On Thu, October 8, 2015 12:42 am, Viktor Dukhovni wrote:
> On Thu, Oct 08, 2015 at 12:34:25AM +1100, Voytek wrote:
>
>> it looks like I have a couple of compromised user accounts on one of
>> the domains on this server, I've changed the user password then even
>> deleted the user (through postfixadmin) but that didn't help..? I can
>> see in the log this:
>>
>> Oct 8 00:27:57 emu postfix/smtpd[7655]: 87E6B5E791:
>> client=unknown[104.200.78.121], sasl_method=LOGIN,
>> sasl_username=c...@dom.org.au
>> Oct 8 00:27:58 emu postfix/smtpd[7678]: 645845FCCE:
>> client=unknown[104.200.78.121], sasl_method=LOGIN,
>> sasl_username=b...@dom.org.au
>>
>> I've also tried adding to main.cf this "check_sasl_access
>> hash:/etc/postfix/sasl_access"
>>
>> # cat /etc/postfix/sasl_access
>> cas HOLD
>> bank HOLD
>> cas...@dom.org.au HOLD
>> bankst...@dom.org.au HOLD
>
> Notice that the logs say "c...@dom.org.com", but you're not blocking
> that exact authentication name.
>

Viktor,

sorry, attempted to anonymize email addresses, BUT, overlooked the last
two, only anonymized domains in the last two in the
/etc/postfix/sasl_access names are correct, I've used both with and
without domain

V
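
An added example, not part of either message: a Python check that pulls each sasl_username out of Postfix smtpd log lines and lists the ones with no identical key in a check_sasl_access table, which is the mismatch raised in the quoted reply. The log lines, addresses and table contents are constructed sample data, and the exact-string comparison is an assumption that follows that reply.

```python
import re

# Constructed sample data (not from the thread): hosts, queue IDs and addresses are made up.
SAMPLE_LOG = """\
Oct  8 00:27:57 mx postfix/smtpd[7655]: 1A2B3C4D5E: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=alice@example.org
Oct  8 00:27:58 mx postfix/smtpd[7678]: 2B3C4D5E6F: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=bob@example.org
Oct  8 00:28:03 mx postfix/smtpd[7678]: 3C4D5E6F70: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.org
"""

# Constructed stand-in for the source file behind hash:/etc/postfix/sasl_access.
SAMPLE_ACCESS = """\
# key                action
alice                HOLD
alice@example.org    HOLD
bob                  HOLD
"""

SASL_RE = re.compile(
    r"client=\S+?\[(?P<ip>[^\]]+)\].*?sasl_username=(?P<user>[^\s,]+)"
)

def parse_access_table(text):
    """Return {key: action} from 'key action' lines, skipping blanks and comments."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        table[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return table

def sasl_logins(log_text):
    """Return {sasl_username: set of client IPs} for every authenticated smtpd line."""
    seen = {}
    for line in log_text.splitlines():
        m = SASL_RE.search(line)
        if m:
            seen.setdefault(m.group("user"), set()).add(m.group("ip"))
    return seen

def uncovered_logins(log_text, access_text):
    """Logged SASL names that have no identical key in the access table."""
    table = parse_access_table(access_text)
    return {u: sorted(ips) for u, ips in sasl_logins(log_text).items() if u not in table}

if __name__ == "__main__":
    for user, ips in uncovered_logins(SAMPLE_LOG, SAMPLE_ACCESS).items():
        print(f"no exact sasl_access key for {user} (seen from {', '.join(ips)})")
```
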