On 9.09.2021 at 16:10:31, Bill Cole writes:
>
> Note this log line from the original message:
>
> >>>Sep  6 09:17:42 localhost postfix/smtpd[14622]: disconnect
> >>>from unknown[77.247.110.240] ehlo=2 starttls=1 auth=0/1
> >>>commands=3/4
>
> That's an indicator of a failed "AUTH" command. I suppose that
> *would* happen if the bot somehow sent an AUTH command without
> providing any credentials but there's no indication logged by
> Postfix of exactly how or why an AUTH command fails; Postfix doesn't
> really know. Whatever SASL layer Postfix is using obviously must
> know, but it is likely not to log it.

I have asked this already here, but nobody replied. Maybe I'll try again :)

When and why was the logging regarding AUTH failures changed? Because in a
quite old version of Postfix I can clearly see the following in the logs:

Sep 9 22:09:16 rafa postfix/smtpd[9969]: warning: static.148.188.201.195.clients.your-server.de[195.201.188.148]: SASL Login authentication failed: UGFzc3dvcmQ6

If you base64-decode "UGFzc3dvcmQ6" (I don't know why base64 however ;)), it
translates to "Password:", so I understand that authentication failed at the
stage of prompting for password.

Of course, the corresponding log line from Dovecot (which is the SASL
authenticator) shows the username that was tried (interestingly, almost all
these usernames don't exist at all on my server, there are very rare cases
when I once in a few months or so see an attempt to log in to a username that
actually exists).

I also don't have the summary part "ehlo=xxx starttls=xxx ..." etc. in my
disconnect message, the log line is just "disconnect from
static.148.188.201.195.clients.your-server.de[195.201.188.148]".

BTW, I don't use postscreen, if that matters.
--
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
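
Added example (not part of either message, and not Postfix code): a small Python log scanner that recognizes both failure indicators discussed in this thread, the `auth=0/1` disconnect summary and the `SASL ... authentication failed` warning, and decodes the base64 challenge. The function names and the last sample line (192.0.2.10) are constructed for illustration; `auth=ok/total` is read as Bill Cole describes it.

```python
import base64
import binascii
import re
from collections import defaultdict

# Constructed sample: the two log lines quoted in the thread, the bare
# old-style disconnect, and one invented successful session (192.0.2.10).
SAMPLE_LOG = """\
Sep  6 09:17:42 localhost postfix/smtpd[14622]: disconnect from unknown[77.247.110.240] ehlo=2 starttls=1 auth=0/1 commands=3/4
Sep  9 22:09:16 rafa postfix/smtpd[9969]: warning: static.148.188.201.195.clients.your-server.de[195.201.188.148]: SASL Login authentication failed: UGFzc3dvcmQ6
Sep  9 22:09:17 rafa postfix/smtpd[9969]: disconnect from static.148.188.201.195.clients.your-server.de[195.201.188.148]
Sep  9 22:10:02 rafa postfix/smtpd[9971]: disconnect from mail.example.net[192.0.2.10] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
"""

WARN_RE = re.compile(r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[^\]]+)\]: "
                     r"SASL \S+ authentication failed:\s*(?P<detail>.*)$")
DISC_RE = re.compile(r"postfix/smtpd\[\d+\]: disconnect from \S+\[(?P<ip>[^\]]+)\](?P<stats>.*)$")
AUTH_RE = re.compile(r"\bauth=(\d+)(?:/(\d+))?")  # ok, or ok/total when some failed


def decode_challenge(detail):
    """Decode a base64 SASL server challenge such as 'UGFzc3dvcmQ6'; None if not one."""
    try:
        text = base64.b64decode(detail.strip(), validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None


def failed_auth_by_ip(log_text):
    """Per client IP: warning-line failures, summary-line failures, decoded stages."""
    report = defaultdict(lambda: {"warnings": 0, "summary_failed": 0, "stages": []})
    for line in log_text.splitlines():
        if m := WARN_RE.search(line):
            entry = report[m["ip"]]
            entry["warnings"] += 1
            if stage := decode_challenge(m["detail"]):
                entry["stages"].append(stage)
        elif m := DISC_RE.search(line):
            a = AUTH_RE.search(m["stats"])
            if a and a[2] is not None and int(a[2]) > int(a[1]):
                report[m["ip"]]["summary_failed"] += int(a[2]) - int(a[1])
    return dict(report)


if __name__ == "__main__":
    for ip, entry in failed_auth_by_ip(SAMPLE_LOG).items():
        print(ip, entry)
```

The two counters are kept separate so that a server which logs both line types for the same session is not counted twice.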