Postfix

Understanding the Postfix mail log (part 2)

  • March 16, 2015

In my Postfix mail log I have the following entries:

Mar  9 06:01:10 postfix/smtpd[23043]: initializing the server-side TLS engine
Mar  9 06:01:10 postfix/smtpd[23043]: connect from mlxmail4.icicibank.com[203.27.235.122]
Mar  9 06:01:11 postfix/smtpd[23043]: setting up TLS connection from mlxmail4.icicibank.com[203.27.235.122]
Mar  9 06:01:11 postfix/smtpd[23043]: mlxmail4.icicibank.com[203.27.235.122]: TLS cipher list "ALL:+RC4:@STRENGTH"
Mar  9 06:01:11 postfix/smtpd[23043]: SSL_accept:before/accept initialization
Mar  9 06:01:11 postfix/smtpd[23043]: read from 7FE9DE41E2C0 [7FE9DE4BE4C0] (11 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Mar  9 06:01:11 postfix/smtpd[23043]: read from 7FE9DE41E2C0 [7FE9DE4BE4C0] (11 bytes => 11 (0xB))
Mar  9 06:01:11 postfix/smtpd[23043]: 0000 16 03 01 02 00 01 00 01|fc 03 03                 ........ ...
Mar  9 06:01:11 postfix/smtpd[23043]: read from 7FE9DE41E2C0 [7FE9DE4BE4CE] (506 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Mar  9 06:01:11 postfix/smtpd[23043]: read from 7FE9DE41E2C0 [7FE9DE4BE4CE] (506 bytes => 506 (0x1FA))
(some cipher text)
Mar  9 06:01:11 postfix/smtpd[23043]: 0128 - <SPACES/NULLS>
Mar  9 06:01:11 postfix/smtpd[23043]: SSL_accept:SSLv3 read client hello B
Mar  9 06:01:11 postfix/smtpd[23043]: SSL_accept:SSLv3 write server hello A
Mar  9 06:01:11 postfix/smtpd[23043]: SSL_accept:SSLv3 write certificate A
Mar  9 06:01:11 postfix/smtpd[23043]: SSL_accept:SSLv3 write key exchange A
Mar  9 06:01:11 postfix/smtpd[23043]: SSL_accept:SSLv3 write server done A
Mar  9 06:01:11 postfix/smtpd[23043]: write to 7FE9DE41E2C0 [7FE9DE4CBE80] (1567 bytes => 1567 (0x61F))
(some cipher text)
Mar  9 06:01:11 postfix/smtpd[23043]: 061c - <SPACES/NULLS>
Mar  9 06:01:11 postfix/smtpd[23043]: SSL_accept:SSLv3 flush data
Mar  9 06:01:11 postfix/smtpd[23043]: read from 7FE9DE41E2C0 [7FE9DE4BE4C3] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Mar  9 06:01:11 postfix/smtpd[23043]: read from 7FE9DE41E2C0 [7FE9DE4BE4C3] (5 bytes => 5 (0x5))
Mar  9 06:01:11 postfix/smtpd[23043]: read from 7FE9DE41E2C0 [7FE9DE4BE4C8] (134 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Mar  9 06:01:11 postfix/smtpd[23043]: read from 7FE9DE41E2C0 [7FE9DE4BE4C8] (134 bytes => 134 (0x86))
(some cipher text)
Mar  9 06:01:11 postfix/smtpd[23043]: SSL_accept:SSLv3 read client key exchange A
Mar  9 06:01:11 postfix/smtpd[23043]: read from 7FE9DE41E2C0 [7FE9DE4BE4C3] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Mar  9 06:01:11 postfix/smtpd[23043]: read from 7FE9DE41E2C0 [7FE9DE4BE4C3] (5 bytes => 5 (0x5))
Mar  9 06:01:11 postfix/smtpd[23043]: 0000 14 03 03 00 01                                   .....
Mar  9 06:01:11 postfix/smtpd[23043]: read from 7FE9DE41E2C0 [7FE9DE4BE4C8] (1 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Mar  9 06:01:11 postfix/smtpd[23043]: read from 7FE9DE41E2C0 [7FE9DE4BE4C8] (1 bytes => 1 (0x1))
Mar  9 06:01:11 postfix/smtpd[23043]: 0000 01                                               .
Mar  9 06:01:11 postfix/smtpd[23043]: read from 7FE9DE41E2C0 [7FE9DE4BE4C3] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Mar  9 06:01:11 postfix/smtpd[23043]: read from 7FE9DE41E2C0 [7FE9DE4BE4C3] (5 bytes => 5 (0x5))
Mar  9 06:01:11 postfix/smtpd[23043]: 0000 16 03 03 00 28                                   ....(
Mar  9 06:01:11 postfix/smtpd[23043]: read from 7FE9DE41E2C0 [7FE9DE4BE4C8] (40 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Mar  9 06:01:11 postfix/smtpd[23043]: read from 7FE9DE41E2C0 [7FE9DE4BE4C8] (40 bytes => 40 (0x28))
(some cipher text)
Mar  9 06:01:11 postfix/smtpd[23043]: SSL_accept:SSLv3 read finished A
Mar  9 06:01:11 postfix/smtpd[23043]: SSL_accept:SSLv3 write change cipher spec A
Mar  9 06:01:11 postfix/smtpd[23043]: SSL_accept:SSLv3 write finished A
Mar  9 06:01:11 postfix/smtpd[23043]: write to 7FE9DE41E2C0 [7FE9DE4CBE80] (51 bytes => 51 (0x33))
(some cipher text)
Mar  9 06:01:11 postfix/smtpd[23043]: 0030 d1 82 cb                                         ...
Mar  9 06:01:11 postfix/smtpd[23043]: SSL_accept:SSLv3 flush data
Mar  9 06:01:11 postfix/smtpd[23043]: Anonymous TLS connection established from mlxmail4.icicibank.com[203.27.235.122]: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  9 06:01:11 postfix/smtpd[23043]: read from 7FE9DE41E2C0 [7FE9DE4BE4C3] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Mar  9 06:01:12 postfix/smtpd[23043]: read from 7FE9DE41E2C0 [7FE9DE4BE4C3] (5 bytes => 5 (0x5))
Mar  9 06:01:12 postfix/smtpd[23043]: 0000 17 03 03 00 35                                   ....5
Mar  9 06:01:12 postfix/smtpd[23043]: read from 7FE9DE41E2C0 [7FE9DE4BE4C8] (53 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Mar  9 06:01:12 postfix/smtpd[23043]: read from 7FE9DE41E2C0 [7FE9DE4BE4C8] (53 bytes => 53 (0x35))
(some cipher text)
Mar  9 06:01:12 postfix/smtpd[23043]: Read 29 chars: EHLO mlxmail4.icicibank.com??
Mar  9 06:01:12 postfix/smtpd[23043]: Write 158 chars: 250-mail.xxx.com??250-PIPELINING??250
Mar  9 06:01:12 postfix/smtpd[23043]: write to 7FE9DE41E2C0 [7FE9DE4C6A13] (187 bytes => 187 (0xBB))
(some cipher text)
Mar  9 06:01:12 postfix/smtpd[23043]: read from 7FE9DE41E2C0 [7FE9DE4BE4C3] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))

What is mlxmail4.icicibank.com trying to do? Is it trying to send spam to my email account?

Based on your mail log and the discussion in the comments above, it looks like the SMTP client mlxmail4.icicibank.com is misbehaving. It did not respond after Postfix's EHLO reply:

Mar  9 06:01:12 postfix/smtpd[23043]: Read 29 chars: EHLO mlxmail4.icicibank.com??
Mar  9 06:01:12 postfix/smtpd[23043]: Write 158 chars: 250-mail.xxx.com??250-PIPELINING??250

Should I be concerned about this strange behaviour?

Unless other clients show the same symptoms, you need not worry. This is not a fault in your Postfix.

What is mlxmail4.icicibank.com trying to do? Is it trying to send spam to my email account?

Don't know. It hung up before the SMTP session was finished. But unlike your earlier log, mlxmail4.icicibank.com made no AUTH attempt. So it is too early to conclude that this client wants to send email to your server.

Spam activity can be detected by grepping the Postfix statistics from the anvil daemon. Spammers tend to send many emails in a short time.
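The anvil-statistics check the answer suggests, as an added example that is not part of the original thread: it parses constructed anvil rate lines and smtpd disconnect lines (the sample lines, the thresholds and the function names are my assumptions) and flags bursty senders as well as sessions, like the one in the question, that disconnect without ever issuing MAIL FROM.

```python
import re
from collections import defaultdict

# Constructed sample lines, not from the original post. The smtpd lines mirror the
# question's session (connect, TLS, silence after EHLO); the anvil lines use the real
# "statistics: max <kind> rate N/60s for (smtp:IP)" format with made-up values.
SAMPLE_LOG = """\
Mar  9 06:01:10 postfix/smtpd[23043]: connect from mlxmail4.icicibank.com[203.27.235.122]
Mar  9 06:01:11 postfix/smtpd[23043]: Anonymous TLS connection established from mlxmail4.icicibank.com[203.27.235.122]: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  9 06:06:12 postfix/smtpd[23043]: timeout after EHLO from mlxmail4.icicibank.com[203.27.235.122]
Mar  9 06:06:12 postfix/smtpd[23043]: disconnect from mlxmail4.icicibank.com[203.27.235.122] ehlo=1 commands=1
Mar  9 06:07:30 postfix/smtpd[23051]: disconnect from relay.example.net[198.51.100.9] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Mar  9 06:10:00 postfix/anvil[23050]: statistics: max connection rate 45/60s for (smtp:192.0.2.77) at Mar  9 06:09:30
Mar  9 06:10:00 postfix/anvil[23050]: statistics: max message rate 120/60s for (smtp:192.0.2.77) at Mar  9 06:09:30
Mar  9 06:10:00 postfix/anvil[23050]: statistics: max connection rate 2/60s for (smtp:198.51.100.9) at Mar  9 06:08:00
"""

ANVIL_RE = re.compile(r"postfix/anvil\[\d+\]: statistics: max (connection|message|recipient) rate (\d+)/(\d+)s for \(smtp:([^)]+)\)")
DISC_RE = re.compile(r"postfix/smtpd\[\d+\]: disconnect from (\S+)\[([^\]]+)\](.*)")

def anvil_peak_rates(log):
    """Return {client_ip: {kind: peak_per_minute}} parsed from anvil statistics lines."""
    peaks = defaultdict(dict)
    for line in log.splitlines():
        m = ANVIL_RE.search(line)
        if m:
            kind, count, secs, ip = m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)
            peaks[ip][kind] = count * 60 / secs  # normalise to a per-minute rate
    return dict(peaks)

def bursty_clients(log, conn_per_min=20, msg_per_min=50):
    """Clients whose anvil peak exceeds a threshold: the 'many mails in a short time' pattern."""
    hits = []
    for ip, rates in anvil_peak_rates(log).items():
        if rates.get("connection", 0) > conn_per_min or rates.get("message", 0) > msg_per_min:
            hits.append(ip)
    return sorted(hits)

def sessions_without_mail(log):
    """(host, ip) of sessions that disconnected without a MAIL command (no mail= counter)."""
    idle = []
    for line in log.splitlines():
        m = DISC_RE.search(line)
        if m and "mail=" not in m.group(3):
            idle.append((m.group(1), m.group(2)))
    return idle

if __name__ == "__main__":
    print("bursty clients:", bursty_clients(SAMPLE_LOG))
    print("sessions with no MAIL FROM:", sessions_without_mail(SAMPLE_LOG))
```

A client that appears in the second list only, as in the question, is idle rather than bursty; the first list is where the "many emails in a short time" signal shows up.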

Source: https://serverfault.com/questions/675721