For qmail-1.03-3.3.5 and up, the link below defines how to set up /var/log/qmail/smtptx/current

This stops AUTH attempts outside TLS

On 11/4/2022 1:57 AM, Peter Peltonen wrote:

I received a private reply that the correct logpath is /var/log/qmail/smtpt*/current so that should work.

Below are some stats from my server. In the end, I did not disable smtps, as there were a few users using the port and it seems to be a difficult task to change the port in Outlook (requires deleting and adding the account again). What I notice now after a few days of following the logs (see stats below) is that there are a lot of failed attempts but only a few get banned because they come from different IPs. So it is very difficult if the attempts are initiated from a botnet with lots of IPs... What I could try to do is to allow attempts based on IP geolocation and then block the rest. Does anyone know if such a configuration could be done easily with some existing tool? Either at qmail or iptables level.

# ./f2bstat
Status for the jail: qmail-submission-passfail
|- Filter
|  |- Currently failed: 4
|  |- Total failed:     8
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 0
   |- Total banned:     1
   `- Banned IP list:

Status for the jail: qmail-submission-usernotfound
|- Filter
|  |- Currently failed: 14
|  |- Total failed:     177
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 4
   |- Total banned:     4
   `- Banned IP list:

Status for the jail: qmail-smtps-passfail
|- Filter
|  |- Currently failed: 1276
|  |- Total failed:     3646
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 10
   |- Total banned:     27
   `- Banned IP list:

Status for the jail: qmail-smtps-usernotfound
|- Filter
|  |- Currently failed: 685
|  |- Total failed:     6302
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 11
   |- Total banned:     16
   `- Banned IP list:

On Wed, Nov 2, 2022 at 10:13 PM Peter Peltonen wrote:

    Thanks and yes, submission has been hacked also of course, but for
    some reason, I see the brute force attempts directed only against
    smtps (at least during the past days). As I don't use it, it's
    better to disable it as then I need only to monitor submission.
    Changing passwords has been of course done.

    When following the fail2ban instructions one command failed:

    # cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.bak-`date`
    cp: target '2022' is not a directory

    Also in the qmail-smtp-authnotavail filter I see the following entry:

    logpath = /var/log/qmail/smtptx/current

    -> I don't have such a log file, is there a typo in the path?

    I had to disable that filter as fail2ban refuses to start with it.



    On Wed, Nov 2, 2022 at 5:27 AM Eric Broch wrote:

        And, the instruction on fail2ban should work fine. Submit
        questions to list.

        On 11/1/2022 8:38 PM, Remo Mattei wrote:
        I would change all the passwords.


        Sent from iPhone

            On Tuesday, Nov 01, 2022 at 14:44, Eric Broch wrote:
            # qmailctl stop

            # touch /var/qmail/supervise/smtps/log/down

            # touch /var/qmail/supervise/smtps/down

            # qmailctl start

            # qmailctl stat

            But, if they've hacked smtps then they've also hacked
            submission; right?

            On 11/1/2022 1:10 PM, Peter Peltonen wrote:

            I had an email account password guessed through auth
            attempts via smtps.

            I did not realize this as I had forgotten I had it enabled
            at all. I was looking at the submission log and scratching
            my head understanding how messages got to the remote queue
            without anything in the submission log, until I realized
            smtps was enabled and it was logging to /var/log/maillog
            and not to any log under

            My first question: is it safe to disable smtps, I guess I
            don't need it for anything as all my users should be using
            587/submission instead?

            Second question: How do I disable it? Should I just remove
            /var/qmail/supervise/smtps/run file? And/or block it at
            firewall level?

            Third question: to prevent brute force attacks, is fail2ban
            the best option to do it? I just follow the instructions at



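Added example, not part of the thread or of the fail2ban instructions it refers to: the 4 November message observes thousands of failed logins but only a handful of bans because the attempts come from different IPs. The sketch below counts failures per targeted account and per /24 instead of per IP; the thresholds, function names and the sample events (already reduced to time, source IP and account, with documentation addresses) are assumptions constructed for illustration.

```python
"""Added example: find auth failures spread over many IPs that a per-IP ban rule misses."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

MAXRETRY = 3                    # assumed per-IP threshold (fail2ban-style maxretry)
WINDOW = timedelta(minutes=10)  # assumed counting window (fail2ban-style findtime)
MIN_SOURCES = 4                 # assumed: distinct IPs that make a target "distributed"

# Constructed sample: one failed login every 30 s, (source IP, account) per attempt.
# Addresses are RFC 5737 documentation ranges, accounts are placeholders.
T0 = datetime(2022, 11, 4, 1, 0)
PAIRS = [
    ("192.0.2.10", "info@example.com"), ("198.51.100.7", "info@example.com"),
    ("203.0.113.5", "info@example.com"), ("192.0.2.77", "info@example.com"),
    ("203.0.113.80", "info@example.com"), ("198.51.100.21", "a@example.com"),
    ("198.51.100.22", "b@example.com"), ("198.51.100.23", "c@example.com"),
    ("203.0.113.9", "sales@example.com"), ("203.0.113.9", "sales@example.com"),
    ("203.0.113.9", "sales@example.com"),
]
EVENTS = [(T0 + timedelta(seconds=30 * i), ip, user) for i, (ip, user) in enumerate(PAIRS)]

def per_ip_bans(events):
    """IPs a per-IP rule would ban: at least MAXRETRY failures inside WINDOW."""
    recent, banned = defaultdict(list), set()
    for ts, ip, _ in sorted(events):
        recent[ip] = [t for t in recent[ip] if ts - t <= WINDOW] + [ts]
        if len(recent[ip]) >= MAXRETRY:
            banned.add(ip)
    return banned

def by_account(ip, user):
    return user

def by_subnet(ip, user):
    return str(ip_network(f"{ip}/24", strict=False))

def distributed_targets(events, key):
    """Map each key (account or /24) to the peak number of distinct source IPs
    seen inside WINDOW, keeping only keys that reach MIN_SOURCES."""
    seen, flagged = defaultdict(list), {}
    for ts, ip, user in sorted(events):
        k = key(ip, user)
        seen[k] = [(t, a) for t, a in seen[k] if ts - t <= WINDOW] + [(ts, ip)]
        sources = {a for _, a in seen[k]}
        if len(sources) >= MIN_SOURCES:
            flagged[k] = max(flagged.get(k, 0), len(sources))
    return flagged

if __name__ == "__main__":
    print("per-IP bans:", per_ip_bans(EVENTS))
    print("by account:", distributed_targets(EVENTS, by_account))
    print("by /24:", distributed_targets(EVENTS, by_subnet))
```

On the sample, the per-IP rule bans only the one address that retries three times, while the per-account and per-/24 views surface the two spread-out patterns it never sees.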