On 7/11/2012 6:10 PM, /dev/rob0 wrote:
> Is this a submission port (587) or smtp (25)? You should use "-o syslog_name=postfix/submission" for submission in master.cf, to distinguish logging of smtp vs. submission.
Thanks for the reply. I do; this is smtp, not submission.
> ISTM that if submission, and if Linux, some relatively simple iptables -m recent rules might provide some protection by rate limiting the number of new connections from one host. (That's my new idea for the day. I might not be awake enough yet. :) )
I decided to expand my fail2ban filtering as follows:

failregex = reject: RCPT from (.*)\[<HOST>\]: 550
            reject: RCPT from (.*)\[<HOST>\]: 554
            reject: RCPT from (.*)\[<HOST>\]: 450
            too many errors after AUTH from (.*)\[<HOST>\]

This works, but I am not sure if I should do it or not. Any other feedback regarding this situation will be useful.

Regards,
Nick
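The four patterns from the message, run over constructed Postfix log lines, as an added example that is not part of the original message: it shows which host each pattern extracts and which hosts are counted only because of the 450 (temporary reject) pattern. The `HOST` stand-in for fail2ban's `<HOST>` tag, the function names and the sample log lines are assumptions made for the example.

```python
import re
from collections import Counter

# fail2ban expands <HOST> to its own host-matching group; this IPv4-only
# stand-in is an assumption made for the example.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The four failregex lines from the message, unchanged apart from <HOST>.
FAILREGEX = [
    r"reject: RCPT from (.*)\[<HOST>\]: 550",
    r"reject: RCPT from (.*)\[<HOST>\]: 554",
    r"reject: RCPT from (.*)\[<HOST>\]: 450",
    r"too many errors after AUTH from (.*)\[<HOST>\]",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

# Constructed log lines using documentation addresses, not real traffic.
SAMPLE_LOG = """\
Nov  7 18:01:02 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <a@example.org>: Recipient address rejected: User unknown; from=<x@example.net> to=<a@example.org> proto=ESMTP helo=<h1>
Nov  7 18:01:05 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <b@example.com>: Relay access denied; from=<x@example.net> to=<b@example.com> proto=ESMTP helo=<h1>
Nov  7 18:02:10 mx postfix/smtpd[2107]: connect from mail.example.net[198.51.100.7]
Nov  7 18:02:11 mx postfix/smtpd[2107]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.7]: 450 4.2.0 <a@example.org>: Recipient address rejected: Greylisted; from=<y@example.net> to=<a@example.org> proto=ESMTP helo=<mail.example.net>
Nov  7 18:03:30 mx postfix/smtpd[2110]: too many errors after AUTH from unknown[203.0.113.5]
"""

def match_line(line):
    """Return (pattern_index, host) for the first matching pattern, else None."""
    for i, rx in enumerate(COMPILED):
        m = rx.search(line)
        if m:
            return i, m.group("host")
    return None

def failures_by_host(log):
    """Count matched lines per (host, pattern_index)."""
    counts = Counter()
    for line in log.splitlines():
        hit = match_line(line)
        if hit:
            counts[(hit[1], hit[0])] += 1
    return counts

def hosts_seen_only_via_450(log):
    """Hosts whose only matches come from the 450 pattern (index 2)."""
    by_host = {}
    for host, idx in failures_by_host(log):
        by_host.setdefault(host, set()).add(idx)
    return sorted(h for h, idxs in by_host.items() if idxs == {2})
```

Hosts returned by `hosts_seen_only_via_450` received only a 4xx reply, which SMTP defines as a temporary failure that a well-behaved sender retries, so they are the ones to review before keeping the 450 pattern in the jail.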