Is my mailserver being abused?

mbro · April 14, 2021, 3:22pm

My YunoHost server

Hardware: VPS bought online /
YunoHost version: 4.1.8
I have access to my server : Through SSH | through the webadmin

Description of my issue

I am looking at my mail logs and I wonder if I could block stuff or whether some firewall is doing what it should do. I am not really using mail to send anything, neither to receive since I just set it up and I am experimenting. Basically the server diagnostics are the only thing coming in (in Rainloop).

Can I automatically block any request to smtp not by me (web interface) for example?

I get a lot of this:

Apr 14 16:38:15 yh postfix/smtpd[24664]: connect from mone183.secundiarourous.com[141.98.10.183]
Apr 14 16:38:15 yh postfix/smtpd[24664]: disconnect from mone183.secundiarourous.com[141.98.10.183] ehlo=1 auth=0/1 quit=1 commands=2/3
Apr 14 16:40:26 yh postfix/anvil[24376]: statistics: max connection rate 1/60s for (smtp:103.125.191.85) at Apr 14 16:30:26
Apr 14 16:40:26 yh postfix/anvil[24376]: statistics: max connection count 1 for (smtp:103.125.191.85) at Apr 14 16:30:26
Apr 14 16:40:26 yh postfix/anvil[24376]: statistics: max cache size 3 at Apr 14 16:30:58
Apr 14 16:46:55 yh postfix/smtpd[25152]: connect from unknown[141.98.10.40]
Apr 14 16:46:55 yh postfix/smtpd[25152]: disconnect from unknown[141.98.10.40] ehlo=1 auth=0/1 quit=1 commands=2/3
Apr 14 16:50:16 yh postfix/anvil[25157]: statistics: max connection rate 1/60s for (smtp:141.98.10.40) at Apr 14 16:46:55
Apr 14 16:50:16 yh postfix/anvil[25157]: statistics: max connection count 1 for (smtp:141.98.10.40) at Apr 14 16:46:55
Apr 14 16:50:16 yh postfix/anvil[25157]: statistics: max cache size 1 at Apr 14 16:46:55
Apr 14 16:54:50 yh postfix/smtpd[25495]: connect from unknown[141.98.10.232]
Apr 14 16:54:50 yh postfix/smtpd[25495]: disconnect from unknown[141.98.10.232] ehlo=1 auth=0/1 quit=1 commands=2/3
Apr 14 16:58:11 yh postfix/anvil[25497]: statistics: max connection rate 1/60s for (smtp:141.98.10.232) at Apr 14 16:54:50
Apr 14 16:58:11 yh postfix/anvil[25497]: statistics: max connection count 1 for (smtp:141.98.10.232) at Apr 14 16:54:50
Apr 14 16:58:11 yh postfix/anvil[25497]: statistics: max cache size 1 at Apr 14 16:54:50
Apr 14 17:00:05 yh postfix/smtpd[25747]: connect from unknown[141.98.10.132]
Apr 14 17:00:05 yh postfix/smtpd[25747]: disconnect from unknown[141.98.10.132] ehlo=1 auth=0/1 quit=1 commands=2/3
Apr 14 17:03:25 yh postfix/anvil[25752]: statistics: max connection rate 1/60s for (smtp:141.98.10.132) at Apr 14 17:00:05
Apr 14 17:03:25 yh postfix/anvil[25752]: statistics: max connection count 1 for (smtp:141.98.10.132) at Apr 14 17:00:05
Apr 14 17:03:25 yh postfix/anvil[25752]: statistics: max cache size 1 at Apr 14 17:00:05
Apr 14 17:04:50 yh postfix/smtpd[25959]: connect from unknown[141.98.10.235]
Apr 14 17:04:50 yh postfix/smtpd[25959]: disconnect from unknown[141.98.10.235] ehlo=1 auth=0/1 quit=1 commands=2/3
Apr 14 17:07:20 yh postfix/smtpd[26054]: connect from unknown[141.98.10.143]
Apr 14 17:07:20 yh postfix/smtpd[26054]: disconnect from unknown[141.98.10.143] ehlo=1 auth=0/1 quit=1 commands=2/3
Apr 14 17:08:29 yh postfix/smtpd[26054]: connect from unknown[141.98.10.136]
Apr 14 17:08:29 yh postfix/smtpd[26054]: disconnect from unknown[141.98.10.136] ehlo=1 auth=0/1 quit=1 commands=2/3
Apr 14 17:08:58 yh postfix/smtpd[26054]: connect from mone183.secundiarourous.com[141.98.10.183]
Apr 14 17:08:58 yh postfix/smtpd[26054]: disconnect from mone183.secundiarourous.com[141.98.10.183] ehlo=1 auth=0/1 quit=1 commands=2/3
Apr 14 17:12:18 yh postfix/anvil[25961]: statistics: max connection rate 1/60s for (smtp:141.98.10.235) at Apr 14 17:04:50
Apr 14 17:12:18 yh postfix/anvil[25961]: statistics: max connection count 1 for (smtp:141.98.10.235) at Apr 14 17:04:50
Apr 14 17:12:18 yh postfix/anvil[25961]: statistics: max cache size 2 at Apr 14 17:08:58

Aleks · April 14, 2021, 3:41pm

It’s not as simple as this, because you need the server to be exposed to “anybody” in order to be able to receive emails.

Also even when you don’t receive emails, some servers may connect to your server when you’re sending emails to check that the EHLO answer matches the reverse DNS, etc, in order to check if your server is not a spam system … Also the yunohost diagnosis system pokes your server to check it’s indeed exposed

Those requests ain’t such a big deal, just like for SSH or web stuff, it’s expected to have random bots poking at your server, and that may sound scary, but it’s in fact not that much as long as you have proper defenses (strong passwords + fail2ban, shipped in yunohost)

mbro · April 14, 2021, 3:46pm

Thanks, for the help, and the reassurance I guess.
How would I be able to check if fail2ban is actually banning those attempts?

Aleks · April 14, 2021, 3:48pm

You can check the fail2ban logs (from yunohost’s webadmin or tail -n 50 /var/log/fail2ban.log)

But it looks like these requests ain’t even authentication attemps, c.f. the " auth=0/1" in the logs I think (not 100% sure). As said, maybe just servers checking the server’s EHLO/HELO …

system · April 29, 2021, 3:49pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.