On Fri, Sep 30, 2016 at 06:26:35AM -0400, Postfix User wrote:
> Postfix-3.2-20160917 with FreeBSD-11.0 /64 bit
>
> Lately, I have been finding the following entries in the maillog:
>
> 13643:Sep 30 02:00:40 scorpio postfix/smtpd[83056]: warning:
> hostname ip-address-pool-xxx.fpt.vn does not resolve to address
> 118.71.251.67: hostname nor servname provided, or not known
> 13822:Sep 30 02:00:40 scorpio postfix/smtpd[83056]: connect from
> unknown[118.71.251.67]
> 13904:Sep 30 02:00:41 scorpio postfix/smtpd[83056]: disconnect from
> unknown[118.71.251.67] helo=1 auth=0/1 quit=1 commands=2/3
>
> While the IP, etcetera will change, the basic message is the same.
> I thought I had postfix configured to block attempts like this.

It IS blocked. It disconnected after EHLO. We don't know why the
client was unable to continue; the SMTP protocol does not provide a
means for the client to tell the server what it didn't like.

> Obviously not though. My config file is below. What am I missing?
>
> ~ $ postconf -nf

You did not show "postconf -Mf". Is there a " -o syslog_name=..."
setting for submission? If not there should be. It would be of
interest to know whether this one was on port 25 or 587.

> broken_sasl_auth_clients = yes

why? In 2016 that's much like taping a "KICK ME" sign on your back
and walking blindfolded around a schoolyard. You will get kicked.
The Microsoft mail clients from that era have been unmaintained for
many years now, and they are the darlings of the malware purveyors.

> enable_long_queue_ids = yes

Very good. :) This is one of my pet projects: to try to get more
adoption of long queue IDs. I think it's quite appropriate since the
last version without it is almost 2 years past EOL now.

(Wietse, any thoughts on making this the default, at least for new
installs? Perhaps "make upgrade" could put in a "no" setting if
enable_long_queue_ids is not found in main.cf?)

> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
>     permit_tls_clientcerts reject_unknown_client_hostname
>     reject_unauth_destination

I don't have this in main.cf, I have it as mua_relay_restrictions and
used as an override on submission only. And you probably do not want
reject_unknown_client_hostname here, because that demands PTR/A
matching, whereas many submitting clients will have no PTR at all, or
PTR/A mismatch.

> smtpd_sasl_auth_enable = yes

This, likewise, I'd only enable on submission. You should not accept
nor offer AUTH on port 25.

* * *

All that said, your relay restrictions would have rejected that
client if it had proceeded all the way to RCPT TO.

-- 
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
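
The session summary on the `disconnect` line quoted in this thread can be read mechanically. The following is an added example, not part of the original message or of Postfix itself: it parses the per-command `ok/total` counts that Postfix 3.0 and later log, and totals failed AUTH attempts per client for sessions that never reached MAIL FROM or RCPT TO. The function names are hypothetical, and the constructed submission line assumes `syslog_name=postfix/submission` is set in master.cf.

```python
import re

# Postfix 3.0+ smtpd session summary: "disconnect from host[addr] cmd=ok/total ...".
# A bare count means every attempt succeeded; "0/1" means 0 of 1 succeeded.
DISCONNECT = re.compile(
    r"postfix/(?P<service>[\w/-]*smtpd)\[\d+\]: disconnect from "
    r"(?P<host>\S+?)\[(?P<addr>[^\]]+)\](?P<stats>(?: \w+=\d+(?:/\d+)?)+)"
)

def parse_disconnect(line):
    """Return service, client and {command: (ok, total)}, or None if no match."""
    m = DISCONNECT.search(line)
    if not m:
        return None
    stats = {}
    for token in m.group("stats").split():
        name, _, value = token.partition("=")
        ok, _, total = value.partition("/")
        stats[name] = (int(ok), int(total or ok))
    return {"service": m.group("service"), "host": m.group("host"),
            "addr": m.group("addr"), "stats": stats}

def failed_auth_by_client(lines):
    """Sum failed AUTH attempts per (service, address) for sessions that tried
    AUTH, never succeeded, and never got as far as MAIL FROM or RCPT TO."""
    counts = {}
    for line in lines:
        session = parse_disconnect(line)
        if session is None:
            continue
        stats = session["stats"]
        ok, total = stats.get("auth", (0, 0))
        if total == 0 or ok > 0 or "mail" in stats or "rcpt" in stats:
            continue
        key = (session["service"], session["addr"])
        counts[key] = counts.get(key, 0) + total
    return counts

# First line is the disconnect entry from the thread (unfolded, grep prefix
# dropped); the others are constructed, using documentation addresses.
SAMPLE = [
    "Sep 30 02:00:41 scorpio postfix/smtpd[83056]: disconnect from unknown[118.71.251.67] helo=1 auth=0/1 quit=1 commands=2/3",
    "Sep 30 02:05:10 scorpio postfix/submission/smtpd[83100]: disconnect from client.example[192.0.2.10] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8",
    "Sep 30 02:07:02 scorpio postfix/smtpd[83120]: disconnect from unknown[192.0.2.55] ehlo=1 auth=0/3 commands=1/4",
    "Sep 30 02:07:03 scorpio postfix/smtpd[83121]: connect from unknown[192.0.2.56]",
]

if __name__ == "__main__":
    for (service, addr), n in failed_auth_by_client(SAMPLE).items():
        print(f"{service} {addr}: {n} failed AUTH")
```

With a distinct `syslog_name` on the submission service, the `service` part of each key shows whether the failed AUTH arrived on port 25 or on 587.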