
301314 Re: How to detect AUTH before STARTTLS?

  • Wietse Venema
    Jul 29, 2014
      Anders Wegge Keller:
      > My analysis is that the remote system is making a dictionary attack, to try
      > and see if it's possible to relay mail through my server that way.
      > Unfortunately (for the spammer), postfix is configured with
      > smtpd_tls_auth_only = yes, so the connection is rejected. However, mail.info
      > can grow rather large, so I would like to have a sure-fire trigger in the
      > log, that I can use to put an iptable block in place with fail2ban.
      >
      > So my question is: Is it possible to get a log entry for remote systems
      > that try to do AUTH without having issued STARTTLS first?

      No. If a command is disabled or unknown then Postfix does not log
      it. That could fill the logfile quickly.

      In the next release. There is a design to log the number of
      successful/total commands in an SMTP session.

      Your session would look like:

      disconnect from unknown[175.101.8.162] ehlo=1 auth=0/1 unknown=2

      Translation:

      ehlo=1      1 successful ehlo, 1 total ehlo,
      auth=0/1    0 successful auth, 1 total auth.
      unknown=2   2 unknown commands

      That would make failed AUTH commands easy to recognize, and
      in many cases help to diagnose trouble without having to
      turn on Postfix verbose logging.

      Wietse
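
An added example, not part of the original message and not Postfix or fail2ban code: a Python parser for the `disconnect` line shape shown above that totals failed AUTH attempts per client address, the signal a fail2ban-style block would key on. The function names, the threshold, the syslog prefixes and every sample line except the one quoted in the message are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Line shape as shown in the message: "disconnect from name[addr] cmd=ok/total ..."
DISCONNECT = re.compile(
    r"disconnect from (?P<host>\S*)\[(?P<addr>[0-9A-Fa-f:.]+)\]"
    r"(?P<stats>(?: \w+=\d+(?:/\d+)?)*)"
)
STAT = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")

def parse_disconnect(line):
    """Return (addr, {command: (successful, total)}), or None for other lines."""
    m = DISCONNECT.search(line)
    if m is None:
        return None
    stats = {}
    for name, ok, total in STAT.findall(m.group("stats")):
        # A bare count ("ehlo=1", "unknown=2") carries no separate total,
        # so it is stored with total equal to the count.
        stats[name] = (int(ok), int(total) if total else int(ok))
    return m.group("addr"), stats

def failed_auth_clients(lines, threshold=3):
    """Addresses whose failed AUTH count, summed over sessions, reaches threshold."""
    failures = Counter()
    for line in lines:
        parsed = parse_disconnect(line)
        if parsed is None:
            continue
        addr, stats = parsed
        ok, total = stats.get("auth", (0, 0))
        failures[addr] += total - ok
    return sorted(addr for addr, n in failures.items() if n >= threshold)

# Constructed sample log (hypothetical hosts, PIDs and timestamps); only the
# 175.101.8.162 counters come from the message above.
SAMPLE_LOG = [
    "Jul 29 10:00:01 mail postfix/smtpd[1201]: connect from unknown[192.0.2.10]",
    "Jul 29 10:00:02 mail postfix/smtpd[1201]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/1 unknown=2",
    "Jul 29 10:00:09 mail postfix/smtpd[1202]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/2",
    "Jul 29 10:01:30 mail postfix/smtpd[1203]: disconnect from unknown[175.101.8.162] ehlo=1 auth=0/1 unknown=2",
    "Jul 29 10:02:00 mail postfix/smtpd[1204]: disconnect from client.example[198.51.100.7] ehlo=2 starttls=1 auth=1 quit=1",
]

if __name__ == "__main__":
    print(failed_auth_clients(SAMPLE_LOG))
```

Summing across sessions matters because each rejected connection in the scenario described carries only one or two AUTH attempts, so a per-line threshold would never trigger.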