On 19.02.22 12:43, Emmanuel BILLOT wrote:
We have an SMTPS server with SASL auth for posting messages from external
networks (internal too). For weeks we have found a very large number of

SASL LOGIN authentication failed: authentication failure

in our logs.

Client IPs are foreign and not real clients.

1 - is it a brute force attack? Or a DDOS?

it's the internet - dozens of IPs trying random logins/passwords all the time.

2 - what postfix directive should we use to stop it?

you can't stop it unless you disable the server and start requiring your clients to log in via VPN.

We have listed all IPs. We can use a FW rule, but it's heavy and hard to
manage. A Postfix list may be easier.

you can block these using fail2ban. it maintains IP addresses and blocklists.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Atheism is a non-prophet organization.
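
As an added illustration (not part of the original thread and not fail2ban's own code), the sketch below shows the kind of counting fail2ban performs on a mail log: match failed SASL lines, keep a per-IP time window, and flag an address once it crosses a threshold. The parameter names `maxretry` and `findtime` mirror fail2ban's jail options; the log lines, hostname, addresses and threshold values are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Postfix smtpd logs a failed SASL attempt as:
#   <ts> <host> postfix/smtpd[pid]: warning: name[ip]: SASL LOGIN authentication failed: ...
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) \S+ postfix/\S*smtpd\[\d+\]: "
    r"warning: \S*\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \S+ authentication failed"
)

def offenders(lines, maxretry=5, findtime=600, year=2022):
    """Return {ip: time of the failure that crossed the threshold}."""
    window = defaultdict(deque)  # ip -> timestamps of recent failures
    banned = {}
    for line in lines:
        m = FAILED.match(line)
        if not m or m["ip"] in banned:
            continue
        # Classic syslog timestamps carry no year, so one is supplied.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = window[m["ip"]]
        q.append(ts)
        # Forget failures older than findtime seconds.
        while ts - q[0] > timedelta(seconds=findtime):
            q.popleft()
        if len(q) >= maxretry:
            banned[m["ip"]] = ts
    return banned

def _line(clock, ip):
    # Constructed log line in Postfix's smtpd warning format.
    return (f"Feb 19 {clock} mail postfix/smtpd[2101]: warning: unknown[{ip}]: "
            "SASL LOGIN authentication failed: authentication failure")

# Constructed sample: one slow client (a failure per hour), one burst, one
# unrelated line. Addresses come from the RFC 5737 documentation ranges.
SAMPLE = (
    [_line(f"{h:02d}:00:00", "198.51.100.20") for h in (8, 9, 10, 11, 12)]
    + [_line(f"12:40:{s:02d}", "203.0.113.7") for s in range(0, 50, 10)]
    + ["Feb 19 12:41:00 mail postfix/smtpd[2101]: connect from unknown[192.0.2.9]"]
)

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE).items():
        print(f"{ip} reached the threshold at {when}")
```

With the defaults only the burst is flagged; the hourly failures never accumulate inside one `findtime` window, which is why slow, distributed guessing stays under such thresholds.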
