On Fri, Jul 30, 2021 at 04:49:31PM +0200, Hadmut Danisch <had...@danisch.de> wrote:
> Hi,
>
> we are experiencing permanently high traffic from numerous sites trying to
> smtp auth to our postfix node, obviously trying to brute force password
> dictionaries against mail address lists probably taken from spam lists
> (including lots of older message ids with the same syntax as mail
> addresses).
>
> For some reason beyond the common noise we need to do some deeper
> analysis about who is trying which user account from where.
>
> Unfortunately, the required data, i.e. client IP address and username,
> are distributed in different log files. The IP address is written to
> postfix's log, while the username is in saslauthd's log in case of
> failure, with the time stamp as the only link between both.
>
> Is there some best current practice or recommended log config to analyze
> persistent login attempts?
>
> (We are considering limiting smtp auth to the submission port 587 and
> having a blacklist for that in the firewall, but maintaining such a
> blacklist still requires understanding who is attacking and how.)
>
> regards
> Hadmut

Would setting smtpd_client_auth_rate_limit in main.cf to a low number help?

It's not the analysis of logs that you're asking for, but it sounds relevant.

http://postfix.org/postconf.5.html#smtpd_client_auth_rate_limit

cheers,
raf
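One way to do the timestamp join Hadmut describes, as an added example that is not code from this thread: it reads the two log files separately, keys postfix's SASL failures by second and client IP, then attributes each saslauthd failure (which carries the username) to the IP that failed within a small window, refusing to guess when several clients failed in the same window. The log line shapes, the year 2021 and the sample lines are assumptions constructed for the example, not taken from the thread.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Line shapes below are assumed from typical syslog output of postfix/smtpd and
# saslauthd (not taken from the thread); adjust the regexes if yours differ.
POSTFIX_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+?\[(?P<ip>[^\]]+)\]: SASL \S+ authentication failed")
SASLAUTHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ saslauthd\[\d+\]: "
    r"do_auth\s+: auth failure: \[user=(?P<user>[^\]]*)\]")

def parse_ts(text, year):
    # syslog timestamps carry no year, so the caller supplies it
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def correlate(postfix_lines, saslauthd_lines, tolerance=1, year=2021):
    """Join saslauthd failures (username) to postfix failures (client IP) by time.
    Returns (Counter of (ip, user), list of (ts, user, candidate_ips) left ambiguous)."""
    by_second = defaultdict(set)   # postfix failure timestamp -> client IPs
    for line in postfix_lines:
        m = POSTFIX_RE.match(line)
        if m:
            by_second[parse_ts(m["ts"], year)].add(m["ip"])
    attempts, ambiguous = Counter(), []
    for line in saslauthd_lines:
        m = SASLAUTHD_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m["ts"], year)
        candidates = set()   # IPs that failed within +/- tolerance seconds
        for delta in range(-tolerance, tolerance + 1):
            candidates |= by_second.get(ts + timedelta(seconds=delta), set())
        if len(candidates) == 1:
            attempts[(next(iter(candidates)), m["user"])] += 1
        else:   # zero or several clients in the window: do not guess
            ambiguous.append((ts, m["user"], sorted(candidates)))
    return attempts, ambiguous

# Constructed sample lines (not from the thread), using documentation-range IPs.
POSTFIX_SAMPLE = [
    "Jul 30 16:49:31 mail postfix/smtpd[1201]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Jul 30 16:49:33 mail postfix/smtpd[1202]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Jul 30 16:49:40 mail postfix/smtpd[1203]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure",
    "Jul 30 16:49:40 mail postfix/smtpd[1204]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6"]
SASLAUTHD_SAMPLE = [
    "Jul 30 16:49:31 mail saslauthd[890]: do_auth         : auth failure: [user=alice] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]",
    "Jul 30 16:49:33 mail saslauthd[890]: do_auth         : auth failure: [user=bob] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]",
    "Jul 30 16:49:40 mail saslauthd[890]: do_auth         : auth failure: [user=carol] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]"]
```

The ambiguous list is the honest output for a busy server: widening the tolerance pulls in more unrelated clients, so keep it at the clock skew between the two log writers (usually the same host, so 0 or 1 second).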