Re: Thousands of login attempts
On 20 Mar 2016, at 14:11, @lbutlr wrote:

> /etc/hosts.allow:
> ALL : 185.103.253.246 : DENY
>
> Has no effect.

For /etc/hosts.{allow,deny} files to have any effect on network access to a program, the program must support the TCP Wrappers facility by linking to libwrap OR be wrapped by the tcpd access control facility. Postfix explicitly offers no such support (see the "COMPATIBILITY" file in the top level of the source distribution.)
Re: Thousands of login attempts
On 2016-03-20 16:46, Dimitar Katerinski wrote:

> @lbutlr wrote:
>> /etc/hosts.allow:
>> ALL : 185.103.253.246 : DENY
>>
>> Has no effect.

hosts.allow and hosts.deny only work for programs that have been compiled with TCP wrapper support. Typically this is limited to telnet, ftp and inetd super daemon type services.

> I would suggest using your firewall utility to block this on tcp/ip level.
> If you are running Postfix under Linux the following iptables command
> should block this IP to accessing your smtp service on port 25:
>
> iptables -I INPUT -s 185.103.253.246 -p tcp --dport 25 -j DROP
>
> As someone already suggested - have a look at fail2ban.

I second using the IP tables and fail2ban approach. Once properly configured, fail2ban can monitor the postfix / dovecot logs and automatically block offending IP addresses in the firewall rules after a preset number of failed login attempts.

At first, I block the offending IP address after 3 failed attempts in a 1 hour period. I then permanently block any IP address that gets blocked 3 times in a 48 hour period.

I use this on several mail systems I support and it has greatly reduced the number of failed login attempts. The only downside is at first, my user base sometimes locked themselves out. I have white listed the main IP addresses my clients use. After about 6 months, the users have become better about logging in, and I haven't had a lock out complaint since.

> Cheers,
> Dimitar

---
Brett
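The two-tier policy described in the message above (3 failures in 1 hour, then a permanent block after 3 blocks in 48 hours), replayed over log lines in this thread's format. This is an added example, not part of the original post and not fail2ban's own code; the one-hour temporary ban length, the function names and the sample IP addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# smtpd warning format as logged in this thread.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S*\[(?P<ip>[0-9A-Fa-f.:]+)\]: SASL \S+ authentication failed")

MAX_FAILS, FAIL_WINDOW = 3, timedelta(hours=1)   # thresholds from the post
MAX_BANS, BAN_WINDOW = 3, timedelta(hours=48)    # thresholds from the post
TEMP_BAN = timedelta(hours=1)                    # assumption: not stated in the post


def _trim(queue, now, window):
    """Drop timestamps that have slid out of the window."""
    while queue and now - queue[0] > window:
        queue.popleft()


def replay(lines, allowlist=frozenset(), year=2016):
    """Return [(timestamp, ip, 'temporary' | 'permanent')] ban decisions."""
    fails, bans = defaultdict(deque), defaultdict(deque)
    banned_until, permanent, events = {}, set(), []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m or m["ip"] in allowlist or m["ip"] in permanent:
            continue
        ip = m["ip"]
        # syslog timestamps carry no year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if ip in banned_until and ts < banned_until[ip]:
            continue  # a firewall ban would already have dropped this attempt
        fails[ip].append(ts)
        _trim(fails[ip], ts, FAIL_WINDOW)
        if len(fails[ip]) < MAX_FAILS:
            continue
        fails[ip].clear()
        bans[ip].append(ts)
        _trim(bans[ip], ts, BAN_WINDOW)
        if len(bans[ip]) >= MAX_BANS:
            permanent.add(ip)
            events.append((ts, ip, "permanent"))
        else:
            banned_until[ip] = ts + TEMP_BAN
            events.append((ts, ip, "temporary"))
    return events


def sample_log():
    """Constructed log lines (documentation-range IPs), not from the thread."""
    fmt = ("{:%b %d %H:%M:%S} mail postfix/smtpd[19480]: warning: "
           "unknown[{}]: SASL LOGIN authentication failed: UGFzc3dvcmQ6")
    day = datetime(2016, 3, 20)
    lines = []
    for hour in (10, 12, 14):        # three bursts, two hours apart
        for sec in (0, 15, 30):
            lines.append(fmt.format(day.replace(hour=hour, second=sec), "203.0.113.9"))
    for minute in (0, 30, 105):      # a user mistyping: never 3 within one hour
        lines.append(fmt.format(day + timedelta(hours=15, minutes=minute), "198.51.100.7"))
    for sec in range(0, 50, 10):     # five quick failures from an office address
        lines.append(fmt.format(day + timedelta(hours=17, seconds=sec), "192.0.2.10"))
    return lines


if __name__ == "__main__":
    for ts, ip, action in replay(sample_log(), allowlist={"192.0.2.10"}):
        print(ts, ip, action)
```

The allowlist argument corresponds to the white-listed client addresses mentioned in the message; without it, the office address in the sample is banned on its third failure.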
Re: Thousands of login attempts
On 21 March 2016 00:59:36 CET, "@lbutlr" wrote:

>On Sun Mar 20 2016 16:01:44 Christian Kivalo said:
>>
>>>> One minor comment: I would not even offer AUTH on port 25.
>>>
>>> I don’t. I offer opportunistic TLS on port 25 for SMTPd. All mail
>>> submission have to be on port 587.
>>
>> You do.
>
>Oh, that is right, I forgot I had to enable that temporarily for
>someone. I think temporarily has passed.
>
>Port 25 shouldn’t even allow STARTTLS, IIRC.

I don't agree. Offering opportunistic TLS on port 25 gives the sending party the choice to use the encrypted channel. There is no harm in offering starttls on port 25.

--
Christian
Re: Thousands of login attempts
On Sun Mar 20 2016 16:00:10 Sebastian Nielsen said:
>
> I would instead suggest the opposite way around, use whitelisting instead.

That doesn’t work. One of my most important customers travels all over the world and may be connecting from quite literally anywhere but North Korea.

Setting the default action to drop, on the other hand, has worked. Nothing in the logs since 14:20.

--
Indecision is the key to flexibility.
Re: Thousands of login attempts
On Sun Mar 20 2016 16:01:44 Christian Kivalo said:
>
>>> One minor comment: I would not even offer AUTH on port 25.
>>
>> I don’t. I offer opportunistic TLS on port 25 for SMTPd. All mail
>> submission have to be on port 587.
>
> You do.

Oh, that is right, I forgot I had to enable that temporarily for someone. I think temporarily has passed.

Port 25 shouldn’t even allow STARTTLS, IIRC.

--
ARE YOU FAMILIAR WITH THE WORDS 'DEATH WAS HIS CONSTANT COMPANION'?
'But I don't usually see you!'
Re: Thousands of login attempts
In message <0f3f9e7a-f0da-400a-b331-514a471b4...@valo.at> Christian Kivalo writes:

> >> One minor comment: I would not even offer AUTH on port 25.
> >
> >I don't. I offer opportunistic TLS on port 25 for SMTPd. All mail
> >submission have to be on port 587.
>
> You do.
>
> valo@uschi:~ $ telnet mail.covisp.net 25
> Trying 65.121.55.42...
> Connected to mail.covisp.net.
> Escape character is '^]'.
> 220-mail.covisp.net ESTMP -- Please wait
> 220 mail.covisp.net ESMTP Postfix 3.0.3
> ehlo test.local.host
> 250-mail.covisp.net
> 250-PIPELINING
> 250-SIZE 26214400
> 250-ETRN
> 250-STARTTLS
> 250-AUTH PLAIN LOGIN
> 250-AUTH=PLAIN LOGIN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> quit
> 221 2.0.0 Bye
> Connection closed by foreign host.
>
> See the two lines offering auth on port 25. You should disable auth
> on port 25. As in "smtpd_sasl_auth_enable = no".
> --
> Christian

Plain and login AUTH are particularly dangerous since they send passwords in the clear. See if you can find another method:

http://cyrusimap.web.cmu.edu/sasl/authentication_mechanisms.html
http://wiki.dovecot.org/Authentication/Mechanisms

With AUTH PLAIN LOGIN and no TLS, anyone logging in over public WiFi (or non-switched ethernet, where such a thing still exists) is exposing their user ID and password to others snooping on the WiFi. That could be really bad for people who use the same password for everything (terrible practice but all too common).

btw- Even with TLS, unless client certs are used anyone can connect and try brute force password guessing, which is what appears to be happening. When presented with STARTTLS and no AUTH most attacks just go away and don't keep retrying.

I suggest that if it won't break clients (if they can use TLS) use "smtpd_tls_security_level = yes" on port 587 (which implies "smtpd_tls_auth_only = yes"). Use "smtpd_sasl_auth_enable = no" on port 25 even if it means clients have to change configs.

Plus set smtp_sasl_mechanism_filter to something more reasonable if it doesn't break clients to do so (and/or change mech_list in cyrus sasl conf). For example "smtpd_sasl_security_options = noanonymous, noplaintext".

Client certs would be nice but a large number of client certs can be a headache to keep track of and hard to get into users' client MUAs.

Filters limiting access to port 587 can then be applied a lot more strictly than filters on port 25 could be.

Curtis
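The manual telnet check quoted above can be turned into a repeatable audit of a captured EHLO reply. This is an added example, not part of the original messages: the function names and the two "constructed" replies are assumptions, and the policy it checks is the thread's advice (no AUTH on port 25, no PLAIN/LOGIN before TLS).

```python
import re

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_ehlo(reply):
    """Map each EHLO keyword to its set of parameters (all upper-cased)."""
    caps = {}
    lines = [l.strip() for l in reply.strip().splitlines()]
    for n, line in enumerate(lines):
        m = re.fullmatch(r"250([ -])(.*)", line)
        if not m:
            raise ValueError(f"not a 250 reply line: {line!r}")
        # "250 " (space) marks the final line of a multi-line reply
        if (m.group(1) == " ") != (n == len(lines) - 1):
            raise ValueError("'250 ' must appear on the last line only")
        if n == 0:
            continue  # first line carries the server's domain, not a keyword
        text = m.group(2)
        if text.upper().startswith("AUTH="):  # legacy form for old clients
            text = "AUTH " + text[5:]
        keyword, *params = text.upper().split()
        caps.setdefault(keyword, set()).update(params)
    return caps


def audit(reply, port, tls_active):
    """Return a list of findings for one EHLO reply; empty means clean."""
    caps = parse_ehlo(reply)
    weak = caps.get("AUTH", set()) & PLAINTEXT_MECHS
    findings = []
    if port == 25 and "AUTH" in caps:
        findings.append("AUTH offered on port 25")
    if weak and not tls_active:
        findings.append("cleartext mechanisms before TLS: " + ", ".join(sorted(weak)))
    if not tls_active and "STARTTLS" not in caps:
        findings.append("STARTTLS not offered")
    return findings


# EHLO reply as posted in the thread (port 25, before STARTTLS).
PORT25_AS_POSTED = """\
250-mail.covisp.net
250-PIPELINING
250-SIZE 26214400
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""

# Constructed: the same reply once AUTH is no longer offered on port 25.
PORT25_NO_AUTH = "\n".join(
    l for l in PORT25_AS_POSTED.splitlines() if "AUTH" not in l)

# Constructed: a port 587 reply seen after STARTTLS has completed.
SUBMISSION_AFTER_TLS = "250-mail.example.test\n250-AUTH PLAIN LOGIN\n250 DSN"

if __name__ == "__main__":
    for name, reply, port, tls in [
            ("port 25 as posted", PORT25_AS_POSTED, 25, False),
            ("port 25 without AUTH", PORT25_NO_AUTH, 25, False),
            ("port 587 after TLS", SUBMISSION_AFTER_TLS, 587, True)]:
        print(name, "->", audit(reply, port, tls) or "clean")
```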
Re: Thousands of login attempts
>> One minor comment: I would not even offer AUTH on port 25.
>
>I don’t. I offer opportunistic TLS on port 25 for SMTPd. All mail
>submission have to be on port 587.

You do.

valo@uschi:~ $ telnet mail.covisp.net 25
Trying 65.121.55.42...
Connected to mail.covisp.net.
Escape character is '^]'.
220-mail.covisp.net ESTMP -- Please wait
220 mail.covisp.net ESMTP Postfix 3.0.3
ehlo test.local.host
250-mail.covisp.net
250-PIPELINING
250-SIZE 26214400
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.

See the two lines offering auth on port 25. You should disable auth on port 25.

--
Christian
SV: Thousands of login attempts
I would instead suggest the opposite way around, use whitelisting instead.

Whitelisting can be done in many ways:

1: You can either whitelist your customer's IP ranges. So if one customer has Telia in Sweden, you tell your firewall to allow 95.196.0.0/14. And so on for every customer/user.

2: You can geoIP. If you are only serving customers in specific regions, you can geoIP these as allowed in the firewall.

3: Or you can completely restrict authentication to only users inside the office, e.g. no outside access is allowed (and those that need mail-from-home instead get VPN access).

All these methods will heavily cut down on all bruteforce.
Re: Thousands of login attempts
@lbutlr wrote:
> /etc/hosts.allow:
> ALL : 185.103.253.246 : DENY
>
> Has no effect.

I would suggest using your firewall utility to block this on tcp/ip level. If you are running Postfix under Linux the following iptables command should block this IP to accessing your smtp service on port 25:

iptables -I INPUT -s 185.103.253.246 -p tcp --dport 25 -j DROP

As someone already suggested - have a look at fail2ban.

Cheers,
Dimitar
Re: Thousands of login attempts
Put the ip in your firewall blacklist is what I did, then you don't even see them as they are blocked at the gate.

I extracted all such addresses from my logs, sorted them unique, added them to the firewall blacklist. gone.

I know there will always be others, but revenge is sweet.

- From my iPhone.

> On 20 Mar 2016, at 6:11 pm, @lbutlr wrote:
>
> I have many thousands of these over the last seven days:
>
> Mar 20 10:45:27 mail postfix/smtpd[19480]: warning: unknown[185.103.253.246]:
> SASL LOGIN authentication failed: UGFzc3dvcmQ6
>
> They are all the exact same, including the UGF… portion.
>
> Mar 20 10:48:34 mail postfix/postscreen[75523]: CONNECT from
> [185.103.253.246]:61153 to [65.121.55.45]:25
> Mar 20 10:48:34 mail postfix/postscreen[75523]: PASS OLD
> [185.103.253.246]:61153
> Mar 20 10:48:34 mail postfix/smtpd[19790]: connect from
> unknown[185.103.253.246]
> Mar 20 10:48:36 mail postfix/smtpd[19683]: warning: unknown[185.103.253.246]:
> SASL LOGIN authentication failed: UGFzc3dvcmQ6
> Mar 20 10:48:36 mail postfix/smtpd[19683]: lost connection after AUTH from
> unknown[185.103.253.246]
> Mar 20 10:48:36 mail postfix/smtpd[19683]: disconnect from
> unknown[185.103.253.246] ehlo=1 auth=0/1 commands=1/2
>
> I mean, nothing is getting in, but there are thousands of these, 2000
> yesterday, and today there are over 3400 so far, and it’s barely even noon.
> The first day there were 700, and it’s just ramped up since then.
>
> /etc/hosts.allow:
> ALL : 185.103.253.246 : DENY
>
> Has no effect.
>
> --
> 'You make us want what we can't have and what you give us is worth
> nothing and what you take is everything and all there is left for us is
> the cold hillside, and emptiness, and the laughter of the elves.'
Re: Thousands of login attempts
On Mar 20, 2016, at 1:46 PM, Wietse Venema wrote:
>
> @lbutlr:
>> I mean, nothing is getting in, but there are thousands of these, 2000 =
>
> Then why do you care? They are using 1% of your CPU?

I've been in the logs a lot the last few days, and having big these very few seconds has been a constant, albeit minor, annoyance.

--
This is my signature. There are many like it, but this one is mine.
Re: Thousands of login attempts
On Sun, Mar 20, 2016 at 08:21:16PM +0100, wilfried.es...@essignetz.de wrote:
> Did you try postscreen_blacklist_action
> (http://www.postfix.org/postconf.5.html#postscreen_blacklist_action)
>
> Default is "ignore"

Yes, and probably what the OP wants to set is "drop". If set as "enforce" you'll get the full dialog with postscreen and multiple lines logged. With "drop" it will be dropped in lieu of giving a banner.

--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
Re: Thousands of login attempts
@lbutlr:
> I mean, nothing is getting in, but there are thousands of these, 2000 =

Then why do you care? They are using 1% of your CPU?

Wietse
Re: Thousands of login attempts
Did you try postscreen_blacklist_action (http://www.postfix.org/postconf.5.html#postscreen_blacklist_action)

Default is "ignore"

Willi

On 20.03.2016 at 20:10, @lbutlr wrote:
> On Sun Mar 20 2016 12:59:08 @lbutlr said:
>>
>> Mar 20 12:55:37 mail postfix/postscreen[29826]: BLACKLISTED
>> [185.103.253.246]:50804
>
> Stopped postfix and removed the postscreen_cache file and restarted postfix.
>
> Mar 20 13:03:59 mail postfix/postscreen[30633]: BLACKLISTED
> [185.103.253.246]:51950
> Mar 20 13:03:59 mail postfix/dnsblog[30638]: addr 185.103.253.246 listed by
> domain dnsbl-2.uceprotect.net as 127.0.0.2
> Mar 20 13:04:03 mail postfix/postscreen[30633]: PASS NEW
> [185.103.253.246]:51950
> Mar 20 13:04:03 mail postfix/smtpd[30660]: connect from
> unknown[185.103.253.246]
>
> And then
>
> Mar 20 13:04:35 mail postfix/smtpd[30660]: warning: unknown[185.103.253.246]:
> SASL LOGIN authentication failed: UGFzc3dvcmQ6
> Mar 20 13:04:35 mail postfix/smtpd[30660]: lost connection after AUTH from
> unknown[185.103.253.246]
> Mar 20 13:04:35 mail postfix/smtpd[30660]: disconnect from
> unknown[185.103.253.246] ehlo=1 auth=0/1 commands=1/2
> Mar 20 13:04:38 mail postfix/postscreen[30633]: CONNECT from
> [185.103.253.246]:55822 to [65.121.55.42]:25
> Mar 20 13:04:38 mail postfix/postscreen[30633]: BLACKLISTED
> [185.103.253.246]:55822
> Mar 20 13:04:38 mail postfix/postscreen[30633]: PASS OLD
> [185.103.253.246]:55822
> Mar 20 13:04:48 mail postfix/smtpd[30702]: warning: unknown[185.103.253.246]:
> SASL LOGIN authentication failed: UGFzc3dvcmQ6
> Mar 20 13:04:48 mail postfix/smtpd[30702]: lost connection after AUTH from
> unknown[185.103.253.246]
> Mar 20 13:04:48 mail postfix/smtpd[30702]: disconnect from
> unknown[185.103.253.246] ehlo=1 auth=0/1 commands=1/2
>
> So, no matter what I try to do, the IP comes back and is added to
> postscreen_cache and is handed off to smtpd. All I seem to have accomplished is
> adding one more log line to the process that is currently hitting every 13-35
> seconds.
>
> $ postconf -d mail_version
> mail_version = 3.0.3
Re: Thousands of login attempts
On Sun Mar 20 2016 12:59:08 @lbutlr said:
>
> Mar 20 12:55:37 mail postfix/postscreen[29826]: BLACKLISTED
> [185.103.253.246]:50804

Stopped postfix and removed the postscreen_cache file and restarted postfix.

Mar 20 13:03:59 mail postfix/postscreen[30633]: BLACKLISTED [185.103.253.246]:51950
Mar 20 13:03:59 mail postfix/dnsblog[30638]: addr 185.103.253.246 listed by domain dnsbl-2.uceprotect.net as 127.0.0.2
Mar 20 13:04:03 mail postfix/postscreen[30633]: PASS NEW [185.103.253.246]:51950
Mar 20 13:04:03 mail postfix/smtpd[30660]: connect from unknown[185.103.253.246]

And then

Mar 20 13:04:35 mail postfix/smtpd[30660]: warning: unknown[185.103.253.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 20 13:04:35 mail postfix/smtpd[30660]: lost connection after AUTH from unknown[185.103.253.246]
Mar 20 13:04:35 mail postfix/smtpd[30660]: disconnect from unknown[185.103.253.246] ehlo=1 auth=0/1 commands=1/2
Mar 20 13:04:38 mail postfix/postscreen[30633]: CONNECT from [185.103.253.246]:55822 to [65.121.55.42]:25
Mar 20 13:04:38 mail postfix/postscreen[30633]: BLACKLISTED [185.103.253.246]:55822
Mar 20 13:04:38 mail postfix/postscreen[30633]: PASS OLD [185.103.253.246]:55822
Mar 20 13:04:48 mail postfix/smtpd[30702]: warning: unknown[185.103.253.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 20 13:04:48 mail postfix/smtpd[30702]: lost connection after AUTH from unknown[185.103.253.246]
Mar 20 13:04:48 mail postfix/smtpd[30702]: disconnect from unknown[185.103.253.246] ehlo=1 auth=0/1 commands=1/2

So, no matter what I try to do, the IP comes back and is added to postscreen_cache and is handed off to smtpd. All I seem to have accomplished is adding one more log line to the process that is currently hitting every 13-35 seconds.

$ postconf -d mail_version
mail_version = 3.0.3

--
Try to realize it's all within yourself/No one else can make you change
Re: Thousands of login attempts
On Sun Mar 20 2016 12:47:32 @lbutlr <@lbutlr> said:
>
> But they still keep coming.
>
> $ date && grep UGFzc3dvcmQ6 /var/log/maillog | tail -1
> Sun Mar 20 12:43:33 MDT 2016
> Mar 20 12:43:31 mail postfix/smtpd[28552]: warning: unknown[185.103.253.246]:
> SASL LOGIN authentication failed: UGFzc3dvcmQ6

Mar 20 12:55:37 mail postfix/postscreen[29826]: CONNECT from [185.103.253.246]:50804 to [65.121.55.45]:25
Mar 20 12:55:37 mail postfix/postscreen[29826]: BLACKLISTED [185.103.253.246]:50804
Mar 20 12:55:37 mail postfix/postscreen[29826]: PASS OLD [185.103.253.246]:50804
Mar 20 12:55:37 mail postfix/smtpd[29832]: connect from unknown[185.103.253.246]
Mar 20 12:55:47 mail postfix/smtpd[29832]: warning: unknown[185.103.253.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 20 12:55:47 mail postfix/smtpd[29832]: lost connection after AUTH from unknown[185.103.253.246]
Mar 20 12:55:47 mail postfix/smtpd[29832]: disconnect from unknown[185.103.253.246] ehlo=1 auth=0/1 commands=1/2

So, they show blacklist on postscreen, but still hit smtpd with the same message filling the logs.

Sigh

--
You only had to look into Teatime's mismatched eyes to know one thing, which was this: if Teatime wanted to find you he would not look everywhere. He'd look in only one place, which would be the place where you were hiding. --Hogfather
Re: Thousands of login attempts
On Sun Mar 20 2016 12:47:32 @lbutlr <@lbutlr> said:
>
> postscreen_access_cidr
> 185.103.253.246 reject
>
> $ postmap -q 185.103.253.246
> cidr:/usr/local/etc/postfix/postscreen_access.cidr
> reject
>
> But they still keep coming.
>
> $ date && grep UGFzc3dvcmQ6 /var/log/maillog | tail -1
> Sun Mar 20 12:43:33 MDT 2016
> Mar 20 12:43:31 mail postfix/smtpd[28552]: warning: unknown[185.103.253.246]:
> SASL LOGIN authentication failed: UGFzc3dvcmQ6

Oh, also

$ postconf -n config_directory
$ postconf -d config_directory
config_directory = /usr/local/etc/postfix

--
"I don't think the kind of friends I'd have would care."
Re: Thousands of login attempts
On Sun Mar 20 2016 12:23:00 /dev/rob0 said:
>
> On Sun, Mar 20, 2016 at 12:11:57PM -0600, @lbutlr wrote:
>> I have many thousands of these over the last seven days:
>>
>> Mar 20 10:45:27 mail postfix/smtpd[19480]: warning:
>> unknown[185.103.253.246]: SASL LOGIN authentication failed:
>> UGFzc3dvcmQ6
>>
>> They are all the exact same, including the UGF… portion.
>>
>> Mar 20 10:48:34 mail postfix/postscreen[75523]: CONNECT from
>> [185.103.253.246]:61153 to [65.121.55.45]:25
>> Mar 20 10:48:34 mail postfix/postscreen[75523]: PASS OLD
>> [185.103.253.246]:61153
>> Mar 20 10:48:34 mail postfix/smtpd[19790]: connect from
>> unknown[185.103.253.246]
>> Mar 20 10:48:36 mail postfix/smtpd[19683]: warning:
>> unknown[185.103.253.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
>> Mar 20 10:48:36 mail postfix/smtpd[19683]: lost connection after AUTH from
>> unknown[185.103.253.246]
>> Mar 20 10:48:36 mail postfix/smtpd[19683]: disconnect from
>> unknown[185.103.253.246] ehlo=1 auth=0/1 commands=1/2
>
> One minor comment: I would not even offer AUTH on port 25.

I don’t. I offer opportunistic TLS on port 25 for SMTPd. All mail submission have to be on port 587.

>> I mean, nothing is getting in, but there are thousands of these,
>> 2000 yesterday, and today there are over 3400 so far, and it’s
>> barely even noon. The first day there were 700, and it’s just
>> ramped up since then.
>>
>> /etc/hosts.allow:
>> ALL : 185.103.253.246 : DENY
>>
>> Has no effect.
>
> I'd suggest either blocking it in the firewall or adding to
> postscreen_access_list ( postconf.5.html#postscreen_access_list ).

Oh, yes, I completely forgot about that.

postscreen_access_cidr
185.103.253.246 reject

$ postmap -q 185.103.253.246 cidr:/usr/local/etc/postfix/postscreen_access.cidr
reject

But they still keep coming.

$ date && grep UGFzc3dvcmQ6 /var/log/maillog | tail -1
Sun Mar 20 12:43:33 MDT 2016
Mar 20 12:43:31 mail postfix/smtpd[28552]: warning: unknown[185.103.253.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

--
Don't ride in anything with a Capissen-38 engine, they fall right out of the sky
Re: Thousands of login attempts
Um, perhaps you should utilize some sort of DNS blacklist, which is what my setup here does. If not, then you might want to try relocating what you put into your /etc/hosts.allow file to your /etc/hosts.deny file. I would also recommend utilizing fail2ban -- http://theether.net/kb/100141

On Sunday, March 20, 2016 13:11 CDT, "@lbutlr" wrote:

> I have many thousands of these over the last seven days:
>
> Mar 20 10:45:27 mail postfix/smtpd[19480]: warning: unknown[185.103.253.246]:
> SASL LOGIN authentication failed: UGFzc3dvcmQ6
>
> They are all the exact same, including the UGF… portion.
>
> Mar 20 10:48:34 mail postfix/postscreen[75523]: CONNECT from
> [185.103.253.246]:61153 to [65.121.55.45]:25
> Mar 20 10:48:34 mail postfix/postscreen[75523]: PASS OLD
> [185.103.253.246]:61153
> Mar 20 10:48:34 mail postfix/smtpd[19790]: connect from
> unknown[185.103.253.246]
> Mar 20 10:48:36 mail postfix/smtpd[19683]: warning: unknown[185.103.253.246]:
> SASL LOGIN authentication failed: UGFzc3dvcmQ6
> Mar 20 10:48:36 mail postfix/smtpd[19683]: lost connection after AUTH from
> unknown[185.103.253.246]
> Mar 20 10:48:36 mail postfix/smtpd[19683]: disconnect from
> unknown[185.103.253.246] ehlo=1 auth=0/1 commands=1/2
>
> I mean, nothing is getting in, but there are thousands of these, 2000
> yesterday, and today there are over 3400 so far, and it’s barely even noon.
> The first day there were 700, and it’s just ramped up since then.
>
> /etc/hosts.allow:
> ALL : 185.103.253.246 : DENY
>
> Has no effect.
>
> --
> 'You make us want what we can't have and what you give us is worth
> nothing and what you take is everything and all there is left for us is
> the cold hillside, and emptiness, and the laughter of the elves.'
Re: Thousands of login attempts
On Sun, Mar 20, 2016 at 12:11:57PM -0600, @lbutlr wrote:
> I have many thousands of these over the last seven days:
>
> Mar 20 10:45:27 mail postfix/smtpd[19480]: warning:
> unknown[185.103.253.246]: SASL LOGIN authentication failed:
> UGFzc3dvcmQ6
>
> They are all the exact same, including the UGF… portion.
>
> Mar 20 10:48:34 mail postfix/postscreen[75523]: CONNECT from
> [185.103.253.246]:61153 to [65.121.55.45]:25
> Mar 20 10:48:34 mail postfix/postscreen[75523]: PASS OLD
> [185.103.253.246]:61153
> Mar 20 10:48:34 mail postfix/smtpd[19790]: connect from
> unknown[185.103.253.246]
> Mar 20 10:48:36 mail postfix/smtpd[19683]: warning: unknown[185.103.253.246]:
> SASL LOGIN authentication failed: UGFzc3dvcmQ6
> Mar 20 10:48:36 mail postfix/smtpd[19683]: lost connection after AUTH from
> unknown[185.103.253.246]
> Mar 20 10:48:36 mail postfix/smtpd[19683]: disconnect from
> unknown[185.103.253.246] ehlo=1 auth=0/1 commands=1/2

One minor comment: I would not even offer AUTH on port 25.

> I mean, nothing is getting in, but there are thousands of these,
> 2000 yesterday, and today there are over 3400 so far, and it’s
> barely even noon. The first day there were 700, and it’s just
> ramped up since then.
>
> /etc/hosts.allow:
> ALL : 185.103.253.246 : DENY
>
> Has no effect.

I'd suggest either blocking it in the firewall or adding to postscreen_access_list ( postconf.5.html#postscreen_access_list ).

--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
Thousands of login attempts
I have many thousands of these over the last seven days:

Mar 20 10:45:27 mail postfix/smtpd[19480]: warning: unknown[185.103.253.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

They are all the exact same, including the UGF… portion.

Mar 20 10:48:34 mail postfix/postscreen[75523]: CONNECT from [185.103.253.246]:61153 to [65.121.55.45]:25
Mar 20 10:48:34 mail postfix/postscreen[75523]: PASS OLD [185.103.253.246]:61153
Mar 20 10:48:34 mail postfix/smtpd[19790]: connect from unknown[185.103.253.246]
Mar 20 10:48:36 mail postfix/smtpd[19683]: warning: unknown[185.103.253.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 20 10:48:36 mail postfix/smtpd[19683]: lost connection after AUTH from unknown[185.103.253.246]
Mar 20 10:48:36 mail postfix/smtpd[19683]: disconnect from unknown[185.103.253.246] ehlo=1 auth=0/1 commands=1/2

I mean, nothing is getting in, but there are thousands of these, 2000 yesterday, and today there are over 3400 so far, and it’s barely even noon. The first day there were 700, and it’s just ramped up since then.

/etc/hosts.allow:
ALL : 185.103.253.246 : DENY

Has no effect.

--
'You make us want what we can't have and what you give us is worth nothing and what you take is everything and all there is left for us is the cold hillside, and emptiness, and the laughter of the elves.'