Re: Is there a way to enable logging 5xx status codes?

Thu, 11 Dec 2014 13:53:14 -0800 

On 12/10/2014 6:26 PM, wie...@porcupine.org (Wietse Venema) wrote:

deoren:

If I enable the options for 'notify_classes' then I'll get a Postmaster
email which contains the server response to the client:

503 5.5.1 Error: authentication not enabled


So, why do you worry about this, given that AUTH is not enabled?


Thanks for the reply!
I have two servers, one where AUTH _is_ enabled and this particular one that is receiving the AUTH attempts where AUTH currently is not enabled. It will however be reconfigured at some point in the future to allow remote AUTH. Before I enable it, I was going to enhance the existing fail2ban rules to counter the blatant abuse attempts and this seemed like a good example to look at. 




Can I enable logging that message for the client, or maybe just the '503
5.5.1' portion of it?


No. Logging bad commands is unsafe - the volume of logging can
easily exceed the network bandwidth. Adding a logging option for
individual Postfix responses would be a lot of work for little
benefit.
Re volume of logging, I see your point. However just to make sure I was clear, I'm just interested in having connection attempts like this:
Dec 9 18:00:30 switchfoot postfix/smtpd[14627]: connect from wpc0243.host7x24.com[62.193.232.20] Dec 9 18:00:30 switchfoot postfix/smtpd[14627]: lost connection after RSET from wpc0243.host7x24.com[62.193.232.20] Dec 9 18:00:30 switchfoot postfix/smtpd[14627]: disconnect from wpc0243.host7x24.com[62.193.232.20]
include something similar to either of these lines below prior to line three in the connection attempt noted above:
Dec 9 18:00:30 switchfoot postfix/smtpd[14627]: 503 5.5.1 Error: authentication not enabled for wpc0243.host7x24.com[62.193.232.20]
Dec 9 18:00:30 switchfoot postfix/smtpd[14627]: 503 5.5.1 lost connection after RSET from wpc0243.host7x24.com[62.193.232.20]
I understand that in this particular case I can tune the fail2ban rule to the frequency of the attempts, but having the specific code to key off of (possibly in addition to the frequency) seemed like a safer approach.

Reply via email to