Within fail2ban I have now found:
2022-03-28 16:11:13,286 fail2ban.filter [2583]: INFO [postfix-ddos] Ignore 93.245.xxx.xxx by dns
2022-03-28 16:11:19,294 fail2ban.filter [2583]: INFO [postfix-ddos] Ignore 93.245.xxx.xxx by dns
2022-03-28 16:11:19,295 fail2ban.filter [2583]: INFO [postfix-ddos] Ignore 93.245.xxx.xxx by dns
2022-03-28 16:11:19,295 fail2ban.filter [2583]: INFO [postfix-ddos] Ignore 93.245.xxx.xxx by dns
2022-03-28 16:11:19,699 fail2ban.filter [2583]: INFO [postfix-sasl-abuse] Ignore 93.245.xxx.xxx by dns
2022-03-28 16:11:20,503 fail2ban.filter [2583]: INFO [postfix-ddos] Ignore 93.245.xxx.xxx by dns
2022-03-28 16:11:30,521 fail2ban.filter [2583]: INFO [postfix-sasl-abuse] Ignore 93.245.xxx.xxx by dns
2022-03-28 16:11:53,563 fail2ban.filterpoll [2583]: WARNING Too many errors. Remove file '/var/log/roundcubemail/errors.log' from monitoring process
2022-03-28 16:11:53,564 fail2ban.filter [2583]: INFO Removed logfile: '/var/log/roundcubemail/errors.log'
2022-03-28 16:24:27,328 fail2ban.filter [2583]: INFO [postfix-sasl-abuse] Ignore 93.245.xxx.xxx by dns
2022-03-28 16:24:35,944 fail2ban.filter [2583]: INFO [postfix-sasl-abuse] Ignore 93.245.xxx.xxx by dns
But the credentials are accepted by the mail server.
maillog:
[root@ns log]# cat maillog | grep 16:11:
Mar 27 16:11:20 ns rspamd[2003]: <u1dohr>; lua; bayes_expiry.lua:440: finished expiry step 1: 798 items checked, 8 significant (0 made persistent), 0 insignificant (0 ttls set), 0 common (0 discriminated), 790 infrequent (0 ttls set), 1 mean, 0 std
Mar 27 16:11:20 ns rspamd[2003]: <u1dohr>; lua; bayes_expiry.lua:440: finished expiry cycle in 1 steps: 798 items checked, 8 significant (0 made persistent), 0 insignificant (0 ttls set), 0 common (0 discriminated), 790 infrequent (0 ttls set), 1 mean, 0 std
Mar 27 16:11:20 ns rspamd[2003]: <u1dohr>; lua; bayes_expiry.lua:447: tokens occurrences, in ham: {nil}
Mar 27 16:11:20 ns rspamd[2003]: <u1dohr>; lua; bayes_expiry.lua:447: tokens occurrences, in spam: {nil}
Mar 27 16:11:20 ns rspamd[2003]: <u1dohr>; lua; bayes_expiry.lua:447: tokens occurrences, total: {nil}
Mar 28 16:11:12 ns postfix/smtpd[5301]: connect from xyz.dip0.t-ipconnect.de[93.245.xxx.xxx]
Mar 28 16:11:12 ns rspamd[2150]: <5b05fe>; proxy; proxy_accept_socket: accepted milter connection from /var/run/rspamd/worker-proxy port 0
Mar 28 16:11:12 ns postfix/smtpd[5301]: lost connection after EHLO from xyz.dip0.t-ipconnect.de[93.245.xxx.xxx]
Mar 28 16:11:12 ns postfix/smtpd[5301]: disconnect from xyz.dip0.t-ipconnect.de[93.245.xxx.xxx]
Mar 28 16:11:12 ns rspamd[2150]: <5b05fe>; milter; rspamd_milter_process_command: got connection from 93.245.xxx.xxx:30386
Mar 28 16:11:12 ns rspamd[2150]: <5b05fe>; proxy; proxy_milter_finish_handler: finished milter connection
Mar 28 16:11:18 ns postfix/smtpd[5301]: connect from xyz.dip0.t-ipconnect.de[93.245.xxx.xxx]
Mar 28 16:11:18 ns rspamd[2150]: <7ac5da>; proxy; proxy_accept_socket: accepted milter connection from /var/run/rspamd/worker-proxy port 0
Mar 28 16:11:18 ns postfix/smtpd[5301]: lost connection after EHLO from xyz.dip0.t-ipconnect.de[93.245.xxx.xxx]
Mar 28 16:11:18 ns postfix/smtpd[5301]: disconnect from xyz.dip0.t-ipconnect.de[93.245.xxx.xxx]
