Re: [exim] AUTH command used when not advertised

Take a look at fail2ban.

--
Jeremy McSpadden | Flux Labs
Local - 850-250-5590x501<tel:850-250-5590;501> | Mobile - 850-890-2543<tel:850-890-2543>
Fax - 850-254-2955<tel:850-254-2955> | Toll Free - 877-699-FLUX<tel:877-699-FLUX>
Web - http://www.fluxlabs.net<http://www.fluxlabs.net/>


On Apr 17, 2015, at 7:50 PM, Always Learning <exim@???<mailto:exim@u65.u22.net>> wrote:


Exim 4.72 (Centos 6)


A MTA experienced 20 minutes (circa 1,722 attempts) of:

(from logwatch)

2015-04-17 22:56:16 SMTP protocol error in "AUTH LOGIN"
H=(SRV) [88.119.254.244]:50272 I=[xx.xx.xx.xx]:25 AUTH
command used when not advertised: 1 Time(s)

Have changed:-

   smtp_accept_max                   = 5
   smtp_accept_max_per_connection    = 5
   smtp_accept_max_per_host          = 5

whilst assuming it will not prevent future abuse.


If I create acl_smtp_auth = acl_reject_auth

acl_reject_auth:

      warn message = ${run{SHELL -c "PHP EXIM_ALERT
                         (code to bloke IP address in IPtables......)

      deny message = (rejection message) ......

will this ACL only intercept log-on attempts ?


Thank you.

--
Regards,

Paul.
England, EU.      Je suis Charlie.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/