limit=20 -o smtpd_client_message_rate_limit=40 -o smtpd_reject_unlisted_sender=yes -o smtpd_sasl_tls_security_options=noanonymous -o smtpd_sasl_security_options=noanonymous # Secure submission server on port 465 for Outlook Clients XXX.YYY.202.53:465 inet n - n - - smtpd -o smtpd_sasl_auth_enable=yes -o smtpd_use_tls=yes -o smtpd_enforce_tls=yes -o smtpd_tls_wrappermode=yes -o smtpd_client_event_limit_exceptions=XXX.YYY.0.0/21 -o smtpd_client_connection_rate_limit=4 -o smtpd_recipient_limit=20 -o smtpd_client_message_rate_limit=40 -o smtpd_reject_unlisted_sender=yes -o smtpd_sasl_tls_security_options=noanonymous -o smtpd_sasl_security_options=noanonymous