Re: Thousands of login attempts

2016-03-22 Thread Bill Cole

On 20 Mar 2016, at 14:11, @lbutlr wrote:


/etc/hosts.allow:
   ALL : 185.103.253.246 : DENY

Has no effect.


For /etc/hosts.{allow,deny} files to have any effect on network access 
to a program, the program must support the TCP Wrappers facility by 
linking to libwrap OR be wrapped by the tcpd access control facility. 
Postfix explicitly offers no such support (see the "COMPATIBILITY" file 
in the top level of the source distribution.)




Re: Thousands of login attempts

2016-03-21 Thread Brett

On 2016-03-20 16:46, Dimitar Katerinski wrote:

> @lbutlr wrote:
>
>> /etc/hosts.allow:
>> ALL : 185.103.253.246 : DENY
>>
>> Has no effect.


hosts.allow and hosts.deny only work for programs that have been 
compiled with TCP wrapper support. Typically this is limited to telnet, 
ftp and inetd super daemon type services.





> I would suggest using your firewall utility to block this on tcp/ip
> level. If you are running Postfix under Linux
> the following iptables command should block this IP from accessing your
> smtp service on port 25:
>
> iptables -I INPUT -s 185.103.253.246 -p tcp --dport 25 -j DROP
>
> As someone already suggested - have a look at fail2ban.


I second using the IP tables and fail2ban approach. Once properly 
configured, fail2ban can monitor the postfix / dovecot logs and 
automatically block offending IP addresses in the firewall rules after a 
preset number of failed login attempts. At first, I block the offending 
IP address after 3 failed attempts in a 1 hour period. I then 
permanently block any IP address that gets blocked 3 times in a 48 hour 
period. I use this on several mail systems I support and it has greatly 
reduced the number of failed login attempts. The only downside is at 
first, my user base sometimes locked themselves out. I have white listed 
the main IP addresses my clients use. After about 6 months, the users 
have become better about logging in, and I haven't had a lock out 
complaint since.




> Cheers,
> Dimitar


---
Brett
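An added example, not from the thread or any of its posters: the detection logic Brett describes (3 failures within an hour bans the IP, 3 bans within 48 hours makes it permanent) replayed over constructed log lines in the format the thread shows; the function names, the sample lines and the second address 192.0.2.10 (a documentation range) are my own. It also decodes the UGFzc3dvcmQ6 tail the original post asks about: that is base64 for the SASL LOGIN server prompt "Password:", which is why it is identical in every line.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in the thread's format (hypothetical data). The
# "lost connection" line shows that only SASL failure lines are counted.
SAMPLE_LOG = """\
Mar 20 10:45:27 mail postfix/smtpd[19480]: warning: unknown[185.103.253.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 20 10:48:36 mail postfix/smtpd[19683]: warning: unknown[185.103.253.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 20 10:48:36 mail postfix/smtpd[19683]: lost connection after AUTH from unknown[185.103.253.246]
Mar 20 10:52:01 mail postfix/smtpd[19690]: warning: unknown[185.103.253.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 20 11:10:05 mail postfix/smtpd[19701]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 20 12:00:10 mail postfix/smtpd[19720]: warning: unknown[185.103.253.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 20 12:01:10 mail postfix/smtpd[19721]: warning: unknown[185.103.253.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 20 12:02:10 mail postfix/smtpd[19722]: warning: unknown[185.103.253.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 20 13:05:00 mail postfix/smtpd[19730]: warning: unknown[185.103.253.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 20 13:05:30 mail postfix/smtpd[19731]: warning: unknown[185.103.253.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 20 13:06:00 mail postfix/smtpd[19732]: warning: unknown[185.103.253.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 20 13:30:00 mail postfix/smtpd[19740]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

# Postfix smtpd's SASL failure warning; the tail is base64 of the last SASL
# exchange (for LOGIN that is the server's "Password:" prompt).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL (?P<mech>\w+) "
    r"authentication failed:\s*(?P<tail>.*)$"
)


def parse_failures(text, year=2016):
    """(timestamp, ip, mechanism, tail) per failure line; syslog has no year."""
    out = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["ip"], m["mech"], m["tail"]))
    return out


def decode_sasl_tail(tail):
    """Decode the base64 tail, or None if it is not valid base64 ASCII."""
    try:
        return base64.b64decode(tail, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


def apply_policy(failures, maxretry=3, findtime=timedelta(hours=1),
                 bantime=timedelta(hours=1), recidive_max=3,
                 recidive_window=timedelta(hours=48)):
    """Replay failures in time order: maxretry failures inside findtime ban
    the IP for bantime; recidive_max bans inside recidive_window make it
    permanent. Returns {ip: "temporary" | "permanent"} for banned IPs."""
    recent = defaultdict(list)   # ip -> failure times still inside findtime
    bans = defaultdict(list)     # ip -> ban times still inside recidive_window
    banned_until = {}            # ip -> when the temporary ban lapses
    decisions = {}
    for ts, ip, _mech, _tail in sorted(failures):
        if decisions.get(ip) == "permanent":
            continue
        if ts < banned_until.get(ip, datetime.min):
            continue   # firewall drops these; never double count a ban window
        window = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        recent[ip] = window
        if len(window) >= maxretry:
            bans[ip] = [t for t in bans[ip] if ts - t <= recidive_window] + [ts]
            banned_until[ip] = ts + bantime
            recent[ip] = []
            permanent = len(bans[ip]) >= recidive_max
            decisions[ip] = "permanent" if permanent else "temporary"
    return decisions
```

The same thresholds map onto fail2ban as maxretry/findtime/bantime in a postfix-sasl jail plus a recidive jail; whitelisting, as Brett notes, is what keeps legitimate users from tripping it.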



Re: Thousands of login attempts

2016-03-21 Thread Christian Kivalo


On 21 March 2016 00:59:36 CET, "@lbutlr" wrote:
>On Sun Mar 20 2016 16:01:44 Christian Kivalo said:
>> 
>>>> One minor comment: I would not even offer AUTH on port 25.
>>> 
>>> I don’t. I offer opportunistic TLS on port 25 for SMTPd. All mail
>>> submission have to be on port 587.
>> 
>> You do.
>
>Oh, that is right, I forgot I had to enable that temporarily for
>someone. I think temporarily has passed.
>
>Port 25 shouldn’t even allow STARTTLS, IIRC.
I don't agree. Offering opportunistic TLS on port 25 gives the sending party 
the choice to use the encrypted channel. There is no harm in offering starttls 
on port 25.

-- Christian


Re: Thousands of login attempts

2016-03-20 Thread @lbutlr
On Sun Mar 20 2016 16:00:10 Sebastian Nielsen    said:
> 
> I would instead suggest the opposite way around, use whitelisting instead.

That doesn’t work. One of my most important customers travels all over the 
world and may be connecting from quite literally anywhere but North Korea.

Setting the default action to drop, on the other hand, has worked. Nothing in 
the logs since 14:20.

-- 
Indecision is the key to flexibility.



Re: Thousands of login attempts

2016-03-20 Thread @lbutlr
On Sun Mar 20 2016 16:01:44 Christian Kivalo said:
> 
>>> One minor comment: I would not even offer AUTH on port 25.
>> 
>> I don’t. I offer opportunistic TLS on port 25 for SMTPd. All mail
>> submission have to be on port 587.
> 
> You do.

Oh, that is right, I forgot I had to enable that temporarily for someone. I 
think temporarily has passed.

Port 25 shouldn’t even allow STARTTLS, IIRC.

-- 
ARE YOU FAMILIAR WITH THE WORDS 'DEATH WAS HIS CONSTANT COMPANION'? 'But
I don't usually see you!'




Re: Thousands of login attempts

2016-03-20 Thread Curtis Villamizar
In message <0f3f9e7a-f0da-400a-b331-514a471b4...@valo.at>
Christian Kivalo writes:
> 
> >> One minor comment: I would not even offer AUTH on port 25.
> >
> >I don't. I offer opportunistic TLS on port 25 for SMTPd. All mail
> >submission have to be on port 587.
>  
> You do.
>  
> valo@uschi:~ $ telnet mail.covisp.net 25
> Trying 65.121.55.42...
> Connected to mail.covisp.net.
> Escape character is '^]'.
> 220-mail.covisp.net ESTMP -- Please wait
> 220 mail.covisp.net ESMTP Postfix 3.0.3
> ehlo test.local.host
> 250-mail.covisp.net
> 250-PIPELINING
> 250-SIZE 26214400
> 250-ETRN
> 250-STARTTLS
> 250-AUTH PLAIN LOGIN
> 250-AUTH=PLAIN LOGIN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> quit
> 221 2.0.0 Bye
> Connection closed by foreign host.
>  
> See the two lines offering auth on port 25. You should disable auth
> on port 25.

As in "smtpd_sasl_auth_enable = no".

> -- 
> Christian


Plain and login AUTH are particularly dangerous since they send
passwords in the clear.  See if you can find another method:
http://cyrusimap.web.cmu.edu/sasl/authentication_mechanisms.html
http://wiki.dovecot.org/Authentication/Mechanisms

With AUTH PLAIN LOGIN and no TLS, anyone logging in over public WiFi
(or non-switched ethernet, where such a thing still exists) is
exposing their user ID and password to others snooping on the WiFi.
That could be really bad for people who use the same password for
everything (terrible practice but all too common).

btw- Even with TLS, unless client certs are used anyone can connect
and try brute force password guessing, which is what appears to be
happening.  When presented with STARTTLS and no AUTH most attacks
just go away and don't keep retrying.

I suggest that if it won't break clients (if they can use TLS) use
"smtpd_tls_security_level = yes" on port 587 (which implies
"smtpd_tls_auth_only = yes").  Use "smtpd_sasl_auth_enable = no" on
port 25 even if it means clients have to change configs.  Plus set
smtp_sasl_mechanism_filter to something more reasonable if it doesn't
break clients to do so (and/or change mech_list in cyrus sasl conf).
For example "smtpd_sasl_security_options = noanonymous, noplaintext".
Client certs would be nice but a large number of client certs can be a
headache to keep track of and hard to get into users' client MUAs.

Filters limiting access to port 587 can then be applied a lot more
strictly than filters on port 25 could be.

Curtis


Re: Thousands of login attempts

2016-03-20 Thread Christian Kivalo
>> One minor comment: I would not even offer AUTH on port 25.
>
>I don’t. I offer opportunistic TLS on port 25 for SMTPd. All mail
>submission have to be on port 587.

You do.

valo@uschi:~ $ telnet mail.covisp.net 25
Trying 65.121.55.42...
Connected to mail.covisp.net.
Escape character is '^]'.
220-mail.covisp.net ESTMP -- Please wait
220 mail.covisp.net ESMTP Postfix 3.0.3
ehlo test.local.host
250-mail.covisp.net
250-PIPELINING
250-SIZE 26214400
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.

See the two lines offering auth on port 25. You should disable auth on port 25.

-- 
Christian
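An added example, not from the thread or any poster, that does offline what Christian's telnet check above does by hand and applies the rule Curtis gives: parse the EHLO reply and flag AUTH advertised on port 25, or PLAIN/LOGIN offered before TLS is up. The replies below are constructed to match the shape of the one pasted above (hostname replaced); `parse_ehlo` and `audit_ehlo` are my names.

```python
# Constructed EHLO reply with the same shape as the one pasted in the thread
# (hostname replaced); not a capture from a real server.
PORT25_REPLY = """\
220 mail.example.test ESMTP Postfix 3.0.3
250-mail.example.test
250-PIPELINING
250-SIZE 26214400
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""

# What port 25 should look like once SASL is disabled there: STARTTLS still
# offered, no AUTH lines at all (constructed).
HARDENED_REPLY = """\
250-mail.example.test
250-PIPELINING
250-SIZE 26214400
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 DSN
"""

# Mechanisms whose client response carries the password itself, merely
# base64-encoded, so they are only acceptable inside a TLS session.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_ehlo(reply):
    """Parse a multiline 250 EHLO reply (RFC 5321: '250-' continues, '250 '
    ends) into {KEYWORD: [params]}. The first 250 line is the server name."""
    caps = {}
    first = True
    for line in reply.splitlines():
        if not line.startswith("250"):
            continue                       # greeting, errors, blank lines
        if first:
            first = False
            continue
        keyword, _, params = line[4:].partition(" ")
        if keyword.startswith("AUTH="):    # legacy form some old clients need
            keyword, params = "AUTH", (keyword[5:] + " " + params).strip()
        bucket = caps.setdefault(keyword.upper(), [])
        for p in params.split():
            if p not in bucket:
                bucket.append(p)
    return caps


def audit_ehlo(caps, port, tls_active=False):
    """Findings for an EHLO reply seen on `port`; tls_active says whether the
    reply was read after STARTTLS completed (then AUTH is acceptable)."""
    findings = []
    mechs = set(caps.get("AUTH", []))
    if mechs and port == 25:
        findings.append("AUTH advertised on port 25; submission belongs on 587")
    if mechs & CLEARTEXT_MECHS and not tls_active:
        findings.append("cleartext mechanisms offered before TLS: "
                        + " ".join(sorted(mechs & CLEARTEXT_MECHS)))
    if mechs and "STARTTLS" not in caps and not tls_active:
        findings.append("AUTH offered on a port with no STARTTLS at all")
    return findings
```

On the Postfix side the matching settings are smtpd_sasl_auth_enable = no in main.cf for port 25 and, on the submission entry in master.cf, -o smtpd_tls_security_level=encrypt together with -o smtpd_tls_auth_only=yes and -o smtpd_sasl_auth_enable=yes; note that smtpd_tls_security_level takes none, may or encrypt rather than yes.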


SV: Thousands of login attempts

2016-03-20 Thread Sebastian Nielsen
I would instead suggest the opposite way around, use whitelisting instead.

Whitelisting can be done in many ways:
1: You can either whitelist your customer's IP ranges. So if one customer has 
Telia in Sweden, you tell your firewall to allow 95.196.0.0/14.
And so on for every customer/user.

2: You can geoIP. If you are only serving customers in specific regions, you 
can geoIP these as allowed in the firewall.

3: Or you can completely restrict authentication to only users inside the 
office, eg no outside access is allowed (and those that needs mail-from-home 
instead gets VPN access).

All these methods will heavily cut down on all bruteforce.





Re: Thousands of login attempts

2016-03-20 Thread Dimitar Katerinski


@lbutlr wrote:

/etc/hosts.allow:
ALL : 185.103.253.246 : DENY

Has no effect.

I would suggest using your firewall utility to block this on tcp/ip 
level. If you are running Postfix under Linux
the following iptables command should block this IP from accessing your 
smtp service on port 25:

iptables -I INPUT -s 185.103.253.246 -p tcp --dport 25 -j DROP

As someone already suggested - have a look at fail2ban.

Cheers,
Dimitar


Re: Thousands of login attempts

2016-03-20 Thread Chalmers
Put the ip in your firewall blacklist is what I did, then you don't even see 
them as they are blocked at the gate. I extracted all such addresses from my 
logs, sorted them unique, added them to the firewall blacklist. 
gone.
I know there will always be others, but revenge is sweet.


-
From my iPhone.


> On 20 Mar 2016, at 6:11 pm, @lbutlr  wrote:
> 
> I have many thousands of these over the last seven days:
> 
> Mar 20 10:45:27 mail postfix/smtpd[19480]: warning: unknown[185.103.253.246]: 
> SASL LOGIN authentication failed: UGFzc3dvcmQ6
> 
> They are all the exact same, including the UGF… portion.
> 
> Mar 20 10:48:34 mail postfix/postscreen[75523]: CONNECT from 
> [185.103.253.246]:61153 to [65.121.55.45]:25
> Mar 20 10:48:34 mail postfix/postscreen[75523]: PASS OLD 
> [185.103.253.246]:61153
> Mar 20 10:48:34 mail postfix/smtpd[19790]: connect from 
> unknown[185.103.253.246]
> Mar 20 10:48:36 mail postfix/smtpd[19683]: warning: unknown[185.103.253.246]: 
> SASL LOGIN authentication failed: UGFzc3dvcmQ6
> Mar 20 10:48:36 mail postfix/smtpd[19683]: lost connection after AUTH from 
> unknown[185.103.253.246]
> Mar 20 10:48:36 mail postfix/smtpd[19683]: disconnect from 
> unknown[185.103.253.246] ehlo=1 auth=0/1 commands=1/2
> 
> I mean, nothing is getting in, but there are thousands of these, 2000 
> yesterday, and today there are over 3400 so far, and it’s barely even noon. 
> The first day there were 700, and it’s just ramped up since then.
> 
> /etc/hosts.allow:
>   ALL : 185.103.253.246 : DENY
> 
> Has no effect.
> 
> -- 
> 'You make us want what we can't have and what you give us is worth
> nothing and what you take is everything and all there is left for us is
> the cold hillside, and emptiness, and the laughter of the elves.'
> 


Re: Thousands of login attempts

2016-03-20 Thread @lbutlr
On Mar 20, 2016, at 1:46 PM, Wietse Venema  wrote:
> 
> @lbutlr:
>> I mean, nothing is getting in, but there are thousands of these, 2000 =
> 
> Then why do you care? They are using 1% of your CPU?

I've been in the logs a lot the last few days, and having these every few 
seconds has been a constant, albeit minor, annoyance. 

-- 
This is my signature. There are many like it, but this one is mine.




Re: Thousands of login attempts

2016-03-20 Thread /dev/rob0
On Sun, Mar 20, 2016 at 08:21:16PM +0100, wilfried.es...@essignetz.de wrote:
> Did you try postscreen_blacklist_action
> (http://www.postfix.org/postconf.5.html#postscreen_blacklist_action)
> 
> Default is "ignore"

Yes, and probably what the OP wants to set is "drop".  If set as 
"enforce" you'll get the full dialog with postscreen and multiple 
lines logged.  With "drop" it will be dropped in lieu of giving a 
banner.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


Re: Thousands of login attempts

2016-03-20 Thread Wietse Venema
@lbutlr:
> I mean, nothing is getting in, but there are thousands of these, 2000 =

Then why do you care? They are using 1% of your CPU?

Wietse


Re: Thousands of login attempts

2016-03-20 Thread wilfried.es...@essignetz.de
Did you try postscreen_blacklist_action
(http://www.postfix.org/postconf.5.html#postscreen_blacklist_action)

Default is "ignore"

Willi




On 20.03.2016 at 20:10, @lbutlr wrote:
> On Sun Mar 20 2016 12:59:08 @lbutlr    said:
>>
>> Mar 20 12:55:37 mail postfix/postscreen[29826]: BLACKLISTED 
>> [185.103.253.246]:50804
> 
> Stopped postfix and removed the post screen_cache file and restarted postfix.
> 
> Mar 20 13:03:59 mail postfix/postscreen[30633]: BLACKLISTED 
> [185.103.253.246]:51950
> Mar 20 13:03:59 mail postfix/dnsblog[30638]: addr 185.103.253.246 listed by 
> domain dnsbl-2.uceprotect.net as 127.0.0.2
> Mar 20 13:04:03 mail postfix/postscreen[30633]: PASS NEW 
> [185.103.253.246]:51950
> Mar 20 13:04:03 mail postfix/smtpd[30660]: connect from 
> unknown[185.103.253.246]
> 
> And then
> 
> Mar 20 13:04:35 mail postfix/smtpd[30660]: warning: unknown[185.103.253.246]: 
> SASL LOGIN authentication failed: UGFzc3dvcmQ6
> Mar 20 13:04:35 mail postfix/smtpd[30660]: lost connection after AUTH from 
> unknown[185.103.253.246]
> Mar 20 13:04:35 mail postfix/smtpd[30660]: disconnect from 
> unknown[185.103.253.246] ehlo=1 auth=0/1 commands=1/2
> Mar 20 13:04:38 mail postfix/postscreen[30633]: CONNECT from 
> [185.103.253.246]:55822 to [65.121.55.42]:25
> Mar 20 13:04:38 mail postfix/postscreen[30633]: BLACKLISTED 
> [185.103.253.246]:55822
> Mar 20 13:04:38 mail postfix/postscreen[30633]: PASS OLD 
> [185.103.253.246]:55822
> Mar 20 13:04:48 mail postfix/smtpd[30702]: warning: unknown[185.103.253.246]: 
> SASL LOGIN authentication failed: UGFzc3dvcmQ6
> Mar 20 13:04:48 mail postfix/smtpd[30702]: lost connection after AUTH from 
> unknown[185.103.253.246]
> Mar 20 13:04:48 mail postfix/smtpd[30702]: disconnect from 
> unknown[185.103.253.246] ehlo=1 auth=0/1 commands=1/2
> 
> So, no matter what I try to do, the IP comes back and is added to post 
> screen_cache and is handed off to smtpd. All I seem to have accomplished is 
> adding one more log line to the process that is currently hitting every 13-35 
> seconds.
> 
>  $ postconf -d mail_version
> mail_version = 3.0.3
> 



Re: Thousands of login attempts

2016-03-20 Thread @lbutlr
On Sun Mar 20 2016 12:59:08 @lbutlr  said:
> 
> Mar 20 12:55:37 mail postfix/postscreen[29826]: BLACKLISTED 
> [185.103.253.246]:50804

Stopped postfix and removed the post screen_cache file and restarted postfix.

Mar 20 13:03:59 mail postfix/postscreen[30633]: BLACKLISTED 
[185.103.253.246]:51950
Mar 20 13:03:59 mail postfix/dnsblog[30638]: addr 185.103.253.246 listed by 
domain dnsbl-2.uceprotect.net as 127.0.0.2
Mar 20 13:04:03 mail postfix/postscreen[30633]: PASS NEW [185.103.253.246]:51950
Mar 20 13:04:03 mail postfix/smtpd[30660]: connect from unknown[185.103.253.246]

And then

Mar 20 13:04:35 mail postfix/smtpd[30660]: warning: unknown[185.103.253.246]: 
SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 20 13:04:35 mail postfix/smtpd[30660]: lost connection after AUTH from 
unknown[185.103.253.246]
Mar 20 13:04:35 mail postfix/smtpd[30660]: disconnect from 
unknown[185.103.253.246] ehlo=1 auth=0/1 commands=1/2
Mar 20 13:04:38 mail postfix/postscreen[30633]: CONNECT from 
[185.103.253.246]:55822 to [65.121.55.42]:25
Mar 20 13:04:38 mail postfix/postscreen[30633]: BLACKLISTED 
[185.103.253.246]:55822
Mar 20 13:04:38 mail postfix/postscreen[30633]: PASS OLD [185.103.253.246]:55822
Mar 20 13:04:48 mail postfix/smtpd[30702]: warning: unknown[185.103.253.246]: 
SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 20 13:04:48 mail postfix/smtpd[30702]: lost connection after AUTH from 
unknown[185.103.253.246]
Mar 20 13:04:48 mail postfix/smtpd[30702]: disconnect from 
unknown[185.103.253.246] ehlo=1 auth=0/1 commands=1/2

So, no matter what I try to do, the IP comes back and is added to post 
screen_cache and is handed off to smtpd. All I seem to have accomplished is 
adding one more log line to the process that is currently hitting every 13-35 
seconds.

 $ postconf -d mail_version
mail_version = 3.0.3

-- 
Try to realize it's all within yourself/No one else can make you change



Re: Thousands of login attempts

2016-03-20 Thread @lbutlr
On Sun Mar 20 2016 12:47:32 @lbutlr <@lbutlr> said:
> 
> But they still keep coming.
> 
> $ date && grep UGFzc3dvcmQ6 /var/log/maillog | tail -1
> Sun Mar 20 12:43:33 MDT 2016
> Mar 20 12:43:31 mail postfix/smtpd[28552]: warning: unknown[185.103.253.246]: 
> SASL LOGIN authentication failed: UGFzc3dvcmQ6

Mar 20 12:55:37 mail postfix/postscreen[29826]: CONNECT from 
[185.103.253.246]:50804 to [65.121.55.45]:25
Mar 20 12:55:37 mail postfix/postscreen[29826]: BLACKLISTED 
[185.103.253.246]:50804
Mar 20 12:55:37 mail postfix/postscreen[29826]: PASS OLD [185.103.253.246]:50804
Mar 20 12:55:37 mail postfix/smtpd[29832]: connect from unknown[185.103.253.246]
Mar 20 12:55:47 mail postfix/smtpd[29832]: warning: unknown[185.103.253.246]: 
SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 20 12:55:47 mail postfix/smtpd[29832]: lost connection after AUTH from 
unknown[185.103.253.246]
Mar 20 12:55:47 mail postfix/smtpd[29832]: disconnect from 
unknown[185.103.253.246] ehlo=1 auth=0/1 commands=1/2


So, they show blacklist on postscreen, but still hit smtpd with the same message 
filling the logs. Sigh



-- 
You only had to look into Teatime's mismatched eyes to know one thing,
which was this: if Teatime wanted to find you he would not look
everywhere. He'd look in only one place, which would be the place where
you were hiding. --Hogfather



Re: Thousands of login attempts

2016-03-20 Thread @lbutlr
On Sun Mar 20 2016 12:47:32 @lbutlr <@lbutlr> said:
> 
> postscreen_access_cidr
>   185.103.253.246 reject
> 
> $ postmap -q 185.103.253.246 
> cidr:/usr/local/etc/postfix/postscreen_access.cidr
> reject
> 
> But they still keep coming.
> 
> $ date && grep UGFzc3dvcmQ6 /var/log/maillog | tail -1
> Sun Mar 20 12:43:33 MDT 2016
> Mar 20 12:43:31 mail postfix/smtpd[28552]: warning: unknown[185.103.253.246]: 
> SASL LOGIN authentication failed: UGFzc3dvcmQ6

Oh, also

 $ postconf -n config_directory
 $ postconf -d config_directory
config_directory = /usr/local/etc/postfix


-- 
"I don't think the kind of friends I'd have would care."



Re: Thousands of login attempts

2016-03-20 Thread @lbutlr
On Sun Mar 20 2016 12:23:00 /dev/rob0    said:
> 
> On Sun, Mar 20, 2016 at 12:11:57PM -0600, @lbutlr wrote:
>> I have many thousands of these over the last seven days:
>> 
>> Mar 20 10:45:27 mail postfix/smtpd[19480]: warning: 
>> unknown[185.103.253.246]: SASL LOGIN authentication failed: 
>> UGFzc3dvcmQ6
>> 
>> They are all the exact same, including the UGF… portion.
>> 
>> Mar 20 10:48:34 mail postfix/postscreen[75523]: CONNECT from 
>> [185.103.253.246]:61153 to [65.121.55.45]:25
>> Mar 20 10:48:34 mail postfix/postscreen[75523]: PASS OLD 
>> [185.103.253.246]:61153
>> Mar 20 10:48:34 mail postfix/smtpd[19790]: connect from 
>> unknown[185.103.253.246]
>> Mar 20 10:48:36 mail postfix/smtpd[19683]: warning: 
>> unknown[185.103.253.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
>> Mar 20 10:48:36 mail postfix/smtpd[19683]: lost connection after AUTH from 
>> unknown[185.103.253.246]
>> Mar 20 10:48:36 mail postfix/smtpd[19683]: disconnect from 
>> unknown[185.103.253.246] ehlo=1 auth=0/1 commands=1/2
> 
> One minor comment: I would not even offer AUTH on port 25.

I don’t. I offer opportunistic TLS on port 25 for SMTPd. All mail submission 
have to be on port 587.

>> I mean, nothing is getting in, but there are thousands of these, 
>> 2000 yesterday, and today there are over 3400 so far, and it’s 
>> barely even noon. The first day there were 700, and it’s just 
>> ramped up since then.
>> 
>> /etc/hosts.allow:
>>   ALL : 185.103.253.246 : DENY
>> 
>> Has no effect.
> 
> I'd suggest either blocking it in the firewall or adding to 
> postscreen_access_list ( postconf.5.html#postscreen_access_list ).

Oh, yes, I completely forgot about that.

postscreen_access_cidr
   185.103.253.246 reject

$ postmap -q 185.103.253.246 cidr:/usr/local/etc/postfix/postscreen_access.cidr
reject

But they still keep coming.

$ date && grep UGFzc3dvcmQ6 /var/log/maillog | tail -1
Sun Mar 20 12:43:33 MDT 2016
Mar 20 12:43:31 mail postfix/smtpd[28552]: warning: unknown[185.103.253.246]: 
SASL LOGIN authentication failed: UGFzc3dvcmQ6


-- 
Don't ride in anything with a Capissen-38 engine, they fall right out of
the sky




Re: Thousands of login attempts

2016-03-20 Thread Wolfe , Robert
Um, perhaps you should utilize some sort of DNS blacklist, which is what my 
setup here does.

If not, then you might want to try relocating what you put into your 
/etc/hosts.allow file to your /etc/hosts.deny file.

I would also recommend utilizing fail2ban -- http://theether.net/kb/100141


On Sunday, March 20, 2016 13:11 CDT, "@lbutlr"  wrote:

> I have many thousands of these over the last seven days:
>
> Mar 20 10:45:27 mail postfix/smtpd[19480]: warning: unknown[185.103.253.246]: 
> SASL LOGIN authentication failed: UGFzc3dvcmQ6
>
> They are all the exact same, including the UGF… portion.
>
> Mar 20 10:48:34 mail postfix/postscreen[75523]: CONNECT from 
> [185.103.253.246]:61153 to [65.121.55.45]:25
> Mar 20 10:48:34 mail postfix/postscreen[75523]: PASS OLD 
> [185.103.253.246]:61153
> Mar 20 10:48:34 mail postfix/smtpd[19790]: connect from 
> unknown[185.103.253.246]
> Mar 20 10:48:36 mail postfix/smtpd[19683]: warning: unknown[185.103.253.246]: 
> SASL LOGIN authentication failed: UGFzc3dvcmQ6
> Mar 20 10:48:36 mail postfix/smtpd[19683]: lost connection after AUTH from 
> unknown[185.103.253.246]
> Mar 20 10:48:36 mail postfix/smtpd[19683]: disconnect from 
> unknown[185.103.253.246] ehlo=1 auth=0/1 commands=1/2
>
> I mean, nothing is getting in, but there are thousands of these, 2000 
> yesterday, and today there are over 3400 so far, and it’s barely even noon. 
> The first day there were 700, and it’s just ramped up since then.
>
> /etc/hosts.allow:
>ALL : 185.103.253.246 : DENY
>
> Has no effect.
>
> --
> 'You make us want what we can't have and what you give us is worth
> nothing and what you take is everything and all there is left for us is
> the cold hillside, and emptiness, and the laughter of the elves.'
>


Re: Thousands of login attempts

2016-03-20 Thread /dev/rob0
On Sun, Mar 20, 2016 at 12:11:57PM -0600, @lbutlr wrote:
> I have many thousands of these over the last seven days:
> 
> Mar 20 10:45:27 mail postfix/smtpd[19480]: warning: 
> unknown[185.103.253.246]: SASL LOGIN authentication failed: 
> UGFzc3dvcmQ6
> 
> They are all the exact same, including the UGF… portion.
> 
> Mar 20 10:48:34 mail postfix/postscreen[75523]: CONNECT from 
> [185.103.253.246]:61153 to [65.121.55.45]:25
> Mar 20 10:48:34 mail postfix/postscreen[75523]: PASS OLD 
> [185.103.253.246]:61153
> Mar 20 10:48:34 mail postfix/smtpd[19790]: connect from 
> unknown[185.103.253.246]
> Mar 20 10:48:36 mail postfix/smtpd[19683]: warning: unknown[185.103.253.246]: 
> SASL LOGIN authentication failed: UGFzc3dvcmQ6
> Mar 20 10:48:36 mail postfix/smtpd[19683]: lost connection after AUTH from 
> unknown[185.103.253.246]
> Mar 20 10:48:36 mail postfix/smtpd[19683]: disconnect from 
> unknown[185.103.253.246] ehlo=1 auth=0/1 commands=1/2

One minor comment: I would not even offer AUTH on port 25.

> I mean, nothing is getting in, but there are thousands of these, 
> 2000 yesterday, and today there are over 3400 so far, and it’s 
> barely even noon. The first day there were 700, and it’s just 
> ramped up since then.
> 
> /etc/hosts.allow:
>ALL : 185.103.253.246 : DENY
> 
> Has no effect.

I'd suggest either blocking it in the firewall or adding to 
postscreen_access_list ( postconf.5.html#postscreen_access_list ).
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


Thousands of login attempts

2016-03-20 Thread @lbutlr
I have many thousands of these over the last seven days:

Mar 20 10:45:27 mail postfix/smtpd[19480]: warning: unknown[185.103.253.246]: 
SASL LOGIN authentication failed: UGFzc3dvcmQ6

They are all the exact same, including the UGF… portion.

Mar 20 10:48:34 mail postfix/postscreen[75523]: CONNECT from 
[185.103.253.246]:61153 to [65.121.55.45]:25
Mar 20 10:48:34 mail postfix/postscreen[75523]: PASS OLD [185.103.253.246]:61153
Mar 20 10:48:34 mail postfix/smtpd[19790]: connect from unknown[185.103.253.246]
Mar 20 10:48:36 mail postfix/smtpd[19683]: warning: unknown[185.103.253.246]: 
SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 20 10:48:36 mail postfix/smtpd[19683]: lost connection after AUTH from 
unknown[185.103.253.246]
Mar 20 10:48:36 mail postfix/smtpd[19683]: disconnect from 
unknown[185.103.253.246] ehlo=1 auth=0/1 commands=1/2

I mean, nothing is getting in, but there are thousands of these, 2000 
yesterday, and today there are over 3400 so far, and it’s barely even noon. The 
first day there were 700, and it’s just ramped up since then.

/etc/hosts.allow:
   ALL : 185.103.253.246 : DENY

Has no effect.

-- 
'You make us want what we can't have and what you give us is worth
nothing and what you take is everything and all there is left for us is
the cold hillside, and emptiness, and the laughter of the elves.'