I have a proxy filter in front of Postfix. Postfix is listening on the localhost. The filter is sending EHLO and XCLIENT to Postfix. The reason I am trying xclient is to get more information in Postfix's logs.
I'm now getting a significant quantity of brute-force and formerly hacked password login attempts. As a result, I have a number of log entries similar to:

Apr 8 16:59:25 bubba assp/smtpd[7152]: connect from localhost[127.0.0.1]
Apr 8 16:59:29 bubba assp/smtpd[7152]: warning: localhost[127.0.0.1]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 8 16:59:29 bubba assp/smtpd[7152]: lost connection after AUTH from localhost[127.0.0.1]
Apr 8 16:59:29 bubba assp/smtpd[7152]: disconnect from localhost[127.0.0.1]

With xclient enabled (it is sent immediately after the EHLO response), my log is now:

Apr 8 17:02:31 bubba assp/smtpd[7414]: connect from localhost[127.0.0.1]
Apr 8 17:02:35 bubba assp/smtpd[7414]: warning: unknown[110.53.26.206]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 8 17:02:35 bubba assp/smtpd[7414]: lost connection after AUTH from unknown[110.53.26.206]
Apr 8 17:02:35 bubba assp/smtpd[7414]: disconnect from unknown[110.53.26.206]

This is much better. My remaining question is - is there a way I can get even that first connection line to reference the remote IP?

--
Daniel
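
Added example, not part of the original post: a Python log correlator that groups the smtpd lines above by process and PID, so a session whose first line reads "connect from localhost" is attributed to the address XCLIENT supplied later, and failed SASL logins are counted per remote IP. The function names and regexes are assumptions written for the log format shown; the sample input is the excerpt quoted in the post.

```python
import re
from collections import Counter

# Log excerpt quoted in the post: first session without XCLIENT, second with it.
SAMPLE_LOG = """\
Apr 8 16:59:25 bubba assp/smtpd[7152]: connect from localhost[127.0.0.1]
Apr 8 16:59:29 bubba assp/smtpd[7152]: warning: localhost[127.0.0.1]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 8 16:59:29 bubba assp/smtpd[7152]: lost connection after AUTH from localhost[127.0.0.1]
Apr 8 16:59:29 bubba assp/smtpd[7152]: disconnect from localhost[127.0.0.1]
Apr 8 17:02:31 bubba assp/smtpd[7414]: connect from localhost[127.0.0.1]
Apr 8 17:02:35 bubba assp/smtpd[7414]: warning: unknown[110.53.26.206]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 8 17:02:35 bubba assp/smtpd[7414]: lost connection after AUTH from unknown[110.53.26.206]
Apr 8 17:02:35 bubba assp/smtpd[7414]: disconnect from unknown[110.53.26.206]
"""

# "<timestamp> <host> <service>/smtpd[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ (?P<proc>\S+/smtpd)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Postfix logs clients as name[address]
CLIENT_RE = re.compile(r"[\w.\-]+\[(?P<addr>[0-9A-Fa-f.:]+)\]")


def sessions(log_text):
    """Group smtpd lines into sessions keyed by (process, pid)."""
    open_sessions, done = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key, msg = (m["proc"], m["pid"]), m["msg"]
        if msg.startswith("connect from "):
            # An smtpd process serves one client at a time, so a new connect resets the key.
            open_sessions[key] = {"pid": m["pid"], "start": m["ts"],
                                  "connect_addr": None, "client_addr": None, "sasl_failures": 0}
        s = open_sessions.get(key)
        if s is None:
            continue  # line belongs to a session that started before this excerpt
        c = CLIENT_RE.search(msg)
        if c:
            s["connect_addr"] = s["connect_addr"] or c["addr"]
            s["client_addr"] = c["addr"]  # last address seen: the XCLIENT value if one was sent
        if "SASL" in msg and "authentication failed" in msg:
            s["sasl_failures"] += 1
        if msg.startswith("disconnect from "):
            done.append(open_sessions.pop(key))
    return done


def failures_by_client(log_text):
    """Count failed SASL logins per effective (post-XCLIENT) client address."""
    counts = Counter()
    for s in sessions(log_text):
        if s["sasl_failures"]:
            counts[s["client_addr"]] += s["sasl_failures"]
    return counts
```
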