On 27 Jan 2020, at 14:27, @lbutlr wrote:

On 27 Jan 2020, at 06:42, Bill Cole <postfixlists-070...@billmail.scconsult.com> wrote:
It means that they attempted authentication 1 time but failed.

Sometimes I see auth=0/2 or auth=0/3.

Which means they tried 2 or 3 times.

Hmm. I see blocks like these throughout my logs:

Jan 27 11:40:25 mail postfix/submit/smtpd[62764]: connect from unknown[77.105.44.25]
Jan 27 11:40:25 mail postfix/submit/smtpd[62764]: lost connection after EHLO from unknown[77.105.44.25]
Jan 27 11:40:25 mail postfix/submit/smtpd[62764]: disconnect from unknown[77.105.44.25] ehlo=1 auth=0/1 commands=1/2
Jan 27 11:40:28 mail postfix/submit/smtpd[62764]: connect from unknown[77.105.44.25]
Jan 27 11:40:29 mail postfix/submit/smtpd[62764]: lost connection after EHLO from unknown[77.105.44.25]
Jan 27 11:40:29 mail postfix/submit/smtpd[62764]: disconnect from unknown[77.105.44.25] ehlo=1 auth=0/1 commands=1/2

Etc. repeated many times.

Each trio of connect/lost connection/disconnect lines relates to one TCP session. The prober is connecting, sending an EHLO SMTP command (which succeeds because the hostname has a valid syntax), an AUTH SMTP command which fails, and then a TCP RESET packet (or maybe a FIN) without the formally correct QUIT SMTP command. The 'disconnect' lines describe that behavior succinctly: ehlo=1 auth=0/1 commands=1/2



The only other lines related to these connections are, nearly universally:

Jan 27 11:46:19 mail postfix/anvil[54251]: statistics: max connection count 3 for (submission:77.105.44.25) at Jan 27 11:40:25
Jan 27 11:40:25 mail postfix/submit/smtpd[62764]: warning: hostname 77-105-44-25.adsl-2.sezampro.rs does not resolve to address 77.105.44.25: hostname nor servname provided, or not known
Jan 27 11:40:25 mail postfix/submit/smtpd[62764]: warning: hostname 77-105-44-25.adsl-2.sezampro.rs does not resolve to address 77.105.44.25: hostname nor servname provided, or not known

But the auth count never increases.


Right, because they are only trying to authenticate once per connection and dropping the connection. If they had tried to authenticate 2 times on the same connection, there would be one 'disconnect from' line with 'auth=0/2'.





--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
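
Added example, not part of the message above and not Postfix's own code: because each 'disconnect from' line counts only one session, spotting a prober that makes one AUTH attempt per connection means summing the auth=ok/tried counters per client address. The function names are hypothetical, and the sample lines are constructed from the excerpts in the thread (192.0.2.10 and 198.51.100.7 are documentation addresses).

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the log excerpts quoted in the thread.
SAMPLE_LOG = """\
Jan 27 11:40:25 mail postfix/submit/smtpd[62764]: connect from unknown[77.105.44.25]
Jan 27 11:40:25 mail postfix/submit/smtpd[62764]: lost connection after EHLO from unknown[77.105.44.25]
Jan 27 11:40:25 mail postfix/submit/smtpd[62764]: disconnect from unknown[77.105.44.25] ehlo=1 auth=0/1 commands=1/2
Jan 27 11:40:29 mail postfix/submit/smtpd[62764]: disconnect from unknown[77.105.44.25] ehlo=1 auth=0/1 commands=1/2
Jan 27 11:41:02 mail postfix/submit/smtpd[62770]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/3 commands=1/4
Jan 27 11:42:10 mail postfix/submit/smtpd[62771]: disconnect from client.example[198.51.100.7] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
"""

# Hostname, bracketed address (IPv4 or IPv6), then the name=value session counters.
DISCONNECT = re.compile(
    r"disconnect from (?P<host>\S+)\[(?P<ip>[^\]]+)\](?P<stats>(?: \S+=\S+)*)")

def parse_counter(value):
    """'0/2' -> (0, 2): 0 succeeded of 2 tried. '1' -> (1, 1): all succeeded."""
    ok, _, tried = value.partition("/")
    return int(ok), int(tried or ok)

def auth_failures(lines):
    """Per client address: sessions that used AUTH, AUTH attempts, failed attempts."""
    totals = defaultdict(lambda: {"sessions": 0, "attempts": 0, "failed": 0})
    for line in lines:
        m = DISCONNECT.search(line)
        if not m:
            continue  # connect / lost connection / warning lines carry no counters
        stats = dict(kv.split("=", 1) for kv in m.group("stats").split())
        if "auth" not in stats:
            continue  # session never issued AUTH
        ok, tried = parse_counter(stats["auth"])
        entry = totals[m.group("ip")]
        entry["sessions"] += 1
        entry["attempts"] += tried
        entry["failed"] += tried - ok
    return dict(totals)

if __name__ == "__main__":
    for ip, entry in auth_failures(SAMPLE_LOG.splitlines()).items():
        print(ip, entry)
```
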
