1

Topic: Postscreen spam reconnecting to smtpd

==== Required information ====
- iRedMail version (check /etc/iredmail-release): v0.9.6
- Linux/BSD distribution name and version: Debian Jessie
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache2
- Manage mail accounts with iRedAdmin-Pro? No, postfixadmin
- Related log if you're reporting an issue: Check below
====

The following log is getting spammed continuously:

Mar 25 22:18:28 mailserver postfix/postscreen[2297]: CONNECT from [10.x.x.2]:39116 to [10.x.x.2]:25
Mar 25 22:18:28 mailserver postfix/postscreen[2297]: PASS OLD [10.x.x.2]:39116
Mar 25 22:18:28 mailserver postfix/smtpd[3590]: warning: hostname mailserver.example.com does not resolve to address 10.x.x.2
Mar 25 22:18:28 mailserver postfix/smtpd[3590]: connect from unknown[10.x.x.2]
Mar 25 22:18:28 mailserver postfix/smtpd[3590]: disconnect from unknown[10.x.x.2]
Mar 25 22:18:29 mailserver postfix/postscreen[2297]: CONNECT from [10.x.x.2]:39117 to [10.x.x.2]:25
Mar 25 22:18:29 mailserver postfix/postscreen[2297]: PASS OLD [10.x.x.2]:39117
Mar 25 22:18:29 mailserver postfix/smtpd[3659]: connect from mail.example.com[10.x.x.2]
Mar 25 22:18:29 mailserver postfix/smtpd[3659]: disconnect from mail.example.com[10.x.x.2]
Mar 25 22:18:30 mailserver postfix/postscreen[2297]: CONNECT from [10.x.x.2]:39118 to [10.x.x.2]:25
Mar 25 22:18:30 mailserver postfix/postscreen[2297]: PASS OLD [10.x.x.2]:39118
Mar 25 22:18:30 mailserver postfix/smtpd[3590]: warning: hostname mailserver.example.com does not resolve to address 10.x.x.2
Mar 25 22:18:30 mailserver postfix/smtpd[3590]: connect from unknown[10.x.50.2]
Mar 25 22:18:30 mailserver postfix/smtpd[3590]: disconnect from unknown[10.x.50.2]
Mar 25 22:18:31 mailserver postfix/postscreen[2297]: CONNECT from [10.x.x.2]:39121 to [10.x.50.2]:25
Mar 25 22:18:31 mailserver postfix/postscreen[2297]: PASS OLD [10.x.50.2]:39121
Mar 25 22:18:31 mailserver postfix/smtpd[3659]: connect from mail.example.com[10.x.50.2]
Mar 25 22:18:31 mailserver postfix/smtpd[3659]: disconnect from mail.example.com[10.x.50.2]
Mar 25 22:18:32 mailserver postfix/postscreen[2297]: CONNECT from [10.x.x.2]:39122 to [10.x.50.2]:25
Mar 25 22:18:32 mailserver postfix/postscreen[2297]: PASS OLD [10.x.50.2]:39122
Mar 25 22:18:32 mailserver postfix/smtpd[3590]: warning: hostname mailserver.example.com does not resolve to address 10.x.x.2
Mar 25 22:18:32 mailserver postfix/smtpd[3590]: connect from unknown[10.x.50.2]
Mar 25 22:18:32 mailserver postfix/smtpd[3590]: disconnect from unknown[10.x.50.2]

Doing an nslookup (to my local DNS server) on this mail host results in this:

Server:         2a02:xxx:xxx:xxx:xxx:xxx:xxx:xxx
Address:        2a02:xxx:xxx:xxx:xxx:xxx:xxx:xxx#53

Name:   mailserver.example.com
Address: 10.x.50.2

I've added a line to the /etc/hosts file with the following:

10.x.50.2 mailserver.example.com mailserver

This removed 1 line from getting spammed (the "hostname does not resolve" warning), but did not solve the rest:

Mar 25 22:18:28 mailserver postfix/postscreen[2297]: CONNECT from [10.x.x.2]:39116 to [10.x.x.2]:25
Mar 25 22:18:28 mailserver postfix/postscreen[2297]: PASS OLD [10.x.x.2]:39116
Mar 25 22:18:28 mailserver postfix/smtpd[3590]: connect from unknown[10.x.x.2]
Mar 25 22:18:28 mailserver postfix/smtpd[3590]: disconnect from unknown[10.x.x.2]
Mar 25 22:18:29 mailserver postfix/postscreen[2297]: CONNECT from [10.x.x.2]:39117 to [10.x.x.2]:25
Mar 25 22:18:29 mailserver postfix/postscreen[2297]: PASS OLD [10.x.x.2]:39117
Mar 25 22:18:29 mailserver postfix/smtpd[3659]: connect from mail.example.com[10.x.x.2]
Mar 25 22:18:29 mailserver postfix/smtpd[3659]: disconnect from mail.example.com[10.x.x.2]
Mar 25 22:18:30 mailserver postfix/postscreen[2297]: CONNECT from [10.x.x.2]:39118 to [10.x.x.2]:25
Mar 25 22:18:30 mailserver postfix/postscreen[2297]: PASS OLD [10.x.x.2]:39118
Mar 25 22:18:30 mailserver postfix/smtpd[3590]: connect from unknown[10.x.x.2]
Mar 25 22:18:30 mailserver postfix/smtpd[3590]: disconnect from unknown[10.x.x.2]
Mar 25 22:18:31 mailserver postfix/postscreen[2297]: CONNECT from [10.x.x.2]:39121 to [10.x.x.2]:25
Mar 25 22:18:31 mailserver postfix/postscreen[2297]: PASS OLD [10.x.x.2]:39121
Mar 25 22:18:31 mailserver postfix/smtpd[3659]: connect from mail.example.com[10.x.x.2]
Mar 25 22:18:31 mailserver postfix/smtpd[3659]: disconnect from mail.example.com[10.x.x.2]
Mar 25 22:18:32 mailserver postfix/postscreen[2297]: CONNECT from [10.x.x.2]:39122 to [10.x.x.2]:25
Mar 25 22:18:32 mailserver postfix/postscreen[2297]: PASS OLD [10.x.x.2]:39122
Mar 25 22:18:32 mailserver postfix/smtpd[3590]: connect from unknown[10.x.x.2]
Mar 25 22:18:32 mailserver postfix/smtpd[3590]: disconnect from unknown[10.x.x.2]

Sending mail works, but I cannot read any logs, as this is flooding my live tail -f ssh feed.

----

2

Re: Postscreen spam reconnecting to smtpd

About the "reconnect to smtpd" thing, this is working as designed. Please check postscreen doc for more details:
http://www.postfix.org/POSTSCREEN_README.html

3

Re: Postscreen spam reconnecting to smtpd

If it is working by design, why is it spamming my logs with it, so that I cannot monitor my traffic as I could before without the log being spammed?

It always drops and reconnects using the old port + 1, so it must be reconnecting for a specific task.

4

Re: Postscreen spam reconnecting to smtpd

*) The connections came from IP 10.x.x.x; is it your internal server?
*) About the old port +1: it's controlled by the Linux kernel. I don't think the port numbers are the problem; the problem is the connections themselves.

5

Re: Postscreen spam reconnecting to smtpd

Yes, the 10.x.x.x (or 10.x.50.2, same IP, just some mis-masking xD)

That is the ipv4 of the mailserver we are talking about.

6

Re: Postscreen spam reconnecting to smtpd

You mean the mail server itself keeps connecting to port 25?

7

Re: Postscreen spam reconnecting to smtpd

Correct, it's the local (as in same box) postscreen service that is reconnecting to the local (as in same box) postfix smtpd service, to its port 25. It disconnects right after it connects without sending any commands.

To make it even more clear:

Mar 27 13:56:34 mailserver postfix/postscreen[2273]: CONNECT from [10.x.x.x]:59613 to [10.x.x.x]:25
Mar 27 13:56:34 mailserver postfix/postscreen[2273]: PASS OLD [10.x.x.x]:59613
Mar 27 13:56:34 mailserver postfix/smtpd[62475]: connect from mailserver.example.com[10.x.x.x]
Mar 27 13:56:34 mailserver postfix/smtpd[62475]: disconnect from mailserver.example.com[10.x.x.x]

This is repeatedly being spammed into the mail.log file.

So the postfix/postscreen service is the local postscreen service on the mail server attempting to connect to the local smtpd service running on the mail server. Once completed, it instantly disconnects and reconnects using a new port to the smtpd service's port 25.

This is all happening on the same local server; it doesn't make sense why it is using its network IP address instead of its localhost address.
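As an added illustration (not from the thread or from iRedMail), a small Python log analyser that pairs each smtpd "connect from" with its "disconnect from" for the same smtpd process and counts sessions in which nothing else was logged in between. A client whose sessions are all empty, like the repeating lines above, is a probe or health check rather than a mail sender, which narrows down which local program to look for. The sample log lines and IP addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread's log lines; IPs are placeholders.
SAMPLE_LOG = """\
Mar 27 13:56:34 mailserver postfix/postscreen[2273]: CONNECT from [10.0.50.2]:59613 to [10.0.50.2]:25
Mar 27 13:56:34 mailserver postfix/postscreen[2273]: PASS OLD [10.0.50.2]:59613
Mar 27 13:56:34 mailserver postfix/smtpd[62475]: connect from mailserver.example.com[10.0.50.2]
Mar 27 13:56:34 mailserver postfix/smtpd[62475]: disconnect from mailserver.example.com[10.0.50.2]
Mar 27 13:56:35 mailserver postfix/postscreen[2273]: CONNECT from [10.0.50.2]:59614 to [10.0.50.2]:25
Mar 27 13:56:35 mailserver postfix/postscreen[2273]: PASS OLD [10.0.50.2]:59614
Mar 27 13:56:35 mailserver postfix/smtpd[62475]: connect from mailserver.example.com[10.0.50.2]
Mar 27 13:56:35 mailserver postfix/smtpd[62475]: disconnect from mailserver.example.com[10.0.50.2]
Mar 27 13:56:40 mailserver postfix/postscreen[2273]: CONNECT from [192.0.2.10]:40001 to [10.0.50.2]:25
Mar 27 13:56:40 mailserver postfix/postscreen[2273]: PASS OLD [192.0.2.10]:40001
Mar 27 13:56:40 mailserver postfix/smtpd[62476]: connect from mx.example.net[192.0.2.10]
Mar 27 13:56:41 mailserver postfix/smtpd[62476]: 1A2B3C: client=mx.example.net[192.0.2.10]
Mar 27 13:56:41 mailserver postfix/smtpd[62476]: disconnect from mx.example.net[192.0.2.10]
"""

SMTPD = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")
ENDPOINT = re.compile(r"^(connect|disconnect) from \S+\[([^\]]+)\]")

def session_stats(log_text):
    """Per client IP: total smtpd sessions, and how many ended with nothing
    logged by that smtpd process between 'connect from' and 'disconnect from'."""
    open_sessions = {}                      # smtpd pid -> [client ip, activity count]
    stats = defaultdict(lambda: {"sessions": 0, "empty": 0})
    for line in log_text.splitlines():
        m = SMTPD.search(line)
        if not m:
            continue                        # postscreen and other daemons are ignored
        pid, msg = m.group(1), m.group(2)
        ep = ENDPOINT.match(msg)
        if ep and ep.group(1) == "connect":
            open_sessions[pid] = [ep.group(2), 0]
        elif ep and ep.group(1) == "disconnect" and pid in open_sessions:
            ip, activity = open_sessions.pop(pid)
            stats[ip]["sessions"] += 1
            if activity == 0:
                stats[ip]["empty"] += 1
        elif pid in open_sessions:
            open_sessions[pid][1] += 1      # e.g. a 'client=' line: a real transaction began
    return dict(stats)

def empty_session_sources(stats, min_sessions=2):
    """IPs whose sessions are all empty: probes or health checks, not mail senders."""
    return sorted(ip for ip, s in stats.items()
                  if s["sessions"] >= min_sessions and s["empty"] == s["sessions"])
```

Run it over `/var/log/mail.log` instead of the sample to see which client IPs only ever open and close a session; on a Postfix version that logs command counts on the disconnect line, those counts could be used instead of the activity heuristic.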

8

Re: Postscreen spam reconnecting to smtpd

According to the log in the first post, it seems the log was generated every minute? Please try this:

*) If you have SOGo installed, please disable all cron jobs for the SOGo user, then monitor the Postfix log file.
*) If you don't have SOGo, honestly, I have no idea which program would visit port 25 so frequently. sad