
Re: [exim-dev] "25 lost" is giving me useful clues
On 2018-08-30 at 12:27 +0200, Mark Elkins via Exim-dev wrote:
> What this is telling me is someone at 157.0.116.189 is making
> connections to my mail server - presumable to see if they can detect the
> accounts of users on my machine?

This really belongs on exim-users, not exim-dev (bcc'd) because it's not
about the development of Exim itself.

What else do the logs show? It could just be network reliability issues
or dumb clients which don't send QUIT and instead just drop connections.

The following not-enabled-by-default `log_selector` options might be of
interest:

smtp_connection                incoming SMTP connections
smtp_incomplete_transaction    incomplete SMTP transactions
smtp_no_mail                   session with no MAIL commands
smtp_protocol_error            SMTP protocol errors
smtp_syntax_error              SMTP syntax errors

E.g., `smtp_no_mail` will add a log-line for connections which are ended
without an SMTP mail transaction. Thus my monitoring probes for DANE
log (censored):

2018-09-03 00:09:00 [19598]
no MAIL in SMTP connection from XYZ (smtpdane.invalid) [2001:db8::1]:35490
I=[2001:db8::2]:25 D=0s
X=TLSv1.2:ECDHE-RSA-CHACHA20-POLY1305:256 CV=no SNI="mx.spodhuis.org"
C=EHLO,STARTTLS,EHLO,QUIT

Without more detail, you can't assert what the cause or reason for
non-QUIT connections might be.

-Phil

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim-dev] "25 lost" is giving me useful clues
Hi all,

Am 03.09.2018 um 23:03 schrieb Phil Pennock via Exim-users:
>
> 2018-09-03 00:09:00 [19598]
> no MAIL in SMTP connection from XYZ (smtpdane.invalid) [2001:db8::1]:35490
> I=[2001:db8::2]:25 D=0s
> X=TLSv1.2:ECDHE-RSA-CHACHA20-POLY1305:256 CV=no SNI="mx.spodhuis.org"
> C=EHLO,STARTTLS,EHLO,QUIT
>
> Without more detail, you can't assert what the cause or reason for
> non-QUIT connections might be.
>

Maybe not in this connection, but in many others I observed, the
connectors are just interested in knowing about:

- capabilities
- type of SSL connections possible

best regards,
Marius

Re: [exim-dev] "25 lost" is giving me useful clues
On 09/03/2018 10:03 PM, Phil Pennock via Exim-users wrote:
> On 2018-08-30 at 12:27 +0200, Mark Elkins via Exim-dev wrote:
>> What this is telling me is someone at 157.0.116.189 is making
>> connections to my mail server - presumable to see if they can detect the
>> accounts of users on my machine?


Interesting variables to log from a notquit-acl include

$smtp_notquit_reason
$smtp_command_history

In particular, one pattern for the latter that earns IPs an immediate
firewall entry on my systems is "^EHLO,(RSET,)?AUTH". I don't advertise
AUTH on an in-clear EHLO, but it doesn't stop them trying...

--
Cheers,
Jeremy

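As an added example that is not part of this thread, here is a small Python first pass over `smtp_no_mail` log lines of the shape Phil quoted, applying the same `^EHLO,(RSET,)?AUTH` history pattern Jeremy matches in his notquit ACL. It assumes, as in Jeremy's setup, that AUTH is only advertised after STARTTLS, so an AUTH straight after a cleartext EHLO is worth a closer look; the log lines and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample entries in the shape of Exim's smtp_no_mail log line
# (one entry per line; the mail above shows one wrapped across lines).
SAMPLE_LOG = """\
2018-09-03 00:09:00 [19598] no MAIL in SMTP connection from XYZ (smtpdane.invalid) [2001:db8::1]:35490 I=[2001:db8::2]:25 D=0s X=TLSv1.2:ECDHE-RSA-CHACHA20-POLY1305:256 CV=no SNI="mx.spodhuis.org" C=EHLO,STARTTLS,EHLO,QUIT
2018-09-03 00:10:12 [19601] no MAIL in SMTP connection from host2.example.invalid (mx.example.invalid) [192.0.2.10]:51234 I=[203.0.113.5]:25 D=1s C=EHLO,AUTH
2018-09-03 00:11:40 [19607] no MAIL in SMTP connection from host2.example.invalid (mx.example.invalid) [192.0.2.10]:51240 I=[203.0.113.5]:25 D=0s C=EHLO,RSET,AUTH,AUTH
2018-09-03 00:12:03 [19612] no MAIL in SMTP connection from host3.example.invalid [198.51.100.7]:40012 I=[203.0.113.5]:25 D=2s C=EHLO
"""

NO_MAIL = re.compile(
    r"^(?P<ts>\S+ \S+) \[(?P<pid>\d+)\] no MAIL in SMTP connection from "
    r"(?P<host>.*?) \[(?P<ip>[^\]]+)\]:(?P<port>\d+) (?P<rest>.*)$")
# Jeremy's pattern: AUTH attempted right after a cleartext EHLO (optionally via RSET).
CLEARTEXT_AUTH = re.compile(r"^EHLO,(RSET,)?AUTH")


def classify_history(history):
    """Map an Exim C= command history to a defender-facing verdict."""
    if CLEARTEXT_AUTH.match(history):
        return "cleartext-auth-attempt"   # assumes AUTH is only advertised after STARTTLS
    cmds = history.split(",")
    if cmds[-1] == "QUIT":                # clean close: capability / TLS probe, as Marius notes
        return "tls-probe" if "STARTTLS" in cmds else "capability-probe"
    return "dropped-without-quit"         # could be flaky network or a client that never QUITs


def parse_no_mail_line(line):
    """Return the fields of one smtp_no_mail entry, or None for other log lines."""
    m = NO_MAIL.match(line.strip())
    if not m:
        return None
    # Trailing fields are key=value; quoted values (SNI=) may contain spaces.
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("rest")))
    history = fields.get("C", "")
    return {"ts": m.group("ts"), "ip": m.group("ip"), "tls": "X" in fields,
            "history": history, "verdict": classify_history(history)}


def summarise(log_text):
    """Count verdicts per client IP: a first pass before deciding on any block."""
    counts = {}
    for line in log_text.splitlines():
        rec = parse_no_mail_line(line)
        if rec:
            counts.setdefault(rec["ip"], Counter())[rec["verdict"]] += 1
    return counts


if __name__ == "__main__":
    for ip, verdicts in summarise(SAMPLE_LOG).items():
        print(ip, dict(verdicts))
```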