On Mon, 27 Jan 2020 at 12:36, Helmut Ritter <jumpe...@gmx.de> wrote:
> Jan 27 13:02:37 h2786452 postfix-out/smtpd[8469]: disconnect from
> unknown[193.56.28.30] ehlo=1 auth=0/1 quit=1 commands=2/3
>
> Before I block with fail2ban, does auth=0/1 ALWAYS mean that s/o tried
> to use smtp without authentication?
>
I think it means that authentication was required (by your smtpd) and was not achieved by the client; not necessarily that they did not try auth, just that whether or not they tried it, they were not authenticated. Sometimes I see auth=0/2 or auth=0/3. I treat 'auth=0/' as a potential ban event for my bespoke fail2ban jail.
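
Added example, not part of the original thread and not Postfix or fail2ban code: a small Python parser for the smtpd session summary quoted above, summing failed AUTH commands per client IP for sessions that log `auth=0/N`. It assumes Postfix's summary format of `command=succeeded/total`, shortened to `command=total` when every use succeeded; the function names are hypothetical and every log line except the first is constructed.

```python
import re
from collections import Counter

# Session summary format assumed: "cmd=succeeded/total", or "cmd=total"
# when every use of that command succeeded.
DISCONNECT_RE = re.compile(
    r"postfix\S*/smtpd\[\d+\]: disconnect from \S*\[(?P<ip>[^\]]+)\](?P<stats>.*)$"
)
STAT_RE = re.compile(r"\b(?P<cmd>[a-z]+)=(?P<ok>\d+)(?:/(?P<total>\d+))?")


def parse_disconnect(line):
    """Return (ip, {cmd: (succeeded, total)}), or None for other log lines."""
    m = DISCONNECT_RE.search(line)
    if m is None:
        return None
    stats = {}
    for s in STAT_RE.finditer(m.group("stats")):
        ok = int(s.group("ok"))
        total = int(s.group("total")) if s.group("total") else ok
        stats[s.group("cmd")] = (ok, total)
    return m.group("ip"), stats


def failed_auth_by_ip(lines):
    """Sum failed AUTH commands per IP over sessions with no successful AUTH."""
    failures = Counter()
    for line in lines:
        parsed = parse_disconnect(line)
        if parsed is None:
            continue
        ip, stats = parsed
        ok, total = stats.get("auth", (0, 0))
        if ok == 0 and total > 0:  # the 'auth=0/' case from the thread
            failures[ip] += total
    return failures


# First line is the one quoted in the thread; the rest are constructed samples.
SAMPLE = [
    "Jan 27 13:02:37 h2786452 postfix-out/smtpd[8469]: disconnect from unknown[193.56.28.30] ehlo=1 auth=0/1 quit=1 commands=2/3",
    "Jan 27 13:05:01 mx postfix/smtpd[8501]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/3 rset=2 quit=1 commands=4/7",
    "Jan 27 13:06:12 mx postfix/smtpd[8502]: disconnect from client.example[198.51.100.7] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6",
    "Jan 27 13:07:40 mx postfix/smtpd[8503]: disconnect from unknown[2001:db8::5] ehlo=1 quit=1 commands=2",
]
```

Sessions that never issued AUTH, or that eventually authenticated, are left out of the count, so a ban threshold applied to the result only reflects clients whose every AUTH attempt in a session failed.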