Re: [exim] [exim-dev] "25 lost" is giving me useful clues

Top Page
Delete this message
Reply to this message
Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] [exim-dev] "25 lost" is giving me useful clues
On 09/03/2018 10:03 PM, Phil Pennock via Exim-users wrote:
> On 2018-08-30 at 12:27 +0200, Mark Elkins via Exim-dev wrote:
>> What this is telling me is someone at 157.0.116.189 is making
>> connections to my mail server - presumable to see if they can detect the
>> accounts of users on my machine?



Interesting variables to log from a notquit-acl include

    $smtp_notquit_reason
    $smtp_command_history


In particular, one pattern for the latter that earns IPs an immediate
firewall entry on my systems is "^EHLO,(RSET,)?AUTH". I don't advertise
AUTH on an in-clear EHLO, but it doesn't stop them trying...

--
Cheers,
Jeremy