On 15/11/2019 05.51, Viktor Dukhovni wrote: > On Fri, Nov 15, 2019 at 04:47:55AM +0100, Fourhundred Thecat wrote: > >> I am wondering what is the purpose of connections like these: >> >> postfix/smtpd[5147]: connect from unknown[193.56.28.121] >> postfix/smtpd[5147]: disconnect from unknown[193.56.28.121] ehlo=1 >> auth=0/1 rset=1 quit=1 commands=3/4 > > They send EHLO, a failed AUTH attempt, then RSET and QUIT. > >> I have lots of these in my logs, from different IP addresses. >> >> What is the goal of these agents? > > They're testing for weak passwords, either a whitehat or blackhat > scan SASL vulnerability scan.
Thank you Viktor. Now it makes sense. Why don't I see in the logs, that auth was attempted and failed? Would I have to increase the verbosity to see that ?
