stop unknown client connect

How do you stop unknown client connects, as shown in my log below? Blacklists stop a lot, but why are unknowns allowed to connect?

Sep 1 04:33:23 msh-server postfix/smtpd[7870]: connect from unknown[58.69.104.237]
Sep 1 04:33:23 msh-server postfix/smtpd[7870]: ED462E58E7: client=unknown[58.69.104.237]
Sep 1 04:33:24 msh-server postfix/cleanup[7873]: ED462E58E7: message-id=<20060901093323.ED462E58E7@midsouthhost.com>

Sep 4 14:24:48 msh-server postfix/smtpd[4277]: connect from 80.244.146.99.ip.tnp.pl[80.244.146.99]
Sep 4 14:25:26 msh-server postfix/smtpd[4277]: AFBD6E75CE: client=80.244.146.99.ip.tnp.pl[80.244.146.99]
Sep 4 14:25:28 msh-server postfix/cleanup[4293]: AFBD6E75CE: message-id=<20060904192449.AFBD6E75CE@midsouthhost.com>

Sep 4 14:48:45 msh-server postfix/smtpd[4578]: connect from 12-201-49-87.client.mchsi.com[12.201.49.87]
Sep 4 14:48:49 msh-server postfix/smtpd[4578]: 8CAE1E7600: client=12-201-49-87.client.mchsi.com[12.201.49.87]
Sep 4 14:48:50 msh-server postfix/cleanup[4581]: 8CAE1E7600: message-id=<20060904194848.8CAE1E7600@midsouthhost.com>

TIA

Posted on Sep 4, 2006 3:11 PM

11 replies

Sep 5, 2006 8:07 AM in response to UptimeJeff

Are you trying to minimize spam or protect from being used to relay?


Both actually, but I was more concerned about relay / sending spam out. Of course it may be academic now, as my ISP has closed port 25 because my server was listed as a "source of spam". Until my problem is solved they will not open port 25. I guess I don't understand postfix logs. In the log section below it looks like someone has me attempting to send mail for them. Of course port 25 is closed, so it doesn't matter. Why would my server be trying to send mail to anyone? I sent no mail.

Sep 4 14:48:49 msh-server postfix/smtpd[4578]: 8CAE1E7600: client=12-201-49-87.client.mchsi.com[12.201.49.87]
Sep 4 14:48:50 msh-server postfix/cleanup[4581]: 8CAE1E7600: message-id=<20060904194848.8CAE1E7600@midsouthhost.com>
Sep 4 14:48:50 msh-server postfix/qmgr[2570]: 8CAE1E7600: from=<accusing@mac.com>, size=1309, nrcpt=1 (queue active)
Sep 4 14:48:51 msh-server postfix/smtpd[4584]: connect from localhost[127.0.0.1]
Sep 4 14:48:51 msh-server postfix/smtpd[4584]: 871EAE760A: client=localhost[127.0.0.1]
Sep 4 14:48:51 msh-server postfix/cleanup[4581]: 871EAE760A: message-id=<20060904194848.8CAE1E7600@midsouthhost.com>
Sep 4 14:48:51 msh-server postfix/qmgr[2570]: 871EAE760A: from=<accusing@mac.com>, size=1694, nrcpt=1 (queue active)
Sep 4 14:48:51 msh-server postfix/smtpd[4584]: disconnect from localhost[127.0.0.1]
Sep 4 14:48:51 msh-server postfix/smtp[4582]: 8CAE1E7600: to=<admin@midsouthhost.com>, relay=127.0.0.1[127.0.0.1], delay=3, status=sent (250 2.6.0 Ok, id=02577-01, from MTA: 250 Ok: queued as 871EAE760A)
Sep 4 14:48:51 msh-server postfix/qmgr[2570]: 8CAE1E7600: removed
Sep 4 14:48:52 msh-server postfix/pipe[4586]: 871EAE760A: to=<admin@midsouthhost.com>, relay=cyrus, delay=1, status=bounced (data format error. Command output: admin: Mailbox does not exist )
Sep 4 14:48:52 msh-server postfix/cleanup[4581]: 2433EE760C: message-id=<20060904194852.2433EE760C@midsouthhost.com>
Sep 4 14:48:52 msh-server postfix/qmgr[2570]: 2433EE760C: from=, size=3424, nrcpt=1 (queue active)
Sep 4 14:48:52 msh-server postfix/qmgr[2570]: 871EAE760A: removed
Sep 4 14:48:52 msh-server postfix/smtpd[4578]: disconnect from 12-201-49-87.client.mchsi.com[12.201.49.87]
Sep 4 14:49:06 msh-server postfix/smtp[4565]: connect to smtp-pandora.telenet-ops.be[195.130.132.41]: Operation timed out (port 25)
Sep 4 14:49:22 msh-server postfix/smtp[4591]: connect to smtp-mx5.mac.com[17.250.244.61]: Operation timed out (port 25)
Sep 4 14:49:36 msh-server postfix/smtp[4565]: connect to smtp-pandora.telenet-ops.be[195.130.132.43]: Operation timed out (port 25)
Sep 4 14:49:52 msh-server postfix/smtp[4591]: connect to smtp-mx.mac.com[17.250.248.49]: Operation timed out (port 25)
Sep 4 14:50:06 msh-server postfix/smtp[4565]: connect to smtp-pandora.telenet-ops.be[195.130.132.38]: Operation timed out (port 25)
Sep 4 14:50:22 msh-server postfix/smtp[4591]: connect to smtp-mx6.mac.com[17.250.244.63]: Operation timed out (port 25)
Sep 4 14:50:36 msh-server postfix/smtp[4565]: connect to smtp-pandora.telenet-ops.be[195.130.132.52]: Operation timed out (port 25)
Sep 4 14:50:36 msh-server postfix/smtp[4565]: 7DFC7E75DA: to=<pegh@pandora.be>, relay=none, delay=1506, status=deferred (connect to smtp-pandora.telenet-ops.be[195.130.132.52]: Operation timed out)
Sep 4 14:50:52 msh-server postfix/smtp[4591]: connect to smtp-mx3.mac.com[17.250.248.166]: Operation timed out (port 25)
Sep 4 14:51:22 msh-server postfix/smtp[4591]: connect to smtp-mx2.mac.com[17.250.248.165]: Operation timed out (port 25)
Sep 4 14:51:52 msh-server postfix/smtp[4591]: connect to smtp-mx4.mac.com[17.250.248.167]: Operation timed out (port 25)
Sep 4 14:51:52 msh-server postfix/smtp[4591]: 2433EE760C: to=<accusing@mac.com>, relay=none, delay=180, status=deferred (connect to smtp-mx4.mac.com[17.250.248.167]: Operation timed out)
Sep 4 15:20:55 msh-server postfix/qmgr[2570]: 2433EE760C: from=, size=3424, nrcpt=1 (queue active)
Sep 4 15:20:55 msh-server postfix/qmgr[2570]: 7DFC7E75DA: from=, size=4663, nrcpt=1 (queue active)
Sep 4 15:21:25 msh-server postfix/smtp[4974]: connect to smtp-pandora.telenet-ops.be[195.130.132.52]: Operation timed out (port 25)
Sep 4 15:21:25 msh-server postfix/smtp[4971]: connect to smtp-mx5.mac.com[17.250.244.61]: Operation timed out (port 25)
Sep 4 15:21:55 msh-server postfix/smtp[4974]: connect to smtp-pandora.telenet-ops.be[195.130.132.39]: Operation timed out (port 25)
Sep 4 15:21:55 msh-server postfix/smtp[4971]: connect to smtp-mx.mac.com[17.250.248.49]: Operation timed out (port 25)
Sep 4 15:22:25 msh-server postfix/smtp[4974]: connect to smtp-pandora.telenet-ops.be[195.130.132.41]: Operation timed out (port 25)
Sep 4 15:22:25 msh-server postfix/smtp[4971]: connect to smtp-mx6.mac.com[17.250.244.63]: Operation timed out (port 25)
Sep 4 15:22:55 msh-server postfix/smtp[4974]: connect to smtp-pandora.telenet-ops.be[195.130.132.38]: Operation timed out (port 25)
Sep 4 15:22:55 msh-server postfix/smtp[4971]: connect to smtp-mx2.mac.com[17.250.248.165]: Operation timed out (port 25)
Sep 4 15:23:25 msh-server postfix/smtp[4974]: connect to smtp-pandora.telenet-ops.be[195.130.132.43]: Operation timed out (port 25)
Sep 4 15:23:25 msh-server postfix/smtp[4971]: connect to smtp-mx4.mac.com[17.250.248.167]: Operation timed out (port 25)
Sep 4 15:23:55 msh-server postfix/smtp[4974]: connect to smtp-pandora.telenet-ops.be[195.130.132.51]: Operation timed out (port 25)
Sep 4 15:23:55 msh-server postfix/smtp[4971]: connect to smtp-mx3.mac.com[17.250.248.166]: Operation timed out (port 25)
Sep 4 15:23:56 msh-server postfix/smtp[4974]: 7DFC7E75DA: to=<pegh@pandora.be>, relay=none, delay=3506, status=deferred (connect to smtp-pandora.telenet-ops.be[195.130.132.51]: Operation timed out)
Sep 4 15:23:56 msh-server postfix/smtp[4971]: 2433EE760C: to=<accusing@mac.com>, relay=none, delay=2104, status=deferred (connect to smtp-mx3.mac.com[17.250.248.166]: Operation timed out)
Sep 4 16:10:55 msh-server postfix/qmgr[2570]: 2433EE760C: from=, size=3424, nrcpt=1 (queue active)
Sep 4 16:11:25 msh-server postfix/smtp[5578]: connect to smtp-mx.mac.com[17.250.248.49]: Operation timed out (port 25)
Sep 4 16:11:55 msh-server postfix/smtp[5578]: connect to smtp-mx5.mac.com[17.250.244.61]: Operation timed out (port 25)
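Every step of a Postfix transaction is logged under the message's queue ID, so the chain in the log above can be reconstructed mechanically instead of read by eye. The following Python script is an added example, not code from this thread or from Apple's tools: it runs over a constructed copy of the Sep 4 14:48 lines, follows the re-queue through the content filter ("queued as ..."), and flags the null-sender message (from=<>, shown as "from=," by the forum) that has no smtpd client as one Postfix generated itself, a bounce of the mail the remote client submitted, which is what the queued message to accusing@mac.com is. The address-matching link between a bounce and the message it bounces is a heuristic of this example.

```python
import re
from collections import defaultdict

# Constructed excerpt shaped like the Sep 4 14:48 transaction quoted above (the forum
# display dropped the "<>" of the null sender; a real log line reads from=<>).
LOG = """\
Sep 4 14:48:49 msh-server postfix/smtpd[4578]: 8CAE1E7600: client=12-201-49-87.client.mchsi.com[12.201.49.87]
Sep 4 14:48:50 msh-server postfix/qmgr[2570]: 8CAE1E7600: from=<accusing@mac.com>, size=1309, nrcpt=1 (queue active)
Sep 4 14:48:51 msh-server postfix/smtpd[4584]: 871EAE760A: client=localhost[127.0.0.1]
Sep 4 14:48:51 msh-server postfix/qmgr[2570]: 871EAE760A: from=<accusing@mac.com>, size=1694, nrcpt=1 (queue active)
Sep 4 14:48:51 msh-server postfix/smtp[4582]: 8CAE1E7600: to=<admin@midsouthhost.com>, relay=127.0.0.1[127.0.0.1], delay=3, status=sent (250 2.6.0 Ok, id=02577-01, from MTA: 250 Ok: queued as 871EAE760A)
Sep 4 14:48:52 msh-server postfix/pipe[4586]: 871EAE760A: to=<admin@midsouthhost.com>, relay=cyrus, delay=1, status=bounced (data format error. Command output: admin: Mailbox does not exist )
Sep 4 14:48:52 msh-server postfix/qmgr[2570]: 2433EE760C: from=<>, size=3424, nrcpt=1 (queue active)
Sep 4 14:51:52 msh-server postfix/smtp[4591]: 2433EE760C: to=<accusing@mac.com>, relay=none, delay=180, status=deferred (connect to smtp-mx4.mac.com[17.250.248.167]: Operation timed out)
"""

RE_CLIENT = re.compile(r"smtpd\[\d+\]: ([0-9A-F]{10}): client=(\S+)")
RE_FROM = re.compile(r"qmgr\[\d+\]: ([0-9A-F]{10}): from=<?([^>,]*)>?,")  # accepts from=<>, from=<x>, from=,
RE_DELIV = re.compile(r"([0-9A-F]{10}): to=<([^>]*)>, relay=\S+, delay=\d+, status=(\w+) \((.*)\)$")
RE_REQUEUED = re.compile(r"queued as ([0-9A-F]{10})")

def correlate(log_text):
    """Group lines by queue ID: injecting smtpd client, envelope sender, deliveries,
    and the parent queue ID when the content filter (amavis) re-queued the message."""
    msgs = defaultdict(lambda: {"client": None, "sender": None, "parent": None, "deliveries": []})
    for line in log_text.splitlines():
        if m := RE_CLIENT.search(line):
            msgs[m[1]]["client"] = m[2]
        elif m := RE_FROM.search(line):
            msgs[m[1]]["sender"] = m[2]
        elif m := RE_DELIV.search(line):
            qid, rcpt, status, detail = m.groups()
            msgs[qid]["deliveries"].append((rcpt, status))
            if r := RE_REQUEUED.search(detail):
                msgs[r[1]]["parent"] = qid  # 8CAE1E7600 came back from amavis as 871EAE760A
    return dict(msgs)

def origin(msgs, qid):
    """Trace a queue ID to the client that injected it. A null-sender message with no smtpd
    client was created by Postfix itself (a bounce); link it to the bounced message (heuristic)."""
    info = msgs[qid]
    if info["client"] is None and info["sender"] == "":
        for bounce_rcpt, _ in info["deliveries"]:
            for other, oi in msgs.items():
                if oi["sender"] == bounce_rcpt and "bounced" in [s for _, s in oi["deliveries"]]:
                    return "bounce of the message " + origin(msgs, other)
        return "generated locally (bounce); the bounced message is not in this excerpt"
    while info["parent"]:
        info = msgs[info["parent"]]
    return f"injected by {info['client']} with sender {info['sender']!r}"
```

Any queue ID this reports as a bounce is backscatter: the server accepted mail for a mailbox that does not exist and is now trying to return it to whatever sender address the remote client supplied. Rejecting unknown recipients during the SMTP session instead of bouncing after acceptance removes that outbound traffic.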

Sep 5, 2006 5:04 PM in response to 1down1togo

There are many ways your server can be utilized to send spam. A malicious user could be coming in via SSH or an https script vulnerability (php code injection).

It takes some digging to find the source.

You were originally asking to block unknown connections. Connections from unknown servers are a normal event. You have to be open to accept connections from practically any server. It's normal to see malicious attempts. Your job is to make sure they aren't successful. You'll never block attempts.

Jeff

Sep 10, 2006 8:41 PM in response to Alex_Mairet

I appreciate the responses from UptimeJeff and Alex_Mairet, but neither helps. This was just on a test server to see if Mac might be an option for us at work. Yes, I know spam is a fact of life. My server at work gets 1000s a day. But NEVER has my server been compromised to where it was sending spam! On this Mac server I have cleared the queue, disabled all mail accounts, closed all ports but 25 and 110, started the mail services, and within an hour the server is sending spam out. It appears to me that someone is connecting and queueing the message. How? See above log. We have used Imail on Windows for several years without any such issue. In the logs I can easily tell where a message came from and who queued it. Everything I read on Apple's implementation of postfix and cyrus keeps reminding you that the GUI is useless for real world use. So why does Apple bother?

Sep 11, 2006 6:35 PM in response to 1down1togo

Apple's documentation explains quite clearly how to avoid being an open relay, in terms of using the GUI to administer settings for mail services.

The Apple GUI provides a fully functional, though basic, configuration.
If you want more, it's available to you. In spades.

We're not psychic and can't tell you much from what you've posted. For starters, what other services are running and what 3rd-party software do you have installed, phpBB by any chance ? 🙂

Please navigate on your OS X Server, to Applications > Utilities,
and launch the Terminal application.
Type in:
postconf -n

(and then press return to execute the command).

Take the results and copy then paste them here so we can see your current configuration and spot problems.

Sep 14, 2006 9:06 AM in response to 1down1togo

Thanks DavidX for your reply; however, SSH (port 22) stays closed 99% of the time. I rarely open it.

Thanks davidh for your reply. Relaying is closed. At least the log says attempts are being denied. I have pasted my configuration params below:

always_bcc =
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
enable_server_options = yes
html_directory = no
inet_interfaces = localhost
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
luser_relay =
mail_owner = postfix
mailbox_size_limit = 0
mailbox_transport = cyrus
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_domains =
mydestination = $myhostname,localhost.$mydomain,mail.midsouthhost.com,midsouthhost.com
mydomain_fallback = localhost
myhostname = midsouthhost.com
mynetworks = 127.0.0.1/32,65.6.208.86/32
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
relayhost =
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_client_restrictions = permit_mynetworks hash:/etc/postfix/smtpdreject reject_rbl_client dun.dnsrbl.net reject_rbl_client dynablock.njabl.org reject_rbl_client psbl.surriel.com reject_rbl_client relays.ordb.org reject_rbl_client sbl-xbl.spamhaus.org reject_rbl_client list.dsbl.org reject_rbl_client china.blackholes.us reject_rbl_client malaysia.blackholes.us reject_rbl_client argentina.blackholes.us reject_rbl_client brazil.blackholes.us permit
smtpd_pw_server_security_options = login
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,permit
smtpd_sasl_auth_enable = yes
smtpd_tls_key_file =
smtpd_use_pw_server = yes
unknown_local_recipient_reject_code = 550

Thank you for your time. I do appreciate it.

Sep 14, 2006 7:28 PM in response to 1down1togo

Right, you have a vanilla config with too many RBLs listed.

Put sbl-xbl.spamhaus.org first in that list 🙂

Alex's suggestion is good, but it requires you to edit your postfix config files by hand, which is a one-way trip: you can't safely edit your settings via Server Admin after making changes by hand. You can start and stop mail services, but that'd be it.

http://www.postfix.org/uce.html

In particular,
http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
http://www.mengwong.com/misc/postfix-uce-guide.txt
http://www.securitysage.com/guides/postfix_uce.html
http://www.stahl.bau.tu-bs.de/~hildeb/postfix/

Note that there is some amount of repetition between those, and they are specific to a Linux or non-OS X install of Postfix. You need to adjust accordingly.

However, with the tips from those write-ups, I have reduced spam drastically, to the point where the sbl/rbl checks rarely are needed but still catch the worst spam.

Sep 16, 2006 3:18 PM in response to davidh

Well, I give up. I'll stick with Windows. I have closed every port possible (check it yourself); there are no scripts being run from the web. SSH is closed. I've checked the www-console-security and every other log. Yet I still see this:

Sep 16 04:45:55 msh-server postfix/cleanup[29295]: 3FB41ED2F9: message-id=<20060916094555.3FB41ED2F9@midsouthhost.com>
Sep 16 04:45:55 msh-server postfix/qmgr[18123]: 3FB41ED2F9: from=, size=3039, nrcpt=1 (queue active)
Sep 16 04:46:25 msh-server postfix/smtp[29305]: connect to usmailhost2.sothebys.com[63.105.171.54]: Operation timed out (port 25)
Sep 16 04:46:55 msh-server postfix/smtp[29305]: connect to mailhost.sothebys.com[217.158.138.65]: Operation timed out (port 25)
Sep 16 04:47:25 msh-server postfix/smtp[29305]: connect to usmailhost.sothebys.com[63.105.171.52]: Operation timed out (port 25)
Sep 16 04:47:55 msh-server postfix/smtp[29305]: connect to ukmailhost.sothebys.com[217.158.138.79]: Operation timed out (port 25)
Sep 16 04:47:55 msh-server postfix/smtp[29305]: 3FB41ED2F9: to=<crmau@sothebys.com>, relay=none, delay=120, status=deferred (connect to

-- span transactions clipped --

Sep 16 09:52:39 msh-server postfix/cleanup[1308]: 03B42ED496: message-id=<20060916145239.03B42ED496@midsouthhost.com>
Sep 16 09:52:39 msh-server postfix/qmgr[18123]: 03B42ED496: from=, size=5596, nrcpt=1 (queue active)
Sep 16 09:53:09 msh-server postfix/smtp[1317]: connect to smtp-pandora.telenet-ops.be[195.130.132.52]: Operation timed out (port 25)
Sep 16 09:53:39 msh-server postfix/smtp[1317]: connect to smtp-pandora.telenet-ops.be[195.130.132.51]: Operation timed out (port 25)
Sep 16 09:54:09 msh-server postfix/smtp[1317]: connect to smtp-pandora.telenet-ops.be[195.130.132.38]: Operation timed out (port 25)
Sep 16 09:54:39 msh-server postfix/smtp[1317]: connect to smtp-pandora.telenet-ops.be[195.130.132.39]: Operation timed out (port 25)
Sep 16 09:55:09 msh-server postfix/smtp[1317]: connect to smtp-pandora.telenet-ops.be[195.130.132.43]: Operation timed out (port 25)
Sep 16 09:55:39 msh-server postfix/smtp[1317]: connect to smtp-pandora.telenet-ops.be[195.130.132.41]: Operation timed out (port 25)
Sep 16 09:55:39 msh-server postfix/smtp[1317]: 03B42ED496: to=<peggy.brits@pandora.be>, relay=none, delay=180, status=deferred (connect to smtp-pandora.telenet-ops.be[195.130.132.41]: Operation timed out)

Someone is queueing messages and it can't be stopped. Apparently the spammers are better than you guys on Mac.

Thanks anyway...
