On 11/21/2013 02:47 PM, Gman wrote:
> In the fail2ban config I have this relevant section:
>
> # username-notfound
> [username-notfound]
> enabled = true
> filter = *username-notfound*
> action = iptables[name=SMTP, port=smtp, protocol=tcp]
> logpath = /var/log/maillog
> maxretry = 3
> bantime = 86400
> findtime = 3600
>
> From that I can figure a computer is sending to an invalid email
> address on smtp port (25), so after 3 tries (maxretry = 3) the
> firewall stops it (iptables).
>
> What logs should I be looking at to determine which computer is
> causing this?
>
> Thanks
You'd be looking in the /var/log/maillog file.
When I get hits for this the log entries look like:
Nov 6 08:40:41 qmt03 vpopmail[25604]: vchkpw-smtp: vpopmail user
not found clients@:77.226.244.40
To really know what to search for, you'll need to see the contents of
username-notfound.conf, probably located at
/etc/fail2ban/filter.d/username-notfound.conf.
There will be a line like this:
failregex = vchkpw-smtp: vpopmail user not found .*:<HOST>
This shows you what Fail2Ban is hitting on and what you should be
looking for in the log.
I'm not sure, my users do not send outbound through my toasters so they
don't auth, and I only see these entries from outside IP addresses, but
it seems to me that this indicates that someone tried to auth before
sending and the system did not recognize the username, so maybe
something on your network is trying to use the wrong port to send?
Regards,
Brent Gardner
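As an added example (not code from the thread or from Fail2Ban), the snippet below replays the jail's counting rule in Python over constructed maillog lines shaped like the entry above: it applies the failregex, groups hits per source address, and reports which hosts would reach maxretry=3 inside one findtime window of 3600 s. It assumes a log year of 2013 (syslog lines carry none) and approximates Fail2Ban's `<HOST>` expansion with a simple address character class.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines modelled on the maillog entry quoted above (not real
# traffic; 192.0.2.x and 198.51.100.x are documentation addresses).
SAMPLE_LOG = """\
Nov  6 07:00:12 qmt03 vpopmail[25590]: vchkpw-smtp: vpopmail user not found nobody@:198.51.100.7
Nov  6 08:30:05 qmt03 vpopmail[25601]: vchkpw-smtp: vpopmail user not found nobody@:198.51.100.7
Nov  6 08:40:41 qmt03 vpopmail[25604]: vchkpw-smtp: vpopmail user not found clients@:77.226.244.40
Nov  6 08:41:00 qmt03 vpopmail[25605]: vchkpw-smtp: vpopmail user not found sales@:192.0.2.10
Nov  6 08:43:17 qmt03 vpopmail[25608]: vchkpw-smtp: vpopmail user not found clients@:77.226.244.40
Nov  6 08:44:02 qmt03 vpopmail[25609]: vchkpw-smtp: vpopmail user not found admin@:192.0.2.10
Nov  6 08:45:59 qmt03 vpopmail[25611]: vchkpw-smtp: vpopmail user not found clients@:77.226.244.40
Nov  6 08:46:30 qmt03 vpopmail[25612]: vchkpw-smtp: login success sales@:192.0.2.10
Nov  6 09:45:21 qmt03 vpopmail[25640]: vchkpw-smtp: vpopmail user not found nobody@:198.51.100.7
"""

# The failregex from username-notfound.conf; Fail2Ban expands <HOST> to an
# address pattern, approximated here (assumption) by a plain IPv4/IPv6 class.
FAILREGEX = r"vchkpw-smtp: vpopmail user not found .*:<HOST>"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>[0-9A-Fa-f:.]+)"))
SYSLOG_TS = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")

MAXRETRY, FINDTIME = 3, timedelta(seconds=3600)   # values from the jail above
LOG_YEAR = 2013   # assumption: syslog timestamps carry no year

def parse_line(line):
    """Return (timestamp, host) if the line matches the failregex, else None."""
    ts, hit = SYSLOG_TS.match(line), PATTERN.search(line)
    if not ts or not hit:
        return None
    when = datetime.strptime(f"{LOG_YEAR} {ts.group(1)}", "%Y %b %d %H:%M:%S")
    return when, hit.group("host")

def offenders(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Ban a host the moment it reaches maxretry hits inside one findtime window."""
    recent, banned = defaultdict(list), {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] in banned:
            continue
        when, host = parsed
        # Keep only hits still inside the findtime window, then add this one.
        window = [t for t in recent[host] if when - t <= findtime] + [when]
        recent[host] = window
        if len(window) >= maxretry:
            banned[host] = when.strftime("%Y-%m-%d %H:%M:%S")
    return banned
```

Note that 198.51.100.7 also produces three hits but never inside one hour, so it is never banned; that is exactly the effect of findtime when reading the log by hand.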