Hadmut Danisch:
> Hi,
> 
> we are experiencing permanent high traffic from numerous sites trying to
> smtp auth to our postfix node, obviously trying to brute force password
> dictionaries against mail address lists probably taken from spam lists
> (including lots of older message ids with the same syntax as mail
> addresses).
> 
> For some reason beyond the common noise we need to do some deeper
> analysis about who is trying which user account from where.
> 
> Unfortunately, the required data, i.e. client IP address and username
> are distributed in different log files. The IP address is written to
> postfix's log, while the username is in saslauthd's log in case of
> failure, with the time stamp as the only link between both.

The Postfix 'disconnect' summary shows failed AUTH attempts without
the login name. Just block any SMTP client that has too many AUTH
failures, for example for 1 hour.

    postfix/smtpd[xxx]: disconnect from unknown[x.x.x.x] auth=0/1 commands=0/1

Anything that has auth=0 is suspect. There may be more commands
in the 'disconnect' summary.

> (We are considering limiting smtp auth to the submission port 587 and

Clients that need AUTH should not connect to the MTA (port 25) service.

        Wietse
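The per-client counting Wietse describes, as an added example that is not part of the original thread and not Postfix's or anyone's code from the list: it parses Postfix 'disconnect' summary lines, reads the `auth=ok/total` counter (Postfix writes plain `auth=1` when every attempt succeeded, so the slash is optional), counts failed AUTHs per client IP inside a sliding one-hour window, and returns a block expiry for each client that crosses the threshold. The log lines are constructed samples; the year is an assumption because syslog timestamps carry none, and the threshold of three failures is a placeholder value.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Postfix's syslog format; these are not real logs.
SAMPLE_LOG = """\
Mar 12 10:00:01 mx postfix/smtpd[1234]: connect from unknown[192.0.2.10]
Mar 12 10:00:03 mx postfix/smtpd[1234]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/1 commands=1/2
Mar 12 10:02:10 mx postfix/smtpd[1240]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/3 rset=1 commands=2/5
Mar 12 10:03:00 mx postfix/smtpd[1241]: disconnect from mail.example.net[198.51.100.7] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
Mar 12 10:05:30 mx postfix/smtpd[1242]: disconnect from unknown[203.0.113.5] ehlo=1 auth=0/1 commands=1/2
Mar 12 10:07:45 mx postfix/smtpd[1243]: disconnect from unknown[IPv6:2001:db8::25] ehlo=1 auth=0/5 commands=1/6
Mar 12 14:30:00 mx postfix/smtpd[1300]: disconnect from unknown[203.0.113.5] ehlo=1 auth=0/2 commands=1/3
"""

# 'disconnect from host[ip] ...' summary written by smtpd at the end of a session.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"disconnect from (?P<host>\S+?)\[(?P<ip>[^\]]+)\](?P<rest>.*)$"
)
# 'auth=ok/total' when some attempts failed, plain 'auth=ok' when all succeeded.
AUTH_RE = re.compile(r"\bauth=(?P<ok>\d+)(?:/(?P<total>\d+))?\b")


def parse_disconnect(line, year=2024):
    """Return (timestamp, client_ip, failed_auths) for a disconnect summary,
    or None for any other line or a session that never tried AUTH."""
    m = LINE_RE.match(line)
    if not m:
        return None
    a = AUTH_RE.search(m.group("rest"))
    if not a:
        return None
    ok = int(a.group("ok"))
    total = int(a.group("total") or ok)  # no slash: every attempt succeeded
    ip = m.group("ip")
    if ip.startswith("IPv6:"):  # Postfix prefixes IPv6 client addresses
        ip = ip[len("IPv6:"):]
    # Assumed year: syslog timestamps do not carry one.
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, ip, total - ok


def find_blocks(lines, threshold=3, window=timedelta(hours=1),
                block_for=timedelta(hours=1), year=2024):
    """Map client IP -> block expiry for every client whose failed AUTH
    count reaches `threshold` within any `window`-long span."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_disconnect(line, year)
        if rec and rec[2] > 0:
            events[rec[1]].append((rec[0], rec[2]))
    blocks = {}
    for ip, evs in events.items():
        evs.sort()
        recent = []  # (timestamp, failures) still inside the sliding window
        for ts, failed in evs:
            recent.append((ts, failed))
            recent = [(t, f) for t, f in recent if ts - t <= window]
            if sum(f for _, f in recent) >= threshold:
                blocks[ip] = ts + block_for  # each further failure extends the block
    return blocks


if __name__ == "__main__":
    for ip, until in sorted(find_blocks(SAMPLE_LOG.splitlines()).items()):
        print(f"block {ip} until {until.isoformat()}")
```

Run against the samples, 192.0.2.10 (four failures in two minutes) and 2001:db8::25 (five in one session) are returned; 203.0.113.5 is not, because its three failures are more than an hour apart; the successful login from 198.51.100.7 is never counted. The returned map is the input for whatever enforces the block (a firewall rule or an access map); this is the same logic a tool such as fail2ban applies to the Postfix log.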
