On 14.11.2019 at 23:51:05, Viktor Dukhovni wrote:
> > I am wondering what is the purpose of connections like these:
> >
> > postfix/smtpd[5147]: connect from unknown[193.56.28.121]
> > postfix/smtpd[5147]: disconnect from unknown[193.56.28.121] ehlo=1
> > auth=0/1 rset=1 quit=1 commands=3/4
>
> They send EHLO, a failed AUTH attempt, then RSET and QUIT.

Is this some new style of logging failed AUTH attempts? In my case, these attempts look like this (I haven't changed any logging config, left everything at default):

Nov 15 09:22:33 rafa postfix/smtpd[18954]: connect from unknown[222.103.192.93]
Nov 15 09:22:37 rafa dovecot: auth-worker(18956): pam(xxxx@yyyy,222.103.192.93): pam_authenticate() failed: Authentication failure (password mismatch?)
Nov 15 09:22:39 rafa postfix/smtpd[18954]: warning: unknown[222.103.192.93]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 15 09:22:39 rafa postfix/smtpd[18954]: disconnect from unknown[222.103.192.93]

Of course in place of "xxxx@yyyy" there was a real e-mail address that the attacker tried to authenticate with.

Note not only the clear message from smtpd about failed authentication, but also a message from Dovecot authenticator that says the same.

By the way: I'm just curious, what does the string "UGFzc3dvcmQ6" in the failed authentication message mean? I get it with every such attempt.

--
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."
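The two log styles shown in this thread, tallied per client address, as an added example that is not part of the original message and is not Postfix code. The function names are hypothetical, the sample log is constructed from the lines quoted above, and the `auth=0/1` field is assumed to mean successes/attempts; a helper also base64-decodes the token that follows "authentication failed:".

```python
import base64
import re
from collections import Counter

# Constructed sample: the log lines quoted in the thread, with the wrapped
# "disconnect" line rejoined onto one line.
SAMPLE_LOG = """\
postfix/smtpd[5147]: connect from unknown[193.56.28.121]
postfix/smtpd[5147]: disconnect from unknown[193.56.28.121] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Nov 15 09:22:33 rafa postfix/smtpd[18954]: connect from unknown[222.103.192.93]
Nov 15 09:22:39 rafa postfix/smtpd[18954]: warning: unknown[222.103.192.93]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 15 09:22:39 rafa postfix/smtpd[18954]: disconnect from unknown[222.103.192.93]
"""

# Style 1: per-session summary; auth=<ok>/<total> appears when some AUTH failed.
SUMMARY = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: disconnect from \S+"
                     r"\[(?P<ip>[0-9A-Fa-f.:]+)\].*?\bauth=(?P<ok>\d+)/(?P<total>\d+)")
# Style 2: one warning line per failed SASL exchange, with a trailing token.
WARNING = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: warning: \S+"
                     r"\[(?P<ip>[0-9A-Fa-f.:]+)\]: SASL (?P<mech>\S+) "
                     r"authentication failed(?:: (?P<token>\S+))?")

def decode_sasl_token(token):
    """Return the text behind a base64 token, or None if it is not text."""
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return text if text.isprintable() else None

def failed_auth_by_ip(log_text):
    """Count failed AUTH attempts per client IP across both log styles."""
    warned, summed = Counter(), Counter()  # keyed by (smtpd pid, client ip)
    for line in log_text.splitlines():
        if (m := WARNING.search(line)):
            warned[(m["pid"], m["ip"])] += 1
        elif (m := SUMMARY.search(line)):
            summed[(m["pid"], m["ip"])] += int(m["total"]) - int(m["ok"])
    totals = Counter()
    for key in set(warned) | set(summed):
        # If a server logs both styles for one session, count the attempt once.
        totals[key[1]] += max(warned[key], summed[key])
    return dict(totals)

if __name__ == "__main__":
    print(failed_auth_by_ip(SAMPLE_LOG), decode_sasl_token("UGFzc3dvcmQ6"))
```

On the sample, each of the two addresses is counted once, and the token `UGFzc3dvcmQ6` decodes to the text `Password:`.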