AW: Knocking on the door

Sat, 18 May 2024 06:22:55 -0700 

Hello
Thanks for reply yes, i have put now this, I have peace now 😊

#cat postfix-addon.conf
[INCLUDES]
before = common.conf

[Definition]
_daemon = postfix/smtpd

failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 
5\.2\.1 .*$
^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.6\.1 : Helo  
     command rejected: Host not found; to=<> from=<> bcc=<> Yproto=ESMTP helo= 
*$
        ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.4\.1 
.*$
        ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 454 4\.7\.2 
:*$
        reject: RCPT from (.*)\[<HOST>\]: 550 5.2.1
        reject: RCPT from (.*)\[<HOST>\]: 450 4.6.1
        reject: RCPT from (.*)\[<HOST>\]: 554 5.4.1
        reject: RCPT from unknown\[<HOST>\]: 454 4.7.2
        connect from unknown\[<HOST>\]
ignoreregex =

--
you cannot fail unless you quit!

-----Ursprüngliche Nachricht-----
Von: Charles Curley <charlescur...@charlescurley.com> 
Gesendet: Freitag, 17. Mai 2024 18:45
An: Debian Users <debian-user@lists.debian.org>
Betreff: Re: Knocking on the door

On Fri, 17 May 2024 15:49:52 +0200
Maurizio Caloro <mauri...@caloro.ch> wrote:

> 
> Hello
> 
> 
> Please i know that this arn't the Dovecot forum, but let me try, on 
> the log's i have always knocking "unknown user" attempts.
> 
> 
> > May 15 22:39:31 Dovecot/auth-worker(2602036): Info: conn 
> > unix:auth-worker (pid=2602030,uid=113):
> > auth-worker<49>:sql(b...@domain.ch,194.169.175.10): unknown user

I only see one record here. fail2ban requires multiple attempts within a 
certain period before it will ban the source address. 


> 
> 
> yes i try with fail2ban, but i didn't see or found the right regex, so 
> that this will be blocked please has any from you solve this knocking 
> task?

Are you sure you want to worry about it? dovecot seems to be doing its job by 
refusing access to unknown users.

If you see repeated attempts from the same source, you might want to craft a 
firewall rule to ban that source (or than network).

Show us the files you have modified so we can see what you are doing.

> 
> 
> thanks
>
--
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/

Reply via email to