
I have a postfix + amavis mailserver; everything works fine except that somehow I receive spam email from me to me... so I dug in and made the following mods:

vi /etc/postfix/main.cf

smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination, check_sender_access hash:/etc/postfix/access/sender_access, reject_unknown_sender_domain, warn_if_reject reject_unverified_sender

mkdir /etc/postfix/access

vi /etc/postfix/access/sender_access

gigi.com 550 YOU ARE NOT ME.

postmap /etc/postfix/access/sender_access

/etc/init.d/postfix restart 

Now I have to see if I receive mails from me :)

Anyway, in /var/log/mail.log I have the following messages that worry me security-wise. Is this fine, or is something wrong?

Can I do something to stop those requests from outside? There are too many... Could it be a security breach? I mean, those requests come minute by minute... wt#?

I attach some of the mail.log:

Oct 13 22:06:34 mail postfix/smtpd[8698]: warning: unknown[191.96.249.61]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 13 22:06:34 mail postfix/smtpd[8698]: disconnect from unknown[191.96.249.61]
Oct 13 22:06:34 mail postfix/verify[8777]: close database /var/lib/postfix/verify_cache.db: No such file or directory (possible Berkeley DB bug)
Oct 13 22:06:35 mail postfix/smtpd[8722]: warning: unknown[191.96.249.26]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 13 22:06:35 mail postfix/smtpd[8722]: disconnect from unknown[191.96.249.26]
Oct 13 22:06:35 mail postfix/smtpd[8702]: connect from unknown[191.96.249.13]
Oct 13 22:06:43 mail postfix/smtpd[8702]: warning: unknown[191.96.249.13]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 13 22:06:43 mail postfix/smtpd[8702]: disconnect from unknown[191.96.249.13]
Oct 13 22:06:56 mail postfix/smtpd[8703]: connect from unknown[191.96.249.61]
Oct 13 22:06:57 mail postfix/smtpd[8698]: connect from unknown[191.96.249.13]
Oct 13 22:06:58 mail postfix/smtpd[8702]: warning: hostname radheengineering.info does not resolve to address 191.96.249.26
Oct 13 22:06:58 mail postfix/smtpd[8702]: connect from unknown[191.96.249.26]
Oct 13 22:07:00 mail postfix/smtpd[8703]: warning: unknown[191.96.249.61]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 13 22:07:00 mail postfix/smtpd[8703]: disconnect from unknown[191.96.249.61]
Oct 13 22:07:06 mail postfix/smtpd[8698]: warning: unknown[191.96.249.13]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 13 22:07:06 mail postfix/smtpd[8698]: disconnect from unknown[191.96.249.13]
Oct 13 22:07:07 mail postfix/smtpd[8702]: warning: unknown[191.96.249.26]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 13 22:07:07 mail postfix/smtpd[8702]: disconnect from unknown[191.96.249.26]
Oct 13 22:07:20 mail postfix/smtpd[8722]: connect from unknown[191.96.249.13]

Thanks guys!

1 Answer

Oct 13 22:07:07 mail postfix/smtpd[8702]: warning: unknown[191.96.249.26]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 13 22:07:07 mail postfix/smtpd[8702]: disconnect from unknown[191.96.249.26]
Oct 13 22:07:20 mail postfix/smtpd[8722]: connect from unknown[191.96.249.13]

It just means that someone from IP 191.96.249.26 is trying to authenticate on your mailserver but he fails, because he is using the wrong password. According to whois on this IP, it belongs to the hosting provider dmzhost.co - you could try contacting them and reporting abuse, saying that one of their IPs is trying to hack into your mail server.

Besides that, you could block this IP address via iptables, for example; in the long run you could integrate something like fail2ban on your server to block an IP after X failed tries. Or use something like CSF (ConfigServer Security & Firewall) instead of fail2ban. Or you could limit authentication tries directly in postfix as suggested here:

# RATE THROTTLING
smtpd_client_connection_rate_limit = 20
smtpd_error_sleep_time             = 10s
smtpd_soft_error_limit             = 3
smtpd_hard_error_limit             = 5
  • Glad that it helped you :) Remember that it's normal to have someone try to guess your password when you have a public server. But of course it's good to try to limit them and block them after X login tries (csf, fail2ban, postfix conf) or just block them manually in iptables or another firewall (or their whole subnet sometimes) if they are really annoying :)
    – Learner
    Commented Oct 14, 2018 at 17:48
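As an added example (not code from the question, the answer, or fail2ban itself): a small Python script that does what a fail2ban postfix-sasl jail does with lines like the ones quoted above. It matches only the SASL failure lines, decodes the base64 token Postfix logs (for LOGIN it is just the prompt "Password:", not a leaked secret), and reports which hosts, or which /24 subnets as the comment suggests, cross a maxretry/findtime threshold. The sample lines are constructed from the question's excerpt and the thresholds are assumed values.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network
# Constructed sample, shaped like the mail.log excerpt in the question.
SAMPLE_LOG = """\
Oct 13 22:06:34 mail postfix/smtpd[8698]: warning: unknown[191.96.249.61]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 13 22:06:35 mail postfix/smtpd[8722]: warning: unknown[191.96.249.26]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 13 22:06:43 mail postfix/smtpd[8702]: warning: unknown[191.96.249.13]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 13 22:06:58 mail postfix/smtpd[8702]: warning: hostname radheengineering.info does not resolve to address 191.96.249.26
Oct 13 22:07:00 mail postfix/smtpd[8703]: warning: unknown[191.96.249.61]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 13 22:07:06 mail postfix/smtpd[8698]: warning: unknown[191.96.249.13]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 13 22:07:07 mail postfix/smtpd[8702]: warning: unknown[191.96.249.26]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""
# Only auth-failure lines match; connect/disconnect/DNS warnings are skipped.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: warning: "
    r"\S+\[(?P<ip>[0-9.]+)\]: SASL \w+ authentication failed: (?P<token>\S+)"
)

def parse_failures(log_text, year=2018):
    """Return (timestamp, ip, decoded_token) per SASL failure line. The token
    is the last SASL challenge, base64-encoded: for LOGIN it is "Password:"."""
    out = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        try:
            token = base64.b64decode(m["token"]).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            token = m["token"]  # keep undecodable tokens as logged
        out.append((ts, m["ip"], token))
    return out

def offenders(failures, maxretry=3, findtime=timedelta(minutes=10), prefixlen=32):
    """fail2ban-style decision: sources with >= maxretry failures inside any
    findtime window, grouped per /prefixlen (32 = host, 24 = whole subnet)."""
    buckets = defaultdict(list)
    for ts, ip, _ in failures:
        buckets[str(ip_network(f"{ip}/{prefixlen}", strict=False))].append(ts)
    banned = {}  # network -> total failures seen (assumed thresholds above)
    for net, times in buckets.items():
        times.sort()
        for start in times:
            if sum(1 for t in times if start <= t <= start + findtime) >= maxretry:
                banned[net] = len(times)
                break
    return banned
```

With the defaults no single host in the excerpt reaches three failures, but grouping by /24 shows the whole 191.96.249.0/24 range producing six in about half a minute, which is the case the comment's "block their whole subnet" remark covers.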
