On Sat, 21 Sep 2019 at 01:21, Wietse Venema <wie...@porcupine.org> wrote:
>
> Benny Pedersen:
> > Daniel Miller wrote on 2019-09-20 23:12:
> >
> > > I'm seeing some higher levels of attempted logins from various
> > > sources. Are there any automated filters that are suggested? Or do I
> > > simply add a check_client_a_access and reference a manually maintained
> > > blacklist?
> >
> > grep 'after AUTH' maillog
> >
> > make this list as check client access on customer ports, not port 25
> >
> > i block big abusers with static firewalling
> >
> > just not port 25
> >
> > i see after AUTH on port 25, unsure what to do ?
> >
> > maybe postscreen can do same with that as pregreet ?
>
> Postscreen does not inspect every connection. That is a feature,
> not a bug. It's perfectly OK to fail2ban a client that makes too
> many mistakes while talking to an smtpd process.
>
> Wietse

I use fail2ban with dovecot jail and a custom 'postfix-auth' jail (see https://github.com/fail2ban/fail2ban/issues/2200), both of which block a lot of repeated auth attempts. I also harvest attempted passwords and relay them (filtered) to the relevant users.
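
The `grep 'after AUTH' maillog` approach and the client access list discussed in the thread, as an added example that is not part of any of the posts: it counts "after AUTH" events per client address and prints an entry in Postfix cidr_table(5) format for each client at or above a threshold, suitable for a `check_client_access cidr:` lookup on the submission ports. The log lines, the threshold argument and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample log lines (documentation addresses, not real traffic).
sample_log() {
cat <<'EOF'
Sep 20 23:01:02 mx postfix/submission/smtpd[2101]: lost connection after AUTH from unknown[192.0.2.10]
Sep 20 23:01:09 mx postfix/submission/smtpd[2101]: connect from unknown[192.0.2.10]
Sep 20 23:01:15 mx postfix/submission/smtpd[2104]: lost connection after AUTH from unknown[192.0.2.10]
Sep 20 23:02:40 mx postfix/smtpd[2110]: timeout after AUTH from host.example[192.0.2.10]
Sep 20 23:03:11 mx postfix/submission/smtpd[2113]: lost connection after AUTH from client.example[198.51.100.7]
Sep 20 23:04:00 mx postfix/smtps/smtpd[2120]: lost connection after AUTH from unknown[2001:db8::25]
Sep 20 23:04:05 mx postfix/smtps/smtpd[2120]: lost connection after AUTH from unknown[2001:db8::25]
Sep 20 23:05:30 mx postfix/smtpd[2131]: lost connection after RCPT from unknown[203.0.113.5]
EOF
}

# auth_abusers THRESHOLD
# Reads a mail log on stdin and prints one cidr_table(5) line for every
# client address seen in at least THRESHOLD "after AUTH" events.
auth_abusers() {
    awk -v min="$1" '
        / after AUTH from / {
            host = $NF                       # e.g. unknown[192.0.2.10]
            l = index(host, "[")
            r = index(host, "]")
            if (l == 0 || r <= l + 1) next   # not a host[address] field
            hits[substr(host, l + 1, r - l - 1)]++
        }
        END {
            for (ip in hits)
                if (hits[ip] >= min + 0) {
                    # IPv6 addresses contain ":" and need a /128 mask
                    bits = (index(ip, ":") > 0) ? 128 : 32
                    printf "%s/%d REJECT too many failed AUTH attempts\n", ip, bits
                }
        }
    ' | LC_ALL=C sort
}

# Demo run over the constructed sample with a threshold of 3 events.
sample_log | auth_abusers 3
```

A single mistyped password from a legitimate user stays below the threshold, which is why 198.51.100.7 is not listed in the sample run.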