On 11/7/2012 10:50 AM, Nikolaos Milas wrote:
> On 7/11/2012 6:10 PM, /dev/rob0 wrote:
>
>> Is this a submission port (587) or smtp (25)? You should use "-o
>> syslog_name=postfix/submission" for submission in master.cf, to
>> distinguish logging of smtp vs. submission.
>
> Thanks for the reply.
>
> I do; this is smtp, not submission.
>
>> ISTM that if submission, and if Linux, some relatively simple
>> iptables -m recent rules might provide some protection by rate
>> limiting the number of new connections from one host. (That's my new
>> idea for the day. I might not be awake enough yet. :) )
>>
>
> I decided to expand my fail2ban filtering as follows:
>
> failregex = reject: RCPT from (.*)\[<HOST>\]: 550
>             reject: RCPT from (.*)\[<HOST>\]: 554
>             reject: RCPT from (.*)\[<HOST>\]: 450
>             too many errors after AUTH from (.*)\[<HOST>\]
>
> This works, but I am not sure if I should do it or not.
>
> Any other feedback regarding this situation will be useful.
>
> Regards,
> Nick
The "too many errors after AUTH" implies an AUTH command was sent (info
earlier in the log if it was successful or not), THEN the client sent
enough junk to exceed either $smtpd_junk_command_limit or
$smtpd_hard_error_limit. Seems to me that this is some sort of broken
client, not necessarily a break-in attempt. Of course, broken client
usually means a spambot.

You can check your log for things like "authentication failed" for a
failed AUTH, or "sasl_username=" when successful.

My fail2ban filter contains:

    warning: .*\[<HOST>\](?::\d+)?: SASL \S+ authentication failed:

As for blocking "too many errors after AUTH" hosts, that probably won't
break anything, but not sure I'd bother unless they get really annoying.

-- 
Noel Jones
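As an added example (not code from either poster, and not fail2ban's own matching engine), the script below runs the failregex patterns quoted in this thread over some constructed Postfix smtpd log lines and tallies matches per client address the way fail2ban counts them against maxretry. The `<HOST>` expansion here is a simplified stand-in for fail2ban's real one, and every log line and address is made up.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> expansion (the real one also
# accepts hostnames and IPv4-mapped IPv6); an assumption of this example.
HOST = r"(?P<host>[0-9A-Fa-f.:]+)"

# The failregex lines from the thread, one pattern per line.
FAILREGEX = [
    r"reject: RCPT from (.*)\[<HOST>\]: 550",
    r"reject: RCPT from (.*)\[<HOST>\]: 554",
    r"reject: RCPT from (.*)\[<HOST>\]: 450",
    r"too many errors after AUTH from (.*)\[<HOST>\]",
    r"warning: .*\[<HOST>\](?::\d+)?: SASL \S+ authentication failed:",
]
PATTERNS = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

# Constructed sample log lines in Postfix's format (not real traffic).
SAMPLE_LOG = """\
Nov  7 10:52:01 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@example.net> to=<nobody@example.com> proto=ESMTP helo=<x>
Nov  7 10:52:05 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; from=<a@example.net> to=<b@example.com> proto=ESMTP helo=<x>
Nov  7 10:52:09 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.1.8 Sender address rejected: Domain not found; from=<a@nx.invalid> to=<b@example.com> proto=ESMTP helo=<x>
Nov  7 10:53:00 mx postfix/smtpd[1235]: too many errors after AUTH from unknown[198.51.100.7]
Nov  7 10:53:10 mx postfix/smtpd[1236]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov  7 10:54:00 mx postfix/smtpd[1237]: 1A2B3C: client=mail.example.org[203.0.113.5], sasl_method=PLAIN, sasl_username=alice
"""

def count_failures(log_text):
    """Return {host: number of lines matching any failregex}."""
    hits = Counter()
    for line in log_text.splitlines():
        for pat in PATTERNS:
            m = pat.search(line)
            if m:
                hits[m.group("host")] += 1
                break  # one failure per log line, as fail2ban counts it
    return hits

def hosts_to_ban(log_text, maxretry=3):
    """Hosts whose failure count reaches maxretry (fail2ban's threshold knob)."""
    return sorted(h for h, n in count_failures(log_text).items() if n >= maxretry)

if __name__ == "__main__":
    for host, n in count_failures(SAMPLE_LOG).items():
        print(f"{host}: {n} failure(s)")
    print("would ban:", hosts_to_ban(SAMPLE_LOG))
```

Note that the successful-login line (sasl_username=) is never counted, so a legitimate client that authenticates is not pushed toward the ban threshold by this filter; only rejected RCPTs, the post-AUTH error limit and failed SASL attempts are.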