KB Article #70042

How to check MailGate logs for DHA and DoS attacks

Tags: DHA, DoS, attack, logs

Problem

How can I check MailGate logs for DHA and/or DoS attacks?


Resolution

Firstly, check that the MailGate DoS and DHA defence settings are properly configured. To do that, open the MailGate Admin UI and navigate to

Relay Policies -> Defense Settings -> DoS

or

Relay Policies -> Defense Settings -> DHA

and check that the defenses are enabled (they are by default) and that their settings are correct.



Then navigate to

Monitor -> Troubleshooting -> Tools

and under the "Logs" tab, select "Mail Log" from the "Log File" drop-down menu. Download the log file by clicking the "Download Log File" button.

The downloaded mail log is a flat, human-readable plain text file and is best viewed with a simple text editor such as Notepad or Notepad++.

Open the log file and search it for records like the ones shown below:



mail:Apr  5 15:09:17 mg-test-381 postfix/smtpd[26343]: 421 Service not available, closing transmission channel after CONNECT from unknown[192.168.1.1]
mail:Apr  5 15:09:19 mg-test-381 postfix/smtpd[26478]: 421 Service not available, closing transmission channel after CONNECT from unknown[192.168.1.1]
mail:Apr  5 15:09:22 mg-test-381 postfix/smtpd[26343]: 421 Service not available, closing transmission channel after CONNECT from unknown[192.168.1.1]
mail:Apr  5 15:09:27 mg-test-381 postfix/smtpd[26478]: 421 Service not available, closing transmission channel after CONNECT from unknown[192.168.1.1]
mail:Apr  5 15:09:32 mg-test-381 postfix/smtpd[26343]: 421 Service not available, closing transmission channel after CONNECT from unknown[192.168.1.1]
mail:Apr  5 15:09:37 mg-test-381 postfix/smtpd[26478]: 421 Service not available, closing transmission channel after CONNECT from unknown[192.168.1.1]
mail:Apr  5 15:09:42 mg-test-381 postfix/smtpd[26343]: 421 Service not available, closing transmission channel after CONNECT from unknown[192.168.1.1]
mail:Apr  5 15:09:47 mg-test-381 postfix/smtpd[26478]: 421 Service not available, closing transmission channel after CONNECT from unknown[192.168.1.1]
mail:Apr  5 15:09:52 mg-test-381 postfix/smtpd[26802]: 421 Service not available, closing transmission channel after CONNECT from unknown[192.168.1.1]

Lines like these, appearing in short succession in the mail log, correspond to MailGate's handling of DoS and DHA attempts: it sends the error below

421 Service not available

to the party attempting to initiate the connection, after which the connection is closed.
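Searching a large mail log by hand for these bursts is tedious, so the following added example (not part of this KB article and not a MailGate tool) parses the 421-after-CONNECT records in the format shown above, groups them by connecting IP, and flags any source that accumulates a burst of rejections inside a short window. The sample log lines are constructed, and the 60-second window and threshold of 5 are assumed values to tune for your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format shown above: five rejections from one
# source within 15 seconds, plus a single unrelated rejection.
SAMPLE_LOG = """\
mail:Apr  5 15:09:17 mg-test-381 postfix/smtpd[26343]: 421 Service not available, closing transmission channel after CONNECT from unknown[192.168.1.1]
mail:Apr  5 15:09:19 mg-test-381 postfix/smtpd[26478]: 421 Service not available, closing transmission channel after CONNECT from unknown[192.168.1.1]
mail:Apr  5 15:09:22 mg-test-381 postfix/smtpd[26343]: 421 Service not available, closing transmission channel after CONNECT from unknown[192.168.1.1]
mail:Apr  5 15:09:27 mg-test-381 postfix/smtpd[26478]: 421 Service not available, closing transmission channel after CONNECT from unknown[192.168.1.1]
mail:Apr  5 15:09:32 mg-test-381 postfix/smtpd[26343]: 421 Service not available, closing transmission channel after CONNECT from unknown[192.168.1.1]
mail:Apr  5 15:10:40 mg-test-381 postfix/smtpd[26802]: 421 Service not available, closing transmission channel after CONNECT from unknown[203.0.113.9]
"""

# Matches only the 421-after-CONNECT records the article describes.
LINE_RE = re.compile(
    r"^mail:(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"421 Service not available, closing transmission channel after CONNECT from "
    r"\S+?\[(?P<ip>[0-9A-Fa-f.:]+)\]$"
)

def parse_421_events(log_text, year=1970):
    """Return [(timestamp, client_ip)] for each matching line; syslog has no year."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            stamp = " ".join(m.group("ts").split())  # collapse "Apr  5" -> "Apr 5"
            ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group("ip")))
    return events

def find_bursts(events, window_seconds=60, threshold=5):
    """Return {ip: total_421s} for sources with >= threshold 421s in any window."""
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged
```

Pass the contents of the downloaded mail log to parse_421_events() instead of SAMPLE_LOG; a flagged IP with many 421s in a short window is the pattern the article describes, while isolated 421s from many different sources are more likely ordinary rejections.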