Postfix Logwatch - Should i be concerned?

Discussion in 'Server Operation' started by experience, Nov 24, 2013.

  1. experience

    experience New Member

    Just checking my daily logwatch file, i noticed an unknown IP address 184.22.56.206 and a postfix stress warning/Anvil limit reached warning - is someone sending spam messages from my server, or have they tried and failed due to the security settings?

     
    Last edited: Nov 24, 2013
  2. pititis

    pititis Member

    It's a bruteforce attack. Use fail2ban or similar to avoid headaches.

    Cheers
     
  3. experience

    experience New Member

    Thanks, i had fail2ban monitoring postfix and dovecot but had SASL turned off

    I've since enabled sasl so hopefully that will stop this happening again

    [sasl]

    enabled = true
    port = smtp,ssmtp,smtpd,imap2,imap3,imaps,pop3,pop3s
    filter = sasl
    logpath = /var/log/mail.log
    maxretry = 3
     
  4. arraken

    arraken Member HowtoForge Supporter

    Hi,

    I also just analyzed my logwatch file from my Mailserver and I have a question regarding the "sent via smtp" section. It looks like this:

    Code:
    3717   Sent via SMTP ---------------------------------------------------------------------------
          647      gmail.com
          270      my.fqdn.tld
          158     domain_we_host.tdl
          154     domain_we_host.tdl
          142     domain_we_host.tdl
          126      gmx.at
           97      web.de
           91      googlemail.com
           84      yahoo.co.id
           82      freenet.de
           80      gawab.com
           80      yahoo.de
           79      hotmail.com
           77      yahoo.com
           76      aol.com
           75      t-online.de
           74      arcor.de
           66      bigstring.com
           65      inbox.com
           64      zoho.com
           60      gmx.net
           etc.
    
    My question is: Why is the top domain gmail.com? And why are there so many other domains we dont host on our server in the top smtp-senders? Does that suggest a Spam-Problem?
     
  5. experience

    experience New Member

    From what i can see 3717 emails were Sent via SMTP - is that in a 24 hour period?

    I believe the list of domains is how many emails were sent to each domain e.g. 79 emails were sent to a hotmail.com email address
     
  6. arraken

    arraken Member HowtoForge Supporter

    Thanks! That makes a lot more sense - don't know why I didn't think of that...

    I wish there was some more in depth explanation of the logwatch output. There's a lot of guesswork involved - at least for me. :)
     
  7. MonkeyMan

    MonkeyMan New Member

    Most of the output assumes you understand how SMTP and mail services work.

    Try running postfix-logwatch in standalone mode, and increase the detail for any given section. This will give you a better picture of what you're seeing.

    MrC
     

Share This Page