Code:
grep "lost connection after AUTH" /var/log/* -R
here shows 20 hits in the "current" log, and 101 in zgrep output from Dec 1, 2016 to Jan 3, 2017. Quite "normal" IMO on my network.
I use fail2ban to keep that in check.
The [sasl] jail in /etc/fail2ban/jail.conf shows
Code:
[sasl]
enabled = false
port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
filter = postfix-sasl
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath = /var/log/mail.log
I presume you know how to manage fail2ban to enable this jail.
Here's a test you can run in advance, to see if fail2ban is gonna catch hits using the enabled [sasl] jail.
Code:
fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix-sasl.conf
"disconnect from unknown" is when the rDNS isn't set on the remote host making the connection attempt, or there is a temporary DNS failure resolving the remote host.
Code:
host 43.227.99.202
Host 202.99.227.43.in-addr.arpa. not found: 3(NXDOMAIN)
is one from my recent logs.
My fail2ban sasl jail shows:
Code:
fail2ban-client status sasl
Status for the jail: sasl
|- filter
| |- File list: /var/log/zimbra.log
| |- Currently failed: 0
| `- Total failed: 457
`- action
|- Currently banned: 244
Good luck.
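Added example (not from the post above and not fail2ban's own code): a small Python stand-in for what the [sasl] jail does with a Postfix mail.log, run over constructed log lines so you can see what fail2ban-regex would and would not count. One caveat worth knowing before comparing grep hits to jail counts: fail2ban's stock postfix-sasl filter keys on the `warning: <name>[<ip>]: SASL ... authentication failed` line, not on `lost connection after AUTH` or `disconnect from unknown`, so those two lines are read but never counted. The regex below is a simplified imitation of that filter's shape, not a verbatim copy; the year, the thresholds (maxretry=5, findtime=600 s, matching the usual jail.conf defaults) and every log line are assumptions made up for the example.

```python
"""Toy model of the fail2ban [sasl] jail on a Postfix log.

Added example, not fail2ban's code.  FAILREGEX imitates the shape of
filter.d/postfix-sasl.conf's failregex; it is not a copy of it.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified failregex (assumption: modelled on fail2ban's postfix-sasl
# filter).  fail2ban's <HOST> is the bracketed address after the rDNS name.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: [-._\w]+\[(?P<host>[0-9a-fA-F.:]+)\]: "
    r"SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
)

YEAR = 2017  # syslog timestamps carry no year; assumed for the example


def parse_ts(ts):
    """Turn 'Jan  3 10:15:20' into a datetime (assumed year)."""
    return datetime.strptime(f"{YEAR} {ts}", "%Y %b %d %H:%M:%S")


def scan(lines, maxretry=5, findtime=600):
    """Replay log lines through the failregex and a sliding window.

    Returns (matched_line_count, total_failures_per_host, banned_hosts).
    A host is banned when >= maxretry matches fall within findtime seconds,
    which is the fail2ban rule the jail applies.
    """
    matched = 0
    fails = defaultdict(int)      # "Total failed" per host
    window = defaultdict(deque)   # timestamps still inside findtime
    banned = []
    for line in lines:
        m = FAILREGEX.match(line)
        if not m:
            continue              # e.g. 'lost connection after AUTH'
        matched += 1
        host, t = m["host"], parse_ts(m["ts"])
        fails[host] += 1
        q = window[host]
        q.append(t)
        while q and (t - q[0]).total_seconds() > findtime:
            q.popleft()           # old failures age out of the window
        if len(q) >= maxretry and host not in banned:
            banned.append(host)
    return matched, dict(fails), banned


# Constructed mail.log excerpt.  43.227.99.202 fails five times in under a
# minute (banned); 198.51.100.7 also fails five times, but one of them is an
# hour earlier and falls outside findtime (not banned); the 'lost connection'
# and 'disconnect' lines are not SASL failures and are never counted.
SAMPLE_LOG = """\
Jan  3 10:00:01 mail postfix/smtpd[2001]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan  3 10:15:20 mail postfix/smtpd[2104]: warning: unknown[43.227.99.202]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan  3 10:15:21 mail postfix/smtpd[2104]: lost connection after AUTH from unknown[43.227.99.202]
Jan  3 10:15:21 mail postfix/smtpd[2104]: disconnect from unknown[43.227.99.202]
Jan  3 10:15:30 mail postfix/smtpd[2105]: warning: unknown[43.227.99.202]: SASL PLAIN authentication failed: authentication failure
Jan  3 10:15:41 mail postfix/smtpd[2106]: warning: unknown[43.227.99.202]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan  3 10:15:52 mail postfix/smtpd[2107]: warning: unknown[43.227.99.202]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan  3 10:16:03 mail postfix/smtpd[2108]: warning: unknown[43.227.99.202]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan  3 10:30:00 mail postfix/smtpd[2200]: warning: mail.example.net[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
Jan  3 11:00:10 mail postfix/smtpd[2301]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan  3 11:00:20 mail postfix/smtpd[2302]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan  3 11:00:30 mail postfix/smtpd[2303]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan  3 11:00:40 mail postfix/smtpd[2304]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    matched, fails, banned = scan(lines)
    # Roughly the summary fail2ban-regex / fail2ban-client status give you.
    print(f"Lines: {len(lines)}, matched: {matched}")
    print(f"Total failed: {sum(fails.values())}")
    for host, n in sorted(fails.items()):
        print(f"  {host}: {n} failures{' (banned)' if host in banned else ''}")
```

Run it with a real /var/log/mail.log instead of SAMPLE_LOG and the matched count is what fail2ban-regex would report for the SASL failures, while your grep for "lost connection after AUTH" is counting a different line entirely; the two numbers only agree by coincidence.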