I am wondering if CrowdSec is currently covering the “SASL LOGIN authentication failed” scenario. I have read this thread (one year old), “New install, postfix / IMAP”, and it appears that Fail2Ban does but CrowdSec does not yet?
In any case, I have the postfix scenarios installed but my log is full of authentication attempts, with individual IPs trying 20 times and more.
postfix/submission/smtpd: warning: unknown[18.104.22.168]: SASL LOGIN authentication failed:
As a workaround I created a script which filters out those IPs, followed by
cscli decisions add --ip $ip
Should CrowdSec catch these already? If not, any plans?
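
The workaround described in the post, written out as an added example (not the poster's script and not CrowdSec code): it counts SASL authentication failures per client IP in postfix log lines and builds one `cscli decisions add --ip` command for each IP at or above a threshold. The threshold, the allowlist, the function names and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
import shlex
from collections import Counter

# Matches the postfix warning quoted in the post; syslog prefix and [pid] are optional.
# Only the bracketed address is captured: the hostname before it comes from reverse DNS.
SASL_FAIL = re.compile(
    r"postfix/(?:\w+/)?smtpd(?:\[\d+\])?: warning: "
    r"\S+\[(?P<ip>[0-9A-Fa-f:.]+)\]: SASL [\w-]+ authentication failed"
)

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE = (
    ["Jan 10 03:12:01 mx postfix/submission/smtpd[2211]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed:"] * 6
    + ["postfix/submission/smtpd: warning: unknown[198.51.100.20]: SASL LOGIN authentication failed:"] * 2
    + ["Jan 10 03:13:09 mx postfix/smtpd[2290]: warning: office.example[192.0.2.10]: SASL PLAIN authentication failed:"] * 9
    + ["Jan 10 03:14:00 mx postfix/smtpd[2291]: connect from unknown[203.0.113.7]"]
)

def failed_ips(lines):
    """Count SASL authentication failures per client IP."""
    counts = Counter()
    for line in lines:
        m = SASL_FAIL.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # bracketed value is not a valid address: ignore the line
        counts[str(ip)] += 1
    return counts

def ban_commands(lines, threshold=5, allow=()):
    """Return one cscli argv list per IP at or above the threshold, skipping allowlisted networks."""
    allowed = [ipaddress.ip_network(n) for n in allow]
    cmds = []
    for ip, n in sorted(failed_ips(lines).items()):
        addr = ipaddress.ip_address(ip)
        if n < threshold or any(addr in net for net in allowed):
            continue
        cmds.append(["cscli", "decisions", "add", "--ip", ip])
    return cmds

if __name__ == "__main__":
    for argv in ban_commands(SAMPLE, threshold=5, allow=["192.0.2.0/24"]):
        print(shlex.join(argv))  # review the output before running it
```

The allowlist keeps a trusted network with a misconfigured mail client from being banned alongside the brute-force sources.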