Robert Chalmers (Author):
> 
> I'm getting lots and lots of these types of login attempts;
> 
> warning: unknown[45.125.65.52]: SASL LOGIN authentication failed: 
> UGFzc3dvcmQ6                (postfix log)
> Info: pam(s...@robert-chalmers.uk,45.125.65.52): unknown user (given 
> password: sale01)        (dovecot log)
> 
> and I'm wondering if there is some way - other than what I have - of blocking 
> them, or automatically adding their IP to a <badhosts> list that I have for 
> pfctl.
> 
> Jul 06 06:46:03 www postfix/smtpd[3643]: watchdog_pat: 0x7ff1b472fdc0
> Jul 06 06:46:03 www postfix/smtpd[3643]: < unknown[45.125.65.52]: QUIT
> Jul 06 06:46:05 www postfix/smtpd[3643]: > unknown[45.125.65.52]: 221 2.0.0 
> Bye
> Jul 06 06:46:05 www postfix/smtpd[3643]: match_hostname: 
> smtpd_client_event_limit_exceptions: unknown ~? 151.225.136.134
> Jul 06 06:46:05 www postfix/smtpd[3643]: match_hostaddr: 
> smtpd_client_event_limit_exceptions: 45.125.65.52 ~? 151.225.136.134
> Jul 06 06:46:05 www postfix/smtpd[3643]: match_hostname: 
> smtpd_client_event_limit_exceptions: unknown ~? 94.1.23.155
> Jul 06 06:46:05 www postfix/smtpd[3643]: match_hostaddr: 
> smtpd_client_event_limit_exceptions: 45.125.65.52 ~? 94.1.23.155
> 

You missed the ONLY logfile record that can tell you they are
guessing passwords. Namely, the logfile record with

    auth=number-of-successful-attempts/total-number-of-attempts

That record conveniently also contains the remote SMTP client IP
address.  This is all you need for tools like fail2ban.

        Wietse
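To illustrate the record Wietse points at, here is an added example (not code from the thread, from Wietse, or from the Postfix project) that reads the per-session summary Postfix logs on disconnect, sums the `auth=successful/total` counter per client IP, and prints the `pfctl -t badhosts -T add` commands for IPs that only ever fail. The log lines are constructed for the example, and the failure threshold, the `badhosts` table name, and the decision to print rather than execute the commands are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed sample of Postfix "disconnect from" session summaries (not
# taken from the thread).  auth=N/M means N successful of M AUTH attempts,
# and the client IP is right there in the same record.
SAMPLE_LOG = """\
Jul 06 06:46:05 www postfix/smtpd[3643]: disconnect from unknown[203.0.113.5] ehlo=1 auth=0/3 quit=1 commands=2/5
Jul 06 06:47:11 www postfix/smtpd[3650]: disconnect from unknown[203.0.113.5] ehlo=1 auth=0/2 quit=1 commands=2/4
Jul 06 06:48:02 www postfix/smtpd[3651]: disconnect from mail.example.net[198.51.100.7] ehlo=1 auth=1/1 mail=1 rcpt=1 data=1 quit=1 commands=6
Jul 06 06:49:30 www postfix/smtpd[3652]: disconnect from unknown[192.0.2.9] ehlo=1 auth=0/1 quit=1 commands=2/3
Jul 06 06:50:00 www postfix/smtpd[3653]: < unknown[203.0.113.5]: QUIT
"""

# Only the disconnect summary carries the auth counter; other smtpd chatter
# (the "< ...: QUIT" line above, for instance) is deliberately not matched.
DISCONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: disconnect from \S+\[(?P<ip>[0-9a-fA-F.:]+)\]"
    r".*?\bauth=(?P<ok>\d+)/(?P<total>\d+)"
)


def parse_auth_counts(lines):
    """Return {ip: (successful, total)} summed over all disconnect records."""
    counts = defaultdict(lambda: [0, 0])
    for line in lines:
        m = DISCONNECT_RE.search(line)
        if not m:
            continue
        counts[m["ip"]][0] += int(m["ok"])
        counts[m["ip"]][1] += int(m["total"])
    return {ip: tuple(v) for ip, v in counts.items()}


def offenders(counts, max_failures=3):
    """IPs with no successful AUTH and at least max_failures failed attempts.

    max_failures is an assumed threshold; tune it to your own traffic.
    """
    bad = []
    for ip, (ok, total) in counts.items():
        if ok == 0 and (total - ok) >= max_failures:
            bad.append(ip)
    return sorted(bad)


def pfctl_commands(ips, table="badhosts"):
    """pfctl invocations that would add each IP to the named pf table.

    The commands are returned, not run; the table must already be declared
    in pf.conf (e.g. `table <badhosts> persist`).
    """
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]


if __name__ == "__main__":
    counts = parse_auth_counts(SAMPLE_LOG.splitlines())
    for cmd in pfctl_commands(offenders(counts)):
        print(cmd)
```

Run against the sample, the script emits a single command for 203.0.113.5 (five failed attempts over two sessions) and leaves the host that authenticated successfully alone. In practice you would pipe the commands into a shell or hand the same regex to a fail2ban filter, which does exactly this matching for you.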
