Anders Wegge Keller:
> My analysis is that the remote system is making a dictionary attack, to try
> and see if it's possible to relay mail through my server that way.
> Unfortunately (for the spammer), postfix is configured with
> smtpd_tls_auth_only = yes, so the connection is rejected. However, mail.info
> can grow rather large, so I would like to have a sure-fire trigger in the
> log, that I can use to put an iptable block in place with fail2ban.
>
> So my question is: Is it possible to get a log entry for remote systems
> that try to do AUTH without having issued STARTTLS first?
No. If a command is disabled or unknown then Postfix does not log it. That
could fill the logfile quickly.

In the next release, there is a design to log the number of successful/total
commands in an SMTP session. Your session would look like:

    disconnect from unknown[175.101.8.162] ehlo=1 auth=0/1 unknown=2

Translation:

    ehlo=1     1 successful ehlo, 1 total ehlo
    auth=0/1   0 successful auth, 1 total auth
    unknown=2  2 unknown commands

That would make failed AUTH commands easy to recognize, and in many cases help
to diagnose trouble without having to turn on Postfix verbose logging.

	Wietse
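As an added illustration, not part of the thread, a small Python parser for disconnect summaries in the shape Wietse sketches, run over constructed sample lines, that extracts the per-session counters and reports clients whose sessions contained failed AUTH commands. The sample log lines, host names and the extra counters on the other sessions are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample lines (not a real capture) in the shape described in the
# thread: "ok" or "ok/total" per command. Current Postfix disconnect summaries
# carry further counters (e.g. commands=M/N), so every key=value pair is parsed.
SAMPLE_LOG = """\
Mar  1 10:00:01 mx postfix/smtpd[1234]: connect from unknown[175.101.8.162]
Mar  1 10:00:02 mx postfix/smtpd[1234]: disconnect from unknown[175.101.8.162] ehlo=1 auth=0/1 unknown=2
Mar  1 10:00:05 mx postfix/smtpd[1235]: disconnect from mail.example.org[192.0.2.10] ehlo=1 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1
Mar  1 10:00:09 mx postfix/smtpd[1236]: disconnect from unknown[198.51.100.7] ehlo=1 auth=0/3 rset=1 quit=1
"""

DISCONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: disconnect from (?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\](?P<counters>.*)$"
)
COUNTER_RE = re.compile(r"(?P<cmd>\w+)=(?P<ok>\d+)(?:/(?P<total>\d+))?")


@dataclass
class Session:
    ip: str
    counters: dict  # command -> (successful, total)

    def failed(self, cmd):
        """Number of rejected commands of this kind (total minus successful)."""
        ok, total = self.counters.get(cmd, (0, 0))
        return total - ok


def parse_disconnect(line):
    """Return a Session for a disconnect summary line, or None for other lines."""
    m = DISCONNECT_RE.search(line)
    if not m:
        return None
    counters = {}
    for c in COUNTER_RE.finditer(m.group("counters")):
        ok = int(c.group("ok"))
        # A bare "ehlo=1" means all attempts succeeded, so total == ok.
        total = int(c.group("total")) if c.group("total") else ok
        counters[c.group("cmd")] = (ok, total)
    return Session(m.group("ip"), counters)


def suspicious_clients(log_text, min_failed_auth=1):
    """Map client IP -> failed AUTH count, for sessions with failed AUTH.

    A client that issued AUTH without STARTTLS under smtpd_tls_auth_only = yes
    shows up here as auth=0/N, which is the trigger the question asks for.
    """
    hits = {}
    for line in log_text.splitlines():
        s = parse_disconnect(line)
        if s is not None and s.failed("auth") >= min_failed_auth:
            hits[s.ip] = hits.get(s.ip, 0) + s.failed("auth")
    return hits
```

The returned mapping is the kind of per-IP evidence a fail2ban jail would act on; a fail2ban failregex would match the `auth=0/` form directly on the same lines.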