Hi, we are experiencing permanent high traffic from numerous sites trying to SMTP AUTH to our postfix node, obviously trying to brute force password dictionaries against mail address lists probably taken from spam lists (including lots of older message IDs with the same syntax as mail addresses).
For some reason beyond the common noise we need to do some deeper analysis about who is trying which user account from where. Unfortunately, the required data, i.e. client IP address and username, are distributed in different log files. The IP address is written to postfix's log, while the username is in saslauthd's log in case of failure, with the time stamp as the only link between both. Is there some best current practice or recommended log config to analyze persistent login attempts? (We are considering limiting SMTP AUTH to the submission port 587 and having a blacklist for that in the firewall, but maintaining such a blacklist still requires understanding who is attacking and how.)
regards, Hadmut
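One way to do the timestamp join described above, as an added example that is not part of the original thread: a Python script that joins postfix/smtpd SASL-failure lines (which carry the client IP) to saslauthd failure lines (which carry the username) by nearest timestamp, then counts attempts per client and username. The log lines are constructed sample data in the usual syslog formats of both daemons; because syslog stamps have one-second resolution, several attempts within the same second cannot be attributed reliably, so each smtpd line is used at most once and anything unmatched stays unattributed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the usual syslog format of postfix/smtpd and saslauthd.
POSTFIX_LOG = """\
Mar 10 12:00:01 mx postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Mar 10 12:00:03 mx postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Mar 10 12:00:07 mx postfix/smtpd[1240]: warning: unknown[198.51.100.9]: SASL PLAIN authentication failed: authentication failure
""".splitlines()
SASLAUTHD_LOG = """\
Mar 10 12:00:01 mx saslauthd[999]: do_auth         : auth failure: [user=alice] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Mar 10 12:00:03 mx saslauthd[999]: do_auth         : auth failure: [user=bob] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Mar 10 12:00:08 mx saslauthd[999]: do_auth         : auth failure: [user=alice] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Mar 10 12:00:30 mx saslauthd[999]: do_auth         : auth failure: [user=carol] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
""".splitlines()

TS = r"(\w{3} +\d+ \d\d:\d\d:\d\d)"
POSTFIX_RE = re.compile(TS + r" \S+ postfix/smtpd\[\d+\]: warning: \S+\[([\d.]+)\]: SASL \w+ authentication failed")
SASL_RE = re.compile(TS + r" \S+ saslauthd\[\d+\]: .*auth failure: \[user=([^\]]*)\]")

def parse_ts(text):
    # syslog stamps carry no year; a fixed one is enough to order lines within one file
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=2000)

def correlate(postfix_lines, sasl_lines, tolerance=1.0):
    """Return (client_ip, username) pairs by joining each saslauthd failure to the
    nearest still-unmatched postfix SASL failure within `tolerance` seconds."""
    failures = [(parse_ts(m.group(1)), m.group(2))
                for m in map(POSTFIX_RE.match, postfix_lines) if m]
    pairs, used = [], set()
    for m in filter(None, map(SASL_RE.match, sasl_lines)):
        ts, user = parse_ts(m.group(1)), m.group(2)
        best = None
        for i, (fts, ip) in enumerate(failures):
            delta = abs((fts - ts).total_seconds())
            if i not in used and delta <= tolerance and (best is None or delta < best[0]):
                best = (delta, i, ip)
        if best is not None:  # failures with no smtpd line in range stay unattributed
            used.add(best[1])
            pairs.append((best[2], user))
    return pairs

def per_client(pairs):
    """Count attempts per client IP and tried username, the input for a blacklist decision."""
    table = defaultdict(Counter)
    for ip, user in pairs:
        table[ip][user] += 1
    return table
```

On a real server, feed the two lists from the respective log files and keep `tolerance` small; widening it trades missed attributions for wrong ones when the attack rate is high.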