I noticed numerous SMTPD authentication attacks being received on my server. My configuration is a bit unique in that I don’t have any ports open from the outside world to my server except from my anti-spam provider, and yet I was seeing attacks on the port from 185.211.245.170:
mail.warn.1:Oct 9 12:05:45 (servernameremoved) postfix/smtpd[20794]: warning: unknown[185.211.245.170]: SASL LOGIN authentication failed: authentication failure
After some digging I found that there is a stunnel configured inside of the image released by UCS. Upon further examination I found that the tunnel is actually where the attacks are originating from.
My solution? A low-metric route sending the IP to a destination directly connected to eth0 that does not exist.
Perhaps this may help others who are seeing the same.
Also, it’s worth looking into who owns that IP and how they are making their way through the stunnel, which seems to be designed for use with OAuth, not this stuff.
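As an added example, not part of the original post or of the UCS image, the following script pulls repeated SASL LOGIN failures out of postfix/smtpd warnings in the mail.warn format quoted above and prints the route commands that would null-route each offender. The log lines are constructed, the hostname `mx`, the failure threshold and the placeholder gateway `192.0.2.254` are assumptions; the `blackhole` route is the kernel's explicit way to drop traffic, shown alongside the post's variant of routing via an unused address on the eth0 subnet.

```shell
#!/bin/sh
# Added example (not from the original post): pick out source IPs that repeatedly
# fail SASL LOGIN in postfix/smtpd warnings, and print the route commands that
# would null-route them. Nothing is applied unless the output is piped to sh.

# Constructed sample log lines in the mail.warn format shown in the post.
SAMPLE_LOG='Oct 9 12:05:45 mx postfix/smtpd[20794]: warning: unknown[185.211.245.170]: SASL LOGIN authentication failed: authentication failure
Oct 9 12:05:47 mx postfix/smtpd[20794]: warning: unknown[185.211.245.170]: SASL LOGIN authentication failed: authentication failure
Oct 9 12:05:52 mx postfix/smtpd[20801]: warning: unknown[185.211.245.170]: SASL LOGIN authentication failed: authentication failure
Oct 9 12:06:01 mx postfix/smtpd[20803]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: authentication failure
Oct 9 12:06:10 mx postfix/smtpd[20805]: connect from unknown[198.51.100.7]'

# sasl_failures_by_ip: read log lines on stdin, print "count ip" for each client
# that failed SASL auth at least THRESHOLD times (default 3), highest count first.
sasl_failures_by_ip() {
    threshold="${1:-3}"
    grep 'SASL LOGIN authentication failed' |
        sed -n 's/.*\[\([0-9.]*\)\]: SASL LOGIN authentication failed.*/\1/p' |
        sort | uniq -c | sort -rn |
        awk -v t="$threshold" '$1 >= t { print $1, $2 }'
}

# null_route_cmd: print the ip(8) command that drops traffic to one address.
# "blackhole" is the kernel's explicit unreachable route. The "via" style is the
# post's approach: route via an address on the eth0 subnet that nothing answers.
# 192.0.2.254 is a placeholder (assumption); use an unused address on your subnet.
null_route_cmd() {
    ip="$1"
    style="${2:-blackhole}"
    case "$style" in
        blackhole) printf 'ip route add blackhole %s/32\n' "$ip" ;;
        via)       printf 'ip route add %s/32 via 192.0.2.254 dev eth0\n' "$ip" ;;
        *)         return 1 ;;
    esac
}

# Dry run over the constructed sample: only the repeated offender is listed.
printf '%s\n' "$SAMPLE_LOG" | sasl_failures_by_ip 3 | while read -r count ip; do
    echo "# $count failures from $ip"
    null_route_cmd "$ip"
done
```

Run it against a real log with `sh script.sh` after replacing the `SAMPLE_LOG` pipe with `tail -n 5000 /var/log/mail.warn | sasl_failures_by_ip 10`, and only pipe the printed `ip route` commands into `sh` once the list looks right; a route added this way is lost on reboot unless you persist it in your distribution's network configuration.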