On Fri, 15 Nov 2019 at 05:26, Fourhundred Thecat <400the...@gmx.ch> wrote:
> On 15/11/2019 05.51, Viktor Dukhovni wrote:
> > On Fri, Nov 15, 2019 at 04:47:55AM +0100, Fourhundred Thecat wrote:
> >
> >> I am wondering what is the purpose of connections like these:
> >>
> >> postfix/smtpd[5147]: connect from unknown[193.56.28.121]
> >> postfix/smtpd[5147]: disconnect from unknown[193.56.28.121] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
> >
> > They send EHLO, a failed AUTH attempt, then RSET and QUIT.
> >
> >> I have lots of these in my logs, from different IP addresses.
> >>
> >> What is the goal of these agents?
> >
> > They're testing for weak passwords, either a whitehat or blackhat
> > scan SASL vulnerability scan.
>
> Thank you Viktor. Now it makes sense.
>
> Why don't I see in the logs, that auth was attempted and failed?
>
> Would I have to increase the verbosity to see that ?

If you want to block these types of attempts, you could use fail2ban with my jail postfix-failedauth: https://github.com/fail2ban/fail2ban/issues/2200
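
The per-command counters in the `disconnect` line quoted above (`auth=0/1` is succeeded/attempted) can be tallied per client address. This is an added example, not part of the original thread and not the fail2ban jail it links to; the function names and the sample lines other than the two quoted ones are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: lines 1-2 are the ones quoted in the thread; the other
# client addresses are documentation-range placeholders.
SAMPLE_LOG = """\
postfix/smtpd[5147]: connect from unknown[193.56.28.121]
postfix/smtpd[5147]: disconnect from unknown[193.56.28.121] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
postfix/smtpd[5150]: disconnect from mail.example.org[192.0.2.10] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
postfix/smtpd[5161]: disconnect from unknown[198.51.100.7] ehlo=1 auth=0/3 quit=1 commands=2/5
postfix/smtpd[5170]: disconnect from unknown[193.56.28.121] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
"""

# search() is used so a leading syslog timestamp and hostname do not matter.
DISCONNECT = re.compile(
    r"postfix/smtpd\[\d+\]: disconnect from \S*\[(?P<ip>[^\]]+)\](?P<stats>.*)$"
)
COUNTER = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")


def parse_disconnect(line):
    """Return (ip, {command: (succeeded, attempted)}) or None for other lines."""
    m = DISCONNECT.search(line)
    if not m:
        return None
    stats = {}
    for name, ok, total in COUNTER.findall(m.group("stats")):
        # "auth=0/1" means 0 of 1 succeeded; a bare "ehlo=1" means all succeeded.
        stats[name] = (int(ok), int(total) if total else int(ok))
    return m.group("ip"), stats


def failed_auth_by_ip(log_text):
    """Count failed AUTH commands per client address."""
    failures = Counter()
    for line in log_text.splitlines():
        parsed = parse_disconnect(line)
        if parsed:
            ip, stats = parsed
            ok, attempted = stats.get("auth", (0, 0))
            if attempted > ok:
                failures[ip] += attempted - ok
    return failures


if __name__ == "__main__":
    for ip, count in failed_auth_by_ip(SAMPLE_LOG).most_common():
        print(f"{ip}\t{count} failed AUTH")
```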