
Postfix logs...


lyndros
20th April 2009, 21:03
I am getting lots of these messages in mail.log:

Apr 20 14:17:15 ns24815 postfix/smtp[31342]: certificate verification failed for tnetmx.telefonica.net[213.4.149.227]:25: untrusted issuer /C=US/O=RTFM, Inc./OU=Widgets Division/CN=Test CA20010517
Apr 20 14:23:42 ns24815 postfix/smtp[31856]: certificate verification failed for mail.elventorro.net[86.109.162.127]:25: self-signed certificate

It seems that the server does not recognize the CA. Should I add those certificates? Is it something to worry about?

And what about these entries... connections without sending data...

Apr 20 14:02:06 ns24815 postfix/smtpd[29468]: lost connection after DATA (0 bytes) from cpe-98-28-208-132.woh.res.rr.com[98.28.208.132]
Apr 20 14:02:07 ns24815 postfix/smtpd[28474]: lost connection after DATA (0 bytes) from 201.22.166.174.dynamic.adsl.gvt.net.br[201.22.166.174]

Could they be spammers checking for relays?

Any help or comment would be appreciated.


Thanks in advance.

tebokkel
20th April 2009, 22:12
re TLS, see:
http://www.irbs.net/internet/postfix/0804/1114.html

(short version: TLS is used, the error is informational)

re DATA errors:
It is very well possible these are relay tries, and possibly succeeding (it all depends on when your Postfix gives a 4xx that this message isn't allowed). But then again, a lot of malware is very badly written, so errors in the sending process also don't seem unlikely.

Paul
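Paul's two points above (the TLS lines are informational, the DATA lines may or may not be relay attempts) are easy to check by triaging the log rather than eyeballing it. The following is an added example, not code from the thread: it separates the "certificate verification failed" lines from the "lost connection after DATA (0 bytes)" lines and counts the latter per client IP, so repeat offenders stand out. The sample log is constructed for the example (the first lines are modelled on the ones quoted in the opening post, the rest are made up to show repeats), and the threshold of three is an arbitrary illustration.

```python
"""Triage Postfix mail.log entries of the two kinds discussed in the thread.

Added example, not code from the thread. Under the default opportunistic
TLS policy (smtp_tls_security_level = may) a failed certificate check is
logged but delivery still happens, so those lines are only reported.
Empty-DATA disconnects are counted per client IP.
"""
import re
from collections import Counter

# Constructed sample log (modelled on the thread's lines, with invented repeats).
SAMPLE_LOG = """\
Apr 20 14:17:15 ns24815 postfix/smtp[31342]: certificate verification failed for tnetmx.telefonica.net[213.4.149.227]:25: untrusted issuer /C=US/O=RTFM, Inc./OU=Widgets Division/CN=Test CA20010517
Apr 20 14:23:42 ns24815 postfix/smtp[31856]: certificate verification failed for mail.elventorro.net[86.109.162.127]:25: self-signed certificate
Apr 20 14:02:05 ns24815 postfix/smtpd[29468]: connect from cpe-98-28-208-132.woh.res.rr.com[98.28.208.132]
Apr 20 14:02:06 ns24815 postfix/smtpd[29468]: lost connection after DATA (0 bytes) from cpe-98-28-208-132.woh.res.rr.com[98.28.208.132]
Apr 20 14:02:07 ns24815 postfix/smtpd[28474]: lost connection after DATA (0 bytes) from 201.22.166.174.dynamic.adsl.gvt.net.br[201.22.166.174]
Apr 20 14:05:11 ns24815 postfix/smtpd[29468]: lost connection after DATA (0 bytes) from cpe-98-28-208-132.woh.res.rr.com[98.28.208.132]
Apr 20 14:09:30 ns24815 postfix/smtpd[29470]: lost connection after DATA (0 bytes) from cpe-98-28-208-132.woh.res.rr.com[98.28.208.132]
Apr 20 14:10:02 ns24815 postfix/smtp[31900]: 3F2A1B0C: to=<user@example.org>, relay=mx.example.org[192.0.2.10]:25, status=sent (250 OK)
"""

# Outbound (smtp client) TLS verification failure: host[ip]:port: reason
TLS_RE = re.compile(
    r"postfix/smtp\[\d+\]: certificate verification failed for "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[\d.]+)\]:\d+: (?P<reason>.+)$"
)
# Inbound (smtpd server) client that dropped the connection right after DATA
EMPTY_DATA_RE = re.compile(
    r"postfix/smtpd\[\d+\]: lost connection after DATA \(0 bytes\) from "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[\d.]+)\]"
)


def triage(log_text):
    """Return (tls_failures, empty_data_counts).

    tls_failures: list of (host, ip, reason) tuples, informational only.
    empty_data_counts: Counter mapping client IP -> number of empty-DATA drops.
    Lines matching neither pattern are ignored.
    """
    tls_failures = []
    empty_data = Counter()
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            tls_failures.append((m["host"], m["ip"], m["reason"]))
            continue
        m = EMPTY_DATA_RE.search(line)
        if m:
            empty_data[m["ip"]] += 1
    return tls_failures, empty_data


def repeat_offenders(empty_data, threshold=3):
    """IPs with at least `threshold` empty-DATA drops, most frequent first.

    The threshold is an assumption for illustration; tune it to the volume of
    legitimate traffic the server sees before feeding the result to fail2ban.
    """
    return [ip for ip, n in empty_data.most_common() if n >= threshold]


if __name__ == "__main__":
    tls, empty = triage(SAMPLE_LOG)
    for host, ip, reason in tls:
        print(f"TLS (informational): {host}[{ip}]: {reason}")
    for ip, n in empty.most_common():
        print(f"empty DATA drops from {ip}: {n}")
    print("candidates for a fail2ban rule:", repeat_offenders(empty))
```

The count alone does not say whether a relay attempt got through. The decisive check is what Postfix did with the RCPT TO for those clients: a rejected relay attempt shows up as a "NOQUEUE: reject: RCPT from ..." line ending in "Relay access denied", while a queued message from an unknown client to a foreign domain means the relay is open.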

lyndros
21st April 2009, 19:44
Thanks a lot. So TLS is working, but the certificates cannot be checked against the CA. So if I want to avoid these errors, as I understand it I should place the CA's certs in the following location: /etc/ssl/certs.

Yes, it seems they are relay connections. Is it safe to add a new rule to fail2ban to permanently ban these IPs that are checking for relays? Or is it too risky, because I could ban a legitimate server with some malware on a user account?

Thank you all.

tebokkel
21st April 2009, 19:57
If your mail server is not abused (i.e. is not an open relay), I wouldn't worry about the logs or about blocking such attempts; it's not worth the effort.

If they are succeeding, you really should handle the mail server security, by limiting the hosts you relay for or the conditions under which you do. Only ignoring the logging then is a sure way to get your mail server onto a lot of blacklists.

Paul
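The relay restrictions Paul is referring to, together with the TLS settings behind the "informational" certificate lines, as an added main.cf example (not configuration from the thread). The network and domain values are placeholders; the parameter names are Postfix's own. smtpd_relay_restrictions exists in Postfix 2.10 and later; on the 2.x releases current when this thread was written the same entries go into smtpd_recipient_restrictions, which is why both are shown.

```conf
# /etc/postfix/main.cf fragment -- added example, not from the thread.
# Placeholder values: adjust mynetworks and mydestination to your site.
mynetworks = 127.0.0.0/8, [::1]/128
mydestination = $myhostname, localhost.$mydomain, localhost

# Postfix 2.10 and later: the relay policy lives here and is enforced
# before smtpd_recipient_restrictions is consulted.
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# Older Postfix: the same entries must appear here, and
# reject_unauth_destination must come before any "permit" that a stranger
# could match. A list ending in "permit" without reject_unauth_destination,
# or mynetworks = 0.0.0.0/0, turns the server into an open relay.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# Opportunistic TLS for outbound mail: encrypt when the peer offers it, but
# do not refuse delivery on certificate problems. This is why the
# "certificate verification failed" lines are informational. Pointing
# CApath at the distribution's CA bundle silences the "untrusted issuer"
# lines for peers with real CA-signed certificates, but not the
# self-signed ones.
smtp_tls_security_level = may
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_loglevel = 1
```

To check the result, inspect the effective settings with `postconf -n` and then, from a host outside mynetworks, open an SMTP session and issue a RCPT TO for a domain the server does not handle: a correctly configured server answers "554 5.7.1 ... Relay access denied" and logs a NOQUEUE reject line, while an open relay accepts the recipient. Fixing the policy this way is what stops the abuse; banning the probing IPs only hides the evidence of it.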