Mailing Lists: Apple Mailing Lists


Re: suspicious mail server log entries



At 8:24 PM -0500 1/30/06, Charles Yeomans wrote:
> On Jan 30, 2006, at 5:25 PM, Dan Shoop wrote:
>
>> At 2:14 PM -0500 1/30/06, Charles Yeomans wrote:
>>> I'm seeing some regular entries in my mail server log like the following; perhaps someone better understands what's being attempted here.
>>>
>>> Jan 30 12:58:50 FileServer postfix/smtpd[4488]: connect from 15.red-213-96-45.staticip.rima-tde.net[213.96.45.15]
>>> Jan 30 12:58:50 FileServer postfix/smtpd[4488]: DF5955F64D5: client=15.red-213-96-45.staticip.rima-tde.net[213.96.45.15]
>>> Jan 30 12:58:51 FileServer postfix/cleanup[4489]: DF5955F64D5: message-id=<email@hidden>
>>> Jan 30 12:58:52 FileServer postfix/qmgr[19245]: DF5955F64D5: from=<email@hidden>, size=24247, nrcpt=1 (queue active)
>>> Jan 30 12:58:52 FileServer postfix/smtpd[4541]: connect from xserve.desuetude.com[192.168.0.253]
>>> Jan 30 12:58:52 FileServer postfix/smtp[4540]: warning: host xserve.desuetude.com[192.168.0.253] greeted me with my own hostname desuetude.com
>>> Jan 30 12:58:52 FileServer postfix/smtp[4540]: warning: host xserve.desuetude.com[192.168.0.253] replied to HELO/EHLO with my own hostname desuetude.com
>>> Jan 30 12:58:52 FileServer postfix/smtp[4540]: DF5955F64D5: to=<email@hidden>, relay=xserve.desuetude.com[192.168.0.253], delay=2, status=bounced (mail for mail.desuetude.com loops back to myself)
>>> Jan 30 12:58:52 FileServer postfix/smtpd[4541]: lost connection after EHLO from xserve.desuetude.com[192.168.0.253]
>>> Jan 30 12:58:52 FileServer postfix/smtpd[4541]: disconnect from xserve.desuetude.com[192.168.0.253]
>>> Jan 30 12:58:52 FileServer postfix/cleanup[4489]: DD4895F64D7: message-id=<email@hidden>
>>> Jan 30 12:58:52 FileServer postfix/qmgr[19245]: DD4895F64D7: from=<>, size=25905, nrcpt=1 (queue active)
>>> Jan 30 12:58:53 FileServer postfix/smtpd[4488]: disconnect from 15.red-213-96-45.staticip.rima-tde.net[213.96.45.15]
>>> Jan 30 12:58:54 FileServer postfix/smtp[4543]: DD4895F64D7: to=<email@hidden>, relay=mail.jumpy.it[213.215.144.26], delay=2, status=sent (250 <43DB1B5D00211060> Mail accepted)
>>>
>>> Presumably the evil initiator of the connection is trying to pass himself off as my server. And I'm hoping that the last line is my server bouncing the mail back to the stated return address.
>>>
>>> I'm running OS X Server 10.3.9, using Kerberos for SMTP authorization and SMTP relay limited to localhost; is there something else to be doing?
>>
>> Who is 192.168.0.253???
>
> That's the behind-the-NAT address of my server; xserve.desuetude.com is mapped to it by internal DNS.

Then your mail set up is misconfigured. Or your hostname is wrong. Depends on which way you want to look at it.
--


-dhan

------------------------------------------------------------------------
Dan Shoop                                                   AIM: iWiring
Systems & Networks Architect                     http://www.iwiring.net/
email@hidden                                 http://www.ustsvs.com/
1-646-217-4725

pgp key fingerprint: FAC0 9434 B5A5 24A8 D0AF  12B1 7840 3BE7 3736 DE0B

iWiring provides systems and networks support for Mac OS X, unix, and
Open Source application technologies at affordable rates.
Macos-x-server mailing list      (email@hidden)
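
A log-triage sketch for the excerpt quoted in this thread, added here as an example and not part of the original messages: it groups Postfix lines by queue ID and flags deliveries bounced with "loops back to myself", plus null-sender (from=<>) mail that was then sent on to another host. The function names and finding labels are assumptions for illustration; the sample lines are a subset of the log quoted above.

```python
import re
from collections import defaultdict

# Subset of the log lines quoted in the thread, embedded so this runs offline.
LOG = """\
Jan 30 12:58:50 FileServer postfix/smtpd[4488]: DF5955F64D5: client=15.red-213-96-45.staticip.rima-tde.net[213.96.45.15]
Jan 30 12:58:52 FileServer postfix/qmgr[19245]: DF5955F64D5: from=<email@hidden>, size=24247, nrcpt=1 (queue active)
Jan 30 12:58:52 FileServer postfix/smtp[4540]: warning: host xserve.desuetude.com[192.168.0.253] greeted me with my own hostname desuetude.com
Jan 30 12:58:52 FileServer postfix/smtp[4540]: DF5955F64D5: to=<email@hidden>, relay=xserve.desuetude.com[192.168.0.253], delay=2, status=bounced (mail for mail.desuetude.com loops back to myself)
Jan 30 12:58:52 FileServer postfix/qmgr[19245]: DD4895F64D7: from=<>, size=25905, nrcpt=1 (queue active)
Jan 30 12:58:54 FileServer postfix/smtp[4543]: DD4895F64D7: to=<email@hidden>, relay=mail.jumpy.it[213.215.144.26], delay=2, status=sent (250 <43DB1B5D00211060> Mail accepted)
"""

# daemon name, queue ID, remainder of the line
LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]{6,}): (.*)$")
# key=value fields of interest; values end at a comma, whitespace or end of line
FIELD = re.compile(r"(client|from|relay|status)=(\S+?)(?:,|\s|$)")

def summarize(log_text):
    """Group Postfix log lines by queue ID and collect key fields per message."""
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # connect/disconnect/warning lines carry no queue ID
        _daemon, qid, rest = m.groups()
        for key, value in FIELD.findall(rest):
            msgs[qid][key] = value
        if "loops back to myself" in rest:
            msgs[qid]["loop"] = True
    return dict(msgs)

def findings(msgs):
    """Flag looped deliveries and null-sender (bounce) mail sent to another host."""
    out = []
    for qid, m in msgs.items():
        if m.get("loop"):
            out.append((qid, "loop", m.get("client"), m.get("relay")))
        elif m.get("from") == "<>" and m.get("status") == "sent":
            out.append((qid, "bounce-sent", None, m.get("relay")))
    return out

if __name__ == "__main__":
    for finding in findings(summarize(LOG)):
        print(finding)
```
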