
iis smtp nntp : Question for Sandy Regarding Connections


Curious_2k3
8/1/2007 8:40:01 AM
Good Morning,

I have recently configured a new Windows Server 2003 IIS 6.0 SMTP Server. I
am not using Exchange, just SMTP. Everything is working fine, I can send
emails to our SharePoint 3 enabled document library internally as well as
from an external source.

I have relaying restricted except for allowable domains, IPs, etc.

When I look at the SMTP Connections I can see 50-57 connections established
at any given time, without them relaying through my server. Are they
"acknowledging our presence" as an MX source? If not, what do they represent?

Thank you in advance.

Sanford Whiteman
8/1/2007 3:59:01 PM

Without looking at your logs, couldn't say which of these connections
are legit and which suspect. Do your logs show attempts to harvest
local usernames (sessions that end after a list of RCPT TOs to users @
your local domains) and/or attempts to relay (sessions that have RCPT
TOs @ remote, non-relay domains) with any frequency? Both will create
connections with no resulting message and so may seem gratuitous
relative to the size of your queue.

There's no such thing as an "acknowledgement" or "heartbeat"
connection from remote servers. Inbound connections are either
currently attempting to send data to you, or have finished sending
data and are pending closure by the TCP/IP stack. Note that because of
the second factor, depending on what utility you're using to get
connection stats, you may appear to have more inbound connections than
are actually active. On very high-traffic servers, the
half-closed/time_wait connections are found in correspondingly high
numbers and can suck up resources.

The closest one might find in your logs to an innocent
"acknowledgement" session is a sender address verification (SAV)
callback. Remote servers that use SAV will poke back into your MX to
ensure that a sender address exists. Frustratingly -- unless you do
log correlation to find the outbound connection that prompted the SAV
callback -- these connections look like one-off directory harvesting
attacks. [Reading the fine print can also help you tell them apart:
for example, SAV callbacks may use sender addresses like
"postmaster.sav.callback@example.com" to give you a visual cue.]
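
The log triage Sandy describes (sessions that end after a run of RCPT TOs to local users, sessions with RCPT TOs to non-relay domains, and the lone RCPT with a null or postmaster sender that marks an SAV callback), as an added example that is not part of the original thread or of anyone's posted tool. The script is mine, not Sandy's. It assumes a simplified seven-column line modeled on the W3C fields IIS SMTP logs (date, time, client IP, HELO name, SMTP verb, verb argument, response code); real IIS logs carry more columns and interleave concurrent sessions, so grouping by client IP until QUIT is an assumption for the sample. The log lines, the local domain corp.example and the harvest threshold are all constructed.

```python
import re
from collections import Counter

# Assumptions for this example: the domains this server accepts mail for, and
# how many RCPT TOs with no DATA we call a directory-harvest probe.
LOCAL_DOMAINS = {"corp.example"}
HARVEST_MIN_RCPTS = 3

# Constructed, simplified lines: date time c-ip cs-username cs-method cs-uri-query sc-status.
# Field positions are an assumption; a real IIS SMTP W3C log has more columns.
SAMPLE_LOG = """\
2007-08-01 08:40:01 192.0.2.10 mail.example.net EHLO +mail.example.net 250
2007-08-01 08:40:01 192.0.2.10 mail.example.net MAIL +FROM:<alice@example.net> 250
2007-08-01 08:40:01 192.0.2.10 mail.example.net RCPT +TO:<docs@corp.example> 250
2007-08-01 08:40:02 192.0.2.10 mail.example.net DATA - 250
2007-08-01 08:40:02 192.0.2.10 mail.example.net QUIT - 221
2007-08-01 08:41:10 198.51.100.7 scanner HELO +scanner 250
2007-08-01 08:41:10 198.51.100.7 scanner MAIL +FROM:<x@nowhere.invalid> 250
2007-08-01 08:41:10 198.51.100.7 scanner RCPT +TO:<aaron@corp.example> 550
2007-08-01 08:41:10 198.51.100.7 scanner RCPT +TO:<abby@corp.example> 550
2007-08-01 08:41:11 198.51.100.7 scanner RCPT +TO:<adam@corp.example> 550
2007-08-01 08:41:11 198.51.100.7 scanner RCPT +TO:<admin@corp.example> 250
2007-08-01 08:41:11 198.51.100.7 scanner QUIT - 221
2007-08-01 08:42:30 203.0.113.9 bot MAIL +FROM:<spam@nowhere.invalid> 250
2007-08-01 08:42:30 203.0.113.9 bot RCPT +TO:<victim@remote.example> 550
2007-08-01 08:42:30 203.0.113.9 bot RCPT +TO:<other@remote.example> 550
2007-08-01 08:42:31 203.0.113.9 bot QUIT - 221
2007-08-01 08:43:05 192.0.2.55 mx.partner.example MAIL +FROM:<> 250
2007-08-01 08:43:05 192.0.2.55 mx.partner.example RCPT +TO:<bob@corp.example> 250
2007-08-01 08:43:05 192.0.2.55 mx.partner.example QUIT - 221
"""

ADDR_RE = re.compile(r"<([^>]*)>")


def parse_line(line):
    """Split one constructed log line into the fields the classifier needs."""
    _date, _time, c_ip, helo, method, query, status = line.split(" ", 6)
    return {"ip": c_ip, "helo": helo, "method": method.upper(),
            "query": query, "status": int(status)}


def sessions(log_text):
    """Group lines into sessions: one open session per client IP, closed by QUIT.
    This is a simplification (assumption) for the sample; real logs interleave
    several concurrent sessions from one IP and need a session column to key on."""
    open_sessions = {}
    for raw in log_text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        rec = parse_line(raw)
        sess = open_sessions.setdefault(rec["ip"], {"ip": rec["ip"], "cmds": []})
        sess["cmds"].append(rec)
        if rec["method"] == "QUIT":
            yield open_sessions.pop(rec["ip"])
    # Sessions the client dropped without QUIT still count (and are often the odd ones).
    yield from open_sessions.values()


def address_of(rec):
    """Pull the address out of '+FROM:<a@b>' / '+TO:<a@b>'; '<>' yields the null sender."""
    m = ADDR_RE.search(rec["query"])
    return m.group(1).lower() if m else ""


def domain_of(addr):
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""


def classify(sess):
    """Label a session by what it asked for and whether a message ever followed."""
    cmds = sess["cmds"]
    # The constructed logs record the 250 after the message body on the DATA line.
    sent_data = any(c["method"] == "DATA" and c["status"] == 250 for c in cmds)
    senders = [address_of(c) for c in cmds if c["method"] == "MAIL"]
    rcpts = [address_of(c) for c in cmds if c["method"] == "RCPT"]
    remote = [r for r in rcpts if domain_of(r) not in LOCAL_DOMAINS]
    if sent_data:
        return "delivery"
    if remote:
        return "relay attempt"          # RCPT TO @ a domain we do not relay for, no message
    if len(rcpts) >= HARVEST_MIN_RCPTS:
        return "directory harvest"      # a list of local RCPT TOs, then the session ends
    sav_sender = senders and (senders[0] == "" or senders[0].split("@")[0].startswith("postmaster"))
    if len(rcpts) == 1 and sav_sender:
        return "probable SAV callback"  # null/postmaster sender verifying one local address
    return "no message"


def classify_sessions(log_text):
    """Per-session labels as (client IP, label, number of RCPT TOs)."""
    return [(s["ip"], classify(s), sum(c["method"] == "RCPT" for c in s["cmds"]))
            for s in sessions(log_text)]


def summarize(log_text):
    """Counts per label: what the 50-odd 'idle' connections were actually doing."""
    return Counter(label for _ip, label, _n in classify_sessions(log_text))


if __name__ == "__main__":
    for ip, label, n_rcpt in classify_sessions(SAMPLE_LOG):
        print(f"{ip:<14} {label:<22} rcpts={n_rcpt}")
    print(dict(summarize(SAMPLE_LOG)))
```

Running it on real logs means only swapping `parse_line` for the column layout in the file's `#Fields:` header and tightening the session grouping; the classification order matters, because a probe that mixes local and remote recipients is counted as a relay attempt first, and an SAV callback is only recognised when nothing larger is going on in the same session.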

Curious_2k3
8/1/2007 9:20:01 PM
->Thank you for the response and information Sandy. After taking a closer
look at the logs, I believe they were relaying through.

->Before I attempted another question, I located and installed your 5xxsink.
Seems to have done the trick. Very straightforward. Nicely done.

-> I know where to stop for excellent advice.

->Thanks again,

Curious

Sanford Whiteman
8/2/2007 12:00:00 AM

Sounds very likely. Any connection you don't understand at first is
usually up to something.


Cool! Do stop back.
