Postfix
Understanding Postfix mail logs
I recently went through my mail log and found a lot of entries like these (part of the cipher text has been truncated):
Feb 23 11:57:42 postfix/smtpd[32451]: initializing the server-side TLS engine
Feb 23 11:57:42 postfix/smtpd[32451]: connect from unknown[176.103.49.30]
Feb 23 11:57:42 postfix/smtpd[32451]: setting up TLS connection from unknown[176.103.49.30]
Feb 23 11:57:42 postfix/smtpd[32451]: unknown[176.103.49.30]: TLS cipher list "ALL:+RC4:@STRENGTH"
Feb 23 11:57:42 postfix/smtpd[32451]: SSL_accept:before/accept initialization
Feb 23 11:57:42 postfix/smtpd[32451]: read from 7FD690FE02C0 [7FD6910804C0] (11 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Feb 23 11:57:42 postfix/smtpd[32451]: read from 7FD690FE02C0 [7FD6910804C0] (11 bytes => 11 (0xB)) (some cipher text)
Feb 23 11:57:42 postfix/smtpd[32451]: 0085 - <SPACES/NULLS>
Feb 23 11:57:42 postfix/smtpd[32451]: SSL_accept:SSLv3 read client hello B
Feb 23 11:57:42 postfix/smtpd[32451]: SSL_accept:SSLv3 write server hello A
Feb 23 11:57:42 postfix/smtpd[32451]: SSL_accept:SSLv3 write certificate A
Feb 23 11:57:42 postfix/smtpd[32451]: SSL_accept:SSLv3 write server done A
Feb 23 11:57:42 postfix/smtpd[32451]: write to 7FD690FE02C0 [7FD69108DE80] (1030 bytes => 1030 (0x406)) (some cipher text)
Feb 23 11:57:42 postfix/smtpd[32451]: 0403 - <SPACES/NULLS>
Feb 23 11:57:42 postfix/smtpd[32451]: SSL_accept:SSLv3 flush data
Feb 23 11:57:42 postfix/smtpd[32451]: read from 7FD690FE02C0 [7FD6910804C3] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Feb 23 11:57:42 postfix/smtpd[32451]: read from 7FD690FE02C0 [7FD6910804C3] (5 bytes => 5 (0x5))
Feb 23 11:57:42 postfix/smtpd[32451]: 0000 16 03 03 01 06 .....
Feb 23 11:57:42 postfix/smtpd[32451]: read from 7FD690FE02C0 [7FD6910804C8] (262 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Feb 23 11:57:42 postfix/smtpd[32451]: read from 7FD690FE02C0 [7FD6910804C8] (262 bytes => 262 (0x106)) (some cipher text)
Feb 23 11:57:42 postfix/smtpd[32451]: SSL_accept:SSLv3 read client key exchange A
Feb 23 11:57:42 postfix/smtpd[32451]: read from 7FD690FE02C0 [7FD6910804C3] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Feb 23 11:57:42 postfix/smtpd[32451]: read from 7FD690FE02C0 [7FD6910804C3] (5 bytes => 5 (0x5))
Feb 23 11:57:42 postfix/smtpd[32451]: SSL_accept:SSLv3 read finished A
Feb 23 11:57:42 postfix/smtpd[32451]: SSL_accept:SSLv3 write change cipher spec A
Feb 23 11:57:42 postfix/smtpd[32451]: SSL_accept:SSLv3 write finished A
Feb 23 11:57:42 postfix/smtpd[32451]: write to 7FD690FE02C0 [7FD69108DE80] (47 bytes => 47 (0x2F)) (some cipher text)
Feb 23 11:57:42 postfix/smtpd[32451]: SSL_accept:SSLv3 flush data
Feb 23 11:57:42 postfix/smtpd[32451]: Anonymous TLS connection established from unknown[176.103.49.30]: TLSv1.2 with cipher RC4-SHA (128/128 bits)
Feb 23 11:57:43 postfix/smtpd[32451]: Read 16 chars: EHLO localhost??
Feb 23 11:57:43 postfix/smtpd[32451]: Write 158 chars: 250-mail.(domain).com??250-PIPELINING??250
Feb 23 11:57:43 postfix/smtpd[32451]: write to 7FD690FE02C0 [7FD691088A13] (183 bytes => 183 (0xB7)) (some cipher text)
Feb 23 11:57:43 postfix/smtpd[32451]: Read 45 chars: AUTH PLAIN AGFkbWluQGZpcGljay5jb20Ad2lsb
Feb 23 11:57:45 postfix/smtpd[32451]: warning: unknown[176.103.49.30]: SASL PLAIN authentication failed:
Feb 23 11:57:45 postfix/smtpd[32451]: Write 42 chars: 435 4.7.8 Error: authentication failed:
Feb 23 11:57:45 postfix/smtpd[32451]: write to 7FD690FE02C0 [7FD691088A13] (67 bytes => 67 (0x43)) (some cipher text)
Feb 23 11:57:45 postfix/smtpd[32451]: Read 3 chars: *??
Feb 23 11:57:45 postfix/smtpd[32451]: Write 41 chars: 402 4.5.2 Error: command not recognized?
Feb 23 11:57:45 postfix/smtpd[32451]: write to 7FD690FE02C0 [7FD691088A13] (66 bytes => 66 (0x42))
Feb 23 11:57:45 postfix/smtpd[32451]: 0000 17 03 03 00 1a .....
Feb 23 11:57:45 postfix/smtpd[32451]: read from 7FD690FE02C0 [7FD6910804C8] (26 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Feb 23 11:57:45 postfix/smtpd[32451]: read from 7FD690FE02C0 [7FD6910804C8] (26 bytes => 26 (0x1A))
What do these messages mean? Is someone trying to break into my email account?
Also, what is the appropriate action to take in this situation?
It looks like someone may be trying to brute-force your password. Try base64-decoding the values that follow AUTH PLAIN. Those should let you determine whether they are using valid credentials. They are most likely initiating a TLS connection in order to get access to the AUTH command, which is usually not available on an unencrypted connection.
Blacklisting the source IP at the firewall for a while would be appropriate. There are tools such as fail2ban that can monitor your logs and take action automatically. If you don't need external (Internet) access to the mail server, you may want to disable StartTLS and/or AUTH. I only have AUTH enabled on the submission port (587), though I don't know how to configure that in Postfix.