After this attack (from mail.err.1) there is nothing in the new mail.err log, so nothing since what was written to mail.err.1 on the 15th, though I had more attacks and had to get the IP addresses from the mail.info log since nothing new was written to mail.err. I finally got all the IPs that were attacking blocked and things are back to normal, except still nothing is being written to mail.err. What can I do to get new info written to the mail.err log?
Mar 15 04:21:46 server3 pop3d: Maximum connection limit reached for ::ffff:200.143.142.174
Mar 15 04:21:46 server3 pop3d: Maximum connection limit reached for ::ffff:200.143.142.174
Mar 15 04:21:46 server3 pop3d: Maximum connection limit reached for ::ffff:200.143.142.174
Mar 15 04:21:46 server3 pop3d: Maximum connection limit reached for ::ffff:200.143.142.174
Mar 15 04:21:46 server3 pop3d: Maximum connection limit reached for ::ffff:200.143.142.174
Mar 15 04:21:46 server3 pop3d: Maximum connection limit reached for ::ffff:200.143.142.174
Mar 15 04:21:46 server3 pop3d: Maximum connection limit reached for ::ffff:200.143.142.174
Mar 15 04:21:47 server3 pop3d: Maximum connection limit reached for ::ffff:200.143.142.174
Mar 15 04:21:47 server3 pop3d: Maximum connection limit reached for ::ffff:200.143.142.174
Mar 15 04:21:47 server3 pop3d: Maximum connection limit reached for ::ffff:200.143.142.174
Mar 15 04:21:47 server3 pop3d: Maximum connection limit reached for ::ffff:200.143.142.174
Mar 15 04:21:47 server3 pop3d: Maximum connection limit reached for ::ffff:200.143.142.174
Mar 15 04:21:47 server3 pop3d: Maximum connection limit reached for ::ffff:200.143.142.174
Mar 15 04:21:47 server3 pop3d: Maximum connection limit reached for ::ffff:200.143.142.174
Mar 15 04:21:47 server3 pop3d: Maximum connection limit reached for ::ffff:200.143.142.174
Mar 15 04:21:47 server3 pop3d: Maximum connection limit reached for ::ffff:200.143.142.174
Mar 15 04:21:47 server3 pop3d: Maximum connection limit reached for ::ffff:200.143.142.174
How do you block them? With iptables/route? Then the attackers don't even get to the point where anything is written to the mail error log.
I was manually blocking them because fail2ban was not working on SASL, so there should be entries in mail.err. Please see http://www.howtoforge.com/forums/showthread.php?p=275763#post275763
Sorry, manually adding the IP to iptables. Anyway, on the 20th it was filled with "Maximum connection limit reached" for a single IP, so I guess it's working--I didn't realize it only logged those as errors.
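An added example, not part of the original thread: one way to pull the offending addresses out of pop3d "Maximum connection limit reached" lines instead of reading them off by hand, unwrapping the `::ffff:` IPv4-mapped form so the result can go straight into an iptables rule. The function names, the threshold and the sample lines are assumptions made for this illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the format quoted in the thread. The second address
# is from the RFC 5737 documentation range; the last line is cut short on purpose.
SAMPLE_LOG = """\
Mar 15 04:21:46 server3 pop3d: Maximum connection limit reached for ::ffff:200.143.142.174
Mar 15 04:21:46 server3 pop3d: Maximum connection limit reached for ::ffff:200.143.142.174
Mar 15 04:21:47 server3 pop3d: Maximum connection limit reached for ::ffff:200.143.142.174
Mar 15 04:21:47 server3 pop3d: Maximum connection limit reached for ::ffff:203.0.113.9
Mar 15 04:21:48 server3 postfix/smtpd[1234]: connect from unknown[203.0.113.9]
Mar 15 04:21:48 server3 pop3d: Maximum connection limit reached for
"""

LIMIT_RE = re.compile(r"pop3d: Maximum connection limit reached for (\S+)\s*$")

def normalise(addr):
    """Return the address as text, unwrapping ::ffff:a.b.c.d to a.b.c.d."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None  # garbage or truncated field
    mapped = getattr(ip, "ipv4_mapped", None)  # only IPv6 objects have it
    return str(mapped or ip)

def count_offenders(lines, threshold=3):
    """Count limit-reached events per client; keep those at or over threshold."""
    hits = Counter()
    for line in lines:
        m = LIMIT_RE.search(line)
        ip = normalise(m.group(1)) if m else None
        if ip:
            hits[ip] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

def drop_rules(offenders):
    """Format (not execute) one DROP rule per offender for manual review."""
    rules = []
    for ip in sorted(offenders):
        tool = "ip6tables" if ":" in ip else "iptables"
        rules.append(f"{tool} -I INPUT -s {ip} -j DROP")
    return rules

if __name__ == "__main__":
    for rule in drop_rules(count_offenders(SAMPLE_LOG.splitlines())):
        print(rule)
```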