On 8/15/2023 3:14 PM, pgnd via Postfix-users wrote:
> my "BFFs" @ M$'s *.outlook.com have decided over the last month or
> so to send many 10Ks of these
>
> 2023-08-14T13:11:53.782611-04:00 svr01 postfix/postscreen[27910]: CONNECT from [52.101.56.17]:32607 to [209.123.234.54]:25
> 2023-08-14T13:11:59.860098-04:00 svr01 postfix/postscreen[27910]: PASS NEW [52.101.56.17]:32607
> 2023-08-14T13:12:00.058029-04:00 svr01 postfix/postscreen-internal/smtpd[27907]: connect from mail-eastus2azon11020017.outbound.protection.outlook.com[52.101.56.17]
> 2023-08-14T13:12:00.118201-04:00 svr01 postfix/postscreen-internal/smtpd[27907]: Anonymous TLS connection established from mail-eastus2azon11020017.outbound.protection.outlook.com[52.101.56.17]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
> 2023-08-14T13:12:00.131049-04:00 svr01 postfix/postscreen-internal/smtpd[27907]: disconnect from mail-eastus2azon11020017.outbound.protection.outlook.com[52.101.56.17] ehlo=1 starttls=1 quit=1 commands=3
>
> They come in frequent waves of ~5-10 from countless different
> outlook.com hosts -- but, so far, these waves (and totals) are ONLY
> from outlook.com -- getting by postscreen cache after expire with
> "PASS NEW".
>
> I never receive content with these; I just see the
> connect->disconnect sequence. Protections appear to be doing what
> they should.
>
> OK mail from outlook does make its way through; e.g., since Monday,
>
> xzegrep "250 2.0.0 Queued as.*outbound.protection.outlook.com" /var/log/postfix/postfix.log | wc -l
> 4343
>
> Any wisdom as to what this M$ noise is? And what (else) to do about
> it? If anything ...
So they connect, say EHLO, start a TLS session, and disconnect.
There is no protection you can add to prevent this, other than
firewalling them completely.
Why do they do this? Only they know. Maybe they don't like something
about the cipher used, but that seems unlikely since the session
seems to be established normally. Maybe they have a message bigger
than your announced SIZE=, but that shouldn't result in repeated
connections. Maybe they just have something stuck in their queue. At
any rate, nothing you can do about any of this.
I guess twiddle the TLS knobs (or use the defaults) to maybe get
them to use a different cipher, but that's just a shot in the dark
and frankly I'd be surprised if it helped.
You could try to catch a tcp dump of one of the offending
connections, but I expect that will look perfectly normal from your end.
What should you do? Just ignore it. Unless it gets to the DDoS
point, even thousands of short-lived ghost connections won't stress
postfix or interfere with other mail. The biggest annoyance is
junking up the logs.
-- Noel Jones
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
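As an added example for this thread (not code from the poster, from Noel, or from Postfix), the script below does the "watch the logs" part in a repeatable way: it parses postscreen PASS NEW/OLD lines and the command counters on smtpd "disconnect from" lines, labels each session as ghost (EHLO/STARTTLS/QUIT only, no MAIL), rejected (MAIL sent, nothing accepted at DATA) or delivered, and groups them by sender domain so you can see whether the ghost sessions stay confined to one sender and whether their volume is creeping toward the DDoS territory Noel mentions. The log lines embedded in it are constructed to mirror the ones quoted above; the three labels and the two-label domain grouping are my own assumptions, not anything Postfix defines.

```python
"""Summarise short-lived "ghost" SMTP sessions from Postfix smtpd/postscreen logs.

Added example for this thread, not Postfix code and not the poster's script.
Assumes the standard Postfix log line formats for 'PASS NEW/OLD' (postscreen)
and 'disconnect from host[ip] cmd=ok/total ...' (smtpd).
"""
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the lines quoted in the thread (not real captures).
SAMPLE_LOG = """\
2023-08-14T13:11:53.782611-04:00 svr01 postfix/postscreen[27910]: CONNECT from [52.101.56.17]:32607 to [209.123.234.54]:25
2023-08-14T13:11:59.860098-04:00 svr01 postfix/postscreen[27910]: PASS NEW [52.101.56.17]:32607
2023-08-14T13:12:00.058029-04:00 svr01 postfix/postscreen-internal/smtpd[27907]: connect from mail-eastus2azon11020017.outbound.protection.outlook.com[52.101.56.17]
2023-08-14T13:12:00.118201-04:00 svr01 postfix/postscreen-internal/smtpd[27907]: Anonymous TLS connection established from mail-eastus2azon11020017.outbound.protection.outlook.com[52.101.56.17]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
2023-08-14T13:12:00.131049-04:00 svr01 postfix/postscreen-internal/smtpd[27907]: disconnect from mail-eastus2azon11020017.outbound.protection.outlook.com[52.101.56.17] ehlo=1 starttls=1 quit=1 commands=3
2023-08-14T13:20:10.000000-04:00 svr01 postfix/postscreen[27910]: CONNECT from [52.101.56.99]:40001 to [209.123.234.54]:25
2023-08-14T13:20:10.100000-04:00 svr01 postfix/postscreen[27910]: PASS OLD [52.101.56.99]:40001
2023-08-14T13:20:10.200000-04:00 svr01 postfix/smtpd[27908]: connect from mail-eastus2azon11020099.outbound.protection.outlook.com[52.101.56.99]
2023-08-14T13:20:11.000000-04:00 svr01 postfix/smtpd[27908]: disconnect from mail-eastus2azon11020099.outbound.protection.outlook.com[52.101.56.99] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
2023-08-14T13:25:00.000000-04:00 svr01 postfix/smtpd[27909]: disconnect from mx.example.net[198.51.100.7] ehlo=1 starttls=1 quit=1 commands=3
2023-08-14T13:26:00.000000-04:00 svr01 postfix/smtpd[27909]: disconnect from mx.example.net[198.51.100.7] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0 quit=1 commands=5/6
"""

PASS_RE = re.compile(r"postscreen\[\d+\]: PASS (NEW|OLD) \[([\d.:a-fA-F]+)\]:\d+")
DISCONNECT_RE = re.compile(
    r"smtpd\[\d+\]: disconnect from (?P<host>\S+?)\[(?P<ip>[^\]]+)\] (?P<counters>.*)$")
COUNTER_RE = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")


def parse_counters(text):
    """Turn 'ehlo=1 rcpt=0/1 commands=5/6' into {'ehlo': (1, 1), 'rcpt': (0, 1), ...}.

    Postfix logs 'ok/total' when some commands failed and a bare count otherwise,
    so a bare count is treated as ok == total.
    """
    return {k: (int(ok), int(total) if total else int(ok))
            for k, ok, total in COUNTER_RE.findall(text)}


def classify(counters):
    """Label a session from its command counters (labels are this example's own).

    ghost     - client never issued MAIL: EHLO/STARTTLS/NOOP/QUIT only
    rejected  - MAIL was issued but no message was accepted (data ok == 0)
    delivered - at least one DATA command succeeded
    """
    if counters.get("data", (0, 0))[0] > 0:
        return "delivered"
    if "mail" in counters:
        return "rejected"
    return "ghost"


def sender_domain(hostname):
    """Group by the last two labels (outlook.com, example.net).

    Assumption for this example only; a public-suffix list is needed for
    names ending in co.uk and the like.
    """
    return ".".join(hostname.rstrip(".").split(".")[-2:])


def summarize(log_text):
    """Return {'sessions': {domain: Counter(label)}, 'postscreen': {'PASS NEW': n, ...}}."""
    sessions = defaultdict(Counter)
    postscreen = Counter()
    for line in log_text.splitlines():
        m = PASS_RE.search(line)
        if m:
            postscreen["PASS " + m.group(1)] += 1
            continue
        m = DISCONNECT_RE.search(line)
        if m:
            label = classify(parse_counters(m.group("counters")))
            sessions[sender_domain(m.group("host"))][label] += 1
    return {"sessions": dict(sessions), "postscreen": dict(postscreen)}


def report(summary):
    """Render one line per domain, ghost-heaviest first, as a list of strings."""
    lines = []
    for domain, c in sorted(summary["sessions"].items(), key=lambda kv: -kv[1]["ghost"]):
        total = sum(c.values())
        lines.append(f"{domain:30s} ghost={c['ghost']:5d} rejected={c['rejected']:5d} "
                     f"delivered={c['delivered']:5d} ghost%={100 * c['ghost'] / total:5.1f}")
    ps = summary["postscreen"]
    lines.append(f"postscreen: PASS NEW={ps.get('PASS NEW', 0)} PASS OLD={ps.get('PASS OLD', 0)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG))))
```

Feed it a real log with `summarize(open("/var/log/postfix/postfix.log").read())` (or the decompressed output of xzcat for rotated files). The useful numbers are the ghost count per domain over time and the PASS NEW share, which rises when postscreen's cache expiry lets the same hosts back through the deep tests; a ghost count that stays proportional to delivered mail from the same domain is the harmless pattern described in the reply.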