Topic: Dovecot SASL Authentication Component Denial of Service attack
==== Required information ====
- iRedMail version (check /etc/iredmail-release): 097
- Linux/BSD distribution name and version: CentOS 7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Web server (Apache or Nginx):
- Manage mail accounts with iRedAdmin-Pro?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
I have a 2-minute-long attack in maillog from 149.202.30.121:
Jan 29 23:14:12 mail postfix/qmgr[12246]: 1C69A40EE82C: removed
Jan 29 23:14:15 mail postfix/postscreen[27446]: CONNECT from [149.202.30.121]:61752 to [192.168.1.89]:25
Jan 29 23:14:15 mail postfix/postscreen[27446]: PREGREET 13 after 0.07 from [149.202.30.121]:61752: EHLO vejgQi\r\n
Jan 29 23:14:16 mail postfix/postscreen[27446]: HANGUP after 0.07 from [149.202.30.121]:61752 in tests after SMTP handshake
fail2ban didn't block this IP. Traffic was dropped by my Sophos UTM: Dovecot SASL Authentication Component Denial of Service.
Should fail2ban detect it?
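Added example, not part of the original post and not a filter shipped by iRedMail or fail2ban: a Python version of the per-IP counting that fail2ban performs, applied to postscreen PREGREET lines like the one in the excerpt above. The regex, the thresholds (`max_events`, `find_time`), the assumed year and the 203.0.113.7 log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches postscreen PREGREET events (client talked before the SMTP banner).
# Assumption: syslog-style prefix as in the excerpt; not a shipped fail2ban filter.
PREGREET = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/postscreen\[\d+\]: "
    r"PREGREET \d+ after \S+ from \[(?P<ip>[^\]]+)\]:\d+"
)

def parse_pregreet(line, year=2024):
    """Return (timestamp, client_ip) for a PREGREET line, else None.
    Syslog lines carry no year, so `year` is an assumed value."""
    m = PREGREET.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"]

def offenders(lines, max_events=3, find_time=120, year=2024):
    """Map each IP to the time it first reached max_events PREGREETs
    within find_time seconds. Lines must be in chronological order."""
    recent = defaultdict(list)
    flagged = {}
    for line in lines:
        event = parse_pregreet(line, year)
        if event is None:
            continue
        ts, ip = event
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=find_time):
            window.pop(0)  # forget events older than the window
        if len(window) >= max_events:
            flagged.setdefault(ip, ts)
    return flagged

# First four lines are from the post; the 203.0.113.7 lines are constructed.
SAMPLE = r"""Jan 29 23:14:12 mail postfix/qmgr[12246]: 1C69A40EE82C: removed
Jan 29 23:14:15 mail postfix/postscreen[27446]: CONNECT from [149.202.30.121]:61752 to [192.168.1.89]:25
Jan 29 23:14:15 mail postfix/postscreen[27446]: PREGREET 13 after 0.07 from [149.202.30.121]:61752: EHLO vejgQi\r\n
Jan 29 23:14:16 mail postfix/postscreen[27446]: HANGUP after 0.07 from [149.202.30.121]:61752 in tests after SMTP handshake
Jan 29 23:15:01 mail postfix/postscreen[27446]: PREGREET 14 after 0.05 from [203.0.113.7]:40112: EHLO example\r\n
Jan 29 23:15:20 mail postfix/postscreen[27446]: PREGREET 14 after 0.05 from [203.0.113.7]:40118: EHLO example\r\n
Jan 29 23:15:40 mail postfix/postscreen[27446]: PREGREET 14 after 0.05 from [203.0.113.7]:40125: EHLO example\r\n
"""

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE.splitlines()).items():
        print(f"{ip} reached the threshold at {when}")
```

With the default threshold only the constructed 203.0.113.7 client is flagged; the single PREGREET from 149.202.30.121 shown in the excerpt stays below it.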