secure log shows large amount of smtp entries

ssiAdmin

Guest
I'm tailing my /var/log/secure file and watching as IP after IP creates a new entry. I do a lookup on those entries and most are from outside the US.

Most of my customers are US based (we do have some international customers). I don't think it would be out of the ordinary to have people sending mail from outside the US but not in this quantity. I have a feeling there is a form injection or something going on somewhere.

What I'm trying to learn is... what is considered normal? I know that depends on a lot of variables, so I am not expecting a definitive answer. I have about 165 sites on this server. Only a few are what I would consider high traffic. Even those are not doing the 1TB of transfer some of my other sites on different servers are doing.

Should I expect to see a new entry in my secure log about once per second?
Art
 
Those are inbound connections; part of that will be spam, or bots looking for open relays. The rest is mail coming in to the system.
 
Makes sense. Other people's SMTP servers connecting to our MTA. OK, I understand. Sorry, we were blacklisted last week and I am a little paranoid. It's been three years + since I had any servers on a blacklist. Major hassle for everyone involved.

One more question. I have a connection from Research in Motion (the BlackBerry folks) that tunnels to us. Any reason why they would stunnel and not use an SMTP connection?

I appreciate your help,
Art
 
The mail server supports encrypted email (TLS on both 25 and 465) so no. Presumably though, this is stunnel running on your system? If so I'd be asking myself why I did that :p
 