Constant saslauthd failures, not being blocked?

SYSTEM INFORMATION
OS type and version: Debian Linux 10.11
Webmin version: 1.981
Virtualmin version: 6.17-3 Pro
Related products version: Postfix v3.4.14, Fail2Ban v0.10.2

I am seeing constant (about one every minute or two) entries in /var/log/auth.log for failed SMTP connection attempts, with no IP address listed:

Dec 23 11:43:59 mondo saslauthd[650]: pam_unix(smtp:auth): check pass; user unknown
Dec 23 11:43:59 mondo saslauthd[650]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Dec 23 11:44:01 mondo saslauthd[650]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Dec 23 11:44:01 mondo saslauthd[650]:                 : auth failure: [user=postmaster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 23 11:44:27 mondo saslauthd[653]: pam_unix(smtp:auth): check pass; user unknown
Dec 23 11:44:27 mondo saslauthd[653]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Dec 23 11:44:29 mondo saslauthd[653]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Dec 23 11:44:29 mondo saslauthd[653]:                 : auth failure: [user=reception] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]

Fail2Ban has the postfix-sasl jail enabled and everything there is default. But it does not seem to be picking the above entries up and blocking them:

fail2ban-client status postfix-sasl
Status for the jail: postfix-sasl
|- Filter
|  |- Currently failed: 5
|  |- Total failed:     43
|  `- File list:        /var/log/mail.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

Any suggestions on what I should check?
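
Added example, not part of the original post: a small Python parser run over the auth.log lines quoted above. It tallies the usernames being tried and shows that every pam_unix failure line has an empty `rhost=`, so these auth.log entries carry no address to ban on, while the jail status above lists only /var/log/mail.log. Function and variable names are illustrative.

```python
import re
from collections import Counter

# Sample input: the saslauthd lines quoted in the post's auth.log excerpt.
SAMPLE = """\
Dec 23 11:43:59 mondo saslauthd[650]: pam_unix(smtp:auth): check pass; user unknown
Dec 23 11:43:59 mondo saslauthd[650]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Dec 23 11:44:01 mondo saslauthd[650]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Dec 23 11:44:01 mondo saslauthd[650]:                 : auth failure: [user=postmaster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Dec 23 11:44:27 mondo saslauthd[653]: pam_unix(smtp:auth): check pass; user unknown
Dec 23 11:44:27 mondo saslauthd[653]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Dec 23 11:44:29 mondo saslauthd[653]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Dec 23 11:44:29 mondo saslauthd[653]:                 : auth failure: [user=reception] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
"""

# pam_unix failure line: key=value pairs, including rhost= (the remote host).
PAM_FAIL = re.compile(r"saslauthd\[\d+\]: pam_unix\([^)]*\): authentication failure;(?P<kv>.*)$")
# saslauthd summary line: bracketed [key=value] fields.
SASL_FAIL = re.compile(r"saslauthd\[\d+\]:\s*: auth failure: (?P<fields>(?:\[[^\]]*\]\s*)+)$")
KV = re.compile(r"(\w+)=(\S*)")
FIELD = re.compile(r"\[(\w+)=([^\]]*)\]")


def summarize(text):
    """Return attempted (user, service, mech) counts and the rhost values seen."""
    users = Counter()
    rhosts = []
    for line in text.splitlines():
        m = PAM_FAIL.search(line)
        if m:
            rhosts.append(dict(KV.findall(m.group("kv"))).get("rhost", ""))
            continue
        m = SASL_FAIL.search(line)
        if m:
            f = dict(FIELD.findall(m.group("fields")))
            users[(f.get("user", ""), f.get("service", ""), f.get("mech", ""))] += 1
    # Only lines with a non-empty rhost give an IP-based ban something to act on.
    return {"users": users, "rhosts": rhosts, "with_address": [r for r in rhosts if r]}


if __name__ == "__main__":
    result = summarize(SAMPLE)
    for (user, service, mech), n in result["users"].items():
        print(f"{n} failure(s): user={user} service={service} mech={mech}")
    print(f"{len(result['with_address'])} of {len(result['rhosts'])} PAM failure lines include a remote host")
```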

Post-holiday bump . . .

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.