On 12/11/2014 3:51 PM, deoren wrote:
> On 12/10/2014 6:26 PM, wie...@porcupine.org (Wietse Venema) wrote:
>> deoren:
>>> If I enable the options for 'notify_classes' then I'll get a
>>> Postmaster email which contains the server response to the client:
>>>
>>> 503 5.5.1 Error: authentication not enabled
>>
>> So, why do you worry about this, given that AUTH is not enabled?
> 
> Thanks for the reply!
> 
> I have two servers, one where AUTH _is_ enabled and this particular
> one that is receiving the AUTH attempts where AUTH currently is not
> enabled. It will however be reconfigured at some point in the future
> to allow remote AUTH. Before I enable it, I was going to enhance the
> existing fail2ban rules to counter the blatant abuse attempts and
> this seemed like a good example to look at.
> 

This seems like exactly the kind of thing the logging enhancement
made with the 20140801 snapshot helps. This will log either
"unknown" commands or failed auth attempts, depending on whether
AUTH is offered/enabled.

This will be included in Postfix 2.12 when it's released.

From the RELEASE_NOTES:

++++++

Major changes with snapshot 20140801
====================================

The Postfix SMTP server now logs at the end of a session how many
times an SMTP command was successfully invoked, followed by the
total number of invocations if it is different.

This logging will often be enough to diagnose a problem without
verbose logging or network sniffer.

    Normal session, no TLS:
        disconnect from name[addr] ehlo=1 mail=1 rcpt=1 data=1 quit=1

    Normal session, with TLS:
        disconnect from name[addr] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1

    All recipients rejected, no ESMTP command pipelining:
        disconnect from name[addr] ehlo=1 mail=1 rcpt=0/1 quit=1

    All recipients rejected, with ESMTP command pipelining:
        disconnect from name[addr] ehlo=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1

    Password guessing bot, hangs up without QUIT:
        disconnect from name[addr] ehlo=1 auth=0/1

    Mis-configured client trying to use TLS wrappermode on port 587:
        disconnect from name[addr] unknown=0/1

Logfile analyzers can trigger on the presence of "/". It indicates
that Postfix rejected at least one command.

++++++



  -- Noel Jones
