Dear folks,

My logs are full of lines like this:

Feb 21 04:12:05 MYOLDMTA postfix/smtpd[12967]: warning: unknown[195.22.126.159]: SASL LOGIN authentication failed: authentication failure

This is a brute force attack in order to get a valid username/password pair. The cracker usually does 20 attempts within a single SMTP session. Though fail2ban alerts the firewall after the third or fourth one, network filtering applies to new connections only. (I would not filter _all_ incoming packets until it is absolutely necessary.) So the attacker may try any number of passwords quite unobtrusively.

Is there any way to instruct smtpd to close the session after 3 unsuccessful attempts, as is written in RFC 4954? I found no appropriate config parameter.

https://tools.ietf.org/html/rfc4954#section-9

  Servers MAY implement a policy whereby the connection is dropped after a number of failed authentication attempts. If they do so, they SHOULD NOT drop the connection until at least 3 attempts to authenticate have failed.

The affected Postfix version is 2.11.3, our old MTA. The new one is not found yet by the bad guys.

Regards
Gabor
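An added example, not part of the original post: a log check that counts SASL failures per SMTP session rather than per source address, which makes the many-attempts-in-one-connection pattern described above visible. It assumes the usual Postfix `connect from` / `disconnect from` lines and that one smtpd PID serves one client at a time; the function name, the host name `mta` and the sample log are constructed for illustration.

```python
import re

# Constructed sample log (documentation IPs), in the format quoted in the post.
SAMPLE_LOG = """\
Feb 21 04:12:01 mta postfix/smtpd[12967]: connect from unknown[203.0.113.7]
Feb 21 04:12:02 mta postfix/smtpd[12967]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Feb 21 04:12:03 mta postfix/smtpd[12970]: connect from unknown[198.51.100.23]
Feb 21 04:12:03 mta postfix/smtpd[12967]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Feb 21 04:12:04 mta postfix/smtpd[12970]: warning: unknown[198.51.100.23]: SASL PLAIN authentication failed: authentication failure
Feb 21 04:12:04 mta postfix/smtpd[12967]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Feb 21 04:12:05 mta postfix/smtpd[12967]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Feb 21 04:12:06 mta postfix/smtpd[12967]: disconnect from unknown[203.0.113.7]
Feb 21 04:12:07 mta postfix/smtpd[12970]: disconnect from unknown[198.51.100.23]
Feb 21 04:15:00 mta postfix/smtpd[12967]: connect from unknown[203.0.113.7]
Feb 21 04:15:01 mta postfix/smtpd[12967]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Feb 21 04:15:02 mta postfix/smtpd[12967]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
"""

LINE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT = re.compile(r"^connect from \S+\[(?P<ip>[^\]]+)\]")
DISCONNECT = re.compile(r"^disconnect from \S+\[(?P<ip>[^\]]+)\]")
FAILED = re.compile(r"^warning: \S+\[(?P<ip>[^\]]+)\]: SASL \S+ authentication failed")

def sessions_over_limit(lines, limit=3):
    """Return [(ip, pid, failures)] for sessions with more than `limit` failed logins."""
    open_sessions = {}  # (pid, ip) -> failures seen in the current session
    flagged = []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if c := CONNECT.match(msg):
            open_sessions[(pid, c.group("ip"))] = 0  # PID reuse starts a new session
        elif f := FAILED.match(msg):
            key = (pid, f.group("ip"))
            open_sessions[key] = open_sessions.get(key, 0) + 1
        elif d := DISCONNECT.match(msg):
            count = open_sessions.pop((pid, d.group("ip")), 0)
            if count > limit:
                flagged.append((d.group("ip"), pid, count))
    # Sessions still open when the log ends are reported as well.
    flagged += [(ip, pid, n) for (pid, ip), n in open_sessions.items() if n > limit]
    return flagged

if __name__ == "__main__":
    for ip, pid, n in sessions_over_limit(SAMPLE_LOG.splitlines()):
        print(f"{ip} smtpd[{pid}]: {n} failed logins in one session")
```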