Re: Best current practice to analyze brute force login attempts?

2021-09-01 Thread Dan Mahoney (Gushi)
On Wed, 1 Sep 2021, Leandro Santiago wrote: Hey All, Looks like my original mail from Hadmut got eaten by voracious thread-cleaning. Sorry for the top post. I use sendmail in my daily life, not postfix, but I have a ~100 line perl script that basically: Looks for: Sep 1 06:51:42 prime

Re: Best current practice to analyze brute force login attempts?

2021-09-01 Thread Leandro Santiago
Hi Hadmut (and list :-)), I've been part of a team working on an open source monitoring tool specialized on Postfix called Lightmeter and one of the features we are working on at the moment is brute force attack analysis. We are on early development stages of the feature, looking for feedback

Re: Best current practice to analyze brute force login attempts?

2021-08-01 Thread Ralph Seichter
* Hadmut Danisch: > Unfortunately, we cannot simply turn off AUTH on port 25, since we > have some inexperienced users [...] who would not simply understand > what we are asking for and what to do, if we tell them to use the > submission port. You may find https://rseichter.github.io/automx2/

Re: Best current practice to analyze brute force login attempts?

2021-08-01 Thread Bastian Blank
On Sun, Aug 01, 2021 at 04:51:36PM +1000, raf wrote: > With only ports 25 and 465 open, the Mail app on an > iphone will auto-configure itself to use port 25. It > would use port 587/STARTTLS if that were open, but > sadly, it ignores 465/TLS). The iphone can be coerced > into connecting to port

Re: Best current practice to analyze brute force login attempts?

2021-08-01 Thread raf
On Sat, Jul 31, 2021 at 03:59:07PM +0200, Hadmut Danisch wrote: > On 30.07.21 23:09, Wietse Venema wrote: > > This is not needed. Postfix 3.0 and later log the AUTH failure AND > > the client IP address together: > > > > postfix/smtpd[xxx]: disconnect from unknown[x.x.x.x] auth=0/1 > >

Re: Best current practice to analyze brute force login attempts?

2021-07-31 Thread Wietse Venema
Hadmut Danisch: > Is there a way to make postfix tell in the logs whether someone > authenticated on port 25 or 587? Yes. Configure master.cf thusly: master.cf: smtp inet ...... ... ... ... smtpd submission inet ...... ... ... ... smtpd

Re: Best current practice to analyze brute force login attempts?

2021-07-31 Thread Wietse Venema
Hadmut Danisch: > > On 30.07.21 23:09, Wietse Venema wrote: > > This is not needed. Postfix 3.0 and later log the AUTH failure AND > > the client IP address together: > > > > postfix/smtpd[xxx]: disconnect from unknown[x.x.x.x] auth=0/1 > > commands=0/1 > > > > This is logged even when AUTH

Re: Best current practice to analyze brute force login attempts?

2021-07-31 Thread Hadmut Danisch
On 30.07.21 23:09, Wietse Venema wrote: > This is not needed. Postfix 3.0 and later log the AUTH failure AND > the client IP address together: > > postfix/smtpd[xxx]: disconnect from unknown[x.x.x.x] auth=0/1 commands=0/1 > > This is logged even when AUTH is disabled (as it should be on port

Re: Best current practice to analyze brute force login attempts?

2021-07-31 Thread Hadmut Danisch
On 30.07.21 23:26, Jaroslaw Rafa wrote: > Well, maybe I'm using quite old versions of Postfix and Dovecot, but with > default logging setup on Debian plus "auth_verbose=yes" in Dovecot config I > get in /var/log/mail.log lines like: Well, as I said, we're using postfix + saslauthd, and not

Re: Best current practice to analyze brute force login attempts?

2021-07-31 Thread Hadmut Danisch
On 30.07.21 22:24, Aleksei Shpakovskii wrote: > Hi, > > To answer the original Hadmut question: I believe that in order to log > both postfix and saslauthd to the same file, you should configure both > of them to use the same logging backend (syslog), and configure that > backend to save their logs

Re: Best current practice to analyze brute force login attempts?

2021-07-30 Thread raf
On Fri, Jul 30, 2021 at 04:49:31PM +0200, Hadmut Danisch wrote: > Hi, > > we are experiencing permanent high traffic from numerous sites trying to > smtp auth to our postfix node, obviously trying to brute force password > dictionaries against mail address lists probably taken from spam lists

Re: Best current practice to analyze brute force login attempts?

2021-07-30 Thread Jaroslaw Rafa
Dnia 30.07.2021 o godz. 16:49:31 Hadmut Danisch pisze: > > Unfortunately, the required data, i.e. client IP address and username > are distributed in different log files. The IP address is written to > postfix's log, while the username is in saslauthd's log in case of > failure, with the time

Re: Best current practice to analyze brute force login attempts?

2021-07-30 Thread Wietse Venema
Aleksei Shpakovskii: > Hi, > > To answer the original Hadmut question: I believe that in order to log both > postfix and saslauthd to the same file, you should configure both of them > to use the same logging backend (syslog), and configure that backend to save > their logs to the same place. This

Re: Best current practice to analyze brute force login attempts?

2021-07-30 Thread Aleksei Shpakovskii
Hi, To answer the original Hadmut question: I believe that in order to log both postfix and saslauthd to the same file, you should configure both of them to use the same logging backend (syslog), and configure that backend to save their logs to the same place. However, depending on your server load:

Re: Best current practice to analyze brute force login attempts?

2021-07-30 Thread Dominic Raferd
On 30/07/2021 18:05, Wietse Venema wrote: Hadmut Danisch: Hi, we are experiencing permanent high traffic from numerous sites trying to smtp auth to our postfix node, obviously trying to brute force password dictionaries against mail address lists probably taken from spam lists (including lots

Re: Best current practice to analyze brute force login attempts?

2021-07-30 Thread tobi
If dovecot is in play as auth backend then weakforced could be a viable option. Quite a powerful tool tailored to fight/detect brute force attacks: https://github.com/PowerDNS/weakforced Am 30. Juli 2021 15:12:40 UTC schrieb post...@ptld.com: >> Unfortunately, the required data, i.e. client IP

Re: Best current practice to analyze brute force login attempts?

2021-07-30 Thread Wietse Venema
Hadmut Danisch: > Hi, > > we are experiencing permanent high traffic from numerous sites trying to > smtp auth to our postfix node, obviously trying to brute force password > dictionaries against mail address lists probably taken from spam lists > (including lots of oder message ids with the same

Re: Best current practice to analyze brute force login attempts?

2021-07-30 Thread postfix
Unfortunately, the required data, i.e. client IP address and username are distributed in different log files. The IP address is written to postfix's log, while the username is in saslauthd's log in case of failure, with the time stamp as the only link between both. Is there some best current

Re: Best current practice to analyze brute force login attempts?

2021-07-30 Thread Benny Pedersen
On 2021-07-30 16:49, Hadmut Danisch wrote: (We are considering to limit smtp auth to the submission port 587 and have a blacklist for that in the firewall, but maintaining such a blacklist still requires to understand, who is attacking and how.) I did the reverse, whitelist trusted asn

Best current practice to analyze brute force login attempts?

2021-07-30 Thread Hadmut Danisch
Hi, we are experiencing permanent high traffic from numerous sites trying to smtp auth to our postfix node, obviously trying to brute force password dictionaries against mail address lists probably taken from spam lists (including lots of oder message ids with the same syntax as mail addresses).