Admin Beckspaced via Postfix-users:
> dear postfix users,
> 
> since the recent SMTP smuggling issue I applied the short term 
> workaround by setting smtpd_forbid_unauth_pipelining = yes
> 
> I also do a daily scan on journalctl with some keywords, e.g. 'pipelining'
> 
> the following showed up this morning.
> 
> do i need to be worried?
> 
> thanks
> & greetings
> Becki
> 
> 
> Jan 14 01:57:15 cx20 postfix/submission/smtpd[25120]: improper command 
> pipelining after CONNECT from battery.census.shodan.io[93.174.95.106]: 
> \026\003\003\001\244\001\000\001\240\003\003'>\232\037\250\226/zan\025\307\023\350_\373\253\021W\212\3262\246\223\3378\314/\312\200>\200
>  

That looks like a TLSv1.2 client hello packet.

Octal \026 (hex 0x16) = handshake
Octal \003\003 (hex 0x0303) = TLSv1.2

Presumably the client is confusing port 587 (plaintext, with explicit
STARTTLS) and 465 (implicit TLS).

Postfix logs "after CONNECT" because this is the first thing that the
client sent after CONNECTing to Postfix.

No harm is done, just wasting a few bits in the log.

        Wietse
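
The decoding described in the reply above, as an added example that is not part of the original thread or of Postfix: it turns the escaped bytes from the quoted log line back into raw bytes and reads the TLS record and handshake headers. The function names are hypothetical, and the escape format (`\ooo` octal, `\\` for a backslash) is an assumption based on what the log line shows.

```python
import re

# First bytes of the payload from the log line quoted in this thread.
SAMPLE = r"\026\003\003\001\244\001\000\001\240\003\003'>\232\037"

# Assumption: non-printable bytes appear as \ooo and a literal backslash as \\.
_ESC = re.compile(r"\\([0-3][0-7]{2})|\\\\")

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
HANDSHAKES = {1: "ClientHello", 2: "ServerHello"}


def unescape_log(text):
    """Convert the escaped text at the end of the log line back to raw bytes."""
    out, pos = bytearray(), 0
    for m in _ESC.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        out.append(int(m.group(1), 8) if m.group(1) else 0x5C)
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def classify(payload):
    """Describe a payload that opens with a TLS handshake record, else None."""
    if len(payload) < 6 or payload[0] != 0x16 or payload[1] != 0x03:
        return None
    info = {
        "record_version": VERSIONS.get(int.from_bytes(payload[1:3], "big"), "unknown"),
        "record_length": int.from_bytes(payload[3:5], "big"),
        "handshake": HANDSHAKES.get(payload[5], "other"),
    }
    # Both hello messages carry a 3-byte length followed by a 2-byte version.
    if payload[5] in HANDSHAKES and len(payload) >= 11:
        info["handshake_length"] = int.from_bytes(payload[6:9], "big")
        info["hello_version"] = VERSIONS.get(int.from_bytes(payload[9:11], "big"), "unknown")
    return info


if __name__ == "__main__":
    print(classify(unescape_log(SAMPLE)))            # TLS ClientHello on a plaintext port
    print(classify(b"EHLO client.example\r\n"))      # constructed SMTP input, not TLS
```

A result other than `None` for a "pipelining after CONNECT" entry on port 587 points to a client speaking implicit TLS to a STARTTLS port, which is the case the reply describes.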