On 2020-04-30 17:52 BST, Keith wrote:
> I'm coming back into Postfix after not really needing to dig into it
> much the last few years and trying to catch up to some of the
> changes. Last version I really used heavily was 2.x something.

Postscreen arrived since then so you should probably use it. See the
POSTSCREEN_README.

> I see a lot of these in the logs:
>
> Apr 30 01:51:42 mail1 postfix/smtpd[32690]: too many errors after AUTH from
> unknown[103.125.191.93]
> Apr 30 01:51:42 mail1 postfix/smtpd[32690]: disconnect from
> unknown[103.125.191.93] ehlo=1 auth=0/1 commands=1/2
>
> There are a lot of these in the log as bots etc try to AUTH on port 25. Is
> there a way to turn this off or at
> least not have it scattered in the logs? 99.9% of these have no hostname
> associated with the IP.

If they get through postscreen, try fail2ban? A pattern like this
should catch them,

postfix/smtpd\[[0-9]+\]: disconnect from [^[ ]+\[<HOST>\]( [a-z=0-9/ ]+)? auth=0/[1-9]

HTH,
-- 
Nick
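
Added example, not part of the message above and not fail2ban's own code: the posted pattern run over sample log lines to show what it does and does not match. Assumptions: <HOST> is replaced by a simplified address group (fail2ban's real expansion is broader), the maxretry value is arbitrary, and all log lines after the first two are constructed.

```python
import re
from collections import Counter

# failregex exactly as posted in the reply above.
FAILREGEX = (r"postfix/smtpd\[[0-9]+\]: disconnect from [^[ ]+\[<HOST>\]"
             r"( [a-z=0-9/ ]+)? auth=0/[1-9]")

# Assumption: simplified stand-in for fail2ban's <HOST> tag (IP literals only).
HOST = r"(?P<host>[0-9A-Fa-f:.]+)"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST))

# First two lines are the ones quoted in the thread (unwrapped); the rest are constructed.
SAMPLE_LOG = """\
Apr 30 01:51:42 mail1 postfix/smtpd[32690]: too many errors after AUTH from unknown[103.125.191.93]
Apr 30 01:51:42 mail1 postfix/smtpd[32690]: disconnect from unknown[103.125.191.93] ehlo=1 auth=0/1 commands=1/2
Apr 30 01:53:10 mail1 postfix/smtpd[32701]: disconnect from unknown[103.125.191.93] ehlo=2 starttls=1 auth=0/3 commands=3/6
Apr 30 01:54:02 mail1 postfix/smtpd[32710]: disconnect from mx.example.org[192.0.2.10] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Apr 30 01:55:30 mail1 postfix/smtpd[32715]: disconnect from client.example.net[198.51.100.7] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
Apr 30 01:56:44 mail1 postfix/smtpd[32720]: disconnect from unknown[2001:db8::25] ehlo=1 auth=0/2 rset=1 commands=2/4
"""


def failed_auth_hosts(log_text):
    """Count, per client address, sessions that ended with AUTH attempts and no success."""
    hits = Counter()
    for line in log_text.splitlines():
        m = PATTERN.search(line)  # unanchored search, like a failregex
        if m:
            hits[m.group("host")] += 1
    return hits


def hosts_to_ban(log_text, maxretry=2):
    """Addresses with at least maxretry matching lines (threshold is an assumption)."""
    return sorted(h for h, n in failed_auth_hosts(log_text).items() if n >= maxretry)


if __name__ == "__main__":
    for host, count in failed_auth_hosts(SAMPLE_LOG).items():
        print(f"{host}: {count} failed-AUTH session(s)")
    print("would ban:", hosts_to_ban(SAMPLE_LOG))
```

The pattern keys on the "disconnect" summary line, so the "too many errors after AUTH" line is not counted, and sessions with auth=1 (a successful login) or no AUTH at all are left alone. fail2ban ships a fail2ban-regex tool for running the same check against a real log file.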