UTM SMTP Relay - SMTP Connection lost

Hello, dear colleagues,

In general, the relay is operational and talks to two internal mail servers (one Exchange, one Postfix).

Out of curiosity I took a look at the live log and saw the following:

2020:07:29-15:24:20 hq-1 exim-in[19448]: 2020-07-29 15:24:20 SMTP connection from [52.141.62.18]:49935 (TCP/IP connection count = 1)
2020:07:29-15:24:21 hq-1 exim-in[31600]: 2020-07-29 15:24:21 SMTP connection from (JJ0sZo3BM6) [52.141.62.18]:49935 lost
2020:07:29-15:24:21 hq-1 exim-in[19448]: 2020-07-29 15:24:21 SMTP connection from [52.141.62.18]:50035 (TCP/IP connection count = 1)
2020:07:29-15:24:21 hq-1 exim-in[19448]: 2020-07-29 15:24:21 SMTP connection from [103.151.122.57]:31488 (TCP/IP connection count = 2)
2020:07:29-15:24:22 hq-1 exim-in[31606]: 2020-07-29 15:24:22 SMTP connection from (6pdQirEzP) [52.141.62.18]:50035 lost
2020:07:29-15:24:22 hq-1 exim-in[19448]: 2020-07-29 15:24:22 SMTP connection from [52.141.62.18]:50134 (TCP/IP connection count = 2)
2020:07:29-15:24:22 hq-1 exim-in[31608]: 2020-07-29 15:24:22 SMTP connection from (User) [103.151.122.57]:31488 closed by QUIT
2020:07:29-15:24:22 hq-1 exim-in[31611]: 2020-07-29 15:24:22 SMTP connection from (7k35RK) [52.141.62.18]:50134 lost
2020:07:29-15:24:23 hq-1 exim-in[19448]: 2020-07-29 15:24:23 SMTP connection from [52.141.62.18]:50228 (TCP/IP connection count = 1)
2020:07:29-15:24:23 hq-1 exim-in[31616]: 2020-07-29 15:24:23 SMTP connection from (ZtKVpwGgxL) [52.141.62.18]:50228 lost
2020:07:29-15:24:24 hq-1 exim-in[19448]: 2020-07-29 15:24:24 SMTP connection from [52.141.62.18]:50318 (TCP/IP connection count = 1)
2020:07:29-15:24:24 hq-1 exim-in[31620]: 2020-07-29 15:24:24 SMTP connection from (JiVUAkwRn) [52.141.62.18]:50318 lost

or also

2020:07:29-15:23:36 hq-1 exim-in[19448]: 2020-07-29 15:23:36 SMTP connection from [141.101.66.103]:38390 (TCP/IP connection count = 1)
2020:07:29-15:23:36 hq-1 exim-in[30875]: 2020-07-29 15:23:36 SMTP connection from [141.101.66.103]:38390 lost

The IPs apparently belong to Cloudflare and to Microsoft Korea, respectively.

The Cloudflare one surprises me, since as far as I know they only route http/s traffic and no MX traffic.

Why is the connection being closed, and by whom?

Regards, Patrick
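As an added example (not from this thread, Sophos or Exim), a small Python script that parses the exim-in lines quoted above and tallies, per source IP, how many sessions were opened, how many were dropped without a QUIT ("lost") and which HELO/EHLO names were presented (the name Exim prints in parentheses); the sample input is the post's own log lines, and the `min_lost` threshold is an assumed value, not a vendor recommendation.

```python
import re
from collections import defaultdict

# Constructed sample: the exim-in lines quoted in the post above (both snippets).
SAMPLE_LOG = """\
2020:07:29-15:24:20 hq-1 exim-in[19448]: 2020-07-29 15:24:20 SMTP connection from [52.141.62.18]:49935 (TCP/IP connection count = 1)
2020:07:29-15:24:21 hq-1 exim-in[31600]: 2020-07-29 15:24:21 SMTP connection from (JJ0sZo3BM6) [52.141.62.18]:49935 lost
2020:07:29-15:24:21 hq-1 exim-in[19448]: 2020-07-29 15:24:21 SMTP connection from [52.141.62.18]:50035 (TCP/IP connection count = 1)
2020:07:29-15:24:21 hq-1 exim-in[19448]: 2020-07-29 15:24:21 SMTP connection from [103.151.122.57]:31488 (TCP/IP connection count = 2)
2020:07:29-15:24:22 hq-1 exim-in[31606]: 2020-07-29 15:24:22 SMTP connection from (6pdQirEzP) [52.141.62.18]:50035 lost
2020:07:29-15:24:22 hq-1 exim-in[19448]: 2020-07-29 15:24:22 SMTP connection from [52.141.62.18]:50134 (TCP/IP connection count = 2)
2020:07:29-15:24:22 hq-1 exim-in[31608]: 2020-07-29 15:24:22 SMTP connection from (User) [103.151.122.57]:31488 closed by QUIT
2020:07:29-15:24:22 hq-1 exim-in[31611]: 2020-07-29 15:24:22 SMTP connection from (7k35RK) [52.141.62.18]:50134 lost
2020:07:29-15:24:23 hq-1 exim-in[19448]: 2020-07-29 15:24:23 SMTP connection from [52.141.62.18]:50228 (TCP/IP connection count = 1)
2020:07:29-15:24:23 hq-1 exim-in[31616]: 2020-07-29 15:24:23 SMTP connection from (ZtKVpwGgxL) [52.141.62.18]:50228 lost
2020:07:29-15:24:24 hq-1 exim-in[19448]: 2020-07-29 15:24:24 SMTP connection from [52.141.62.18]:50318 (TCP/IP connection count = 1)
2020:07:29-15:24:24 hq-1 exim-in[31620]: 2020-07-29 15:24:24 SMTP connection from (JiVUAkwRn) [52.141.62.18]:50318 lost
2020:07:29-15:23:36 hq-1 exim-in[19448]: 2020-07-29 15:23:36 SMTP connection from [141.101.66.103]:38390 (TCP/IP connection count = 1)
2020:07:29-15:23:36 hq-1 exim-in[30875]: 2020-07-29 15:23:36 SMTP connection from [141.101.66.103]:38390 lost
"""

# Exim prints "(name)" only once the client has sent HELO/EHLO; the open line lacks it.
LINE_RE = re.compile(
    r"SMTP connection from (?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[^\]]+)\]:\d+"
    r"(?: (?P<outcome>lost|closed by QUIT))?"
)

def summarize(log_text):
    """Per source IP: sessions opened, dropped without QUIT ('lost'),
    closed cleanly ('quit'), and the distinct HELO names presented."""
    stats = defaultdict(lambda: {"open": 0, "lost": 0, "quit": 0, "helo": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a connection open/close line
        s = stats[m["ip"]]
        outcome = m["outcome"]
        s["open" if outcome is None else "lost" if outcome == "lost" else "quit"] += 1
        if m["helo"]:
            s["helo"].add(m["helo"])
    return dict(stats)

def flag_sources(stats, min_lost=3):
    """IPs that repeatedly dropped the session and never finished one with QUIT.
    Assumed threshold: worth a closer look, not proof of anything by itself."""
    return sorted(ip for ip, s in stats.items() if s["lost"] >= min_lost and s["quit"] == 0)
```

Run over a longer stretch of the live log, the per-IP "lost" versus "quit" ratio and the number of different HELO names separate a sender that retries a few times before a successful delivery from one that never completes a session.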

  • Hallo Patrick,

    (Sorry, my German-speaking brain isn't creating thoughts at the moment. [:(])

    Sometimes, I see two or three such "lost" connections before a successful one from the same IP.  Is no mail coming through?

    In any case, I think it's the sender that breaks it off.  It would be interesting to know though.

    Kind regards - Bob (Please continue in German.)

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • > Sometimes, I see two or three such "lost" connections before a successful one from the same IP.  Is no mail coming through?

    When something like that happens occasionally, I'm not interested in it until a ticket is actively opened with us in IT.

    > In any case, I think it's the sender that breaks it off.  It would be interesting to know though.

    If the sender "calls and hangs up again" many times per minute, I don't see the point of it. Since one is Cloudflare and the other is Korean Microsoft, I understand it even less.

    One could also say "forget about it as long as it causes no damage/load!", but I still want to understand what is happening there and whether something bigger may be behind it (anything from a configuration problem to attacks).