Is this normal when viewing /var/log/mail.log? These two are repeating a whole lot.... ISPconfig 3.1, Postfix 3.4.7, Dovecot 2.3.4.1

Code:
Dec 9 12:09:56 nyc postfix/smtpd[10113]: disconnect from unknown[185.234.216.87] ehlo=1 auth=0/1 commands=1/2
Dec 9 12:09:56 nyc postfix/smtpd[10113]: connect from unknown[185.234.216.87]
Dec 9 12:09:57 nyc postfix/smtpd[10113]: lost connection after AUTH from unknown[185.234.216.87]
Dec 9 12:09:57 nyc postfix/smtpd[10113]: disconnect from unknown[185.234.216.87] ehlo=1 auth=0/1 commands=1/2
Dec 9 12:09:57 nyc postfix/smtpd[10113]: connect from unknown[185.234.216.87]
Dec 9 12:09:57 nyc postfix/smtpd[10113]: lost connection after AUTH from unknown[185.234.216.87]
Dec 9 12:09:57 nyc postfix/smtpd[10113]: disconnect from unknown[185.234.216.87] ehlo=1 auth=0/1 commands=1/2
Dec 9 12:09:57 nyc postfix/smtpd[10113]: connect from unknown[185.234.216.87]
Dec 9 12:09:58 nyc postfix/smtpd[10113]: lost connection after AUTH from unknown[185.234.216.87]
Dec 9 12:09:58 nyc postfix/smtpd[10113]: disconnect from unknown[185.234.216.87] ehlo=1 auth=0/1 commands=1/2
Dec 9 12:09:58 nyc postfix/smtpd[10113]: connect from unknown[185.234.216.87]
Dec 9 12:09:58 nyc postfix/smtpd[10113]: lost connection after AUTH from unknown[185.234.216.87]
Dec 9 12:09:58 nyc postfix/smtpd[10113]: disconnect from unknown[185.234.216.87] ehlo=1 auth=0/1 commands=1/2
Dec 9 12:09:58 nyc postfix/smtpd[10113]: connect from unknown[185.234.216.87]
Dec 9 12:09:59 nyc postfix/smtpd[10113]: lost connection after AUTH from unknown[185.234.216.87]
Dec 9 12:09:59 nyc postfix/smtpd[10113]: disconnect from unknown[185.234.216.87] ehlo=1 auth=0/1 commands=1/2
Dec 9 12:09:59 nyc postfix/smtpd[10113]: connect from unknown[185.234.216.87]
Dec 9 12:09:59 nyc postfix/smtpd[10113]: lost connection after AUTH from unknown[185.234.216.87]
Dec 9 12:09:59 nyc postfix/smtpd[10113]: disconnect from unknown[185.234.216.87] ehlo=1 auth=0/1 commands=1/2
Dec 9 12:09:59 nyc postfix/smtpd[10113]: connect from unknown[185.234.216.87]

