Hello everyone:

I have a server with postfix installed and I have many messages saying: "sasl login authentication failed: ugfzc3dvcmq6".

My question is, how do I block automatic to port 25 containing "sasl login authentication failed: ugfzc3dvcmq6" and allow a maximum of 7 login failed?

Thank you very much in advance for the help.
regards

Hello,

Still no response I see. I think this has to do with the very SASL encryption that renders the MT layer 7 filtering worthless (I presume).

BTW: did you know 'UGFzc3dvcmQ6' is 'Password' encoded in base64, same for 'VXNlcm5hbWU6' which is 'Username'

Regards,
Paul

All this is useless.

What he asked is a way to shoot down before knocking on the door.
But actually that expression is generated as reply to knocking on the (postfix or whatever) door.
An aggressive fail2ban after 1 retry with that user and pass in particular is the way to go.

And yes, all this is useless because they never stop and this is somehow harmless unless you have... no door or an open door, this is what they are after.
I agree to kick first then ask the rest 24h later, but they need to knock once...

Kind of Off-topic: what would be the impact of a rule with 5000 IPs LIST on a MT 4core ARM 64bit 1.(something) Ghz? Let's say AX3 and a far off CCR2004.
That If someone still insist on having a ban list for this kind of stuff.

Regards,
Paul