Is someone trying to access my mail server to send spam?

#1 Wed, 10/17/2018 - 17:23
adamjedgar


What does the following mean exactly?

Oct 14 06:28:38 server3 postfix/smtpd[2355]: connect from hemu.mylifeworld.store[199.96.81.34]
Oct 14 06:28:39 server3 postfix/smtpd[2355]: NOQUEUE: reject: RCPT from hemu.mylifeworld.store[199.96.81.34]: 454 4.7.1 <info@goannawebsites.com.au>: Relay access denied; from=<gracy@mylifeworld.store> to=<info@goannawebsites.com.au> proto=ESMTP helo=<hemu.mylifeworld.store>
Oct 14 06:28:39 server3 postfix/smtpd[2355]: disconnect from hemu.mylifeworld.store[199.96.81.34] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8
connect from 220-134-195-68.HINET-IP.hinet.net[220.134.195.68]
Oct 14 06:35:37 server3 postfix/smtpd[3786]: warning: 220-134-195-68.HINET-IP.hinet.net[220.134.195.68]: SASL LOGIN authentication failed: authentication failure
Oct 14 06:35:37 server3 postfix/smtpd[3786]: disconnect from 220-134-195-68.HINET-IP.hinet.net[220.134.195.68] helo=1 auth=0/1 quit=1 commands=2/3
warning: hostname bb43b3b5.virtua.com.br does not resolve to address 187.67.179.181: Name or service not known
Oct 14 06:37:10 server3 postfix/smtpd[3786]: connect from unknown[187.67.179.181]
Oct 14 06:37:13 server3 postfix/smtpd[3786]: warning: unknown[187.67.179.181]: SASL LOGIN authentication failed: authentication failure
Oct 14 06:37:15 server3 postfix/smtpd[3786]: disconnect from unknown[187.67.179.181] helo=1 auth=0/1 quit=1 commands=2/3
connect from tata.yourservicequote.online[96.9.253.38]
Oct 14 06:46:40 server3 postfix/smtpd[4568]: NOQUEUE: reject: RCPT from tata.yourservicequote.online[96.9.253.38]: 454 4.7.1 <info@goannawebsites.com.au>: Relay access denied; from=<roger@yourservicequote.online> to=<info@goannawebsites.com.au> proto=ESMTP helo=<tata.localdomain>
Oct 14 06:46:40 server3 postfix/smtpd[4568]: disconnect from tata.yourservicequote.online[96.9.253.38] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8
connect from control.v545-5d8e5d8e.bid[51.254.58.226]
Oct 17 18:13:22 server3 postfix/smtpd[1425]: warning: control.v545-5d8e5d8e.bid[51.254.58.226]: SASL LOGIN authentication failed: authentication failure
Oct 17 18:13:22 server3 postfix/smtpd[1425]: lost connection after AUTH from control.v545-5d8e5d8e.bid[51.254.58.226]
Oct 17 18:13:22 server3 postfix/smtpd[1425]: disconnect from control.v545-5d8e5d8e.bid[51.254.58.226] ehlo=1 auth=0/1 commands=1/2


Are the above email log entries bad, and if so, how do I stop this kind of thing?

Wed, 10/17/2018 - 17:30
andreychek

Howdy,

Yup, unfortunately, there are bots scouring the Internet -- and if you have a server on the Internet, those bots are going to find it (over and over again), and poke at every part they can find to see if there's a way in.

There's no real way to stop or prevent that.

What we recommend is to ensure all your system packages are up to date, that your web apps are all up to date, and that you use decent passwords.

Those items will handle most of it... some folks like to use Fail2ban to look for failed password attempts though, which can block users after N failed logins.

-Eric
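
The kind of check Fail2ban automates for the log entries in the first post, as an added example that is not part of the thread and is not Fail2ban's own code: it counts SASL authentication failures per client IP inside a time window, in the spirit of Fail2ban's maxretry and findtime settings. The function names, the thresholds, the year 2018 (syslog timestamps omit it) and the 203.0.113.7 lines are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Three lines copied from the log in the first post.
PAGE_LINES = [
    "Oct 14 06:28:39 server3 postfix/smtpd[2355]: NOQUEUE: reject: RCPT from hemu.mylifeworld.store[199.96.81.34]: 454 4.7.1 <info@goannawebsites.com.au>: Relay access denied; from=<gracy@mylifeworld.store> to=<info@goannawebsites.com.au> proto=ESMTP helo=<hemu.mylifeworld.store>",
    "Oct 14 06:35:37 server3 postfix/smtpd[3786]: warning: 220-134-195-68.HINET-IP.hinet.net[220.134.195.68]: SASL LOGIN authentication failed: authentication failure",
    "Oct 14 06:37:13 server3 postfix/smtpd[3786]: warning: unknown[187.67.179.181]: SASL LOGIN authentication failed: authentication failure",
]
# Constructed lines (not from the post): one client failing three times in a minute.
CONSTRUCTED_LINES = [
    f"Oct 14 07:00:{s:02d} server3 postfix/smtpd[4000]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure"
    for s in (5, 20, 40)
]

EVENT = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"(?:warning: \S+\[(?P<sasl_ip>[\da-fA-F.:]+)\]: SASL \S+ authentication failed"
    r"|NOQUEUE: reject: RCPT from \S+\[(?P<relay_ip>[\da-fA-F.:]+)\]: "
    r".*Relay access denied)"
)

def parse(lines, year=2018):
    """Yield (timestamp, kind, ip) for SASL failures and relay rejections."""
    for line in lines:
        m = EVENT.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            kind = "sasl" if m["sasl_ip"] else "relay"
            yield ts, kind, m["sasl_ip"] or m["relay_ip"]

def ips_to_ban(lines, max_retry=3, find_time=timedelta(minutes=10)):
    """IPs with max_retry SASL failures inside a find_time window (lines in time order)."""
    seen, banned = defaultdict(list), set()
    for ts, kind, ip in parse(lines):
        if kind != "sasl":
            continue  # a relay rejection is not a password guess
        window = [t for t in seen[ip] if ts - t <= find_time] + [ts]
        seen[ip] = window
        if len(window) >= max_retry:
            banned.add(ip)
    return sorted(banned)

if __name__ == "__main__":
    print(ips_to_ban(PAGE_LINES + CONSTRUCTED_LINES))
```

With the default threshold of three, the clients from the post that each failed once are left alone and only the constructed repeat offender is reported.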

Wed, 10/17/2018 - 19:40
adamjedgar

Thanks, Eric. One of the Virtualmin virtual servers in the list above doesn't even have email enabled. Anyway, I will get Fail2ban onto this. I have another problem; however, I will post a new thread about it because I'm sure the question is one others have problems with at some time or another.

AJECreative is the home of $5 webhosting, $15/month VPS servers (1cpu,1gb RAM, 25GB storage)
Centos7, Debian9, or Ubuntu18LTS
Available Control Panels = Centos-Webpanel, Cyberpanel, or Virtualmin

https://ajecreative.com.au