and

Code:
Dec 9 10:25:03 nyc dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<pp/m/0aZOs9/AAAB>
Dec 9 10:25:03 nyc dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<Sh3n/0aZ8t5/AAAB>
Dec 9 10:28:23 nyc postfix/anvil[5979]: statistics: max connection rate 1/60s for (smtp:185.234.219.81) at Dec 9 10:24:02
Dec 9 10:28:23 nyc postfix/anvil[5979]: statistics: max connection count 1 for (smtp:185.234.219.81) at Dec 9 10:24:02
Dec 9 10:28:23 nyc postfix/anvil[5979]: statistics: max cache size 1 at Dec 9 10:24:02
Dec 9 10:30:02 nyc dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<CKO9EUeZSM9/AAAB>
Dec 9 10:30:03 nyc postfix/smtpd[6214]: connect from localhost[127.0.0.1]
Dec 9 10:30:03 nyc postfix/smtpd[6214]: lost connection after CONNECT from localhost[127.0.0.1]
Dec 9 10:30:03 nyc postfix/smtpd[6214]: disconnect from localhost[127.0.0.1] commands=0/0
Dec 9 10:30:03 nyc dovecot: pop3-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<iHjBEUeZAN9/AAAB>
Dec 9 10:30:52 nyc postfix/smtpd[6214]: connect from unknown[185.234.219.82]
Dec 9 10:30:53 nyc postfix/smtpd[6214]: lost connection after AUTH from unknown[185.234.219.82]
Dec 9 10:30:53 nyc postfix/smtpd[6214]: disconnect from unknown[185.234.219.82] ehlo=1 auth=0/1 commands=1/2
Dec 9 10:34:13 nyc postfix/anvil[6220]: statistics: max connection rate 1/60s for (smtp:185.234.219.82) at Dec 9 10:30:52
Dec 9 10:34:13 nyc postfix/anvil[6220]: statistics: max connection count 1 for (smtp:185.234.219.82) at Dec 9 10:30:52
Dec 9 10:34:13 nyc postfix/anvil[6220]: statistics: max cache size 1 at Dec 9 10:30:52
Dec 9 10:35:02 nyc dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<WlyfI0eZWM9/AAAB>
Dec 9 10:35:02 nyc dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<1iKgI0eZEN9/AAAB>
Dec 9 10:35:03 nyc postfix/smtpd[6344]: connect from localhost[127.0.0.1]
Dec 9 10:35:03 nyc postfix/smtpd[6344]: lost connection after CONNECT from localhost[127.0.0.1]
Dec 9 10:35:03 nyc postfix/smtpd[6344]: disconnect from localhost[127.0.0.1] commands=0/0
Dec 9 10:38:36 nyc postfix/smtpd[6395]: connect from unknown[185.234.219.81]
Dec 9 10:38:36 nyc postfix/smtpd[6395]: lost connection after AUTH from unknown[185.234.219.81]
Dec 9 10:38:36 nyc postfix/smtpd[6395]: disconnect from unknown[185.234.219.81] ehlo=1 auth=0/1 commands=1/2
Dec 9 10:40:03 nyc postfix/smtpd[6395]: connect from localhost[127.0.0.1]
Dec 9 10:40:03 nyc postfix/smtpd[6395]: lost connection after CONNECT from localhost[127.0.0.1]
Dec 9 10:40:04 nyc postfix/smtpd[6395]: disconnect from localhost[127.0.0.1] commands=0/0
Dec 9 10:40:04 nyc dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<TDCSNUeZZs9/AAAB>
Dec 9 10:40:04 nyc dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<VliSNUeZHt9/AAAB>
Dec 9 10:43:24 nyc postfix/anvil[6397]: statistics: max connection rate 1/60s for (smtp:185.234.219.81) at Dec 9 10:38:36
Dec 9 10:43:24 nyc postfix/anvil[6397]: statistics: max connection count 1 for (smtp:185.234.219.81) at Dec 9 10:38:36
Dec 9 10:43:24 nyc postfix/anvil[6397]: statistics: max cache size 1 at Dec 9 10:38:36
Dec 9 10:44:22 nyc postfix/smtpd[6688]: connect from unknown[185.234.219.82]
Dec 9 10:44:22 nyc postfix/smtpd[6688]: lost connection after AUTH from unknown[185.234.219.82]
Dec 9 10:44:22 nyc postfix/smtpd[6688]: disconnect from unknown[185.234.219.82] ehlo=1 auth=0/1 commands=1/2
Dec 9 10:45:02 nyc postfix/smtpd[6688]: connect from localhost[127.0.0.1]
Dec 9 10:45:02 nyc postfix/smtpd[6688]: lost connection after CONNECT from localhost[127.0.0.1]
