Anders Wegge Keller:
>  My analysis is that the remote system is making a dictionary attack, to try
> and see if it's possible to relay mail through my server that way.
> Unfortunately (for the spammer), postfix is configured with
> smtpd_tls_auth_only = yes, so the connection is rejected. However, mail.info
> can grow rather large, so I would like to have a sure-fire trigger in the
> log, that I can use to put an iptable block in place with fail2ban. 
> 
>  So my question is: Is it possible to get a log entry for remote systems
> that try to do AUTH without having issued STARTTLS first?

No.  If a command is disabled or unknown then Postfix does not log
it.  That could fill the logfile quickly.

In the next release, there is a design to log the number of
successful/total commands in an SMTP session.

Your session would look like:

    disconnect from unknown[175.101.8.162] ehlo=1 auth=0/1 unknown=2

Translation: 

    ehlo=1      1 successful ehlo, 1 total ehlo.
    auth=0/1    0 successful auth, 1 total auth.
    unknown=2   2 unknown commands.

That would make failed AUTH commands easy to recognize, and 
in many cases help to diagnose trouble without having to 
turn on Postfix verbose logging.

        Wietse
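An added example, not from the original post or from Postfix itself, that parses the disconnect summary line in the format described above and flags sessions whose AUTH attempts were all rejected (the trigger the question asks for, usable from a fail2ban-style filter). The sample log lines, including the `starttls` token, are constructed.

```python
import re

# Summary line as described in the reply: each command token is either
# "name=N" (N attempts, all successful) or "name=S/T" (S of T succeeded).
DISCONNECT_RE = re.compile(
    r"disconnect from (?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]"
    r"(?P<counts>(?: \w+=\d+(?:/\d+)?)*)$"
)
COUNT_RE = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")

def parse_disconnect(line):
    """Return (ip, {command: (successful, total)}) or None for other lines."""
    m = DISCONNECT_RE.search(line)
    if not m:
        return None
    counts = {}
    for name, ok, total in COUNT_RE.findall(m.group("counts")):
        ok = int(ok)
        total = int(total) if total else ok  # "ehlo=1" means 1 of 1
        counts[name] = (ok, total)
    return m.group("ip"), counts

def failed_auth(line):
    """True when the session issued AUTH and Postfix rejected at least one."""
    parsed = parse_disconnect(line)
    if parsed is None:
        return False
    ok, total = parsed[1].get("auth", (0, 0))
    return total > ok

# Constructed sample log (hypothetical hostnames/addresses), not real traffic.
SAMPLE_LOG = """\
Apr  1 12:00:01 mx postfix/smtpd[1234]: connect from unknown[175.101.8.162]
Apr  1 12:00:03 mx postfix/smtpd[1234]: disconnect from unknown[175.101.8.162] ehlo=1 auth=0/1 unknown=2
Apr  1 12:01:10 mx postfix/smtpd[1235]: disconnect from mail.example.org[192.0.2.10] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1
"""

def ips_with_failed_auth(log_text):
    """Client IPs a fail2ban-style filter would match in the given log text."""
    return [parse_disconnect(l)[0] for l in log_text.splitlines() if failed_auth(l)]

if __name__ == "__main__":
    print(ips_with_failed_auth(SAMPLE_LOG))
```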
