On Tue, 2 Apr 2019 at 09:45, Esteban L <este...@little-beak.com> wrote:
> You will need to install fail2ban to IP block failed attempts.
>
> As you have correctly assumed, a malicious person is trying to hack into
> your mail server.
>
> Fail2ban is a required application nowadays.
>
> On April 2, 2019 8:57:06 AM GMT+02:00, James Brown <jlbr...@bordo.com.au>
> wrote:
>>
>> Not sure if this is a Dovecot or Postfix issue - we use Dovecot for
>> authentication for Postfix. Mailboxes are stored in MySQL.
>>
>> Have noticed this today:
>>
>> auth-worker(42777): Info: sql(cont...@com.au,127.0.0.1): unknown user (given
>> password: someone123)
>>
>> Also i...@com.au etc.
>>
>> They are coming through on port 465.
>>
>> Obviously my domain is not ‘com.au’ - how can I stop these attempts from
>> even being considered?
>>
>> I did update to Postfix 3.4.5 yesterday. Running Dovecot 2.3.5.
>>

OP: since the attempts *are* being blocked by dovecot (via postfix), are you sure you need to do anything? Unless the attempts are putting your system under such load that it might fail to provide good service, I think you should stop worrying.

Alternatively, if you can identify a unique pattern in the client names for these hack attempts, that might provide another way to block them.

BTW, where authentication is attempted for a real user but with a wrong password we regard it as helpful - we use the data to warn users about passwords that they might have used elsewhere but which have now escaped into bad hands. It has picked up several real world cases (where email/password data on external websites had evidently been hacked). (This strategy might not be appropriate for a third-party mail provider but it works for us.)
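
The thread separates two kinds of failed login: attempts for a domain the server does not host, and wrong passwords for real users. The following is an added example, not part of the original messages, that sorts auth-worker lines of the format quoted above into those groups. `HOSTED_DOMAINS`, the sample addresses, and the exact wording of the "Password mismatch" line are assumptions.

```python
import re
from collections import Counter

# Assumption: the domains this server really hosts (placeholder value).
HOSTED_DOMAINS = {"example.org"}

# auth-worker line format as quoted in the thread. The password text is
# deliberately not captured, so it never leaves the log file.
LINE_RE = re.compile(
    r"auth-worker\(\d+\): Info: sql\((?P<user>[^,]*),(?P<rip>[^,)]*)"
    r"(?:,[^)]*)?\): (?P<result>unknown user|Password mismatch)"
)

def classify(line):
    """Return (category, user, remote_ip) for a failed login, else None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    user = m["user"].lower()
    domain = user.rpartition("@")[2] if "@" in user else ""
    if domain not in HOSTED_DOMAINS:
        category = "foreign-domain"      # can never match a mailbox here
    elif m["result"] == "unknown user":
        category = "unknown-local-user"  # guessing names on a hosted domain
    else:
        category = "wrong-password"      # real account: candidate for a user warning
    return category, user, m["rip"]

def summarise(lines):
    """Count failed logins per (category, remote_ip)."""
    counts = Counter()
    for line in lines:
        hit = classify(line)
        if hit is not None:
            counts[(hit[0], hit[2])] += 1
    return counts

# Constructed sample lines (not taken from a real log).
SAMPLE_LOG = [
    "auth-worker(42777): Info: sql(webmaster@com.au,127.0.0.1): unknown user (given password: abc123)",
    "auth-worker(42777): Info: sql(billing@com.au,127.0.0.1): unknown user (given password: abc123)",
    "auth-worker(42778): Info: sql(nosuchuser@example.org,192.0.2.10): unknown user (given password: abc123)",
    "auth-worker(42778): Info: sql(alice@example.org,192.0.2.10): Password mismatch (given password: abc123)",
    "imap-login: Info: Login: user=<alice@example.org>, method=PLAIN",
]

if __name__ == "__main__":
    for (category, rip), n in sorted(summarise(SAMPLE_LOG).items()):
        print(f"{n:3d}  {category:<18}  {rip}")
```

Only the "wrong-password" group concerns existing mailboxes; the "foreign-domain" group can never authenticate against the hosted domains.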