I've run scripts on my logs regarding login attempts. Typically they try "info@" since many websites have that account. (I don't.) They seem to "snow shoe" the attacks. Usually 3 guesses then they go away. The most I had was 5.
Considering the IP address could be shared with someone not hacking, I figured it was a waste of time to set up any intelligent blocking. (And those on this list know I am paranoid.) Note that sshguard can parse the postfix log. I do let it do that, but don't use the sshguard table to block mail ports. Again, you could be blocking someone innocent. (I certainly block 22.) I figure anyone hacking mail would hack ssh. I suppose it wouldn't hurt to block submission with that table.

Original Message
From: Sean Greenslade
Sent: Monday, November 14, 2016 8:40 PM
To: vod vos
Cc: postfix-users
Subject: Re: Was the Dovecot working well?

On Mon, Nov 14, 2016 at 08:21:24PM -0800, vod vos wrote:
> so are there any configurations to auto ban this kind of visit, like postfix
> postscreen?
>
> or, I should write firewall rules to do the job?

I don't know if dovecot provides such functionality. I personally don't bother, since it quickly becomes a game of whack-a-mole. Plus, it's not always a malicious event. If the connection gets interrupted before the client sends its auth credentials, it looks the same as this type of scan.

Basically, make sure users are using good, secure passwords, and make sure your software is all up to date.

--Sean
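
The two observations in this thread (a handful of guesses per source address, and interrupted connections that look like scans) can be checked against a server's own logs. The script below is an added example, not code from either poster: the log lines are constructed in the format Dovecot's login processes normally write, and `summarize` and `ban_threshold` are hypothetical names.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (documentation-range addresses, made-up session ids).
SAMPLE_LOG = """\
Nov 14 20:01:02 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 6 secs): user=<info@example.com>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, TLS, session=<a1>
Nov 14 20:03:10 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 5 secs): user=<info@example.com>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, TLS, session=<a2>
Nov 14 20:05:44 mail dovecot: imap-login: Disconnected (auth failed, 2 attempts in 4 secs): user=<info@example.com>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.1, TLS, session=<a3>
Nov 14 20:06:01 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=203.0.113.99, lip=192.0.2.1, TLS handshaking, session=<a4>
Nov 14 20:07:30 mail dovecot: pop3-login: Disconnected (auth failed, 5 attempts in 11 secs): user=<admin@example.com>, method=PLAIN, rip=203.0.113.40, lip=192.0.2.1, session=<a5>
Nov 14 20:09:12 mail dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, mpid=4242, TLS, session=<a6>
"""

LINE = re.compile(
    r"dovecot: (?:imap|pop3)-login: Disconnected "
    r"\((?P<reason>auth failed, (?P<n>\d+) attempts|no auth attempts)[^)]*\): "
    r"user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[0-9a-fA-F.:]+)"
)

def summarize(log_text, ban_threshold=6):
    """Tally failed auth attempts per source IP and per attempted username.

    ban_threshold is an assumed per-IP limit, set just above the five
    guesses reported in the thread as the most seen from one address.
    """
    per_ip, no_auth = Counter(), Counter()
    sources_per_user = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # successful logins and unrelated lines
        if m["n"] is None:
            # Dropped before any credentials were sent: not evidence of guessing.
            no_auth[m["rip"]] += 1
            continue
        per_ip[m["rip"]] += int(m["n"])
        sources_per_user[m["user"]].add(m["rip"])
    return {
        "per_ip": dict(per_ip),
        "would_ban": sorted(ip for ip, n in per_ip.items() if n >= ban_threshold),
        "spread": {u: len(ips) for u, ips in sources_per_user.items()},
        "no_auth": dict(no_auth),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On the sample, no address reaches the per-IP limit, while the `spread` count shows one mailbox name being tried from three different addresses, which is the pattern a per-IP block misses.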