I checked my maillog today and I am getting thousands of "SASL LOGIN authentication failed" from comcast in Seattle:

postfix/smtpd[29140]: warning: 74-93-110-77-Seattle.hfc.comcastbusiness.net[74.93.110.77]: SASL LOGIN authentication failed:

I've tried to block that IP with:

iptables -A INPUT -s 74.93.110.77 -j DROP
and
iptables -A INPUT -s 74.93.110.77 -p tcp --destination-port 80 -j DROP

but I still see login failures. I did a google and hfc.comcastbusiness.net is listed in one blacklist. I only have about 5-10 virtual email users, to whom I forward any necessary mail. So whoever this is should not be trying to get into my system. Is there anything else I can do? Thanks LP
I had the same problem but with: 24-178-116-148.dhcp.thtn.ga.charter.com[24.178.116.148]: SASL LOGIN authentication failed: authentication failure. I think we need to put some limitations in place and block anyone who tries to log in too many times.
Thank you falko. I have now installed fail2ban and activated it on SASL with the following regex: "\[<HOST>\]: SASL LOGIN authentication failed: authentication failure". And I checked the regex with:

fail2ban-regex /var/log/mail.log "\[<HOST>\]: SASL LOGIN authentication failed: authentication failure"

It found 3500 matches, so I hope that does the trick.
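What fail2ban does with that filter, shown as an added Python example (not code from this thread or from fail2ban itself): it applies the same "SASL LOGIN authentication failed" pattern to a few constructed mail.log lines modelled on the ones quoted above, counts failures per client IP inside a time window, and reports the hosts that cross a maxretry threshold. The sample lines, the year, and the maxretry/findtime values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The thread's fail2ban pattern with <HOST> replaced by a named group, plus the syslog prefix.
SASL_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: warning: "
    r"\S*\[(?P<host>[0-9a-fA-F.:]+)\]: SASL LOGIN authentication failed"
)

# Constructed sample log lines (assumed), modelled on the ones quoted in the thread.
SAMPLE_LOG = """\
Mar  3 10:00:01 mx postfix/smtpd[29140]: warning: 74-93-110-77-Seattle.hfc.comcastbusiness.net[74.93.110.77]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:00:05 mx postfix/smtpd[29140]: warning: 74-93-110-77-Seattle.hfc.comcastbusiness.net[74.93.110.77]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:00:09 mx postfix/smtpd[29141]: warning: 24-178-116-148.dhcp.thtn.ga.charter.com[24.178.116.148]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:00:12 mx postfix/smtpd[29140]: warning: 74-93-110-77-Seattle.hfc.comcastbusiness.net[74.93.110.77]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:00:20 mx postfix/smtpd[29142]: connect from unknown[192.0.2.10]
Mar  3 10:30:00 mx postfix/smtpd[29140]: warning: 74-93-110-77-Seattle.hfc.comcastbusiness.net[74.93.110.77]: SASL LOGIN authentication failed: authentication failure
"""

def parse_failures(log_text, year=2024):
    """Yield (timestamp, host) for every line matching the SASL failure pattern."""
    for line in log_text.splitlines():
        m = SASL_FAIL.match(line)
        if m:
            # syslog timestamps carry no year; an assumed year makes them comparable
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            yield ts, m.group("host")

def offenders(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Return {host: total failures} for hosts with >= maxretry failures in any findtime window."""
    by_host = defaultdict(list)
    for ts, host in parse_failures(log_text):
        by_host[host].append(ts)
    banned = {}
    for host, times in by_host.items():
        times.sort()
        for i in range(len(times)):
            # failures that fall within findtime of the i-th one (sliding window)
            window = [t for t in times[i:] if t - times[i] <= findtime]
            if len(window) >= maxretry:
                banned[host] = len(times)
                break
    return banned

if __name__ == "__main__":
    for host, count in offenders(SAMPLE_LOG).items():
        print(f"{host}: {count} failures, would be banned")
```

Running it against the sample lines bans only 74.93.110.77; the charter host has a single failure and stays under the threshold, which is the behaviour the thread's jail relies on.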