Mar 28 16:11:18 ns rspamd[2150]: <7ac5da>; milter; rspamd_milter_process_command: got connection from 93.245.xxx.xxx:7502
Mar 28 16:11:18 ns rspamd[2150]: <7ac5da>; proxy; proxy_milter_finish_handler: finished milter connection
Mar 28 16:11:18 ns postfix/smtpd[5301]: connect from xyz.dip0.t-ipconnect.de[93.245.xxx.xxx]
Mar 28 16:11:18 ns rspamd[2150]: <a29343>; proxy; proxy_accept_socket: accepted milter connection from /var/run/rspamd/worker-proxy port 0
Mar 28 16:11:19 ns postfix/smtpd[5315]: connect from xyz.dip0.t-ipconnect.de[93.245.xxx.xxx]
Mar 28 16:11:19 ns rspamd[2150]: <656d4a>; proxy; proxy_accept_socket: accepted milter connection from /var/run/rspamd/worker-proxy port 0
Mar 28 16:11:19 ns postfix/smtpd[5315]: lost connection after UNKNOWN from xyz.dip0.t-ipconnect.de[93.245.xxx.xxx]
Mar 28 16:11:19 ns postfix/smtpd[5315]: disconnect from xyz.dip0.t-ipconnect.de[93.245.xxx.xxx]
Mar 28 16:11:19 ns rspamd[2150]: <656d4a>; milter; rspamd_milter_process_command: got connection from 93.245.xxx.xxx:27241
Mar 28 16:11:19 ns rspamd[2150]: <656d4a>; proxy; proxy_milter_finish_handler: finished milter connection
Mar 28 16:11:19 ns postfix/smtpd[5301]: lost connection after EHLO from xyz.dip0.t-ipconnect.de[93.245.xxx.xxx]
Mar 28 16:11:19 ns postfix/smtpd[5301]: disconnect from xyz.dip0.t-ipconnect.de[93.245.xxx.xxx]
Mar 28 16:11:19 ns rspamd[2150]: <a29343>; milter; rspamd_milter_process_command: got connection from 93.245.xxx.xxx:59426
Mar 28 16:11:19 ns rspamd[2150]: <a29343>; proxy; proxy_milter_finish_handler: finished milter connection
Mar 28 16:11:19 ns postfix/smtpd[5315]: connect from xyz.dip0.t-ipconnect.de[93.245.xxx.xxx]
Mar 28 16:11:19 ns rspamd[2150]: <d57e60>; proxy; proxy_accept_socket: accepted milter connection from /var/run/rspamd/worker-proxy port 0
Mar 28 16:11:19 ns postfix/smtpd[5316]: connect from xyz.dip0.t-ipconnect.de[93.245.xxx.xxx]
Mar 28 16:11:19 ns rspamd[2150]: <ce3393>; proxy; proxy_accept_socket: accepted milter connection from /var/run/rspamd/worker-proxy port 0
Mar 28 16:11:19 ns postfix/smtpd[5316]: A3408D59F: client=xyz.dip0.t-ipconnect.de[93.245.xxx.xxx], sasl_method=PLAIN, sasl_username=max_mustermann@myserver.de
Mar 28 16:11:19 ns rspamd[2150]: <ce3393>; milter; rspamd_milter_process_command: got connection from 93.245.xxx.xxx:5634
Mar 28 16:11:19 ns postfix/cleanup[5327]: A3408D59F: message-id=<em68229a26-627b-47e5-88d7-57ba4ca1028a@9a317569.com>
Mar 28 16:11:19 ns rspamd[2150]: <ce3393>; proxy; rspamd_message_parse: loaded message; id: <em68229a26-627b-47e5-88d7-57ba4ca1028a@9a317569.com>; queue-id: <A3408D59F>; size: 723; checksum: <9a6c9bd034dd53966b62c6a6d6aeadd7>
Mar 28 16:11:19 ns rspamd[2150]: <ce3393>; proxy; rspamd_mime_part_detect_language: detected part language: de
Mar 28 16:11:19 ns rspamd[2150]: <ce3393>; lua; settings.lua:366: <em68229a26-627b-47e5-88d7-57ba4ca1028a@9a317569.com> apply static settings authenticated (id = 1937017268); authenticated matched; priority high
Mar 28 16:11:19 ns rspamd[2150]: <ce3393>; lua; greylist.lua:204: skip greylisting for local networks and/or authorized users
Mar 28 16:11:19 ns rspamd[2150]: <ce3393>; proxy; dkim_symbol_callback: skip DKIM checks for local networks and authorized users
