I recently checked my mail log and found many messages like the following (some of the cipher text has been truncated):
Feb 23 11:57:42 postfix/smtpd[32451]: initializing the server-side TLS engine
Feb 23 11:57:42 postfix/smtpd[32451]: connect from unknown[176.103.49.30]
Feb 23 11:57:42 postfix/smtpd[32451]: setting up TLS connection from unknown[176.103.49.30]
Feb 23 11:57:42 postfix/smtpd[32451]: unknown[176.103.49.30]: TLS cipher list "ALL:+RC4:@STRENGTH"
Feb 23 11:57:42 postfix/smtpd[32451]: SSL_accept:before/accept initialization
Feb 23 11:57:42 postfix/smtpd[32451]: read from 7FD690FE02C0 [7FD6910804C0] (11 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Feb 23 11:57:42 postfix/smtpd[32451]: read from 7FD690FE02C0 [7FD6910804C0] (11 bytes => 11 (0xB))
(some cipher text)
Feb 23 11:57:42 postfix/smtpd[32451]: 0085 - <SPACES/NULLS>
Feb 23 11:57:42 postfix/smtpd[32451]: SSL_accept:SSLv3 read client hello B
Feb 23 11:57:42 postfix/smtpd[32451]: SSL_accept:SSLv3 write server hello A
Feb 23 11:57:42 postfix/smtpd[32451]: SSL_accept:SSLv3 write certificate A
Feb 23 11:57:42 postfix/smtpd[32451]: SSL_accept:SSLv3 write server done A
Feb 23 11:57:42 postfix/smtpd[32451]: write to 7FD690FE02C0 [7FD69108DE80] (1030 bytes => 1030 (0x406))
(some cipher text)
Feb 23 11:57:42 postfix/smtpd[32451]: 0403 - <SPACES/NULLS>
Feb 23 11:57:42 postfix/smtpd[32451]: SSL_accept:SSLv3 flush data
Feb 23 11:57:42 postfix/smtpd[32451]: read from 7FD690FE02C0 [7FD6910804C3] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Feb 23 11:57:42 postfix/smtpd[32451]: read from 7FD690FE02C0 [7FD6910804C3] (5 bytes => 5 (0x5))
Feb 23 11:57:42 postfix/smtpd[32451]: 0000 16 03 03 01 06 .....
Feb 23 11:57:42 postfix/smtpd[32451]: read from 7FD690FE02C0 [7FD6910804C8] (262 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Feb 23 11:57:42 postfix/smtpd[32451]: read from 7FD690FE02C0 [7FD6910804C8] (262 bytes => 262 (0x106))
(some cipher text)
Feb 23 11:57:42 postfix/smtpd[32451]: SSL_accept:SSLv3 read client key exchange A
Feb 23 11:57:42 postfix/smtpd[32451]: read from 7FD690FE02C0 [7FD6910804C3] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Feb 23 11:57:42 postfix/smtpd[32451]: read from 7FD690FE02C0 [7FD6910804C3] (5 bytes => 5 (0x5))
Feb 23 11:57:42 postfix/smtpd[32451]: SSL_accept:SSLv3 read finished A
Feb 23 11:57:42 postfix/smtpd[32451]: SSL_accept:SSLv3 write change cipher spec A
Feb 23 11:57:42 postfix/smtpd[32451]: SSL_accept:SSLv3 write finished A
Feb 23 11:57:42 postfix/smtpd[32451]: write to 7FD690FE02C0 [7FD69108DE80] (47 bytes => 47 (0x2F))
(some cipher text)
Feb 23 11:57:42 postfix/smtpd[32451]: SSL_accept:SSLv3 flush data
Feb 23 11:57:42 postfix/smtpd[32451]: Anonymous TLS connection established from unknown[176.103.49.30]: TLSv1.2 with cipher RC4-SHA (128/128 bits)
Feb 23 11:57:43 postfix/smtpd[32451]: Read 16 chars: EHLO localhost??
Feb 23 11:57:43 postfix/smtpd[32451]: Write 158 chars: 250-mail.(domain).com??250-PIPELINING??250
Feb 23 11:57:43 postfix/smtpd[32451]: write to 7FD690FE02C0 [7FD691088A13] (183 bytes => 183 (0xB7))
(some cipher text)
Feb 23 11:57:43 postfix/smtpd[32451]: Read 45 chars: AUTH PLAIN AGFkbWluQGZpcGljay5jb20Ad2lsb
Feb 23 11:57:45 postfix/smtpd[32451]: warning: unknown[176.103.49.30]: SASL PLAIN authentication failed:
Feb 23 11:57:45 postfix/smtpd[32451]: Write 42 chars: 435 4.7.8 Error: authentication failed:
Feb 23 11:57:45 postfix/smtpd[32451]: write to 7FD690FE02C0 [7FD691088A13] (67 bytes => 67 (0x43))
(some cipher text)
Feb 23 11:57:45 postfix/smtpd[32451]: Read 3 chars: *??
Feb 23 11:57:45 postfix/smtpd[32451]: Write 41 chars: 402 4.5.2 Error: command not recognized?
Feb 23 11:57:45 postfix/smtpd[32451]: write to 7FD690FE02C0 [7FD691088A13] (66 bytes => 66 (0x42))
Feb 23 11:57:45 postfix/smtpd[32451]: 0000 17 03 03 00 1a .....
Feb 23 11:57:45 postfix/smtpd[32451]: read from 7FD690FE02C0 [7FD6910804C8] (26 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Feb 23 11:57:45 postfix/smtpd[32451]: read from 7FD690FE02C0 [7FD6910804C8] (26 bytes => 26 (0x1A))
What do these messages mean? Is someone trying to break into my email account?
Also, what is the appropriate response to this situation?
It looks like someone may be trying to brute-force your password. Try base64-decoding the value after AUTH PLAIN. That should let you determine whether they are using valid credentials.
They are probably starting a TLS connection in order to reach the AUTH command, which is usually not offered on an unencrypted connection.
Blacklisting the source IP on the firewall is appropriate. There are tools like fail2ban that can monitor your logs and take action automatically.
If you don't need to reach the mail server from outside (the Internet), you may want to disable StartTLS and/or AUTH. I only have AUTH enabled on the submission port (587), but I don't know how to configure that in Postfix.
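The two steps the answer suggests, decoding the AUTH PLAIN value and counting SASL failures per source IP the way fail2ban would, as an added Python example that is not part of the original answer; the log lines and credentials it parses are constructed (documentation IP ranges, a made-up user), not the poster's.

```python
import base64
import re
from collections import Counter

# Constructed credentials (not the poster's). A SASL PLAIN initial response
# is authzid NUL authcid NUL password, base64-encoded.
CONSTRUCTED_BLOB = base64.b64encode(b"\x00user@example.com\x00hunter2").decode()

# Constructed log lines in Postfix's format; the IPs are documentation ranges.
SAMPLE_LOG = f"""\
Feb 23 11:57:43 postfix/smtpd[32451]: Read 49 chars: AUTH PLAIN {CONSTRUCTED_BLOB}
Feb 23 11:57:45 postfix/smtpd[32451]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed:
Feb 23 11:58:01 postfix/smtpd[32452]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed:
Feb 23 11:58:20 postfix/smtpd[32453]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed:
Feb 23 11:59:02 postfix/smtpd[32454]: warning: unknown[203.0.113.9]: SASL PLAIN authentication failed:
"""

AUTH_RE = re.compile(r"AUTH PLAIN ([A-Za-z0-9+/=]+)")
FAIL_RE = re.compile(r"warning: \S+\[([\d.]+)\]: SASL \w+ authentication failed")


def decode_auth_plain(blob):
    """Decode an RFC 4616 PLAIN blob into authzid / authcid / password.

    A logged blob may be cut short, as in the question: drop a dangling
    single character (it holds no whole byte), pad, and return what survived.
    """
    if len(blob) % 4 == 1:
        blob = blob[:-1]
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    parts = raw.split(b"\x00")
    parts += [b""] * (3 - len(parts))  # a truncated blob may lack fields
    authzid, authcid, password = (p.decode("utf-8", "replace") for p in parts[:3])
    return {"authzid": authzid, "authcid": authcid, "password": password}


def auth_attempts(log_text):
    """Every AUTH PLAIN blob the log captured, decoded."""
    return [decode_auth_plain(m.group(1)) for m in AUTH_RE.finditer(log_text)]


def failed_auth_by_ip(log_text, threshold=3):
    """Source IPs with at least `threshold` SASL failures: the condition a
    fail2ban-style jail would act on by blocking the client at the firewall."""
    hits = (FAIL_RE.search(line) for line in log_text.splitlines())
    counts = Counter(m.group(1) for m in hits if m)
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

Compare the decoded authcid against your real mailbox names: a guessed name that does not exist is noise, a real one with a near-miss password is the case worth blocking quickly.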