We have had a lot of problems with mail, and finally we rebuilt a new server, and we began to work with it this Monday (2 days ago). But we still have problems with mail, and today I thought to read mail.log. When I accessed the var folder, I found a huge file (split in 2 parts, mail.log and mail.log.1), sizes of 10 MB and 2 MB, and when I read it I found entries every FIVE seconds!! Like this:

Apr 8 17:40:02 mnsvr postfix/smtpd[20610]: lost connection after CONNECT from localhost[::1]
Apr 8 17:40:02 mnsvr postfix/smtpd[20610]: disconnect from localhost[::1] commands=0/0
Apr 8 17:40:02 mnsvr dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<vdNEUMmiAOkAAAAAAAAAAAAAAAAAAAAB>
Apr 8 17:40:02 mnsvr dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<l+REUMmiNtAAAAAAAAAAAAAAAAAAAAAB>
Apr 8 17:40:11 mnsvr postfix/smtpd[20212]: warning: hostname ip-38-82.ZervDNS does not resolve to address 92.118.38.82: Name or service not known
Apr 8 17:40:11 mnsvr postfix/smtpd[20212]: connect from unknown[92.118.38.82]
Apr 8 17:40:14 mnsvr postfix/smtpd[18461]: connect from unknown[45.142.195.2]
Apr 8 17:40:22 mnsvr postfix/smtpd[18461]: warning: unknown[45.142.195.2]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 8 17:40:22 mnsvr postfix/smtpd[20212]: warning: unknown[92.118.38.82]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 8 17:40:22 mnsvr postfix/smtpd[20212]: disconnect from unknown[92.118.38.82] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Apr 8 17:40:22 mnsvr postfix/smtpd[18461]: disconnect from unknown[45.142.195.2] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Apr 8 17:40:36 mnsvr postfix/smtpd[20610]: connect from unknown[185.234.218.246]
Apr 8 17:40:38 mnsvr postfix/smtpd[20610]: warning: unknown[185.234.218.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 8 17:40:38 mnsvr postfix/smtpd[20610]: disconnect from unknown[185.234.218.246] ehlo=1 auth=0/1 quit=1 commands=2/3
Apr 8 17:40:45 mnsvr postfix/smtpd[18461]: warning: hostname ip-38-82.ZervDNS does not resolve to address 92.118.38.82: Name or service not known
Apr 8 17:40:45 mnsvr postfix/smtpd[18461]: connect from unknown[92.118.38.82]
Apr 8 17:40:56 mnsvr postfix/smtpd[18461]: warning: unknown[92.118.38.82]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 8 17:40:56 mnsvr postfix/smtpd[18461]: disconnect from unknown[92.118.38.82] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Apr 8 17:41:05 mnsvr postfix/smtpd[20212]: connect from unknown[45.142.195.2]
Apr 8 17:41:13 mnsvr postfix/smtpd[20212]: warning: unknown[45.142.195.2]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 8 17:41:13 mnsvr postfix/smtpd[20212]: disconnect from unknown[45.142.195.2] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Apr 8 17:41:19 mnsvr postfix/smtpd[18461]: warning: hostname ip-38-82.ZervDNS does not resolve to address 92.118.38.82: Name or service not known
Apr 8 17:41:19 mnsvr postfix/smtpd[18461]: connect from unknown[92.118.38.82]
Apr 8 17:41:30 mnsvr postfix/smtpd[18461]: warning: unknown[92.118.38.82]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 8 17:41:32 mnsvr postfix/smtpd[18461]: disconnect from unknown[92.118.38.82] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Apr 8 17:41:52 mnsvr postfix/smtpd[20610]: warning: hostname ip-38-82.ZervDNS does not resolve to address 92.118.38.82: Name or service not known
Apr 8 17:41:52 mnsvr postfix/smtpd[20610]: connect from unknown[92.118.38.82]
Apr 8 17:41:56 mnsvr postfix/smtpd[20212]: connect from unknown[45.142.195.2]
Apr 8 17:42:03 mnsvr postfix/smtpd[20610]: warning: unknown[92.118.38.82]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 8 17:42:03 mnsvr postfix/smtpd[20610]: disconnect from unknown[92.118.38.82] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Apr 8 17:42:04 mnsvr postfix/smtpd[20212]: warning: unknown[45.142.195.2]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 8 17:42:05 mnsvr postfix/smtpd[20212]: disconnect from unknown[45.142.195.2] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Apr 8 17:42:26 mnsvr postfix/smtpd[18461]: warning: hostname ip-38-82.ZervDNS does not resolve to address 92.118.38.82: Name or service not known
Apr 8 17:42:26 mnsvr postfix/smtpd[18461]: connect from unknown[92.118.38.82]
Apr 8 17:42:37 mnsvr postfix/smtpd[18461]: warning: unknown[92.118.38.82]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 8 17:42:37 mnsvr postfix/smtpd[18461]: disconnect from unknown[92.118.38.82] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Apr 8 17:42:47 mnsvr postfix/smtpd[20610]: connect from unknown[45.142.195.2]
Apr 8 17:42:55 mnsvr postfix/smtpd[20610]: warning: unknown[45.142.195.2]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 8 17:42:55 mnsvr postfix/smtpd[20610]: disconnect from unknown[45.142.195.2] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Apr 8 17:43:00 mnsvr postfix/smtpd[20212]: warning: hostname ip-38-82.ZervDNS does not resolve to address 92.118.38.82: Name or service not known
Apr 8 17:43:00 mnsvr postfix/smtpd[20212]: connect from unknown[92.118.38.82]
Apr 8 17:43:11 mnsvr postfix/smtpd[20212]: warning: unknown[92.118.38.82]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 8 17:43:11 mnsvr postfix/smtpd[20212]: disconnect from unknown[92.118.38.82] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4

What can I do???? Is it an attempt to hack me? How can I block it? Tx in advance.

Yes, I followed the perfect server guide. I checked, it works (systemctl status fail2ban.service gives OK). Can you tell me how to read (understand) the entries of mail.log? Tx in advance.
The log files are really small, a huge log file would be gigabytes in size. So that's nothing to worry about. Nonetheless, you should check why fail2ban does not ban the failed login attempts. You should check the fail2ban log to see if you have any bans in there for the mail / smtp system.
OK Till, but this is my first time with fail2ban.log:

2020-04-08 21:27:10,172 fail2ban.filter [931]: INFO [sshd] Found 114.67.95.121 - 2020-04-08 21:27:10
2020-04-08 21:27:12,878 fail2ban.filter [931]: INFO [sshd] Found 114.67.95.121 - 2020-04-08 21:27:12
2020-04-08 21:27:19,018 fail2ban.filter [931]: INFO [sshd] Found 157.230.230.152 - 2020-04-08 21:27:18
2020-04-08 21:27:19,019 fail2ban.filter [931]: INFO [sshd] Found 157.230.230.152 - 2020-04-08 21:27:18
2020-04-08 21:27:19,640 fail2ban.actions [931]: NOTICE [sshd] Ban 157.230.230.152
2020-04-08 21:27:20,625 fail2ban.filter [931]: INFO [sshd] Found 157.230.230.152 - 2020-04-08 21:27:20
2020-04-08 21:27:40,348 fail2ban.filter [931]: INFO [sshd] Found 193.112.102.52 - 2020-04-08 21:27:40
2020-04-08 21:27:40,352 fail2ban.filter [931]: INFO [sshd] Found 193.112.102.52 - 2020-04-08 21:27:40
2020-04-08 21:27:42,104 fail2ban.filter [931]: INFO [sshd] Found 193.112.102.52 - 2020-04-08 21:27:42
2020-04-08 21:28:19,751 fail2ban.actions [931]: NOTICE [sshd] Unban 139.217.96.76
2020-04-08 21:28:57,687 fail2ban.filter [931]: INFO [sshd] Found 103.16.202.174 - 2020-04-08 21:28:57
2020-04-08 21:28:57,689 fail2ban.filter [931]: INFO [sshd] Found 103.16.202.174 - 2020-04-08 21:28:57
2020-04-08 21:29:00,396 fail2ban.filter [931]: INFO [sshd] Found 103.16.202.174 - 2020-04-08 21:28:59
2020-04-08 21:29:23,868 fail2ban.actions [931]: NOTICE [sshd] Unban 123.143.3.45
2020-04-08 21:29:38,867 fail2ban.filter [931]: INFO [sshd] Found 220.76.205.178 - 2020-04-08 21:29:38
2020-04-08 21:29:38,869 fail2ban.filter [931]: INFO [sshd] Found 220.76.205.178 - 2020-04-08 21:29:38
2020-04-08 21:29:38,898 fail2ban.filter [931]: INFO [sshd] Found 106.13.139.111 - 2020-04-08 21:29:38
2020-04-08 21:29:38,901 fail2ban.filter [931]: INFO [sshd] Found 106.13.139.111 - 2020-04-08 21:29:38
2020-04-08 21:29:40,506 fail2ban.filter [931]: INFO [sshd] Found 220.76.205.178 - 2020-04-08 21:29:40
2020-04-08 21:29:40,854 fail2ban.filter [931]: INFO [sshd] Found 106.13.139.111 - 2020-04-08 21:29:40
2020-04-08 21:30:04,446 fail2ban.filter [931]: INFO [sshd] Found 139.217.96.76 - 2020-04-08 21:30:04
2020-04-08 21:30:04,449 fail2ban.filter [931]: INFO [sshd] Found 139.217.96.76 - 2020-04-08 21:30:04
2020-04-08 21:30:07,155 fail2ban.filter [931]: INFO [sshd] Found 139.217.96.76 - 2020-04-08 21:30:06
2020-04-08 21:30:10,693 fail2ban.filter [931]: INFO [sshd] Found 106.13.49.213 - 2020-04-08 21:30:10
2020-04-08 21:30:10,696 fail2ban.filter [931]: INFO [sshd] Found 106.13.49.213 - 2020-04-08 21:30:10
2020-04-08 21:30:10,704 fail2ban.filter [931]: INFO [sshd] Found 123.143.3.45 - 2020-04-08 21:30:10
2020-04-08 21:30:10,708 fail2ban.filter [931]: INFO [sshd] Found 123.143.3.45 - 2020-04-08 21:30:10
2020-04-08 21:30:11,155 fail2ban.actions [931]: NOTICE [sshd] Ban 106.13.49.213
2020-04-08 21:30:13,415 fail2ban.filter [931]: INFO [sshd] Found 106.13.49.213 - 2020-04-08 21:30:13
2020-04-08 21:30:13,416 fail2ban.filter [931]: INFO [sshd] Found 123.143.3.45 - 2020-04-08 21:30:13
2020-04-08 21:31:51,002 fail2ban.filter [931]: INFO [sshd] Found 106.54.40.11 - 2020-04-08 21:31:51
2020-04-08 21:31:51,006 fail2ban.filter [931]: INFO [sshd] Found 106.54.40.11 - 2020-04-08 21:31:51
2020-04-08 21:31:53,712 fail2ban.filter [931]: INFO [sshd] Found 106.54.40.11 - 2020-04-08 21:31:53
2020-04-08 21:32:15,756 fail2ban.filter [931]: INFO [sshd] Found 104.236.226.93 - 2020-04-08 21:32:15
2020-04-08 21:32:15,759 fail2ban.filter [931]: INFO [sshd] Found 104.236.226.93 - 2020-04-08 21:32:15
2020-04-08 21:32:18,465 fail2ban.filter [931]: INFO [sshd] Found 104.236.226.93 - 2020-04-08 21:32:17
2020-04-08 21:32:30,974 fail2ban.filter [931]: INFO [sshd] Found 106.13.139.111 - 2020-04-08 21:32:30
2020-04-08 21:32:30,977 fail2ban.filter [931]: INFO [sshd] Found 106.13.139.111 - 2020-04-08 21:32:30
2020-04-08 21:32:31,394 fail2ban.actions [931]: NOTICE [sshd] Ban 106.13.139.111
2020-04-08 21:32:32,875 fail2ban.filter [931]: INFO [sshd] Found 106.13.139.111 - 2020-04-08 21:32:32
2020-04-08 21:32:52,287 fail2ban.filter [931]: INFO [sshd] Found 118.25.107.82 - 2020-04-08 21:32:52
2020-04-08 21:32:54,993 fail2ban.filter [931]: INFO [sshd] Found 118.25.107.82 - 2020-04-08 21:32:54
2020-04-08 21:33:03,461 fail2ban.actions [931]: NOTICE [sshd] Unban 183.63.172.108
2020-04-08 21:33:41,603 fail2ban.filter [931]: INFO [sshd] Found 139.217.227.32 - 2020-04-08 21:33:41
2020-04-08 21:33:41,609 fail2ban.filter [931]: INFO [sshd] Found 139.217.227.32 - 2020-04-08 21:33:41
2020-04-08 21:33:43,585 fail2ban.filter [931]: INFO [sshd] Found 139.217.227.32 - 2020-04-08 21:33:43
2020-04-08 21:34:07,887 fail2ban.filter [931]: INFO [sshd] Found 139.217.96.76 - 2020-04-08 21:34:07
2020-04-08 21:34:07,889 fail2ban.filter [931]: INFO [sshd] Found 139.217.96.76 - 2020-04-08 21:34:07
2020-04-08 21:34:08,180 fail2ban.actions [931]: NOTICE [sshd] Ban 139.217.96.76
2020-04-08 21:34:09,495 fail2ban.filter [931]: INFO [sshd] Found 139.217.96.76 - 2020-04-08 21:34:09
2020-04-08 21:34:13,571 fail2ban.filter [931]: INFO [sshd] Found 114.67.95.121 - 2020-04-08 21:34:13
2020-04-08 21:34:15,607 fail2ban.filter [931]: INFO [sshd] Found 114.67.95.121 - 2020-04-08 21:34:15
2020-04-08 21:34:16,207 fail2ban.actions [931]: NOTICE [sshd] Ban 114.67.95.121
2020-04-08 21:34:23,952 fail2ban.filter [931]: INFO [sshd] Found 183.63.172.108 - 2020-04-08 21:34:23
2020-04-08 21:34:25,992 fail2ban.filter [931]: INFO [sshd] Found 183.63.172.108 - 2020-04-08 21:34:25
2020-04-08 21:34:28,499 fail2ban.filter [931]: INFO [sshd] Found 220.76.205.178 - 2020-04-08 21:34:28
2020-04-08 21:34:28,502 fail2ban.filter [931]: INFO [sshd] Found 220.76.205.178 - 2020-04-08 21:34:28
2020-04-08 21:34:28,841 fail2ban.actions [931]: NOTICE [sshd] Ban 220.76.205.178
2020-04-08 21:34:30,601 fail2ban.filter [931]: INFO [sshd] Found 220.76.205.178 - 2020-04-08 21:34:30
2020-04-08 21:35:40,173 fail2ban.filter [931]: INFO [sshd] Found 123.143.3.45 - 2020-04-08 21:35:39
2020-04-08 21:35:40,174 fail2ban.filter [931]: INFO [sshd] Found 123.143.3.45 - 2020-04-08 21:35:39
2020-04-08 21:35:40,973 fail2ban.actions [931]: NOTICE [sshd] Ban 123.143.3.45
2020-04-08 21:35:41,780 fail2ban.filter [931]: INFO [sshd] Found 123.143.3.45 - 2020-04-08 21:35:41
2020-04-08 21:36:08,758 fail2ban.filter [931]: INFO [sshd] Found 139.217.227.32 - 2020-04-08 21:36:08
2020-04-08 21:36:08,761 fail2ban.filter [931]: INFO [sshd] Found 139.217.227.32 - 2020-04-08 21:36:08
2020-04-08 21:36:09,025 fail2ban.actions [931]: NOTICE [sshd] Ban 139.217.227.32
2020-04-08 21:36:11,469 fail2ban.filter [931]: INFO [sshd] Found 139.217.227.32 - 2020-04-08 21:36:10
2020-04-08 21:36:59,120 fail2ban.actions [931]: NOTICE [sshd] Unban 129.28.165.178
2020-04-08 21:37:01,139 fail2ban.actions [931]: NOTICE [sshd] Unban 106.54.139.117
2020-04-08 21:37:19,182 fail2ban.actions [931]: NOTICE [sshd] Unban 157.230.230.152
2020-04-08 21:37:23,381 fail2ban.filter [931]: INFO [sshd] Found 106.54.139.117 - 2020-04-08 21:37:22
2020-04-08 21:37:23,383 fail2ban.filter [931]: INFO [sshd] Found 106.54.139.117 - 2020-04-08 21:37:22
2020-04-08 21:37:25,169 fail2ban.filter [931]: INFO [sshd] Found 106.54.139.117 - 2020-04-08 21:37:25
2020-04-08 21:37:35,782 fail2ban.filter [931]: INFO [sshd] Found 183.63.172.108 - 2020-04-08 21:37:35
2020-04-08 21:37:35,783 fail2ban.filter [931]: INFO [sshd] Found 183.63.172.108 - 2020-04-08 21:37:35
2020-04-08 21:37:37,884 fail2ban.filter [931]: INFO [sshd] Found 183.63.172.108 - 2020-04-08 21:37:37
2020-04-08 21:37:38,427 fail2ban.actions [931]: NOTICE [sshd] Ban 183.63.172.108
2020-04-08 21:37:38,863 fail2ban.filter [931]: INFO [sshd] Found 129.28.165.178 - 2020-04-08 21:37:38
2020-04-08 21:37:38,864 fail2ban.filter [931]: INFO [sshd] Found 129.28.165.178 - 2020-04-08 21:37:38
2020-04-08 21:37:40,606 fail2ban.filter [931]: INFO [sshd] Found 129.28.165.178 - 2020-04-08 21:37:40
2020-04-08 21:38:56,385 fail2ban.filter [931]: INFO [sshd] Found 193.112.102.52 - 2020-04-08 21:38:56
2020-04-08 21:38:56,387 fail2ban.filter [931]: INFO [sshd] Found 193.112.102.52 - 2020-04-08 21:38:56
2020-04-08 21:38:58,274 fail2ban.filter [931]: INFO [sshd] Found 193.112.102.52 - 2020-04-08 21:38:58
2020-04-08 21:39:08,959 fail2ban.filter [931]: INFO [sshd] Found 106.54.139.117 - 2020-04-08 21:39:08
2020-04-08 21:39:08,963 fail2ban.filter [931]: INFO [sshd] Found 106.54.139.117 - 2020-04-08 21:39:08
2020-04-08 21:39:09,188 fail2ban.actions [931]: NOTICE [sshd] Ban 106.54.139.117
2020-04-08 21:39:10,832 fail2ban.filter [931]: INFO [sshd] Found 106.54.139.117 - 2020-04-08 21:39:10
2020-04-08 21:40:11,303 fail2ban.actions [931]: NOTICE [sshd] Unban 106.13.49.213

What is the meaning of the "unban" lines??

It means the ban time is up, so fail2ban removed the temporary ban. You can create more jails with other settings to block repeated offenders longer, and/or look into using the recidive jail.
In the standard settings the ban time is quite short. (If you have a lot of users and they have a problem with their client, you don't want to ban them too long). If you know your users and they have correctly set up their clients, then you could increase the ban time. For example, for SSH I block for a week after 2nd try (all users use keyfiles) and for mail 2 days. If a user has a problem I know they call me and I could unban them manually. But that depends on your setup / usage of the server.

For global settings see: /etc/fail2ban/jail.conf
Do your changes in: /etc/fail2ban/jail.local

For example:
Code:
[postfix-sasl]
enabled = true
port = smtp,ssmtp,submission
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 4
bantime = 48h

You can also have a look at the ipset-blacklist project to block botnets, etc. proactively in the firewall: https://github.com/trick77/ipset-blacklist
Be aware that this can lead to false positives (blocking your users) if not carefully selecting the blocklists.

It seems you only have fail2ban to block ssh attacks. You can use fail2ban-client status to see active jails. Then you can see IPs blocked on this jail with fail2ban-client status jailname, i.e. fail2ban-client status sshd
Thanks for your two concepts, you are right, and now I have learned 2 new things. I tried "fail2ban-client status" with postfix, dovecot and pure-ftpd, but I only see ban info in the sshd section:

Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- File list: /var/log/auth.log
`- Actions
   |- Currently banned: 6
   |- Total banned: 7
   `- Banned IP list: 103.40.247.105 104.211.216.173 106.13.18.86 178.128.56.89 49.234.108.12 65.97.0.208

but in the other option:

Status for the jail: postfix (similar in dovecot and pure-ftpd)
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- File list: /var/log/mail.log
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:

But I activated it in /etc/fail2ban/jail.local with your settings (copy and paste) [I had a POSTFIX section, not POSTFIX-SASL], but after reboot, same info in "fail2ban-client status", and if I check mail.log, I see the same entries (after reboot with new settings):

Apr 9 14:36:52 mnsvr postfix/smtpd[1734]: connect from unknown[141.98.10.141]
Apr 9 14:36:54 mnsvr postfix/smtpd[1734]: warning: unknown[141.98.10.141]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 9 14:36:54 mnsvr postfix/smtpd[1734]: disconnect from unknown[141.98.10.141] ehlo=1 auth=0/1 quit=1 commands=2/3
Apr 9 14:36:54 mnsvr postfix/smtpd[1708]: warning: hostname ip-38-66.ZervDNS does not resolve to address 92.118.38.66: Name or service not known
Apr 9 14:36:54 mnsvr postfix/smtpd[1708]: connect from unknown[92.118.38.66]
Apr 9 14:37:01 mnsvr postfix/smtpd[2182]: warning: hostname ip-38-82.ZervDNS does not resolve to address 92.118.38.82: Name or service not known
Apr 9 14:37:01 mnsvr postfix/smtpd[2182]: connect from unknown[92.118.38.82]
Apr 9 14:37:01 mnsvr postfix/smtpd[1708]: warning: unknown[92.118.38.66]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 9 14:37:01 mnsvr postfix/smtpd[1708]: disconnect from unknown[92.118.38.66] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Apr 9 14:37:03 mnsvr postfix/smtpd[1734]: connect from unknown[45.142.195.2]
Apr 9 14:37:11 mnsvr postfix/smtpd[1734]: warning: unknown[45.142.195.2]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 9 14:37:11 mnsvr postfix/smtpd[1734]: disconnect from unknown[45.142.195.2] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Apr 9 14:37:12 mnsvr postfix/smtpd[2182]: warning: unknown[92.118.38.82]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

Why does this data repeat so often? Is it a user or a password? "UGFzc3dvcmQ6" Tx in advance.

they're not repeating all that often....

Apr 9 14:37:03 mnsvr postfix/smtpd[1734]: connect from unknown[45.142.195.2]
Apr 9 14:37:11 mnsvr postfix/smtpd[1734]: warning: unknown[45.142.195.2]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 9 14:37:11 mnsvr postfix/smtpd[1734]: disconnect from unknown[45.142.195.2] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Apr 9 14:37:12 mnsvr postfix/smtpd[2182]: warning: unknown[92.118.38.82]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

all of that is only the logging for one single login attempt from that ip. you're going to get very used to seeing that in the mail log file. there will be lots of them. each set of log entries like above will result in a line like

2020-04-08 21:38:56,385 fail2ban.filter [931]: INFO [postfix-sasl] Found 45.142.192.2 - 2020-04-08 21:38:56

in your /var/log/fail2ban.log file. notice they're timestamped, fail2ban will have a default findtime in jail.conf (or you can set a different time in each jail) eg 10 minutes. if the number of times the ip is found exceeds the maxretry setting, within the specified findtime period, it will ban the ip for whatever time period is set in bantime.

the ban is only logged in the fail2ban log, you won't see anything about it in the mail.log, you won't even see new entries like

Apr 9 14:37:03 mnsvr postfix/smtpd[1734]: connect from unknown[45.142.195.2]

for that banned ip being added to your mail.log file whilst the ban is in place. if you're only seeing, eg one or two login attempts from a specific ip in any, say, 15 minute period, it's not going to get banned, well, not unless you're being extremely draconian on allowing failed login attempts.
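
The findtime / maxretry counting described in the last post, together with the "UGFzc3dvcmQ6" token asked about earlier (it is base64 for "Password:", the prompt of the LOGIN mechanism, not a user name or password), as an added example that is not part of the original thread and is not fail2ban's own code. Assumptions: the regex is a simplified stand-in for the postfix-sasl filter, the log lines and IP addresses are constructed, the function names are hypothetical, and a ban is modelled as the failure count inside a sliding findtime window reaching maxretry.

```python
import base64
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified pattern for this example only; it is NOT fail2ban's postfix-sasl failregex.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: warning: "
    r"\S+\[(?P<ip>[^\]]+)\]: SASL \w+ authentication failed: (?P<token>\S*)")

def _fail(ts, ip):
    """Build one constructed failure line in the format quoted in the thread."""
    return (f"Apr 9 {ts} mnsvr postfix/smtpd[1734]: warning: unknown[{ip}]: "
            "SASL LOGIN authentication failed: UGFzc3dvcmQ6")

# Constructed sample (documentation-range IPs, not the addresses from the thread).
SAMPLE_LOG = "\n".join([
    _fail("14:30:00", "198.51.100.7"),      # slow source: one try every 5 minutes
    _fail("14:35:00", "198.51.100.7"),
    "Apr 9 14:36:52 mnsvr postfix/smtpd[1734]: connect from unknown[203.0.113.10]",
    _fail("14:36:54", "203.0.113.10"),      # fast source: one try every 34 seconds
    _fail("14:37:28", "203.0.113.10"),
    _fail("14:38:02", "203.0.113.10"),
    _fail("14:38:36", "203.0.113.10"),
    _fail("14:40:00", "198.51.100.7"),
    _fail("14:41:00", "192.0.2.55"),        # single attempt
    _fail("14:45:00", "198.51.100.7"),
])

def decode_token(token):
    """Decode the base64 text Postfix appends to the 'authentication failed' warning."""
    return base64.b64decode(token).decode("ascii", "replace")

def simulate_bans(log_text, maxretry, findtime, year=2020):
    """Return {ip: time of ban}. Model assumed here: an IP is banned when its number
    of failures inside a sliding `findtime` window reaches `maxretry`."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    bans = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m or m["ip"] in bans:   # ignore non-failure lines and banned sources
            continue
        # syslog timestamps carry no year, so one is supplied by the caller
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > findtime:   # drop failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            bans[m["ip"]] = ts
    return bans

if __name__ == "__main__":
    print(decode_token("UGFzc3dvcmQ6"))   # the SASL LOGIN prompt, not a credential
    for findtime in (timedelta(minutes=10), timedelta(hours=1)):
        print(findtime, simulate_bans(SAMPLE_LOG, maxretry=4, findtime=findtime))
```

With findtime at 10 minutes only the fast source is banned; the source that tries once every five minutes is caught only when findtime is raised to an hour.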