
    Cloudron Forum

    Solved "Too many unrecognized commands" in email server

    • d19dotca
      d19dotca last edited by girish

      I did a search but don't see any posts yet on Too many unrecognized commands. I recently found two log entries today back to back on the "Denied" filter. What does this mean, out of curiosity? I've never seen it before.

      Connection from 192.210.232.91 denied. Too many unrecognized commands

      Here's a sample log entry for it:

      {
        "ts": 1616817378209,
        "type": "denied",
        "direction": "inbound",
        "uuid": "",
        "remote": {
          "ip": "192.210.232.91",
          "port": 57734,
          "host": "192-210-232-91-host.colocrossing.com",
          "info": "192-210-232-91-host.colocrossing.com",
          "closed": false,
          "is_private": false,
          "is_local": false
        },
        "authUser": null,
        "mailFrom": null,
        "rcptTo": null,
        "details": {
          "relaying": false,
          "pluginName": "limit",
          "errorCode": 909,
          "message": "Too many unrecognized commands",
          "rejectionCountLastHour": 0
        }
      }
      

      Judging by the host name, it seems spammy in nature.

      I read http://www.experts123.com/q/what-does-the-error-too-many-unrecognized-commands-mean.html and https://wiki.contribs.org/Qpsmtpd:count_unrecognized_commands and they seem to suggest the root cause is abuse coming from an HTTP proxy / server to my mail server.

      Is this something I need to be concerned with, or anything I need to do at this point? Or is it basically fully handled by Haraka so no need to go further on it? Just trying to determine if I need to have a bit of a backup plan in case it continues or gets worse down the road.

      (maybe this should be under the Discussion category, wasn't certain)

      --
      Dustin Dauncey
      www.d19.ca

      • girish
        girish Staff @d19dotca last edited by

        @d19dotca That string comes from the limit plugin we use in Haraka - https://github.com/haraka/haraka-plugin-limit#unrecognized_commands . Usually, it is a mail client connecting to the server and sending commands that the server is not expecting. It's hard to tell from the log itself what the commands are; one has to look into the logs, and sometimes one has to raise the Haraka debug level to data (but this causes the logs to be super verbose).

        • d19dotca
          d19dotca @girish last edited by

          @girish said in "Too many unrecognized commands" in email server:

          https://github.com/haraka/haraka-plugin-limit#unrecognized_commands

          Awesome. Thanks Girish. I guess that's good then, sounds like it's doing its job properly so I won't worry too much. I was just wondering if I needed a bit of a "backup plan" in case it got worse or indicated a kind of "attack", but seems that may not be the case as I haven't seen too many of them yet, just a handful.

          --
          Dustin Dauncey
          www.d19.ca

          • girish
            girish Staff @d19dotca last edited by

            @d19dotca it's not a problem. Just the nature of any service being exposed to the internet. There are bots, misconfigured services, compromised IoT devices doing all sorts of things. Nothing to worry about.

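One way to check whether these denials stay at "a handful" or start to climb is to count them per source address. The following is an added example, not code from the thread, Cloudron or Haraka: it assumes the event log is available as one JSON object per line with the field names shown in the sample entry, and the function names, the one-hour window and the threshold of 3 are illustrative assumptions.

```python
import json
from collections import defaultdict

MESSAGE = "Too many unrecognized commands"
T0 = 1616817378209  # "ts" of the entry quoted in the thread (epoch milliseconds)
def make_line(ts, ip, plugin="limit", message=MESSAGE):  # one constructed log line
    return json.dumps({"ts": ts, "type": "denied", "remote": {"ip": ip},
                       "details": {"pluginName": plugin, "message": message}})

# Constructed sample input; all but the first address are RFC 5737 documentation IPs.
SAMPLE_LINES = [
    make_line(T0, "192.210.232.91"), make_line(T0, "203.0.113.5"),
    make_line(T0 + 3_000_000, "198.51.100.7"), make_line(T0, "198.51.100.7"),
    make_line(T0 + 60_000, "198.51.100.7"), make_line(T0 + 120_000, "198.51.100.7"),
    make_line(T0 + 3_600_000, "203.0.113.5"), make_line(T0 + 7_200_000, "203.0.113.5"),
    make_line(T0, "198.51.100.7", plugin="other", message="constructed"),
    '{"ts": 16168', "null",  # truncated line; valid JSON that is not an event
]

def limit_denials(lines):
    """Yield (ts_ms, ip) for each denial the limit plugin raised with MESSAGE."""
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(event, dict) or event.get("type") != "denied":
            continue
        details, remote = event.get("details") or {}, event.get("remote") or {}
        if (details.get("pluginName") == "limit" and details.get("message") == MESSAGE
                and isinstance(event.get("ts"), (int, float)) and remote.get("ip")):
            yield event["ts"], remote["ip"]

def repeat_offenders(lines, window_ms=3_600_000, threshold=3):
    """Return {ip: peak denials inside any window_ms span} for IPs at or above threshold."""
    stamps_by_ip = defaultdict(list)
    for ts, ip in limit_denials(lines):
        stamps_by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()  # log lines may arrive out of order
        start = peak = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] >= window_ms:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```

An address that appears in the result is one that keeps coming back within the window; a single denial, like the one quoted in the thread, does not cross the threshold.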