Port 25 Connections Unknown - Should I Worry?

themetman
Posts: 14
Joined: Tue Sep 30, 2014 12:37 pm
ZCS/ZD Version: ZDesktop 7.3.1 ZCS 8.8.10


Post by themetman »

Should I be concerned?
I am running ZCS open source version 8.8.10 on Ubuntu 16.04 LTS.
In my /var/log/zimbra.log I am getting connections from unknown IPs to port 25.
Here is an example:

Apr 30 06:04:21 mx1 postfix/anvil[25407]: statistics: max connection rate 1/60s for (smtpd:85.234.126.92) at Apr 30 05:54:30
Apr 30 06:04:21 mx1 postfix/anvil[25407]: statistics: max connection count 1 for (smtpd:85.234.126.92) at Apr 30 05:54:30
Apr 30 06:04:21 mx1 postfix/anvil[25407]: statistics: max cache size 4 at Apr 30 05:58:17
.......
Apr 30 06:04:48 mx1 postfix/postscreen[25405]: CONNECT from [213.221.224.122]:58241 to [MyInternalIP]:25
Apr 30 06:04:48 mx1 postfix/postscreen[25405]: PREGREET 11 after 0.06 from [213.221.224.122]:58241: EHLO User\r\n
Apr 30 06:04:48 mx1 postfix/smtpd[4021]: connect from 213-221-224-122.static.ftth.fcom.ch[213.221.224.122]
Apr 30 06:04:48 mx1 postfix/smtpd[4021]: disconnect from 213-221-224-122.static.ftth.fcom.ch[213.221.224.122] ehlo=1 quit=1 commands=2
Apr 30 06:04:55 mx1 postfix/postscreen[25405]: CONNECT from [85.234.126.92]:59355 to [MyInternalIP]:25
Apr 30 06:04:56 mx1 postfix/postscreen[25405]: PREGREET 11 after 0.15 from [85.234.126.92]:59355: EHLO User\r\n
Apr 30 06:04:56 mx1 postfix/smtpd[4021]: warning: hostname empty.stranzit.ru does not resolve to address 85.234.126.92: Name or service not known
Apr 30 06:04:56 mx1 postfix/smtpd[4021]: connect from unknown[85.234.126.92]
Apr 30 06:04:56 mx1 postfix/smtpd[4021]: disconnect from unknown[85.234.126.92] ehlo=1 quit=1 commands=2

I have implemented a firewall and Fail2Ban on my server using info from various locations. I have also trawled this forum.
I have also set up DosFilter using https://www.missioncriticalemail.com/20 ... -together/.

Here is my Fail2Ban filter. Is it correct?

# Fail2Ban configuration file

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
                        \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
                        ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
                        \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
                        WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
                        NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:

# .*\[ip=<HOST>;\] .* - authentication failed for .* \(invalid password\)
# 
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

I can block these IPs on my router, but do I need to keep blocking the ones I see getting through?

Thanks
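A quick way to check whether a failregex does what you expect is to run it over sample lines yourself. The harness below is an added example (not from the post, Zimbra or Fail2Ban): it expands the <HOST> alias exactly as the filter header describes and runs the six posted patterns over constructed Zimbra audit.log and postfix lines. It also shows that postscreen PREGREET lines like those in the post are not matched by this filter at all; postscreen has already rejected those clients on its own, so they never count towards a Fail2Ban ban.

```python
import re

# Fail2Ban's <HOST> alias, as quoted in the filter header in the post
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The failregex lines from the posted filter, one pattern per entry
FAILREGEX = [
    r"\[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$",
    r"\[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$",
    r";oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$",
    r"\[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$",
    r"WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$",
    r"NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:",
]

COMPILED = [re.compile(p.replace("<HOST>", HOST_ALIAS)) for p in FAILREGEX]


def matching_host(line):
    """Return the host captured by the first pattern that matches, else None.
    Fail2Ban searches anywhere in the line (after the timestamp), so use search()."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def count_hits(lines):
    """Tally matches per host, the way Fail2Ban counts failures before banning."""
    counts = {}
    for line in lines:
        host = matching_host(line)
        if host:
            counts[host] = counts.get(host, 0) + 1
    return counts


# Constructed sample lines (not copied from any real server); IPs are from
# documentation ranges. The first two imitate Zimbra audit.log, the rest postfix.
SAMPLE = [
    "2019-04-30 06:05:01,101 INFO  [ImapServer-3] [ip=198.51.100.7;] security - cmd=Auth; account=bob@example.com; protocol=imap; error=authentication failed for [bob@example.com], invalid password;",
    "2019-04-30 06:05:02,202 INFO  [qtp-12] [name=bob@example.com;oip=198.51.100.7;ua=zclient/8.8.10;] security - cmd=Auth; account=bob@example.com; protocol=soap; error=authentication failed for bob@example.com, invalid password;",
    "Apr 30 06:05:03 mx1 postfix/smtpd[4021]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<x@example.net> to=<nobody@example.com> proto=ESMTP helo=<User>",
    # A postscreen PREGREET line of the kind shown in the post: not matched by any pattern
    "Apr 30 06:04:48 mx1 postfix/postscreen[25405]: PREGREET 11 after 0.06 from [203.0.113.9]:58241: EHLO User\\r\\n",
]

if __name__ == "__main__":
    print(count_hits(SAMPLE))  # {'198.51.100.7': 2, '203.0.113.9': 1}
```

Fail2Ban ships its own checker, fail2ban-regex, which should be the final word; this script is only for seeing which sub-pattern fires and which log lines fall outside the filter.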