On 27 Jan 2020, at 8:08, Dominic Raferd wrote:

On Mon, 27 Jan 2020 at 12:36, Helmut Ritter <jumpe...@gmx.de> wrote:

Jan 27 13:02:37 h2786452 postfix-out/smtpd[8469]: disconnect from unknown[193.56.28.30] ehlo=1 auth=0/1 quit=1 commands=2/3

Before I block with fail2ban, does auth=0/1 ALWAYS mean that s/o tried
to use smtp without authentication?


I think it means that authentication was required (by your smtpd) and was not achieved by the client; not necessarily that they did not try auth, just that whether or not they tried it, they were not authenticated.

Nope.

It means that they attempted authentication 1 time but failed.


Sometimes I see auth=0/2 or auth=0/3.

Which means they tried 2 or 3 times.

I treat 'auth=0/' as a potential ban event for my bespoke fail2ban jail.

Which is usually fine, IF you do not support authentication for the smtpd instance. There's usually no need to support authentication on port 25 if you have submission instances on ports 587 and/or 465, and if "smtpd_sasl_auth_enable = no" there's no excuse for any SMTP client to even try AUTH.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)
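
The counting discussed in this thread, as an added example that is not part of any poster's message: it parses the smtpd "disconnect from" summary and totals failed AUTH commands per client IP. The function names are hypothetical, and every sample line except the first (taken from the thread and rejoined) is constructed.

```python
import re
from collections import Counter

# smtpd session summary; the syslog name (postfix-out/smtpd here) varies per instance.
DISCONNECT = re.compile(
    r"(?P<service>\S+/smtpd)\[\d+\]: disconnect from "
    r"(?P<host>\S+)\[(?P<ip>[^\]]+)\](?P<stats>(?: \w+=\d+(?:/\d+)?)*)\s*$"
)
STAT = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")

def parse_disconnect(line):
    """Return (service, ip, {command: (succeeded, attempted)}) or None."""
    m = DISCONNECT.search(line)
    if not m:
        return None
    stats = {}
    for name, ok, total in STAT.findall(m.group("stats")):
        # "auth=1": every attempt succeeded; "auth=0/1": 0 of 1 succeeded.
        stats[name] = (int(ok), int(total) if total else int(ok))
    return m.group("service"), m.group("ip"), stats

def failed_auth_by_ip(lines, service=None):
    """Total failed AUTH commands per client IP, optionally for one smtpd instance."""
    failures = Counter()
    for line in lines:
        parsed = parse_disconnect(line)
        if parsed is None:
            continue
        svc, ip, stats = parsed
        if service and svc != service:
            continue
        ok, attempted = stats.get("auth", (0, 0))
        if attempted > ok:
            failures[ip] += attempted - ok
    return failures

SAMPLE = [
    # First line is from the thread; the remaining lines are constructed.
    "Jan 27 13:02:37 h2786452 postfix-out/smtpd[8469]: disconnect from unknown[193.56.28.30] ehlo=1 auth=0/1 quit=1 commands=2/3",
    "Jan 27 13:05:10 h2786452 postfix-out/smtpd[8470]: disconnect from unknown[192.0.2.7] ehlo=1 auth=0/3 quit=1 commands=2/5",
    "Jan 27 13:06:41 h2786452 postfix-out/smtpd[8471]: disconnect from mail.example.org[198.51.100.9] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6",
    "Jan 27 13:07:02 h2786452 postfix-out/smtpd[8472]: disconnect from unknown[203.0.113.5] ehlo=1 quit=1 commands=2",
]

if __name__ == "__main__":
    for ip, n in failed_auth_by_ip(SAMPLE, service="postfix-out/smtpd").items():
        print(f"{ip}: {n} failed AUTH")
```

Sessions that never issued AUTH and sessions whose AUTH succeeded are not counted, so only the `auth=0/N` style lines contribute.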
