Thomas Keller:
> In my logs, I have thousands of:
> 
>   postfix/smtpd: connect from unknown [186.225.115.62]
>   postfix/smtpd: disconnect from unknown [186.225.115.62]
> 
> when I watch the traffic on port 25, I see that the client tried AUTH
> LOGIN and was rejected:
> 
>   220 mail.<myserver>.com ESMTP
>   HELO mail.<myserver>.com
>   250 mail.<myserver>.com
>   AUTH LOGIN
>   503 5.5.1 Error: authentication not enabled
>   QUIT
>   221 2.0.0 Bye
> 
> but I don't see the failed AUTH LOGIN in my logs (neither mail.log, nor
> mail.err)
> 
> I am using a custom script to block offending IPs (similar to fail2ban),
> but I cannot block these IPs when I don't see them in the logs.
> 
> How can I make sure failed AUTH LOGIN is being logged?

By design, Postfix will not log every unimplemented or invalid
command because that would make it more vulnerable to logfile
flooding attacks.  Instead, upgrade to Postfix 3.0 or later, which
logs a command summary at the end of a session. The numbers below
are (command name, number of times accepted, number of times issued).

Here's an example:

Aug  9 06:31:25 spike postfix/smtpd[92051]: disconnect from unknown[bottet-ip-address-1] ehlo=1 auth=0/1 commands=1/2
Aug  9 06:31:26 spike postfix/smtpd[92053]: disconnect from unknown[bottet-ip-address-1] ehlo=1 auth=0/1 commands=1/2
Aug  9 06:31:52 spike postfix/smtpd[92051]: disconnect from unknown[bottet-ip-address-1] ehlo=1 auth=0/1 commands=1/2

The format of the logging makes these easy to find: just grep for 'auth=./' (the
'/' is present only when the command failed at least once).

        Wietse
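As an added example (not part of the thread or of Postfix itself), a small Python parser for the Postfix 3.0+ "disconnect" summary lines described above, counting failed AUTH commands per client IP the way a fail2ban-style script would; the log lines, hostnames and addresses are constructed placeholders, and the failure count is derived from the page's (accepted, issued) semantics as issued minus accepted.

```python
import re
from collections import Counter

# Constructed sample of Postfix >= 3.0 smtpd disconnect summaries
# (RFC 5737 documentation addresses; not real clients).
SAMPLE_LOG = """\
Aug  9 06:31:25 spike postfix/smtpd[92051]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/1 commands=1/2
Aug  9 06:31:26 spike postfix/smtpd[92053]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/1 commands=1/2
Aug  9 06:31:40 spike postfix/smtpd[92060]: disconnect from mail.example.net[198.51.100.7] ehlo=1 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Aug  9 06:31:52 spike postfix/smtpd[92051]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/1 commands=1/2
Aug  9 06:32:03 spike postfix/smtpd[92070]: disconnect from unknown[203.0.113.5] ehlo=1 auth=0/3 commands=1/4
"""

DISCONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: disconnect from (?P<host>\S+?)\[(?P<ip>[^\]]+)\](?P<summary>.*)$"
)
# Each counter is "name=accepted" or "name=accepted/issued"; the '/'
# part appears only when the command failed at least once.
COUNTER_RE = re.compile(r"\b(?P<cmd>[a-z]+)=(?P<accepted>\d+)(?:/(?P<issued>\d+))?")


def parse_disconnect(line):
    """Return (client_ip, {command: (accepted, issued)}) or None for other lines."""
    m = DISCONNECT_RE.search(line)
    if not m:
        return None
    counters = {}
    for c in COUNTER_RE.finditer(m.group("summary")):
        accepted = int(c.group("accepted"))
        # No '/' means every issued command was accepted.
        issued = int(c.group("issued")) if c.group("issued") else accepted
        counters[c.group("cmd")] = (accepted, issued)
    return m.group("ip"), counters


def failed_auth_by_ip(log_text):
    """Sum failed AUTH commands (issued - accepted) per client IP."""
    failures = Counter()
    for line in log_text.splitlines():
        parsed = parse_disconnect(line)
        if parsed is None:
            continue
        ip, counters = parsed
        accepted, issued = counters.get("auth", (0, 0))
        if issued > accepted:
            failures[ip] += issued - accepted
    return dict(failures)


def offenders(log_text, threshold=3):
    """Client IPs whose failed AUTH total reached the threshold (candidates for blocking)."""
    return sorted(ip for ip, n in failed_auth_by_ip(log_text).items() if n >= threshold)
```

The session from a legitimate client (auth=1 with no '/') contributes nothing, so only clients with at least one rejected AUTH reach the block list.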
