Postfix (or probably any SMTP server) logs


Postfix (or probably any SMTP server) logs

assp-test mailing list
Looking in my mail server's logs, I see a lot of entries similar to:

Jul 23 06:34:34 daisy assp/smtpd[20956]: connect from localhost[127.0.0.1]
Jul 23 06:34:38 daisy assp/smtpd[20956]: warning: localhost[127.0.0.1]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 23 06:34:38 daisy assp/smtpd[20956]: disconnect from localhost[127.0.0.1] ehlo=2 starttls=1 auth=0/1 rset=1 noop=1 quit=1 commands=6/7

Those are failed hacking attempts.  What I'm noticing, however, is that
all my backend SMTP server sees is the IP address of ASSP (localhost).
And the SASL LOGIN appears to be encrypted.

Is there something I can adjust to have the "true" external sender IP
and the attempted login name exposed in my mail server logs?

--
Daniel


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Assp-test mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/assp-test

Re: Postfix (or probably any SMTP server) logs

assp-test mailing list
>>> Is there something I can adjust to have the "true" external sender IP
>>> and the attempted login name exposed in my mail server logs?

I run fail2ban on the ASSP server and it drops the connections

Doug



Re: Postfix (or probably any SMTP server) logs

assp-test mailing list
On 7/26/2017 11:25 AM, Doug Lytle via Assp-test wrote:
>>>> Is there something I can adjust to have the "true" external sender IP
>>>> and the attempted login name exposed in my mail server logs?
> I run fail2ban on the ASSP server and it drops the connections
>
That's actually where I'm going - I just wanted to see complete
information consistently in my logs.  If possible.

I think I partially solved my problem by turning off AUTH on port 25 -
as all my proper clients don't use that port.  So I can ignore the
localhost connect/disconnect entries in the Postfix logs...although I
still would like to see the "true" external IP.

Daniel
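
A log-triage sketch for the entries quoted in this thread, added here as an example and not code from any poster or from the ASSP or Postfix projects. It extracts each SASL failure, base64-decodes the trailing token, flags failures whose client address is loopback (the proxy rather than the external sender), and tallies failed AUTH commands from the disconnect summaries. The function names and the reading of auth=x/y as accepted/total are assumptions of the example; the sample input is the three log entries from the first post with wrapped lines rejoined.

```python
import base64
import ipaddress
import re
from collections import Counter

# Constructed sample: the entries from the first post, wrapped lines rejoined.
SAMPLE_LOG = """\
Jul 23 06:34:34 daisy assp/smtpd[20956]: connect from localhost[127.0.0.1]
Jul 23 06:34:38 daisy assp/smtpd[20956]: warning: localhost[127.0.0.1]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 23 06:34:38 daisy assp/smtpd[20956]: disconnect from localhost[127.0.0.1] ehlo=2 starttls=1 auth=0/1 rset=1 noop=1 quit=1 commands=6/7
"""

FAIL_RE = re.compile(
    r"warning: \S+\[(?P<ip>[^\]]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed: (?P<token>\S+)")
# Assumption: auth=x/y in the disconnect summary means accepted/total.
DISC_RE = re.compile(
    r"disconnect from \S+\[(?P<ip>[^\]]+)\].*?\bauth=(?P<ok>\d+)/(?P<total>\d+)")

def decode_token(token):
    """Base64-decode the trailing token; None if it is not base64 text."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None

def is_loopback(ip):
    """True when the logged client is the local proxy, not a remote host."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False

def summarize(log_text):
    """Return (list of SASL failures, Counter of failed AUTH commands per IP)."""
    failures, failed_auth = [], Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            failures.append({"ip": m["ip"], "mech": m["mech"],
                             "decoded": decode_token(m["token"]),
                             "via_proxy": is_loopback(m["ip"])})
            continue
        m = DISC_RE.search(line)
        if m:
            failed_auth[m["ip"]] += int(m["total"]) - int(m["ok"])
    return failures, failed_auth

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On the sample, the token `UGFzc3dvcmQ6` decodes to the text `Password:`, and the single failure is flagged as arriving via the loopback proxy.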