Mar 28 16:11:19 ns rspamd[2150]: <ce3393>; lua; spf.lua:186: skip SPF checks for local networks and authorized users
Mar 28 16:11:19 ns rspamd[2150]: <ce3393>; lua; dmarc.lua:349: skip DMARC checks as either SPF or DKIM were not checked
Mar 28 16:11:19 ns rspamd[2150]: <ce3393>; lua; once_received.lua:99: Skipping once_received for authenticated user or local network
Mar 28 16:11:20 ns rspamd[2150]: <ce3393>; proxy; rspamd_symcache_finalize_item: slow rule: RSPAMD_EMAILBL(281): 374.85 ms; enable slow timer delay
Mar 28 16:11:20 ns rspamd[2150]: <ce3393>; proxy; rspamd_symcache_finalize_item: slow rule: RSPAMD_URIBL(270): 381.85 ms
Mar 28 16:11:20 ns rspamd[2150]: <ce3393>; proxy; rspamd_redis_connected: skip obtaining bayes tokens for BAYES_SPAM of classifier bayes: not enough learns 0; 200 required
Mar 28 16:11:20 ns rspamd[2150]: <ce3393>; proxy; rspamd_redis_connected: skip obtaining bayes tokens for BAYES_HAM of classifier bayes: not enough learns 2; 200 required
Mar 28 16:11:20 ns rspamd[2150]: <ce3393>; proxy; rspamd_stat_classifiers_process: skip statistics as SPAM class is missing
Mar 28 16:11:20 ns rspamd[2150]: <ce3393>; lua; greylist.lua:318: Score too low - skip greylisting
Mar 28 16:11:20 ns rspamd[2150]: <ce3393>; proxy; rspamd_task_write_log: id: <em68229a26-627b-47e5-88d7-57ba4ca1028a@9a317569.com>, qid: <A3408D59F>, ip: 93.245.xxx.xxx, user: max_mustermann@myserver.de, from: <max_mustermann@myserver.de>, (default: F (no action): [-0.10/20.00] [MIME_GOOD(-0.10){text/plain;},ASN(0.00){asn:3320, ipnet:93.192.0.0/10, country:DE;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},HAS_REPLYTO(0.00){max_mustermann@myserver.de;},HAS_X_PRIO_FIVE(0.00){5;},MIME_TRACE(0.00){0:+;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_ZERO(0.00){0;},REPLYTO_EQ_FROM(0.00){},TO_DN_ALL(0.00){},TO_EQ_FROM(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 723, time: 595.319ms, dns req: 9, digest: <9a6c9bd034dd53966b62c6a6d6aeadd7>, rcpts: <max_mustermann@myserver.de>, mime_rcpts: <max_mustermann@myserver.de>, settings_id: authenticated
Mar 28 16:11:20 ns rspamd[2150]: <ce3393>; proxy; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 2 regexps matched, 175 regexps total, 46 regexps cached, 0B scanned using pcre, 1.21KiB scanned total
Mar 28 16:11:20 ns opendkim[1272]: A3408D59F: DKIM-Signature field added (s=default, d=myserver.de)
Mar 28 16:11:20 ns postfix/qmgr[2026]: A3408D59F: from=<max_mustermann@myserver.de>, size=1078, nrcpt=1 (queue active)
Mar 28 16:11:20 ns dovecot: lmtp(5338): Connect from local
Mar 28 16:11:20 ns postfix/lmtp[5337]: A3408D59F: to=<max_mustermann@myserver.de>, relay=mail.myserver.de[/var/run/dovecot/lmtp], delay=0.81, delays=0.77/0.02/0.01/0.01, dsn=2.0.0, status=sent (250 2.0.0 <max_mustermann@myserver.de> cE7JGAjCQWLaFAAAnFmNGg Saved)
Mar 28 16:11:20 ns dovecot: lmtp(max_mustermann@myserver.de): save: box=INBOX, uid=1, msgid=<em68229a26-627b-47e5-88d7-57ba4ca1028a@9a317569.com>, from="Max Mustermann" <max_mustermann@myserver.de>, subject=Testnachricht, flags=()
Mar 28 16:11:20 ns dovecot: lmtp(max_mustermann@myserver.de): cE7JGAjCQWLaFAAAnFmNGg: sieve: msgid=<em68229a26-627b-47e5-88d7-57ba4ca1028a@9a317569.com>: stored mail into mailbox 'INBOX'
Mar 28 16:11:20 ns dovecot: lmtp(5338): Disconnect from local: Successful quit
