On 30/07/2021 18:05, Wietse Venema wrote:
> Hadmut Danisch:
>> Hi,
>> we are experiencing permanent high traffic from numerous sites trying to
>> smtp auth to our postfix node, obviously trying to brute force password
>> dictionaries against mail address lists probably taken from spam lists
>> (including lots of older message ids with the same syntax as mail
>> addresses).
>> For some reason beyond the common noise we need to do some deeper
>> analysis about who is trying which user account from where.
>> Unfortunately, the required data, i.e. client IP address and username,
>> are distributed in different log files. The IP address is written to
>> postfix's log, while the username is in saslauthd's log in case of
>> failure, with the time stamp as the only link between both.
> The Postfix 'disconnect' summary shows failed AUTH attempts without
> the login name. Just block any SMTP client that has too many AUTH
> failures, for example for 1 hour.
>
>     postfix/smtpd[xxx]: disconnect from unknown[x.x.x.x] auth=0/1 commands=0/1
>
> Anything that has auth=0 is suspect. There may be more commands
> in the 'disconnect' summary.
Recent versions of fail2ban pick up such entries using the postfix jail with
mode = aggressive
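To show what the detection Wietse describes looks like when written out (count 'disconnect' summaries with auth=0/N per client IP and flag any client that crosses a failure threshold within a one-hour window), here is an added Python example. It is not code from this thread, from Postfix, or from fail2ban's postfix filter; it assumes the usual syslog line prefix (month, day, time, host) in front of the postfix/smtpd record, and the log lines, IP addresses and threshold are constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Postfix 'disconnect' summary with a syslog prefix (format is an assumption).
# Captures the client IP and the trailing per-command counters, which may
# appear in any order (ehlo=, auth=, mail=, rcpt=, data=, quit=, commands=).
DISCONNECT_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: '
    r'disconnect from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\](?P<counters>.*)$'
)
# auth=<succeeded>/<attempted>; a plain auth=N (all succeeded) is not a failure
AUTH_RE = re.compile(r'\bauth=(?P<ok>\d+)/(?P<tried>\d+)\b')

# Constructed sample log: one dictionary-attack client (198.51.100.7), one
# legitimate user (203.0.113.5), and one occasional typo-er (192.0.2.9).
SAMPLE_LOG = """\
Jul 30 18:00:01 mx1 postfix/smtpd[1234]: disconnect from unknown[198.51.100.7] ehlo=1 auth=0/1 commands=1/2
Jul 30 18:10:02 mx1 postfix/smtpd[1235]: disconnect from unknown[198.51.100.7] ehlo=1 auth=0/2 commands=1/3
Jul 30 18:20:03 mx1 postfix/smtpd[1236]: disconnect from unknown[198.51.100.7] ehlo=1 auth=0/2 commands=1/3
Jul 30 18:30:04 mx1 postfix/smtpd[1237]: disconnect from mail.example.org[203.0.113.5] ehlo=1 auth=1/1 mail=1 rcpt=1 data=1 quit=1 commands=6
Jul 30 18:31:05 mx1 postfix/smtpd[1238]: disconnect from laptop.example.net[192.0.2.9] ehlo=1 auth=0/1 quit=1 commands=2/3
Jul 30 18:40:06 mx1 postfix/smtpd[1239]: disconnect from unknown[198.51.100.7] ehlo=1 auth=0/1 commands=1/2
Jul 30 19:35:06 mx1 postfix/smtpd[1241]: disconnect from laptop.example.net[192.0.2.9] ehlo=1 auth=0/3 quit=1 commands=2/5
Jul 30 19:45:07 mx1 postfix/smtpd[1240]: disconnect from unknown[198.51.100.7] ehlo=1 auth=0/3 commands=1/4
Jul 30 20:40:08 mx1 postfix/smtpd[1242]: disconnect from laptop.example.net[192.0.2.9] ehlo=1 auth=0/2 quit=1 commands=2/4
""".splitlines()


def parse_disconnect(line, year=2021):
    """Return {'ts', 'ip', 'ok', 'failed'} for a disconnect line that
    carried an AUTH counter, or None for anything else.
    Syslog lines carry no year, so the caller supplies it."""
    m = DISCONNECT_RE.match(line)
    if not m:
        return None
    a = AUTH_RE.search(m.group('counters'))
    if not a:
        return None  # the session never attempted AUTH
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    ok, tried = int(a.group('ok')), int(a.group('tried'))
    return {'ts': ts, 'ip': m.group('ip'), 'ok': ok, 'failed': tried - ok}


def flag_clients(lines, threshold=5, window=timedelta(hours=1), year=2021):
    """Sliding-window count of failed AUTH attempts per client IP.

    Only sessions with auth=0/N count (every attempt failed), following the
    'anything with auth=0 is suspect' rule; a session where one attempt
    eventually succeeded is treated as a real user with a typo.
    Returns {ip: {'first_over': timestamp, 'failures': count}} for each
    client whose failures within any `window` reached `threshold`."""
    per_ip = defaultdict(list)
    for line in lines:
        ev = parse_disconnect(line, year)
        if ev and ev['ok'] == 0:
            per_ip[ev['ip']].append((ev['ts'], ev['failed']))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start, running = 0, 0
        for ts, failed in events:
            running += failed
            # drop events that fell out of the window ending at `ts`
            while ts - events[start][0] > window:
                running -= events[start][1]
                start += 1
            if running >= threshold:
                flagged[ip] = {'first_over': ts, 'failures': running}
                break  # first crossing is enough to decide on a block
    return flagged


if __name__ == '__main__':
    for ip, info in flag_clients(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failed AUTH within 1h, "
              f"threshold crossed at {info['first_over']:%H:%M:%S}")
```

On the sample, only 198.51.100.7 is flagged (five failures by 18:20:03); 192.0.2.9 accumulates six failures over the evening but never five inside one hour, which is the difference between a rolling window and a plain total. Pair the flagged list with the same one-hour expiry on the block itself, as suggested above, so a shared NAT address is not locked out indefinitely.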