On 18 Oct 2016, at 20:45, Sebastian Nielsen wrote:
It's clear from the log, the attacker isn't even attempting to authenticate (0 attempts). The attacker probably hasn't even realized he is connecting to a mail server.
No. There's a jumble there, but at least one is a lame "attack" of a sort. The only *Postfix* messages were:
Oct 19 07:55:27 mail postfix/smtpd[9929]: connect from unknown[216.15.186.126]
Oct 19 07:55:28 mail postfix/smtpd[9929]: disconnect from unknown[216.15.186.126] helo=1 auth=0/1 quit=1 commands=2/3
*THAT* client tried to authenticate and failed. It's a CBL-listed IP on a chronically abuse-friendly network.
The rest were all messages from Dovecot components, about failed SSL connections from a mix of IPs. Impossible to know what the reasons for those were without tracking down the person running the computer.
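
The reading of `auth=0/1` above (zero successful out of one attempted) can be applied mechanically to a whole log. The following is an added example, not part of the original message: it parses Postfix smtpd disconnect summaries and separates clients that attempted AUTH and failed from clients that never tried. The function names and the third sample log line are assumptions made for illustration.

```python
import re

# Constructed sample: lines 1-2 are the Postfix lines quoted in the message;
# line 3 is constructed (documentation IP) to show a client that never tried AUTH.
SAMPLE_LOG = """\
Oct 19 07:55:27 mail postfix/smtpd[9929]: connect from unknown[216.15.186.126]
Oct 19 07:55:28 mail postfix/smtpd[9929]: disconnect from unknown[216.15.186.126] helo=1 auth=0/1 quit=1 commands=2/3
Oct 19 08:01:02 mail postfix/smtpd[9950]: disconnect from unknown[192.0.2.10] ehlo=1 quit=1 commands=2
"""

DISCONNECT = re.compile(
    r"postfix/\S*smtpd\[\d+\]: disconnect from \S+?\[(?P<ip>[^\]]+)\]"
    r"(?P<stats>(?: \w+=\d+(?:/\d+)?)*)\s*$"
)
COUNTER = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")


def parse_counters(stats):
    """Map each command to (succeeded, attempted); 'auth=0/1' -> (0, 1)."""
    counters = {}
    for name, ok, total in COUNTER.findall(stats):
        # A bare 'helo=1' means every attempt succeeded, so attempted == succeeded.
        counters[name] = (int(ok), int(total) if total else int(ok))
    return counters


def auth_summary(log_text):
    """Per client IP: (successful AUTH, attempted AUTH), summed over sessions."""
    summary = {}
    for line in log_text.splitlines():
        m = DISCONNECT.search(line)
        if not m:
            continue  # connect lines and non-Postfix lines carry no counters
        ok, total = parse_counters(m.group("stats")).get("auth", (0, 0))
        prev_ok, prev_total = summary.get(m.group("ip"), (0, 0))
        summary[m.group("ip")] = (prev_ok + ok, prev_total + total)
    return summary


def failed_auth(log_text):
    """Clients with at least one failed AUTH attempt -> number of failures."""
    return {ip: total - ok
            for ip, (ok, total) in auth_summary(log_text).items() if total > ok}


if __name__ == "__main__":
    for ip, failures in failed_auth(SAMPLE_LOG).items():
        print(f"{ip}: {failures} failed AUTH attempt(s)")
```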