Robert Chalmers (Author):
>
> I'm getting lots and lots of these types of login attempts;
>
> warning: unknown[45.125.65.52]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 (postfix log)
> Info: pam(s...@robert-chalmers.uk,45.125.65.52): unknown user (given password: sale01) (dovecot log)
>
> and I'm wondering if there is some way - other than what I have - of blocking
> them, or automatically adding their IP to a <badhosts> list that I have for
> pfctl.
>
> Jul 06 06:46:03 www postfix/smtpd[3643]: watchdog_pat: 0x7ff1b472fdc0
> Jul 06 06:46:03 www postfix/smtpd[3643]: < unknown[45.125.65.52]: QUIT
> Jul 06 06:46:05 www postfix/smtpd[3643]: > unknown[45.125.65.52]: 221 2.0.0 Bye
> Jul 06 06:46:05 www postfix/smtpd[3643]: match_hostname: smtpd_client_event_limit_exceptions: unknown ~? 151.225.136.134
> Jul 06 06:46:05 www postfix/smtpd[3643]: match_hostaddr: smtpd_client_event_limit_exceptions: 45.125.65.52 ~? 151.225.136.134
> Jul 06 06:46:05 www postfix/smtpd[3643]: match_hostname: smtpd_client_event_limit_exceptions: unknown ~? 94.1.23.155
> Jul 06 06:46:05 www postfix/smtpd[3643]: match_hostaddr: smtpd_client_event_limit_exceptions: 45.125.65.52 ~? 94.1.23.155
>

You missed the ONLY logfile record that can tell you they are guessing
passwords. Namely, the logfile record with

    auth=number-of-successful-attempts/total-number-of-attempts

That record conveniently also contains the remote SMTP client IP
address. This is all you need for tools like fail2ban.

        Wietse
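
The record described in the reply above, parsed in an added example that is not part of the original thread. It assumes the Postfix smtpd "disconnect from" summary line, where `auth=ok/total` appears only when some attempts failed; the sample log lines, the threshold and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines (not from the original post), assuming the Postfix
# smtpd "disconnect from" summary layout with per-command counters.
SAMPLE_LOG = """\
Jul 06 06:46:05 www postfix/smtpd[3643]: disconnect from unknown[45.125.65.52] ehlo=1 auth=0/1 quit=1 commands=2/3
Jul 06 06:47:10 www postfix/smtpd[3650]: disconnect from unknown[45.125.65.52] ehlo=1 auth=0/3 rset=1 quit=1 commands=3/6
Jul 06 06:48:00 www postfix/smtpd[3651]: disconnect from mail.example.org[192.0.2.10] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
Jul 06 06:49:30 www postfix/smtpd[3652]: disconnect from unknown[198.51.100.7] ehlo=1 auth=1/2 quit=1 commands=3/4
Jul 06 06:50:00 www postfix/smtpd[3653]: disconnect from unknown[2001:db8::1] ehlo=1 auth=0/1 quit=1 commands=2/3
"""

# Client address in brackets, then the auth counter: "auth=N" or "auth=ok/total".
DISCONNECT = re.compile(
    r"postfix/\S*smtpd\[\d+\]: disconnect from \S*\[(?P<ip>[0-9A-Fa-f:.]+)\]"
    r".*?\bauth=(?P<ok>\d+)(?:/(?P<total>\d+))?"
)

def failed_auth_by_ip(lines):
    """Sum failed AUTH attempts (total - successful) per client IP."""
    failures = Counter()
    for line in lines:
        m = DISCONNECT.search(line)
        if not m or m.group("total") is None:
            continue  # no AUTH in this session, or every attempt succeeded
        failures[m.group("ip")] += int(m.group("total")) - int(m.group("ok"))
    return failures

def offenders(lines, threshold=3, allowlist=()):
    """IPs at or above the failure threshold, skipping allowlisted clients."""
    counts = failed_auth_by_ip(lines)
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and ip not in allowlist)

if __name__ == "__main__":
    for ip in offenders(SAMPLE_LOG.splitlines()):
        print(ip)
```

The printed addresses are in the form a pf table accepts, for example via `pfctl -t badhosts -T add`. Keep your own client addresses in the allowlist so that a mistyped password does not lock you out.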