When I look at my syslog file I see the following lines nearly every 5 minutes. I don’t recognize the mentioned IP address. According to Whois it is something from Poland (not my country). What is happening here? And can I block it?
Jun 8 21:10:14 ubuntu-1gb-ams2-Nova postfix/anvil[24423]: statistics: max connection rate 1/60s for (smtp:193.189.117.151) at Jun 8 21:06:52
Jun 8 21:10:14 ubuntu-1gb-ams2-Nova postfix/anvil[24423]: statistics: max connection count 1 for (smtp:193.189.117.151) at Jun 8 21:06:52
Jun 8 21:10:14 ubuntu-1gb-ams2-Nova postfix/anvil[24423]: statistics: max cache size 1 at Jun 8 21:06:52
Jun 8 21:11:55 ubuntu-1gb-ams2-Nova postfix/smtpd[24621]: connect from unknown[193.189.117.151]
Jun 8 21:11:57 ubuntu-1gb-ams2-Nova postfix/smtpd[24621]: warning: unknown[193.189.117.151]: SASL LOGIN authentication failed: authentication failure
Jun 8 21:11:57 ubuntu-1gb-ams2-Nova postfix/smtpd[24621]: lost connection after AUTH from unknown[193.189.117.151]
Jun 8 21:11:57 ubuntu-1gb-ams2-Nova postfix/smtpd[24621]: disconnect from unknown[193.189.117.151]
I solved this issue by adding the line below:
in
file. Then restart postfix:
Three years later, and I am going to be that guy who revives this thread :-)
I added the following entries to
/etc/postfix/main.cf
Then restarted Postfix:
service postfix restart
Yes, that address shows up on several blacklists.
Yes, that address shows up on at least 5 blacklists (Spamhaus ZEN, Protected Sky, Drone BL, CBL, Blocklist.de). Because the provider is lax about the whole thing, I’d recommend just blocking out the whole network range 193.189.116.0/23 from Delorian Internet Services.
@musicmouse
Seeing such messages is actually quite common and you should be fine as long as you’re rate-limiting connections to prevent flooding. In your
main.cf
configuration file, you should see options such as:
If we set the above to something such as:
This would mean that Postfix will wait 1 second before each error (i.e. lack of HELO, FQDN etc). After 10 errors, that limit will increase and once the limit hits 20, it will disconnect the client.
If you’re seeing a surge of such connection attempts, you can reduce the soft error limit and then reduce the gap between the soft and hard limits. You’ll still see the disconnects though it will ensure that they happen faster so that repeated attempts don’t tie up connections.
If you see the same IP or IPs often, block them using your firewall (or install a firewall and then block them). That’ll prevent them from connecting in the first place.
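To find which addresses fail SASL authentication repeatedly before deciding what to block, the log can be tallied per client IP. The script below is an added example, not part of the original thread; the function names, the default threshold of 3 and the sample lines (built in the format of the log quoted in the question) are assumptions.

```shell
#!/bin/sh
# Added example: count failed SASL logins per client IP in Postfix smtpd logs.

# Usage (log path is an assumption): sasl_offenders 3 < /var/log/syslog
# Prints "COUNT IP", highest count first, for clients at or above the threshold.
sasl_offenders() {
    awk -v min="${1:-3}" '
        # Only smtpd warnings of the form
        #   ... postfix/smtpd[PID]: warning: NAME[IP]: SASL LOGIN authentication failed: ...
        /smtpd\[[0-9]+\]: warning: / && /SASL [A-Za-z0-9-]+ authentication failed/ {
            # Take the bracketed address right before ": SASL" (not the PID).
            if (match($0, /\[[0-9A-Fa-f:.]+\]: SASL /)) {
                ip = substr($0, RSTART + 1, RLENGTH - 9)
                count[ip]++
            }
        }
        END { for (ip in count) if (count[ip] >= min) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample input; host name and the 203.0.113.7 / 198.51.100.9
# addresses are made up for the example.
sample_log() {
    cat <<'EOF'
Jun 8 21:11:55 host postfix/smtpd[24621]: connect from unknown[193.189.117.151]
Jun 8 21:11:57 host postfix/smtpd[24621]: warning: unknown[193.189.117.151]: SASL LOGIN authentication failed: authentication failure
Jun 8 21:11:57 host postfix/smtpd[24621]: lost connection after AUTH from unknown[193.189.117.151]
Jun 8 21:16:58 host postfix/smtpd[24702]: warning: unknown[193.189.117.151]: SASL LOGIN authentication failed: authentication failure
Jun 8 21:21:59 host postfix/smtpd[24790]: warning: unknown[193.189.117.151]: SASL PLAIN authentication failed: authentication failure
Jun 8 21:23:10 host postfix/smtpd[24811]: warning: mail.example.org[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Jun 8 21:24:02 host postfix/smtpd[24830]: warning: hostname bad.example.net does not resolve to address 198.51.100.9
EOF
}

# Clients with two or more failures in the sample.
sample_log | sasl_offenders 2
```

A single failure, like the one from the named host in the sample, is often just a mistyped password, so pick a threshold that leaves legitimate users out of the result.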