Thomas Keller:
> In my logs, I have thousands of:
>
> postfix/smtpd: connect from unknown [186.225.115.62]
> postfix/smtpd: disconnect from unknown [186.225.115.62]
>
> when I watch the traffic on port 25, I see that the client tried AUTH
> LOGIN and was rejected:
>
> 220 mail.<myserver>.com ESMTP
> HELO mail.<myserver>.com
> 250 mail.<myserver>.com
> AUTH LOGIN
> 503 5.5.1 Error: authentication not enabled
> QUIT
> 221 2.0.0 Bye
>
> but I don't see the failed AUTH LOGIN in my logs (neither mail.log, nor
> mail.err)
>
> I am using a custom script to block offending IPs (similar to fail2ban),
> but I cannot block these IPs when I don't see them in the logs.
>
> How can I make sure failed AUTH LOGIN is being logged?
By design, Postfix will not log every unimplemented or invalid command because that would make it more vulnerable to a logfile flooding attack. Instead, upgrade to Postfix 3.0 or later, which logs a command summary at the end of a session. The numbers below are (command name, number of times accepted, number of times issued). Here's an example:

Aug 9 06:31:25 spike postfix/smtpd[92051]: disconnect from unknown[bottet-ip-address-1] ehlo=1 auth=0/1 commands=1/2
Aug 9 06:31:26 spike postfix/smtpd[92053]: disconnect from unknown[bottet-ip-address-1] ehlo=1 auth=0/1 commands=1/2
Aug 9 06:31:52 spike postfix/smtpd[92051]: disconnect from unknown[bottet-ip-address-1] ehlo=1 auth=0/1 commands=1/2

The format of the logging makes these easy to find: just grep for 'auth=./' (the '/' is present only when the command failed at least once).

Wietse
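To turn the "accepted/issued" summary described in the reply above into a fail2ban-style ban list, here is an added example (not Postfix code and not part of the thread): it parses the Postfix 3.0+ disconnect line, counts AUTH commands that were issued but not accepted per client IP, and reports IPs over a threshold. The sample log lines, IPs and the threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the Postfix 3.0+ "disconnect" summary format;
# the IPs are documentation ranges, not real offenders.
SAMPLE_LOG = """\
Aug  9 06:31:25 spike postfix/smtpd[92051]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/1 commands=1/2
Aug  9 06:31:26 spike postfix/smtpd[92053]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/1 commands=1/2
Aug  9 06:31:52 spike postfix/smtpd[92051]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/1 commands=1/2
Aug  9 06:32:01 spike postfix/smtpd[92060]: disconnect from mail.example.org[198.51.100.5] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
Aug  9 06:32:30 spike postfix/smtpd[92061]: disconnect from unknown[203.0.113.7] ehlo=1 auth=2/3 mail=1 quit=1 commands=5/6
"""

DISCONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: disconnect from (?P<host>\S+?)\[(?P<ip>[^\]]+)\] (?P<summary>.*)$"
)

def parse_summary(summary):
    """Turn 'ehlo=1 auth=0/1 commands=1/2' into {name: (accepted, issued)}."""
    # A bare 'name=N' means all N commands were accepted (no '/' part).
    counts = {}
    for token in summary.split():
        name, _, value = token.partition("=")
        accepted, slash, issued = value.partition("/")
        counts[name] = (int(accepted), int(issued) if slash else int(accepted))
    return counts

def failed_auth_by_ip(log_text):
    """Count AUTH commands that were issued but not accepted, per client IP."""
    failures = Counter()
    for line in log_text.splitlines():
        m = DISCONNECT_RE.search(line)
        if not m:
            continue
        counts = parse_summary(m.group("summary"))
        if "auth" not in counts:
            continue
        accepted, issued = counts["auth"]
        if issued > accepted:
            failures[m.group("ip")] += issued - accepted
    return failures

def ips_to_block(log_text, threshold=3):
    """IPs whose failed-AUTH count reaches the threshold (a fail2ban-style ban list)."""
    return sorted(ip for ip, n in failed_auth_by_ip(log_text).items() if n >= threshold)

if __name__ == "__main__":
    print("block:", ips_to_block(SAMPLE_LOG))
```

Feed it the real mail log instead of SAMPLE_LOG and lower or raise the threshold to match the policy your blocking script already applies.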