From: "Mark Felder"
To: freebsd-questions@freebsd.org
Subject: Re: Can sasl/sendmail Report IP Of Failed Access?
Date: Tue, 04 Jun 2013 14:13:32 -0500
In-Reply-To: <51AE0C04.2050507@tundraware.com>

On Tue, 04 Jun 2013 10:47:16 -0500, Tim Daneliuk wrote:

> I am seeing login dictionary attacks on a FreeBSD mail server being
> reported. Is there a way to determine the IPs that are doing this
> so they can be blocked at the firewall? auth.log only
> notes the attempted user name, not the IP of origin.

I don't use sendmail, but aren't the login attempts at least logged in
maillog as well? If so, you could use fail2ban to ban them. We do this
with postfix/exim/dovecot/etc.
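
Added example, not part of the original message: the kind of per-address counting fail2ban does, written in Python and run over constructed maillog lines. The `possible SMTP attack: command=AUTH` message text, the sample lines and the function names are assumptions; check what your sendmail version and LogLevel actually write to maillog.

```python
import ipaddress
import re
from collections import Counter

# Assumed message text; confirm against your own maillog before relying on it.
AUTH_FAIL = re.compile(
    r"\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f:.]+)\](?: \(may be forged\))?: "
    r"possible SMTP attack: command=AUTH, count=\d+"
)

# Constructed sample lines (documentation address ranges), not real log data.
SAMPLE_MAILLOG = """\
Jun  4 10:41:02 mail sm-mta[4121]: r54Ff1aB004121: [203.0.113.45]: possible SMTP attack: command=AUTH, count=3
Jun  4 10:41:09 mail sm-mta[4125]: r54Ff8aB004125: [203.0.113.45]: possible SMTP attack: command=AUTH, count=4
Jun  4 10:41:15 mail sm-mta[4130]: r54FfEaB004130: host.example.net [203.0.113.45]: possible SMTP attack: command=AUTH, count=5
Jun  4 10:42:30 mail sm-mta[4140]: r54FgUaB004140: [198.51.100.7]: possible SMTP attack: command=AUTH, count=3
Jun  4 10:43:00 mail sm-mta[4150]: r54Fh0aB004150: from=<a@example.org>, size=1200, nrcpts=1, relay=mx.example.org [192.0.2.10]
"""


def failed_auth_ips(lines):
    """Count failed-AUTH log lines per source address."""
    counts = Counter()
    for line in lines:
        m = AUTH_FAIL.search(line)
        if not m:
            continue  # ordinary delivery lines are ignored
        try:
            # Validate and normalise so only real addresses reach the firewall.
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue
        counts[str(ip)] += 1
    return counts


def offenders(lines, max_retry=3):
    """Addresses with at least max_retry failures, sorted for stable output."""
    counts = failed_auth_ips(lines)
    return sorted(ip for ip, n in counts.items() if n >= max_retry)


if __name__ == "__main__":
    for ip in offenders(SAMPLE_MAILLOG.splitlines()):
        print(ip)
```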