On 12/11/2014 4:26 PM, Noel Jones wrote:
On 12/11/2014 3:51 PM, deoren wrote:
On 12/10/2014 6:26 PM, wie...@porcupine.org (Wietse Venema) wrote:
deoren:
If I enable the options for 'notify_classes' then I'll get a Postmaster
email which contains the server response to the client:

503 5.5.1 Error: authentication not enabled

So, why do you worry about this, given that AUTH is not enabled?

Thanks for the reply!

I have two servers, one where AUTH _is_ enabled and this particular
one that is receiving the AUTH attempts where AUTH currently is not
enabled. It will however be reconfigured at some point in the future
to allow remote AUTH. Before I enable it, I was going to enhance the
existing fail2ban rules to counter the blatant abuse attempts and
this seemed like a good example to look at.




This seems like exactly the kind of thing the logging enhancement
made with the 20140801 snapshot helps. This will log either
"unknown" commands or failed auth attempts, depending on whether
AUTH is offered/enabled.

This will be included in postfix 2.12 when it's released.

From the RELEASE_NOTES:

++++++

Major changes with snapshot 20140801
====================================

The Postfix SMTP server now logs at the end of a session how many
times an SMTP command was successfully invoked, followed by the
total number of invocations if it is different.

This logging will often be enough to diagnose a problem without
verbose logging or network sniffer.

     Normal session, no TLS:
         disconnect from name[addr] ehlo=1 mail=1 rcpt=1 data=1 quit=1

     Normal session, with TLS:
         disconnect from name[addr] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1

     All recipients rejected, no ESMTP command pipelining:
         disconnect from name[addr] ehlo=1 mail=1 rcpt=0/1 quit=1

     All recipients rejected, with ESMTP command pipelining:
         disconnect from name[addr] ehlo=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1

     Password guessing bot, hangs up without QUIT:
         disconnect from name[addr] ehlo=1 auth=0/1

     Mis-configured client trying to use TLS wrappermode on port 587:
         disconnect from name[addr] unknown=0/1

Logfile analyzers can trigger on the presence of "/". It indicates
that Postfix rejected at least one command.

++++++



   -- Noel Jones


That's great news, thanks Noel. I'm using a distro that won't have that version of Postfix available for a while; it's tempting to look at building from source just for that feature.

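Added example, not part of the original thread and not Postfix or fail2ban code: a small log analyzer for the session-summary line quoted from the RELEASE_NOTES above, counting rejected auth and unknown commands per client address. The syslog prefixes, hostnames, addresses and the threshold of 3 are constructed for illustration.

```python
import re
from collections import Counter

# "disconnect from name[addr]" followed by cmd=ok or cmd=ok/total tokens,
# as shown in the RELEASE_NOTES excerpt.
DISCONNECT_RE = re.compile(
    r"disconnect from (?P<name>\S+?)\[(?P<addr>[^\]]+)\]"
    r"(?P<stats>(?: \w+=\d+(?:/\d+)?)*)")
STAT_RE = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")

# Constructed sample lines (documentation address ranges).
SAMPLE_LOG = [
    "Dec 11 16:01:02 mx1 postfix/smtpd[2101]: disconnect from mail.example.org[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1",
    "Dec 11 16:02:10 mx1 postfix/smtpd[2104]: disconnect from unknown[198.51.100.7] ehlo=1 auth=0/1",
    "Dec 11 16:02:15 mx1 postfix/smtpd[2104]: disconnect from unknown[198.51.100.7] ehlo=1 auth=0/2",
    "Dec 11 16:03:40 mx1 postfix/smtpd[2109]: disconnect from unknown[203.0.113.5] unknown=0/1",
    "Dec 11 16:04:01 mx1 postfix/smtpd[2111]: disconnect from client.example.net[192.0.2.44] ehlo=1 mail=1 rcpt=0/1 quit=1",
    "Dec 11 16:04:30 mx1 postfix/smtpd[2112]: connect from unknown[198.51.100.7]",
]

def parse_disconnect(line):
    """Return (addr, {cmd: (ok, total)}), or None if not a session summary."""
    m = DISCONNECT_RE.search(line)
    if not m:
        return None
    stats = {}
    for cmd, ok, total in STAT_RE.findall(m.group("stats")):
        ok = int(ok)
        # No "/" means every invocation succeeded, so total == ok.
        stats[cmd] = (ok, int(total) if total else ok)
    return m.group("addr"), stats

def rejected(stats):
    """Commands with at least one rejection (the "/" case), with the count."""
    return {cmd: total - ok for cmd, (ok, total) in stats.items() if total > ok}

def suspects(lines, watch=("auth", "unknown"), threshold=3):
    """Sum rejected invocations of the watched commands per client address."""
    score = Counter()
    for line in lines:
        parsed = parse_disconnect(line)
        if parsed is None:
            continue
        addr, stats = parsed
        rej = rejected(stats)
        score[addr] += sum(rej.get(cmd, 0) for cmd in watch)
    return {addr: n for addr, n in score.items() if n >= threshold}

if __name__ == "__main__":
    print(suspects(SAMPLE_LOG))
```

Rejected rcpt commands are parsed but not counted by default, so a legitimate client whose recipients were refused is not flagged alongside the password-guessing sessions.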