On 9/9/2021 2:21 PM, J Doe wrote:
> Sep 6 09:17:42 localhost postfix/smtpd[14622]: disconnect from unknown[77.247.110.240] ehlo=2 starttls=1 auth=0/1 commands=3/4
>
> In this case, is the botnet actually trying credentials? It looks to me that it is establishing a TLS connection and then dropping it (or am I mistaken?).

The part in the log about auth=0/1 means the client issued an AUTH command, 0 successful, 1 attempt. If no AUTH commands were issued, there would be no auth= logged.

So yes, the client is trying to AUTH. Your backend auth system should log the failed login attempts.

  -- Noel Jones
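
An added example, not part of the original thread and not Postfix's own code: a small parser that applies the reading of `auth=0/1` given above to smtpd disconnect lines and counts failed AUTH attempts per client address. It assumes every `name=N` or `name=N/M` counter follows the same successful/attempted convention; apart from the line quoted in the thread, the sample log lines are constructed.

```python
import re
from collections import Counter

# "disconnect from host[addr] name=ok[/attempted] ..." as logged by postfix/smtpd
DISCONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: disconnect from (?P<host>\S+?)\[(?P<ip>[^\]]+)\]"
    r"(?P<stats>(?: \w+=\d+(?:/\d+)?)+)"
)
STAT_RE = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")

# First line is the one quoted in the thread; the others are constructed samples.
SAMPLE_LOG = [
    "Sep 6 09:17:42 localhost postfix/smtpd[14622]: disconnect from "
    "unknown[77.247.110.240] ehlo=2 starttls=1 auth=0/1 commands=3/4",
    "Sep 6 09:18:03 localhost postfix/smtpd[14630]: disconnect from "
    "mail.example.org[192.0.2.10] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5",
    "Sep 6 09:19:10 localhost postfix/smtpd[14641]: disconnect from "
    "unknown[198.51.100.7] ehlo=2 starttls=1 auth=0/3 commands=3/6",
    "Sep 6 09:20:00 localhost postfix/smtpd[14650]: disconnect from "
    "client.example.net[192.0.2.44] ehlo=2 starttls=1 auth=1 mail=1 commands=5",
    "Sep 6 09:20:05 localhost postfix/smtpd[14651]: connect from unknown[198.51.100.7]",
]

def parse_disconnect(line):
    """Return (ip, {command: (successful, attempted)}) or None if not a disconnect line."""
    m = DISCONNECT_RE.search(line)
    if m is None:
        return None
    stats = {}
    for name, ok, attempted in STAT_RE.findall(m.group("stats")):
        ok = int(ok)
        # A bare "name=N" means all N attempts succeeded.
        stats[name] = (ok, int(attempted) if attempted else ok)
    return m.group("ip"), stats

def failed_auth_by_ip(lines):
    """Count failed AUTH commands per client IP; sessions without auth= are skipped."""
    failures = Counter()
    for line in lines:
        parsed = parse_disconnect(line)
        if parsed is None:
            continue
        ip, stats = parsed
        ok, attempted = stats.get("auth", (0, 0))
        if attempted > ok:
            failures[ip] += attempted - ok
    return failures

if __name__ == "__main__":
    for ip, n in failed_auth_by_ip(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} failed AUTH attempt(s)")
```

The per-address counts only show that AUTH was attempted and failed; the usernames tried are in the backend auth system's log, as the reply notes.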