Mar 28 16:11:20 ns postfix/qmgr[2026]: A3408D59F: removed
Mar 28 16:11:20 ns postfix/smtpd[5316]: disconnect from xyz.dip0.t-ipconnect.de[93.245.xxx.xxx]
Mar 28 16:11:20 ns rspamd[2150]: <278ffc>; proxy; proxy_milter_finish_handler: finished milter connection
Mar 28 16:11:20 ns postfix/smtpd[5315]: lost connection after UNKNOWN from xyz.dip0.t-ipconnect.de[93.245.xxx.xxx]
Mar 28 16:11:20 ns postfix/smtpd[5315]: disconnect from xyz.dip0.t-ipconnect.de[93.245.xxx.xxx]
Mar 28 16:11:20 ns rspamd[2150]: <d57e60>; milter; rspamd_milter_process_command: got connection from 93.245.xxx.xxx:37968
Mar 28 16:11:20 ns rspamd[2150]: <d57e60>; proxy; proxy_milter_finish_handler: finished milter connection
Mar 28 16:11:29 ns postfix/smtpd[5316]: connect from xyz.dip0.t-ipconnect.de[93.245.xxx.xxx]
Mar 28 16:11:29 ns rspamd[2150]: <1553fb>; proxy; proxy_accept_socket: accepted milter connection from /var/run/rspamd/worker-proxy port 0
Mar 28 16:11:30 ns postfix/smtpd[5316]: 6544CD59F: client=xyz.dip0.t-ipconnect.de[93.245.xxx.xxx], sasl_method=PLAIN, sasl_username=md_admin
Mar 28 16:11:30 ns rspamd[2150]: <1553fb>; milter; rspamd_milter_process_command: got connection from 93.245.xxx.xxx:12730
Mar 28 16:11:30 ns postfix/cleanup[5327]: 6544CD59F: message-id=<em11fbf03f-c0b4-4d7e-bed0-de5b515c511d@9a317569.com>
Mar 28 16:11:30 ns rspamd[2150]: <1553fb>; proxy; rspamd_message_parse: loaded message; id: <em11fbf03f-c0b4-4d7e-bed0-de5b515c511d@9a317569.com>; queue-id: <6544CD59F>; size: 690; checksum: <aebf31420bafab037ad4e4272a44e8e7>
Mar 28 16:11:30 ns rspamd[2150]: <1553fb>; proxy; rspamd_mime_part_detect_language: detected part language: de
Mar 28 16:11:30 ns rspamd[2150]: <1553fb>; lua; settings.lua:366: <em11fbf03f-c0b4-4d7e-bed0-de5b515c511d@9a317569.com> apply static settings authenticated (id = 1937017268); authenticated matched; priority high
Mar 28 16:11:30 ns rspamd[2150]: <1553fb>; lua; greylist.lua:204: skip greylisting for local networks and/or authorized users
Mar 28 16:11:30 ns rspamd[2150]: <1553fb>; proxy; dkim_symbol_callback: skip DKIM checks for local networks and authorized users
Mar 28 16:11:30 ns rspamd[2150]: <1553fb>; lua; spf.lua:186: skip SPF checks for local networks and authorized users
Mar 28 16:11:30 ns rspamd[2150]: <1553fb>; lua; dmarc.lua:349: skip DMARC checks as either SPF or DKIM were not checked
Mar 28 16:11:30 ns rspamd[2150]: <1553fb>; lua; once_received.lua:99: Skipping once_received for authenticated user or local network
Mar 28 16:11:30 ns rspamd[2150]: <1553fb>; proxy; rspamd_redis_connected: skip obtaining bayes tokens for BAYES_SPAM of classifier bayes: not enough learns 0; 200 required
Mar 28 16:11:30 ns rspamd[2150]: <1553fb>; proxy; rspamd_redis_connected: skip obtaining bayes tokens for BAYES_HAM of classifier bayes: not enough learns 2; 200 required
Mar 28 16:11:30 ns rspamd[2150]: <1553fb>; proxy; rspamd_stat_classifiers_process: skip statistics as SPAM class is missing
Mar 28 16:11:30 ns rspamd[2150]: <1553fb>; lua; greylist.lua:318: Score too low - skip greylisting