Dec 9 10:45:02 nyc postfix/smtpd[6688]: disconnect from localhost[127.0.0.1] commands=0/0
Dec 9 10:45:03 nyc dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<BiBlR0eZds9/AAAB>
Dec 9 10:45:03 nyc dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<EzNmR0eZLt9/AAAB>
Dec 9 10:48:23 nyc postfix/anvil[6690]: statistics: max connection rate 1/60s for (smtp:185.234.219.82) at Dec 9 10:44:22
Dec 9 10:48:23 nyc postfix/anvil[6690]: statistics: max connection count 1 for (smtp:185.234.219.82) at Dec 9 10:44:22
Dec 9 10:48:23 nyc postfix/anvil[6690]: statistics: max cache size 1 at Dec 9 10:44:22
Dec 9 10:50:02 nyc dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<WL1EWUeZhs9/AAAB>
Dec 9 10:50:03 nyc dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<8OhFWUeZPt9/AAAB>
Dec 9 10:50:03 nyc postfix/smtpd[6880]: connect from localhost[127.0.0.1]
Dec 9 10:50:03 nyc postfix/smtpd[6880]: lost connection after CONNECT from localhost[127.0.0.1]
Dec 9 10:50:03 nyc postfix/smtpd[6880]: disconnect from localhost[127.0.0.1] commands=0/0
Dec 9 10:52:59 nyc postfix/smtpd[6916]: connect from unknown[185.234.219.81]
Dec 9 10:53:00 nyc postfix/smtpd[6916]: lost connection after AUTH from unknown[185.234.219.81]
Dec 9 10:53:00 nyc postfix/smtpd[6916]: disconnect from unknown[185.234.219.81] ehlo=1 auth=0/1 commands=1/2
Dec 9 10:55:03 nyc dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<tYUwa0eZls9/AAAB>
Dec 9 10:55:03 nyc dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<kGQya0eZTt9/AAAB>
Dec 9 10:55:03 nyc postfix/smtpd[7016]: connect from localhost[127.0.0.1]
Dec 9 10:55:03 nyc postfix/smtpd[7016]: lost connection after CONNECT from localhost[127.0.0.1]
Dec 9 10:55:03 nyc postfix/smtpd[7016]: disconnect from localhost[127.0.0.1] commands=0/0
Dec 9 10:56:20 nyc postfix/anvil[6921]: statistics: max connection rate 1/60s for (smtp:185.234.219.81) at Dec 9 10:52:59
Dec 9 10:56:20 nyc postfix/anvil[6921]: statistics: max connection count 1 for (smtp:185.234.219.81) at Dec 9 10:52:59
Dec 9 10:56:20 nyc postfix/anvil[6921]: statistics: max cache size 1 at Dec 9 10:52:59
Dec 9 10:57:47 nyc postfix/smtpd[7054]: connect from unknown[185.234.219.82]
Dec 9 10:57:48 nyc postfix/smtpd[7054]: lost connection after AUTH from unknown[185.234.219.82]
Dec 9 10:57:48 nyc postfix/smtpd[7054]: disconnect from unknown[185.234.219.82] ehlo=1 auth=0/1 commands=1/2
Dec 9 11:00:03 nyc dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<B6kNfUeZpM9/AAAB>
The newer versions of fail2ban (I'm using the one in the Debian 10 "Buster" repos) have far more options for postfix, including a "ddos" mode that checks specifically for those very log entries. The "aggressive" mode includes the "auth", "normal" and "ddos" modes, so I'd recommend trying the following:

In /etc/fail2ban/jail.local:

1. Comment out the entire [postfix-sasl] section (its mode is included in the "aggressive" mode)
2. Add the following section:

Code:
[postfix-aggressive]
enabled = true
filter = postfix[mode=aggressive]
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s

Adjust "bantime" and "maxretry" to your tastes and needs. Personally, I like setting bantime to at least 24 hours and maxretry to 1 (I know all my users, so if any of them get locked out for some dumb reason, I know I'll hear from them pretty quickly).

Let me know if that works. I've just made that adjustment to the new server I'm setting up and haven't had an opportunity to find out how well it works yet.

Cheers
—Dan