Glenn English wrote:

Maybe someone is brute forcing your server's Postfix authenticated
SMTP service since Postfix can be configured to use Dovecot's SASL
authentication framework.

and for the suggestion -- I do have Postfix using Dovecot-Auth checking
for SASL.

I think I'm going to re-install and run Tripwire...

Tripwire?  If the purpose of your query is to automate blocking of brute
forcers, this software is not what you want (which detects tampering of
critical system files).

I suggest trying to find where Postfix failed login reports go, then use
your fail2ban or what-have-you to detect and block hosts that repeatedly
fail authentication.

        (First Google hit I did on this subject)
        http://scottlinux.com/2011/05/26/prevent-postfix-brute-force/

The log entries might look like

        {timestamp} {servername} postfix/smtpd[{pid}]: lost connection after AUTH
                from {remote-hostname}[{remote-ip}]

Joseph Tam <jtam.h...@gmail.com>
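
The detection step suggested in the message above, as an added example that is not part of the original post: it counts "lost connection after AUTH" lines per remote IP inside a sliding window, the same kind of decision fail2ban makes before blocking a host. The function name, the threshold and window values, the traditional syslog timestamp layout, the year and the sample log lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the smtpd line format quoted in the message, assuming a traditional
# syslog timestamp ("May 26 10:00:01"); other "lost connection" stages are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"lost connection after AUTH from \S+\[(?P<ip>[0-9A-Fa-f:.]+)\]"
)

def find_offenders(lines, max_retry=3, find_time=timedelta(minutes=10), year=2012):
    """Return {ip: n} where n >= max_retry AUTH drops fell within find_time."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # syslog omits the year, so the caller supplies one (assumption)
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events[m["ip"]].append(ts)
    offenders = {}
    for ip, stamps in events.items():
        stamps.sort()
        start = best = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > find_time:  # slide window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= max_retry:
            offenders[ip] = best
    return offenders

# Constructed sample log lines (documentation IP ranges, hypothetical host "mail").
SAMPLE = """\
May 26 08:00:00 mail postfix/smtpd[1900]: lost connection after AUTH from unknown[192.0.2.55]
May 26 09:00:00 mail postfix/smtpd[1950]: lost connection after AUTH from unknown[192.0.2.55]
May 26 10:00:00 mail postfix/smtpd[2100]: lost connection after AUTH from unknown[192.0.2.55]
May 26 10:00:01 mail postfix/smtpd[2101]: lost connection after AUTH from unknown[203.0.113.7]
May 26 10:00:40 mail postfix/smtpd[2102]: lost connection after AUTH from unknown[203.0.113.7]
May 26 10:01:00 mail postfix/smtpd[2103]: lost connection after AUTH from host.example[198.51.100.20]
May 26 10:02:15 mail postfix/smtpd[2104]: lost connection after AUTH from unknown[203.0.113.7]
May 26 10:03:30 mail postfix/smtpd[2105]: lost connection after AUTH from unknown[203.0.113.7]
May 26 10:04:00 mail postfix/smtpd[2106]: lost connection after RCPT from unknown[203.0.113.7]
May 26 10:05:00 mail postfix/smtpd[2107]: lost connection after AUTH from host.example[198.51.100.20]
""".splitlines()

if __name__ == "__main__":
    for ip, n in find_offenders(SAMPLE).items():
        print(f"{ip}: {n} AUTH drops within the window")
```

The host that drops three times an hour apart is not flagged, which is why the window matters as much as the count.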
