I keep seeing this over and over again and would like to stop it before it gets to postfix.

netfilter-mailcow-1  | 200.37.179.83 matched rule id 3 (warning: unknown[200.37.179.83]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=shannon.kersh@dccathome.com)
netfilter-mailcow-1  | 1 more attempts in the next 600 seconds until 200.37.0.0/16 is banned
netfilter-mailcow-1  | 115.62.236.28 matched rule id 3 (warning: unknown[115.62.236.28]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=shannon.kersh)

Now I see this. It might be a completely different issue:

netfilter-mailcow-1  | Exception in thread Thread-2 (autopurge):
netfilter-mailcow-1  | Traceback (most recent call last):
netfilter-mailcow-1  |   File "/usr/lib/python3.11/threading.py", line 1045, in _bootstrap_inner
netfilter-mailcow-1  |     self.run()
netfilter-mailcow-1  |   File "/usr/lib/python3.11/threading.py", line 982, in run
netfilter-mailcow-1  |     self._target(*self._args, **self._kwargs)
netfilter-mailcow-1  |   File "/app/main.py", line 283, in autopurge
netfilter-mailcow-1  |     MAX_ATTEMPTS = int(f2boptions['max_attempts'])
netfilter-mailcow-1  |                        ~~~~~~~~~~^^^^^^^^^^^^^^^^
netfilter-mailcow-1  | KeyError: 'max_attempts''

Why do you want to stop it? Netfilter will eventually block it, that's its job. And you don't want to punish legit users that enter a wrong/old password a couple of times in a row.
The other thing seems to relate to "autopurge", which unbans IPs after a certain amount of time.

Since he is not a legitimate user and keeps trying from, it seems, all different IP addresses, I wouldn't mind banning each IP address he tries to use permanently if there was an automated way to do that.
I know it is doing its job, but what if there were dozens of these kinds of attempts going on? Wouldn't that put a strain on the server?

No, not that I am aware of. I undertake no further action and let netfilter do its job. I can see a lot of login attempts but this is barely noticeable, my CPU is always at 2-5%. In the 1,5 years I have run mailcow I have never experienced any strain because of this. I have more headaches about legit iOS users on ActiveSync 😉

Agree, that's pretty much standard noise. I've seen quite a lot of similar behaviours lately though, with the brute force for a specific user coming from a wide number of IPs, which would not trigger F2B. But, as I said, that's pretty much background noise you can easily ignore.
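
As an added example (not code from any poster in this thread or from mailcow itself), the pattern described in the last reply, one mailbox tried from many addresses, can be surfaced from the same netfilter log lines by counting distinct source IPs per targeted username. The function name, the default threshold of 3 and the sample lines are assumptions made for the illustration; the caller decides which time window of log lines to feed in.

```python
import re
from collections import defaultdict

# Matches the Postfix SASL failure text that netfilter-mailcow echoes,
# in the shape shown in the log lines quoted in the thread.
FAIL_RE = re.compile(
    r"warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \S+ authentication failed:"
    r".*?sasl_username=(?P<user>[^\s)]+)"
)

def distributed_targets(lines, min_ips=3):
    """Return {local_part: sorted source IPs} for mailboxes that failed
    authentication from at least min_ips distinct addresses.
    min_ips is an assumed threshold, not a mailcow setting."""
    sources = defaultdict(set)
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue  # ban countdowns, tracebacks and other output
        # The thread shows the same mailbox tried with and without its
        # domain, so group on the lowercased local part only.
        local = m.group("user").split("@", 1)[0].lower()
        sources[local].add(m.group("ip"))
    return {u: sorted(ips) for u, ips in sources.items() if len(ips) >= min_ips}

# Constructed sample lines: RFC 5737 documentation addresses and example.com.
SAMPLE = [
    "netfilter-mailcow-1  | 203.0.113.5 matched rule id 3 (warning: unknown[203.0.113.5]: "
    "SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=alice@example.com)",
    "netfilter-mailcow-1  | 1 more attempts in the next 600 seconds until 203.0.113.0/24 is banned",
    "netfilter-mailcow-1  | 198.51.100.7 matched rule id 3 (warning: unknown[198.51.100.7]: "
    "SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=alice)",
    "netfilter-mailcow-1  | 192.0.2.44 matched rule id 3 (warning: unknown[192.0.2.44]: "
    "SASL PLAIN authentication failed: , sasl_username=Alice@example.com)",
    "netfilter-mailcow-1  | 192.0.2.44 matched rule id 3 (warning: unknown[192.0.2.44]: "
    "SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=bob@example.com)",
    "netfilter-mailcow-1  | 203.0.113.5 matched rule id 3 (warning: unknown[203.0.113.5]: "
    "SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=bob@example.com)",
]

if __name__ == "__main__":
    for user, ips in distributed_targets(SAMPLE).items():
        print(f"{user}: {len(ips)} source IPs -> {', '.join(ips)}")
```

A mailbox listed here is being targeted across addresses even though no single IP reached the per-IP ban threshold, which makes it a candidate for a password review.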