Mar 28 16:11:30 ns rspamd[2150]: <1553fb>; proxy; rspamd_task_write_log: id: <em11fbf03f-c0b4-4d7e-bed0-de5b515c511d@9a317569.com>, qid: <6544CD59F>, ip: 93.245.xxx.xxx, user: md_admin, from: <md_admin@myserver.de>, (default: F (no action): [-0.10/20.00] [MIME_GOOD(-0.10){text/plain;},ASN(0.00){asn:3320, ipnet:93.192.0.0/10, country:DE;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},HAS_REPLYTO(0.00){md_admin@myserver.de;},HAS_X_PRIO_FIVE(0.00){5;},MIME_TRACE(0.00){0:+;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_ZERO(0.00){0;},REPLYTO_EQ_FROM(0.00){},TO_DN_ALL(0.00){},TO_EQ_FROM(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 690, time: 170.680ms, dns req: 9, digest: <aebf31420bafab037ad4e4272a44e8e7>, rcpts: <md_admin@myserver.de>, mime_rcpts: <md_admin@myserver.de>, settings_id: authenticated
Mar 28 16:11:30 ns rspamd[2150]: <1553fb>; proxy; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 1 regexps matched, 175 regexps total, 44 regexps cached, 0B scanned using pcre, 1.14KiB scanned total
Mar 28 16:11:30 ns opendkim[1272]: 6544CD59F: DKIM-Signature field added (s=default, d=myserver.de)
Mar 28 16:11:30 ns postfix/qmgr[2026]: 6544CD59F: from=<md_admin@myserver.de>, size=995, nrcpt=1 (queue active)
Mar 28 16:11:30 ns dovecot: lmtp(5338): Connect from local
Mar 28 16:11:30 ns dovecot: lmtp(md_admin@myserver.de): save: box=INBOX, uid=44, msgid=<em11fbf03f-c0b4-4d7e-bed0-de5b515c511d@9a317569.com>, from=Marko-Admin <md_admin@myserver.de>, subject=Testnachricht, flags=()
Mar 28 16:11:30 ns dovecot: lmtp(md_admin@myserver.de): AFtFLRLCQWLaFAAAnFmNGg: sieve: msgid=<em11fbf03f-c0b4-4d7e-bed0-de5b515c511d@9a317569.com>: stored mail into mailbox 'INBOX'
Mar 28 16:11:30 ns postfix/lmtp[5337]: 6544CD59F: to=<md_admin@myserver.de>, relay=mail.myserver.de[/var/run/dovecot/lmtp], delay=0.42, delays=0.41/0/0/0, dsn=2.0.0, status=sent (250 2.0.0 <md_admin@myserver.de> AFtFLRLCQWLaFAAAnFmNGg Saved)
Mar 28 16:11:30 ns postfix/qmgr[2026]: 6544CD59F: removed
Mar 28 16:11:30 ns dovecot: lmtp(5338): Disconnect from local: Successful quit
Mar 28 16:11:30 ns postfix/smtpd[5316]: disconnect from xyz.dip0.t-ipconnect.de[93.245.xxx.xxx]
Mar 28 16:11:30 ns rspamd[2150]: <a40cf0>; proxy; proxy_milter_finish_handler: finished milter connection
Mar 28 16:11:55 ns rspamd[2151]: <r1xb3x>; lua; bayes_expiry.lua:440: finished expiry step 1: 798 items checked, 8 significant (0 made persistent), 0 insignificant (0 ttls set), 0 common (0 discriminated), 790 infrequent (0 ttls set), 1 mean, 0 std
Mar 28 16:11:55 ns rspamd[2151]: <r1xb3x>; lua; bayes_expiry.lua:440: finished expiry cycle in 1 steps: 798 items checked, 8 significant (0 made persistent), 0 insignificant (0 ttls set), 0 common (0 discriminated), 790 infrequent (0 ttls set), 1 mean, 0 std
Mar 28 16:11:55 ns rspamd[2151]: <r1xb3x>; lua; bayes_expiry.lua:447: tokens occurrences, in ham: {nil}
Mar 28 16:11:55 ns rspamd[2151]: <r1xb3x>; lua; bayes_expiry.lua:447: tokens occurrences, in spam: {nil}
Mar 28 16:11:55 ns rspamd[2151]: <r1xb3x>; lua; bayes_expiry.lua:447: tokens occurrences, total: {nil}
Mar 28 16:14:51 ns postfix/anvil[5304]: statistics: max connection rate 5/60s for (smtp:93.245.xxx.xxx) at Mar 28 16:11:19
Mar 28 16:14:51 ns postfix/anvil[5304]: statistics: max connection count 2 for (smtp:93.245.xxx.xxx) at Mar 28 16:11:19
Mar 28 16:14:51 ns postfix/anvil[5304]: statistics: max cache size 2 at Mar 28 16:11:19