Robert Chalmers (Author):
>
>
> Such as this one?
>
> Jul 06 08:10:03 www postfix/smtpd[6155]: disconnect from
> unknown[45.125.65.52] ehlo=1 auth=0/1 quit=1 commands=?
Like Benny writes, you need to trigger on the auth=x/y part, not
the client hostname.
Wietse
> So I have anyway written this to find them
> sudo grep unknown /var/log/postfix.log | grep -E -o
> "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sort -n | uniq > output.txt
>
> Take out my own network and localhost etc, and put them into pfct?s badguys
>
> works nicely.
>
> thanks
> robert
>
>
>
> > On 6 Jul 2020, at 14:28, Wietse Venema <wie...@porcupine.org> wrote:
> >
> > auth=
>
>
