Robert Chalmers:
> Thanks, but I have no idea what you mean. Sorry.

auth=0/1 means that the client tried to login once with SASL and
succeeded zero times.  That's how you detect if a client is trying
out passwords.

                Wietse

> 
> -----
> Robert Chalmers
> https://robert-chalmers.uk
> https://robert-chalmers.com
> @R_A_Chalmers
> 
> 
> > On 6 Jul 2020, at 4:07 pm, Wietse Venema <wie...@porcupine.org> wrote:
> > 
> > Robert Chalmers (Author):
> >> 
> >> 
> >> Such as this one?
> >> 
> >> Jul 06 08:10:03 www postfix/smtpd[6155]: disconnect from 
> >> unknown[45.125.65.52] ehlo=1 auth=0/1 quit=1 commands=?
> > 
> > Like Benny writes, you need to trigger on the auth=x/y part, not
> > the client hostname.
> > 
> >    Wietse
> > 
> >> So I have anyway written this to find them 
> >> sudo grep unknown /var/log/postfix.log | grep -E -o 
> >> "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sort -n | uniq > output.txt
> >> 
> >> Take out my own network and localhost etc, and put them into pfct's badguys
> >> 
> >> works nicely.
> >> 
> >> thanks
> >> robert
> >> 
> >> 
> >> 
> >>>> On 6 Jul 2020, at 14:28, Wietse Venema <wie...@porcupine.org> wrote:
> >>> 
> >>> auth=
> >> 
> >> 
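
Triggering on the auth=x/y field rather than on the client hostname, as described in the reply above, can be done with a short awk filter. This is an added example, not code from the thread: the function names `sasl_failures` and `sample_log` are hypothetical, and the log lines are constructed using documentation addresses.

```shell
#!/bin/sh
# Count failed SASL logins per client IP from Postfix smtpd "disconnect" lines.
# Usage: sasl_failures [THRESHOLD] < logfile   (THRESHOLD defaults to 1)
sasl_failures() {
    awk -v min="${1:-1}" '
    / postfix\/smtpd\[[0-9]+\]: disconnect from / {
        ip = ""
        for (i = 2; i <= NF; i++) {
            # The client field is hostname[ip]; keep the part inside the brackets.
            if ($(i-1) == "from" && $i ~ /\[.*\]$/) {
                ip = $i
                sub(/^.*\[/, "", ip)
                sub(/\]$/, "", ip)
            }
            # auth=x/y means x successes out of y attempts.
            # A plain auth=y has no failures and is skipped.
            if (ip != "" && $i ~ /^auth=[0-9]+\/[0-9]+$/) {
                split(substr($i, 6), n, "/")
                fails[ip] += n[2] - n[1]
            }
        }
    }
    END {
        for (ip in fails)
            if (fails[ip] >= min) print fails[ip], ip
    }' | sort -k1,1nr -k2,2
}

# Constructed sample input. 198.51.100.7 is "unknown" but never tried to
# authenticate, so it is not reported; 192.0.2.80 has a hostname but did
# fail once, so it is.
sample_log() {
    cat <<'EOF'
Jul 06 08:10:03 www postfix/smtpd[6155]: disconnect from unknown[203.0.113.9] ehlo=1 auth=0/1 quit=1 commands=2/3
Jul 06 08:10:09 www postfix/smtpd[6155]: disconnect from unknown[203.0.113.9] ehlo=1 auth=0/2 rset=1 quit=1 commands=3/5
Jul 06 08:11:40 www postfix/smtpd[6160]: disconnect from unknown[198.51.100.7] ehlo=1 quit=1 commands=2
Jul 06 08:12:02 www postfix/smtpd[6161]: disconnect from mail.example.org[192.0.2.25] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
Jul 06 08:13:15 www postfix/smtpd[6170]: disconnect from client.example.net[192.0.2.80] ehlo=1 auth=1/2 mail=1 rcpt=1 data=1 quit=1 commands=6/7
EOF
}

# Each output line is "failed_attempts ip", highest count first.
sample_log | sasl_failures 1
```

Raising the threshold keeps a legitimate user who mistyped a password once out of the block list.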
