On 2014-07-29 22:17, wie...@porcupine.org wrote:
Anders Wegge Keller:
My analysis is that the remote system is making a dictionary attack,
to try and see if it's possible to relay mail through my server that
way. Unfortunately (for the spammer), postfix is configured with
smtpd_tls_auth_only = yes, so the connection is rejected. However,
mail.info can grow rather large, so I would like to have a sure-fire
trigger in the log, that I can use to put an iptable block in place
with fail2ban.
So my question is: Is it possible to get a log entry for remote
systems that try to do AUTH without having issued STARTTLS first?
No. If a command is disabled or unknown then Postfix does not log
it. That could fill the logfile quickly.
Yes, I can see that with my own logfile.
...
That would make failed AUTH commands easy to recognize, and
in many cases help to diagnose trouble without having to
turn on Postfix verbose logging.
I'm looking forward to that change.
Thanks for the answer!
--
//Wegge
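
Added example, not part of the thread and not Postfix or fail2ban code: a log scan for clients whose AUTH attempts fail in sessions that never completed STARTTLS. It assumes the per-session summary line that Postfix 3.0 and later write on disconnect (`disconnect from host[addr] cmd=ok/total ...`); the sample lines are constructed, and the function names and threshold are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the assumed session-summary format.
# Addresses are from the documentation ranges.
SAMPLE_LOG = """\
Jul 29 22:01:10 mx postfix/smtpd[2101]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/1 quit=1 commands=2/3
Jul 29 22:01:12 mx postfix/smtpd[2101]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/1 commands=1/2
Jul 29 22:01:15 mx postfix/smtpd[2101]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/3 rset=1 commands=2/5
Jul 29 22:02:00 mx postfix/smtpd[2107]: disconnect from client.example[198.51.100.7] ehlo=2 starttls=1 auth=0/1 quit=1 commands=4/5
Jul 29 22:03:00 mx postfix/smtpd[2109]: disconnect from mail.example[203.0.113.5] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
"""

DISCONNECT = re.compile(
    r"postfix/smtpd\[\d+\]: disconnect from \S*\[([0-9A-Fa-f.:]+)\]\s+(.*)$"
)

def parse_counters(text):
    """Map 'ehlo=1 auth=0/1' to {'ehlo': (1, 1), 'auth': (0, 1)} as (ok, total)."""
    counters = {}
    for token in text.split():
        name, sep, value = token.partition("=")
        if not sep:
            continue
        ok, _, total = value.partition("/")
        if ok.isdigit() and (total == "" or total.isdigit()):
            # A bare 'auth=1' means every attempt succeeded.
            counters[name] = (int(ok), int(total) if total else int(ok))
    return counters

def plaintext_auth_offenders(lines, threshold=3):
    """Return {ip: failed AUTH count} over sessions with no successful STARTTLS."""
    failed = Counter()
    for line in lines:
        match = DISCONNECT.search(line)
        if not match:
            continue
        counters = parse_counters(match.group(2))
        auth_ok, auth_total = counters.get("auth", (0, 0))
        tls_ok = counters.get("starttls", (0, 0))[0]
        if tls_ok == 0 and auth_total > auth_ok:
            failed[match.group(1)] += auth_total - auth_ok
    return {ip: n for ip, n in failed.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in plaintext_auth_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} failed AUTH without STARTTLS {n} times")
```

The same condition (an `auth=0/N` counter on a line with no `starttls=1`) is what a fail2ban filter for this case would need to match.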