[sendmail] Lots of "did not issue MAIL/EXPN/VRFY/ETRN" logs

fonz

Son of Beastie

Reaction score: 370
Messages: 2,560

My mailserver's logs contain lots of the following lines:
Code:
<timestamp> mail sm-mta[62748]: s1H2MWNN062748: foo.bar.com [<IP address>] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
There are over 1,000 such entries from the same hostname/IP within a period of ten minutes or so. Is there any chance this is just a crappy misconfigured server, or is it a spammer trying to abuse my server for relaying?
 

wblock@

Beastie Himself
Developer

Reaction score: 3,682
Messages: 13,851


If it was trying to relay, it would probably have done something. Possibly a misconfigured spambot. I'd firewall and forget. If it turns out they have anything legitimate to say, they can send it through somebody else's working mail server.
 

fonz

Son of Beastie

Reaction score: 370
Messages: 2,560


Thanks. vim /etc/pf.conf and service pf restart it is.
 

Chris_H

Daemon

Reaction score: 201
Messages: 1,076


FWIW I see those all the time; in fact, for years. The general consensus is that it's a spam(mer|bot) that attempts to "pipeline" the spam from a dictionary's worth of names it hopes to find on your MX. The problem is, they simply open a connection, expecting to be immediately able to start pumping your MX with DATA. In other words, they never wait for the ACK from your MX. That is what elicits the EXPN/VRFY from your MX.

HTH

--Chris
 

fonz

Son of Beastie

Reaction score: 370
Messages: 2,560


@Chris_H, thanks for the background information.
 

Chris_H

Daemon

Reaction score: 201
Messages: 1,076


You're very welcome, @fonz.

Thank you, too. For all the help you've given me, in the past :)

--Chris
 

wblock@

Beastie Himself
Developer

Reaction score: 3,682
Messages: 13,851


fonz said:
Thanks. vim /etc/pf.conf and service pf restart it is.
service pf reload reloads the rules without killing existing connections (like the SSH connection you may be using to change them).
 

Chris_H

Daemon

Reaction score: 201
Messages: 1,076


Excellent. That's great to know.

Thanks, @wblock@.

--Chris
 

fullauto2012

Active Member

Reaction score: 26
Messages: 171

I have had my SMTP server running for 8 hours.
This is how many of these I have.
Is this normal?
Is there a better way to keep up with adding all these IPs to my pf.conf than just grepping for them and manually adding?

Code:
root@kif:/usr/local/etc/dovecot # date
Tue Dec 12 09:27:28 EST 2017
root@kif:/usr/local/etc/dovecot # cat /var/log/maillog | grep "did not issue" | cut -d "[" -f 1 -f 3
Dec 12 00:01:00 kif sm-mta[86.16.10.224] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:05:06 kif sm-mta[193.70.87.209] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:09:23 kif sm-mta[133.130.74.177] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:13:22 kif sm-mta[94.23.73.132] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:17:41 kif sm-mta[95.177.213.219] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:22:00 kif sm-mta[179.198.169.16] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:26:01 kif sm-mta[133.130.74.177] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:30:07 kif sm-mta[118.219.45.141] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:34:03 kif sm-mta[178.33.107.200] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:38:12 kif sm-mta[190.25.46.42] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:42:33 kif sm-mta[203.191.174.55] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:46:24 kif sm-mta[87.98.131.120] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:50:39 kif sm-mta[213.156.120.22] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:54:46 kif sm-mta[91.237.124.222] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:58:59 kif sm-mta[91.237.124.222] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 01:03:08 kif sm-mta[170.83.76.196] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 01:07:11 kif sm-mta[175.136.232.97] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 01:12:49 kif sm-mta[196.38.89.85] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 01:15:34 kif sm-mta[89.96.222.27] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 01:19:48 kif sm-mta[46.102.196.66] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 01:24:04 kif sm-mta[41.193.16.218] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 01:28:07 kif sm-mta[200.35.185.180] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 01:36:36 kif sm-mta[82.185.149.169] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 01:40:47 kif sm-mta[95.177.213.219] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 01:44:57 kif sm-mta[179.198.169.16] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 01:49:04 kif sm-mta[185.109.169.71] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 01:53:13 kif sm-mta[96.84.215.235] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 01:57:29 kif sm-mta[178.90.55.176] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 02:01:38 kif sm-mta[190.24.136.122] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 02:05:50 kif sm-mta[200.49.145.161] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 02:14:13 kif sm-mta[193.70.87.209] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 02:18:17 kif sm-mta[46.102.196.66] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 02:22:28 kif sm-mta[96.84.215.235] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 02:26:34 kif sm-mta[96.84.215.235] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 02:30:40 kif sm-mta[81.43.76.134] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 02:38:58 kif sm-mta[133.130.74.177] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 02:43:04 kif sm-mta[212.170.109.162] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 02:47:44 kif sm-mta[137.101.210.248] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 02:51:12 kif sm-mta[190.24.136.122] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 02:55:17 kif sm-mta[41.87.95.33] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 02:59:15 kif sm-mta[188.225.171.58] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 03:03:24 kif sm-mta[201.33.193.166] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 03:07:29 kif sm-mta[179.198.169.16] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 03:11:36 kif sm-mta[191.248.224.38] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 03:15:39 kif sm-mta[196.38.89.85] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 03:16:49 kif sm-mta[139.162.99.243] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 03:19:38 kif sm-mta[41.87.95.33] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 03:23:41 kif sm-mta[188.225.171.58] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 03:31:41 kif sm-mta[178.33.107.200] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 03:35:54 kif sm-mta[95.59.137.196] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 03:39:54 kif sm-mta[86.16.10.224] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 03:44:01 kif sm-mta[212.170.109.162] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 03:48:03 kif sm-mta[94.23.73.132] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 03:52:19 kif sm-mta[41.180.72.44] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 03:56:24 kif sm-mta[188.225.171.58] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 04:00:28 kif sm-mta[212.170.109.162] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 04:04:42 kif sm-mta[2.42.219.63] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 04:08:40 kif sm-mta[190.24.136.122] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 04:12:59 kif sm-mta[120.150.227.127] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 04:17:02 kif sm-mta[202.131.203.163] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 04:21:12 kif sm-mta[149.135.117.174] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 04:25:14 kif sm-mta[187.178.242.154] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 04:29:27 kif sm-mta[188.225.171.58] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 04:33:33 kif sm-mta[190.25.46.42] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 04:37:43 kif sm-mta[190.25.46.42] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 04:41:58 kif sm-mta[120.150.123.116] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 04:45:55 kif sm-mta[89.96.222.27] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 04:54:13 kif sm-mta[96.84.215.235] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 04:58:15 kif sm-mta[94.23.73.132] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:02:29 kif sm-mta[95.59.137.196] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:06:45 kif sm-mta[201.33.193.166] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:10:43 kif sm-mta[31.27.32.18] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:15:10 kif sm-mta[200.85.52.74] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:19:01 kif sm-mta[190.24.136.122] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:23:14 kif sm-mta[190.216.165.6] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:27:21 kif sm-mta[31.27.32.18] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:31:36 kif sm-mta[110.145.123.120] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:35:45 kif sm-mta[196.38.89.85] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:36:13 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:40:17 kif sm-mta[88.23.251.86] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:43:53 kif sm-mta[89.96.222.27] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:48:27 kif sm-mta[120.150.227.127] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:52:33 kif sm-mta[110.145.123.120] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 05:56:41 kif sm-mta[94.46.187.190] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:00:55 kif sm-mta[41.193.16.218] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:05:12 kif sm-mta[133.130.74.177] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:09:21 kif sm-mta[212.170.109.162] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:13:48 kif sm-mta[88.23.251.86] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:21:42 kif sm-mta[81.43.76.134] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:25:53 kif sm-mta[200.35.185.180] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:28:21 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:30:14 kif sm-mta[181.49.39.70] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:31:25 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:34:29 kif sm-mta[82.185.149.169] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:34:43 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:37:59 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:38:32 kif sm-mta[46.102.196.66] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:41:16 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:42:44 kif sm-mta[200.105.132.238] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:44:42 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:46:57 kif sm-mta[94.46.187.190] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:48:26 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:51:06 kif sm-mta[170.83.76.196] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:51:51 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:55:11 kif sm-mta[46.102.196.66] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:55:22 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:58:53 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 06:59:27 kif sm-mta[185.109.169.71] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:02:14 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:03:39 kif sm-mta[2.42.219.63] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:05:41 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:07:35 kif sm-mta[190.223.59.18] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:09:01 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:12:27 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:15:49 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:15:49 kif sm-mta[86.16.10.224] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:16:06 kif sm-mta[192.168.1.110] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
Dec 12 07:16:06 kif sm-mta[192.168.1.110] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
Dec 12 07:16:06 kif sm-mta[192.168.1.110] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:16:06 kif sm-mta[192.168.1.110] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:18:58 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:19:50 kif sm-mta[65.182.89.4] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:22:24 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:24:01 kif sm-mta[118.219.45.141] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:25:52 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:28:08 kif sm-mta[201.33.193.166] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:29:17 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:32:14 kif sm-mta[212.170.109.162] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:32:47 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:36:11 kif sm-mta[65.182.89.4] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:36:23 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:40:00 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:40:26 kif sm-mta[212.170.109.162] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:43:18 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:44:19 kif sm-mta[96.84.215.235] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:46:36 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:48:34 kif sm-mta[178.90.55.176] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:49:59 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:52:43 kif sm-mta[200.35.185.180] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:53:21 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:56:35 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:56:49 kif sm-mta[200.35.185.180] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 07:59:48 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:01:01 kif sm-mta[220.130.186.101] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:03:18 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:05:06 kif sm-mta[200.35.185.180] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:06:34 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:09:28 kif sm-mta[24.139.47.5] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:10:02 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:13:23 kif sm-mta[187.178.242.154] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:13:24 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:16:46 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:17:35 kif sm-mta[196.38.89.85] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:20:10 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:21:34 kif sm-mta[41.193.16.218] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:23:31 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:25:41 kif sm-mta[220.130.186.101] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:26:57 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:29:46 kif sm-mta[120.150.123.116] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:30:18 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:33:40 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:33:47 kif sm-mta[178.90.55.176] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:37:03 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:37:51 kif sm-mta[65.182.89.4] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:40:33 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:42:08 kif sm-mta[24.139.47.5] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:44:03 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:46:02 kif sm-mta[190.24.136.122] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:47:43 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:51:14 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:54:18 kif sm-mta[120.150.123.116] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:54:31 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:58:03 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 08:58:47 kif sm-mta[137.101.210.248] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 09:01:33 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 09:02:17 kif sm-mta[31.27.32.18] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 09:04:56 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 09:06:26 kif sm-mta[81.43.76.134] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 09:08:30 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 09:12:04 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 09:14:40 kif sm-mta[133.130.74.177] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 09:15:23 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 09:18:33 kif sm-mta[31.27.32.18] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 09:18:51 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 09:22:16 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 09:22:42 kif sm-mta[187.178.242.154] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 09:25:42 kif sm-mta[172.82.162.153] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 09:26:47 kif sm-mta[200.35.185.180] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
 

DutchDaemon

Administrator
Staff member
Administrator
Moderator
Developer

Reaction score: 2,954
Messages: 11,353

Note that these can also be SMTP AUTH attacks, which will not be logged as such if you have no authentication mechanisms set up. blacklistd(8) will pick them right out for you.

Use something like
Code:
[local]
smtp            stream  *       *               *       3       30d
smtps           stream  *       *               *       3       30d
submission      stream  *       *               *       3       30d
in blacklistd.conf. You must use Sendmail from ports with the blacklistd option activated though.
 

fullauto2012

Active Member

Reaction score: 26
Messages: 171

security/sshguard, security/py-fail2ban, blacklistd(8) (not sure if sendmail(1) has support for this one though).
But, does security/sshguard monitor and help port 25 SMTP?
All I have found is that it works to suppress bruteforce SSH, for which I already have:

Code:
pass in log quick on $ext_if inet proto tcp from any \
        to { $ext_ip, $localnet } port (OMIT) \
        flags S/SA keep state \
        (max-src-conn 5, max-src-conn-rate 3/9, \
        overload <bruteforce> flush global)
 

DutchDaemon

Administrator
Staff member
Administrator
Moderator
Developer

Reaction score: 2,954
Messages: 11,353

sshguard (or Fail2Ban) will not catch these, no; these attacks need to be signalled by the abused application itself, and Sendmail with the blacklistd flag set will actively signal blacklistd to tally an ongoing attack. Sendmail without authentication mechanisms will not log this as an authentication attempt.
 

fullauto2012

Active Member

Reaction score: 26
Messages: 171

I am setting up my very FIRST email server. So to say that most of this is over my head is an understatement. E.g., although I technically have a working SMTP and POP3, I am still confused as to how this all works. For instance, I am completely confused as to how to configure SMTP authorization and what/how TLS works and why. Is there any 'cut to the chase' documentation either of you can point me to so that I am not forever embarrassing myself on this forum?

What I would like to accomplish by hosting my own email server is to become fairly proficient at installing/configuring sendmail and dovecot while understanding the different auth mechanisms and encryption. In short, I would eventually like to become as well versed at all aspects of FreeBSD hosting as you guys. And I LOVE to read technical documents (it's both a blessing and a curse).
 

DutchDaemon

Administrator
Staff member
Administrator
Moderator
Developer

Reaction score: 2,954
Messages: 11,353

There is no simple shortcut for reading /usr/share/sendmail/cf/README, and testing with /etc/mail/${hostname}.mc followed by a make all install restart and a tail -f /var/log/maillog. If you want to play with authentication, you will have to use mail/sendmail or package sendmail+tls+sasl2-8.15.2_3.

TLS is mostly out of the box nowadays, unless you want domain-specific certificates. A standard install will put something like this in your .mc file:
Code:
dnl Enable STARTTLS for receiving email.
define(`CERT_DIR', `/etc/mail/certs')dnl
define(`confSERVER_CERT', `CERT_DIR/host.cert')dnl
define(`confSERVER_KEY', `CERT_DIR/host.key')dnl
define(`confCLIENT_CERT', `CERT_DIR/host.cert')dnl
define(`confCLIENT_KEY', `CERT_DIR/host.key')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confDH_PARAMETERS', `CERT_DIR/dh.param')dnl
and it will pre-populate your /etc/mail/certs/ directory -- this will enable TLS without too much ado.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 9,282
Messages: 33,825

fullauto2012 said:
But, does security/sshguard monitor and help port 25 SMTP?
It can monitor a variety of services, not just SSH.
https://www.sshguard.net/docs/reference/attack-signatures/

DutchDaemon said:
sshguard (or Fail2Ban) will not catch these, no;
Not sure if sshguard will catch this specific attack but Fail2Ban can certainly be made to detect them. In this respect Fail2Ban may actually be the best choice as you can create your own detection rules and trigger on custom events.
 

fullauto2012

Active Member

Reaction score: 26
Messages: 171

This is going to come off as a bit juvenile, but how is the overhead on Fail2Ban? This rig is already painfully slow responding to POP3/SMTP as it is.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 9,282
Messages: 33,825

Not that much, but it's going to depend on the number and complexity of the rules. It does have a bunch of Python dependencies though.

fullauto2012 said:
This rig is already painfully slow responding to POP3/SMTP as it is.
That may be the result of all the scans and attempts to relay or bruteforce. Blocking those may improve the situation.
 

DutchDaemon

Administrator
Staff member
Administrator
Moderator
Developer

Reaction score: 2,954
Messages: 11,353

I'm pretty sure Fail2Ban will not detect login attempts on a Sendmail installation without SASL or other authentication mechanisms. It is simply not logged as anything other than a 'sudden disconnect'.
 

DutchDaemon

Administrator
Staff member
Administrator
Moderator
Developer

Reaction score: 2,954
Messages: 11,353

No, that's exactly the message I was referring to; it is impossible to deduce from that error message that it was in fact a failed authentication attempt against a non-authenticating Sendmail - the exact same error message is produced by e.g. a Zabbix agent that queries the host for the availability of port 25 or by a port scan for ports like 25 or 587. Triggering a block on the mere presence of "MAIL/EXPN/VRFY/ETRN" in a maillog will lead to "interesting false positives", and I've been there .. So be careful out there ..
 

Chris_H

Daemon

Reaction score: 201
Messages: 1,076

fullauto2012,
I feel your pain! I've been fighting serious MX abuse for about 4 half mos, now. In that time I have accumulated ~12 million SPAM/ABUSE sources! Who knew I'd be such a popular target! :p
Anyway I swear by pf(4) as the definitive defense against NET related abuse. Not only does it turn the abusers off, it squelches all (most) of the noise in your log(s), and trims traffic; giving you more of that pipe for yourself. Anyway I'll try to give some clues to creating the necessary pf(4) stuff you'll need/want, as well as some scripting to help you automate the entire process. :)
First up; you'll want to gather the offending IP's from your maillog, without plucking them out manually in your log viewer.
Based on the log output you've posted here; the following should do it for you:
Code:
#!/bin/sh -

cat /var/log/maillog | grep 'did not issue' | awk '{print $5;}' | sed 's/sm-mta\[//' | sed 's/\]//' | sort -t. +0 -1n +1 -2n +2 -3n +3 -4n | uniq >./SPAMMERS
I'd strongly recommend running this from the /tmp folder/directory. So you can experiment, and ensure that it's capturing the addresses properly. If all goes well. Report back, and we'll move on to the next step(s); a pf.conf(5) file, and all the related goodies. OH! I mean report back regardless. :)
Ultimately, the above script will gather all the offending IP's, and sort them in a more readable fashion, where we can ultimately add them to a TABLE for pf(4) to read, so it can deal with them in a manner you find appropriate. :D

HTH

--Chris
 

stparvu

New Member


Messages: 2

Chris_H said:
fullauto2012,

First up; you'll want to gather the offending IP's from your maillog, without plucking them out manually in your log viewer.
Based on the log output you've posted here; the following should do it for you:
Code:
#!/bin/sh -

cat /var/log/maillog | grep 'did not issue' | awk '{print $5;}' | sed 's/sm-mta\[//' | sed 's/\]//' | sort -t. +0 -1n +1 -2n +2 -3n +3 -4n | uniq >./SPAMMERS
Should be:

Code:
cat /var/log/maillog | grep 'did not issue' | awk '{print $7;}' | sed 's/\[//;s/\]//' | sort -t. +0 -1n +1 -2n +2 -3n +3 -4n | uniq > ./SPAMMERS
right?

This will return a list of IPs and FQDN names to feed pf. Some questions:

* What is the most recommended way, which packet filtering firewall to use in FreeBSD 12? pf?

* How can you automate and feed pf or other friends such a list of IPs?

Fighting spam is always fun and instructive :)
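
One way to do the extraction asked about above so that it works on raw maillog lines with or without a relay hostname or "(may be forged)", as an added example that is not code from any poster in this thread. The function names, the threshold, the allowlist argument and the pf table name are assumptions; the threshold and allowlist are there because, as noted earlier in the thread, monitoring probes and port scans produce the same log line.

```shell
#!/bin/sh
# Added example (not from the thread): list repeat sources of sendmail's
# "did not issue MAIL/EXPN/VRFY/ETRN" message, one IPv4 address per line.

# Constructed sample in raw maillog format. Addresses are documentation
# ranges (RFC 5737) plus one LAN client like the one in the posted log.
sample_maillog() {
cat <<'EOF'
Dec 12 00:01:00 kif sm-mta[1001]: vBC01: [203.0.113.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:05:06 kif sm-mta[1002]: vBC02: dyn.example.net [198.51.100.23] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:09:23 kif sm-mta[1003]: vBC03: [203.0.113.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:10:00 kif sm-mta[1004]: vBC04: monitor.example.org [198.51.100.200] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:13:22 kif sm-mta[1005]: vBC05: dyn.example.net [198.51.100.23] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:17:41 kif sm-mta[1006]: vBC06: [192.0.2.99] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:18:06 kif sm-mta[1007]: vBC07: [192.168.1.110] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
Dec 12 00:18:06 kif sm-mta[1008]: vBC08: [192.168.1.110] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
Dec 12 00:18:06 kif sm-mta[1009]: vBC09: [192.168.1.110] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:20:00 kif sm-mta[1010]: vBC10: monitor.example.org [198.51.100.200] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:22:00 kif sm-mta[1011]: vBC11: [203.0.113.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:26:01 kif sm-mta[1012]: vBC12: dyn.example.net [198.51.100.23] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:30:00 kif sm-mta[1013]: vBC13: monitor.example.org [198.51.100.200] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
Dec 12 00:50:00 kif sm-mta[1014]: vBC14: from=<a@example.org>, size=1200, relay=mx.example.org [192.0.2.10]
EOF
}

# extract_offenders [THRESHOLD] [ALLOWLIST] < maillog
#   THRESHOLD  minimum number of matching lines per address (default 3)
#   ALLOWLIST  space-separated addresses never to list (e.g. monitoring hosts)
# Only IPv4 addresses are handled. Private and loopback ranges are skipped.
extract_offenders() {
    awk -v min="${1:-3}" -v allow="${2:-}" '
    function is_private(ip,    o) {
        split(ip, o, ".")
        return (o[1] == 10 || o[1] == 127 ||
                (o[1] == 192 && o[2] == 168) ||
                (o[1] == 172 && o[2] >= 16 && o[2] <= 31))
    }
    BEGIN {
        n = split(allow, list, " ")
        for (i = 1; i <= n; i++) skip[list[i]] = 1
    }
    {
        pos = index($0, " did not issue MAIL/EXPN/VRFY/ETRN")
        if (pos == 0) next
        # Keep the text before the message. The client address is the
        # bracketed dotted quad at its end, which rules out the
        # sm-mta[pid] bracket and any relay hostname.
        head = substr($0, 1, pos - 1)
        sub(/ \(may be forged\)$/, "", head)
        if (!match(head, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]$/)) next
        ip = substr(head, RSTART + 1, RLENGTH - 2)
        if (is_private(ip) || (ip in skip)) next
        count[ip]++
    }
    END {
        for (ip in count) if (count[ip] >= min + 0) print ip
    }' | sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n
}

# Demo on the constructed sample: threshold 3, monitoring host allowlisted.
# On a real host the input would be /var/log/maillog and the output a file
# loaded into a pf table (the table name "spammers" is hypothetical):
#   extract_offenders 3 "198.51.100.200" < /var/log/maillog > /tmp/SPAMMERS
#   pfctl -t spammers -T replace -f /tmp/SPAMMERS
sample_maillog | extract_offenders 3 "198.51.100.200"
```

The `sort -k` keys are the current spelling of the obsolete `+0 -1n +1 -2n ...` form used in the scripts above.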
 

trev

Aspiring Daemon

Reaction score: 223
Messages: 925

In the never-ending quest to squelch spam, I wrote a sendmail(8) milter (in C) which checks the relay hostname during incoming mail transactions against the regular expression patterns stored in the configuration file and can DISCARD/TEMPFAIL/REJECT the connection per pattern. New patterns can be added without restarting the milter or sendmail(8). If anyone is interested in the source PM me.

Examples from the man page:

Code:
# Reject relay hostnames matching these regular expressions
[a-z]{1,3}-[0-9]{1,3}-[0-9]{1,3}-[0-9]{1,3} REJECT
^[0-9]{1,7}hfc[0-9]{1,3}[-.]           REJECT
It has run successfully on my FreeBSD systems for some years, and on a couple of high-volume university Solaris and Linux mail servers without issue.
 