diff --git a/.index.json b/.index.json
index c4dfaaf714b..e98ecb56c36 100644
--- a/.index.json
+++ b/.index.json
@@ -4496,7 +4496,7 @@
 },
 "crowdsecurity/postfix": {
 "path": "collections/crowdsecurity/postfix.yaml",
- "version": "0.2",
+ "version": "0.3",
 "versions": {
 "0.1": {
 "digest": "81767bab91a7a071d8d32f3227f2391744eef5ba6a4cf916a96ec8183d050ae0",
@@ -4505,10 +4505,14 @@
 "0.2": {
 "digest": "b4cceea527807a9fe70f673ef34e0d7d4372267d665fbbe164f0d6a1a3531a2e",
 "deprecated": false
+ },
+ "0.3": {
+ "digest": "850515aa2593b279ddf33b2018b1c437f2481f961df8cb06e1f18ac53d14e110",
+ "deprecated": false
 }
 },
 "long_description": "IyMgUG9zdGZpeCBjb2xsZWN0aW9uCgpBIGNvbGxlY3Rpb24gZm9yIHBvc3RmaXgKICogcG9zdGZpeCBsb2cgcGFyc2VycwogKiBwb3N0c2NyZWVuIGxvZyBwYXJzZXIKICogcG9zdGZpeCBzY2VuYXJpbyBicnV0ZWZvcmNlIHNwYW0gYXR0ZW1wdAogKiBwb3N0c2NyZWVuIHJiIGF0dGVtcHQgYmxhY2tsaXN0CgpUaGlzIGNvbGxlY3Rpb24gbW9zdGx5IGFpbXMgYXQgZ2V0dGluZyBhIHNpbWlsYXIgc3BhbSBwcm90ZWN0aW9uIGFzCnRoZSBub3JtYWwgZmFpbDJiYW4gcG9zdGZpeCBjb25maWd1cmF0aW9uIGFsdGhvdWdoIHBvc3RzY3JlZW4gbG9nCm1hbmFnZW1lbnQgaXNuJ3QgaW5jbHVkZWQgYnkgZGVmYXVsdCBieSBmYWlsMmJhbi4KCgojIyBBY3F1aXNpdGlvbiB0ZW1wbGF0ZQoKRXhhbXBsZSBhY3F1aXNpdGlvbiBmb3IgdGhpcyBjb2xsZWN0aW9uIDoKCmBgYHlhbWwKZmlsZW5hbWVzOgogIC0gL3Zhci9sb2cvbWFpbC5sb2cKbGFiZWxzOgogIHR5cGU6IHN5c2xvZwpgYGAKCgpub3RlcyA6CiAtICBJZiB5b3UgYXJlIHVzaW5nIGBzeXNsb2dgLCBzZXQgdHlwZSB0byBgc3lzbG9nYCBpbnN0ZWFkCiAtICBEZXBlbmRpbmcgb24geW91ciBkaXN0cmlidXRpb24vT1MsIHBhdGhzIHRvIGxvZyBmaWxlcyBtaWdodCBjaGFuZ2UKIC0gIE9ubHkgcmVsZXZhbnQgaWYgeW91IGFyZSBtYW51YWxseSBpbnN0YWxsaW5nIGNvbGxlY3Rpb24K",
- "content": "cGFyc2VyczoKICAtIGNyb3dkc2VjdXJpdHkvcG9zdGZpeC1sb2dzCiAgLSBjcm93ZHNlY3VyaXR5L3Bvc3RzY3JlZW4tbG9ncwpzY2VuYXJpb3M6CiAgLSBjcm93ZHNlY3VyaXR5L3Bvc3RmaXgtc3BhbQpkZXNjcmlwdGlvbjogInBvc3RmaXggc3VwcG9ydCA6IHBhcnNlciBhbmQgc3BhbW1lciBkZXRlY3Rpb24iCmF1dGhvcjogY3Jvd2RzZWN1cml0eQp0YWdzOgogIC0gbGludXgKICAtIHNwYW0KICAtIGJydXRlZm9yY2UK",
+ "content": "cGFyc2VyczoKICAtIGNyb3dkc2VjdXJpdHkvcG9zdGZpeC1sb2dzCiAgLSBjcm93ZHNlY3VyaXR5L3Bvc3RzY3JlZW4tbG9ncwpzY2VuYXJpb3M6CiAgLSBjcm93ZHNlY3VyaXR5L3Bvc3RmaXgtc3BhbQogIC0gY3Jvd2RzZWN1cml0eS9wb3N0Zml4LXJlbGF5LWRlbmllZAogIC0gY3Jvd2RzZWN1cml0eS9wb3N0Zml4LWhlbG8tcmVqZWN0ZWQKZGVzY3JpcHRpb246ICJwb3N0Zml4IHN1cHBvcnQgOiBwYXJzZXIgYW5kIHNwYW1tZXIgZGV0ZWN0aW9uIgphdXRob3I6IGNyb3dkc2VjdXJpdHkKdGFnczoKICAtIGxpbnV4CiAgLSBzcGFtCiAgLSBicnV0ZWZvcmNlCg==",
 "description": "postfix support : parser and spammer detection",
 "author": "crowdsecurity",
 "labels": null,
@@ -4517,7 +4521,9 @@
 "crowdsecurity/postscreen-logs"
 ],
 "scenarios": [
- "crowdsecurity/postfix-spam"
+ "crowdsecurity/postfix-spam",
+ "crowdsecurity/postfix-relay-denied",
+ "crowdsecurity/postfix-helo-rejected"
 ]
 },
 "crowdsecurity/proftpd": {
@@ -7672,7 +7678,7 @@
 "crowdsecurity/postfix-logs": {
 "path": "parsers/s01-parse/crowdsecurity/postfix-logs.yaml",
 "stage": "s01-parse",
- "version": "0.6",
+ "version": "0.7",
 "versions": {
 "0.1": {
 "digest": "da6b8ecae70e951905697c92fc0c198c2148041bf96e33658d485818c37d7414",
@@ -7697,9 +7703,13 @@
 "0.6": {
 "digest": "3bfd0f21a91cdee11ef4c03ae617fcd5b43967dcfc5f13592be637a4c8bf2b1f",
 "deprecated": false
+ },
+ "0.7": {
+ "digest": "69418bc0ba6fb999af9c2e0a4e23848836ec664a646adaa14cf64763364a8846",
+ "deprecated": false
 }
 },
- "content": "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",
+ "content": "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",
 "description": "Parse postfix logs",
 "author": "crowdsecurity",
 "labels": null
@@ -14074,6 +14084,64 @@
 "spoofable": 0
 }
 },
+ "crowdsecurity/postfix-helo-rejected": {
+ "path": "scenarios/crowdsecurity/postfix-helo-rejected.yaml",
+ "version": "0.1",
+ "versions": {
+ "0.1": {
+ "digest": "521fce8ce65b0693dd82399e001ec547f097b33a568501e49e0df22cbc281fc7",
+ "deprecated": false
+ }
+ },
+ "long_description": "IyMjIFBvc3RmaXggaGVsbyByZWplY3RlZAoKUG9zdGZpeCBoZWxvIHJlamVjdGVkIGlzIGEgbG9nIG1lc3NhZ2UgZ2VuZXJhdGVkIHdoZW4gYSBjbGllbnQgc2VuZHMgYSBIRUxPIG9yIEVITE8gY29tbWFuZCB0aGF0IGlzIHJlamVjdGVkIGJ5IHRoZSBzZXJ2ZXIuIFRoaXMgY2FuIGhhcHBlbiBmb3IgYSB2YXJpZXR5IG9mIHJlYXNvbnMsIHN1Y2ggYXMgdGhlIGNsaWVudCB1c2luZyBhbiBpbnZhbGlkIGhvc3RuYW1lIG9yIHRoZSBzZXJ2ZXIgYmVpbmcgY29uZmlndXJlZCB0byByZWplY3QgY2VydGFpbiB0eXBlcyBvZiBIRUxPIGNvbW1hbmRzLgoKWW91IGNhbiBzZWUgdGhlIGNvbmZpZ3VyYXRpb24gZm9yIHRoZSByZXN0cmljdGlvbnMgcGxhY2VkIG9uIEhFTE8gY29tbWFuZHMgd2l0aGluIGh0dHBzOi8vd3d3LnBvc3RmaXgub3JnL3Bvc3Rjb25mLjUuaHRtbCNzbXRwZF9oZWxvX3Jlc3RyaWN0aW9ucwo=",
+ "content": "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",
+ "description": "Detect HELO rejections",
+ "author": "crowdsecurity",
+ "references": [
+ "https://www.postfix.org/postconf.5.html#smtpd_helo_restrictions"
+ ],
+ "labels": {
+ "behavior": "smtp:spam",
+ "classification": [
+ "attack.T1595",
+ "attack.T1592"
+ ],
+ "confidence": 2,
+ "label": "Postfix Helo Rejected",
+ "remediation": true,
+ "service": "postfix",
+ "spoofable": 0
+ }
+ },
+ "crowdsecurity/postfix-relay-denied": {
+ "path": "scenarios/crowdsecurity/postfix-relay-denied.yaml",
+ "version": "0.1",
+ "versions": {
+ "0.1": {
+ "digest": "ef60099a5b179d375f626157c6856ae28fa8d2b850fba96c6a4f4f94bf53227c",
+ "deprecated": false
+ }
+ },
+ "long_description": "IyMjIFBvc3RmaXggcmVsYXkgZGVuaWVkIGFjY2VzcwoKUG9zdGZpeCByZWxheSBkZW5pZWQgYWNjZXNzIGlzIGEgbG9nIG1lc3NhZ2UgZ2VuZXJhdGVkIHdoZW4gYSBjbGllbnQgdHJpZXMgdG8gcmVsYXkgYW4gZW1haWwgdGhyb3VnaCB0aGUgc2VydmVyIHdpdGhvdXQgYmVpbmcgYXV0aG9yaXplZCB0byBkbyBzby4gVGhpcyBjYW4gaGFwcGVuIGZvciBhIHZhcmlldHkgb2YgcmVhc29ucywgc3VjaCBhcyB0aGUgY2xpZW50IG5vdCBiZWluZyBhdXRoZW50aWNhdGVkIG9yIHRoZSBzZXJ2ZXIgbm90IGJlaW5nIGNvbmZpZ3VyZWQgdG8gYWxsb3cgcmVsYXlpbmcgZnJvbSB0aGUgY2xpZW50J3MgSVAgYWRkcmVzcy4KCk1hbnkgYm90cyBhbmQgc3BhbW1lcnMgdHJ5IHRvIGV4cGxvaXQgb3BlbiByZWxheXMgdG8gc2VuZCBzcGFtIGVtYWlscywgc28gaXQncyBpbXBvcnRhbnQgdG8gbW9uaXRvciBmb3IgdGhlc2UgdHlwZXMgb2YgZXZlbnRzIGFuZCB0YWtlIGFjdGlvbiB0byBwcmV2ZW50IHVuYXV0aG9yaXplZCByZWxheWluZy4K",
+ "content": "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",
+ "description": "Detect multiple open relay attempts",
+ "author": "crowdsecurity",
+ "references": [
+ "https://en.wikipedia.org/wiki/Open_mail_relay"
+ ],
+ "labels": {
+ "behavior": "smtp:spam",
+ "classification": [
+ "attack.T1595",
+ "attack.T1190"
+ ],
+ "confidence": 3,
+ "label": "Postfix Relay Denied",
+ "remediation": true,
+ "service": "postfix",
+ "spoofable": 0
+ }
+ },
 "crowdsecurity/postfix-spam": {
 "path": "scenarios/crowdsecurity/postfix-spam.yaml",
 "version": "0.4",
diff --git a/.tests/postfix-helo/config.yaml b/.tests/postfix-helo/config.yaml
new file mode 100644
index 00000000000..bd71785d208
--- /dev/null
+++ b/.tests/postfix-helo/config.yaml
@@ -0,0 +1,11 @@
+parsers:
+- crowdsecurity/postfix-logs
+- crowdsecurity/syslog-logs
+- crowdsecurity/dateparse-enrich
+scenarios:
+- ./scenarios/crowdsecurity/postfix-helo-rejected.yaml
+postoverflows:
+- ""
+log_file: postfix-spam.log
+log_type: syslog
+ignore_parsers: true
diff --git a/.tests/postfix-helo/parser.assert b/.tests/postfix-helo/parser.assert
new file mode 100644
index 00000000000..e69de29bb2d
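Review bot: The fixture for this new `postfix-helo` test is wired as `log_file: postfix-spam.log`, which reads as a copy of the postfix-spam test and makes the `datasource_path == "postfix-spam.log"` expectations in the sibling `scenario.assert` look as if they belong to another scenario; rename the file to `postfix-helo.log` and set `log_file: postfix-helo.log`. With `ignore_parsers: true` and an empty `parser.assert`, the parser output for these lines is pinned only by the separate `.tests/postfix-logs` test, which is acceptable but deserves a comment above the flag, e.g. `# parser output for these lines is asserted in .tests/postfix-logs; only the scenario overflow is checked here`. The `postoverflows:` list holding a single empty string looks like scaffold output; if the hubtest runner accepts `postoverflows: []`, prefer that so the config does not suggest a postoverflow is loaded.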
diff --git a/.tests/postfix-helo/postfix-spam.log b/.tests/postfix-helo/postfix-spam.log
new file mode 100644
index 00000000000..97738b35529
--- /dev/null
+++ b/.tests/postfix-helo/postfix-spam.log
@@ -0,0 +1,2 @@
+2024-08-29T01:08:59.764590+00:00 machine postfix/smtpd[1938053]: NOQUEUE: reject: RCPT from unknown[192.168.1.1]: 504 5.5.2 : Helo command rejected: need fully-qualifiedhostname; from= to= proto=ESMTP helo=
+2024-08-29T01:09:08.989498+00:00 machine postfix/smtpd[1938053]: NOQUEUE: reject: RCPT from unknown[192.168.1.1]: 504 5.5.2 : Helo command rejected: need fully-qualifiedhostname; from= to= proto=ESMTP helo=
\ No newline at end of file
diff --git a/.tests/postfix-helo/scenario.assert b/.tests/postfix-helo/scenario.assert
new file mode 100644
index 00000000000..4f9bf3f34e8
--- /dev/null
+++ b/.tests/postfix-helo/scenario.assert
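Review bot: Both fixture lines read `need fully-qualifiedhostname` without the space, while the postfix-logs fixture added in this same commit, and Postfix's own smtpd reply, use `need fully-qualified hostname`; the new `scenario.assert` then pins `reason == "Helo command rejected: need fully-qualifiedhostname"`, so the scenario is exercised against text a real server never logs. If the scenario's filter keys on the reason string rather than on the `504`/`5.5.2` codes (its YAML body is not visible in this diff), a green test here proves nothing about production traffic; correct both lines to `need fully-qualified hostname` and update the two `reason` expectations with them. The file is also missing its trailing newline, as the hunk footer shows.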
@@ -0,0 +1,29 @@
+len(results) == 1
+"192.168.1.1" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["192.168.1.1"].IP == "192.168.1.1"
+results[0].Overflow.Sources["192.168.1.1"].Range == ""
+results[0].Overflow.Sources["192.168.1.1"].GetScope() == "Ip"
+results[0].Overflow.Sources["192.168.1.1"].GetValue() == "192.168.1.1"
+results[0].Overflow.Alert.Events[0].GetMeta("action") == "reject"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "postfix-spam.log"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "postfix"
+results[0].Overflow.Alert.Events[0].GetMeta("machine") == "machine"
+results[0].Overflow.Alert.Events[0].GetMeta("reason") == "Helo command rejected: need fully-qualifiedhostname"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "postfix"
+results[0].Overflow.Alert.Events[0].GetMeta("source_hostname") == "unknown"
+results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.1.1"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2024-08-29T01:08:59.76459Z"
+results[0].Overflow.Alert.Events[1].GetMeta("action") == "reject"
+results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "postfix-spam.log"
+results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "postfix"
+results[0].Overflow.Alert.Events[1].GetMeta("machine") == "machine"
+results[0].Overflow.Alert.Events[1].GetMeta("reason") == "Helo command rejected: need fully-qualifiedhostname"
+results[0].Overflow.Alert.Events[1].GetMeta("service") == "postfix"
+results[0].Overflow.Alert.Events[1].GetMeta("source_hostname") == "unknown"
+results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.1.1"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2024-08-29T01:09:08.989498Z"
+results[0].Overflow.Alert.GetScenario() == "crowdsecurity/postfix-helo-rejected"
+results[0].Overflow.Alert.Remediation == true
+results[0].Overflow.Alert.GetEventsCount() == 2
diff --git a/.tests/postfix-logs/parser.assert b/.tests/postfix-logs/parser.assert
index ef107cd331d..77c0c5c7d42 100644
--- a/.tests/postfix-logs/parser.assert
+++ b/.tests/postfix-logs/parser.assert
@@ -1,8 +1,8 @@
 len(results) == 4
-len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 2
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 5
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == true
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["logsource"] == "syslog"
-results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["message"] == "warning: unknown[1.2.3.4]: SASL LOGIN authentication failed: authentication failure"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["message"] == "warning: unknown[192.168.1.1]: SASL LOGIN authentication failed: authentication failure"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["pid"] == "26897"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["program"] == "postfix/smtpd"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["timestamp"] == "May 11 04:02:36"
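Review bot: Only the positive path is pinned here: two `504 5.5.2 Helo command rejected` events from one source nine seconds apart produce one alert with `Remediation == true`, and nothing asserts that a lower volume stays quiet. A bare, non-FQDN HELO is a classic misconfiguration of legitimate internal clients (the `WIN-9QL4SDRB93L` HELO in the postfix-logs fixture looks like a default Windows computer name), and such a client repeats it on every delivery attempt, so a ban after two events is aggressive. Add a negative case (a single rejection, asserting `len(results) == 0`) and state the bucket capacity and leak speed in the scenario's long_description so operators know what to tune; the threshold itself is inferred from the fixture, since the scenario YAML body is not visible in this diff.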
@@ -12,7 +12,7 @@ results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["machine"] == "host1
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == true
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["logsource"] == "syslog"
-results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[1.2.3.4]: 554 5.7.1 Service unavailable"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[192.168.1.1]: 554 5.7.1 Service unavailable"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["pid"] == "26897"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["program"] == "postfix/smtpd"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["timestamp"] == "May 11 04:02:37"
@@ -20,14 +20,44 @@ results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_path"] =
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["machine"] == "host1"
 results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Whitelisted == false
-len(results["s01-parse"]["crowdsecurity/postfix-logs"]) == 2
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[192.168.1.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo="
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["pid"] == "60203"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["program"] == "postfix/smtpd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["timestamp8601"] == "2024-08-26T01:33:38.572449+00:00"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_path"] == "postfix-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["machine"] == "machine"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[192.168.1.1]: 454 4.7.1 : Relay access denied; from= to= proto=ESMTP helo="
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["pid"] == "3887453"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["program"] == "postfix/smtpd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["timestamp8601"] == "2024-08-25T12:31:56.154748+00:00"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_path"] == "postfix-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["machine"] == "machine"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from static.1.1.168.192.client.domain.xyz[192.168.1.1]: 454 4.7.1 : Relay access denied; from= to= proto=ESMTP helo="
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["pid"] == "3967801"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["program"] == "postfix/smtpd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["timestamp"] == "Jun 04 22:24:28"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_path"] == "postfix-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["machine"] == "machine"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Whitelisted == false
+len(results["s01-parse"]["crowdsecurity/postfix-logs"]) == 5
 results["s01-parse"]["crowdsecurity/postfix-logs"][0].Success == true
 results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["logsource"] == "syslog"
-results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["message"] == "warning: unknown[1.2.3.4]: SASL LOGIN authentication failed: authentication failure"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["message"] == "warning: unknown[192.168.1.1]: SASL LOGIN authentication failed: authentication failure"
 results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["message_failure"] == " authentication failure"
 results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["pid"] == "26897"
 results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["program"] == "postfix/smtpd"
-results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["remote_addr"] == "1.2.3.4"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["remote_addr"] == "192.168.1.1"
 results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["remote_host"] == "unknown"
 results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["timestamp"] == "May 11 04:02:36"
 results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["datasource_path"] == "postfix-logs.log"
@@ -37,18 +67,21 @@ results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["log_type_enh"] =
 results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["machine"] == "host1"
 results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["service"] == "postfix"
 results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["source_hostname"] == "unknown"
-results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Whitelisted == false
 results["s01-parse"]["crowdsecurity/postfix-logs"][1].Success == true
 results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["action"] == "reject"
 results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["command"] == "RCPT"
 results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["logsource"] == "syslog"
-results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[1.2.3.4]: 554 5.7.1 Service unavailable"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[192.168.1.1]: 554 5.7.1 Service unavailable"
 results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["pid"] == "26897"
 results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["program"] == "postfix/smtpd"
-results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["reason"] == "554 5.7.1 Service unavailable"
-results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["remote_addr"] == "1.2.3.4"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["reason"] == "Service unavailable"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["remote_addr"] == "192.168.1.1"
 results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["remote_host"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["smtp_basic_status_code"] == "554"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["smtp_enhanced_status_code"] == "5.7.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["smtp_return_codes"] == "554 5.7.1"
 results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["timestamp"] == "May 11 04:02:37"
 results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["action"] == "reject"
 results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["datasource_path"] == "postfix-logs.log"
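Review bot: The expected `Parsed["reason"]` for the 554 event changes from `"554 5.7.1 Service unavailable"` to `"Service unavailable"`, i.e. the parser now strips the reply codes out of a field that scenarios and postoverflows may already filter on, while `.index.json` in this same commit bumps postfix-logs only from 0.6 to 0.7. Anything downstream matching `evt.Meta.reason` or `evt.Parsed.reason` against the code-prefixed form stops firing silently; please grep the hub for such filters and call the change out in the parser's description or changelog. The codes remain reachable through the new `smtp_basic_status_code`, `smtp_enhanced_status_code` and `smtp_return_codes` fields asserted here, which gives consumers a migration path.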
@@ -57,16 +90,106 @@ results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["log_type"] == "p
 results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["machine"] == "host1"
 results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["service"] == "postfix"
 results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["source_hostname"] == "unknown"
-results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Whitelisted == false
-len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 2
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Success == true
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["action"] == "reject"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["command"] == "RCPT"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["helo"] == "WIN-9QL4SDRB93L"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["kvItems"] == "from= to= proto=ESMTP helo="
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[192.168.1.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo="
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["pid"] == "60203"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["program"] == "postfix/smtpd"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["reason"] == "Helo command rejected: need fully-qualified hostname"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["remote_addr"] == "192.168.1.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["remote_host"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["smtp_basic_status_code"] == "504"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["smtp_enhanced_status_code"] == "5.5.2"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["smtp_return_codes"] == "504 5.5.2"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["timestamp8601"] == "2024-08-26T01:33:38.572449+00:00"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["action"] == "reject"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["datasource_path"] == "postfix-logs.log"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["log_type"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["machine"] == "machine"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["reason"] == "Helo command rejected: need fully-qualified hostname"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["service"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["source_hostname"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["source_ip"] == "192.168.1.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Unmarshaled["postfix"]["from"] == ""
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Unmarshaled["postfix"]["helo"] == ""
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Unmarshaled["postfix"]["proto"] == "ESMTP"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Unmarshaled["postfix"]["to"] == ""
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Whitelisted == false
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Success == true
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["action"] == "reject"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["command"] == "RCPT"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["helo"] == "spammer@domain.tld"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["kvItems"] == "from= to= proto=ESMTP helo="
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[192.168.1.1]: 454 4.7.1 : Relay access denied; from= to= proto=ESMTP helo="
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["pid"] == "3887453"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["program"] == "postfix/smtpd"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["reason"] == "Relay access denied"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["remote_addr"] == "192.168.1.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["remote_host"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["smtp_basic_status_code"] == "454"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["smtp_enhanced_status_code"] == "4.7.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["smtp_return_codes"] == "454 4.7.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["timestamp8601"] == "2024-08-25T12:31:56.154748+00:00"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["action"] == "reject"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["datasource_path"] == "postfix-logs.log"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["log_type"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["machine"] == "machine"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["reason"] == "Relay access denied"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["service"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["source_hostname"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["source_ip"] == "192.168.1.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Unmarshaled["postfix"]["from"] == ""
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Unmarshaled["postfix"]["helo"] == ""
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Unmarshaled["postfix"]["proto"] == "ESMTP"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Unmarshaled["postfix"]["to"] == ""
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Whitelisted == false
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Success == true
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["action"] == "reject"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["command"] == "RCPT"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["helo"] == "spameri@tiscali.it"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["kvItems"] == "from= to= proto=ESMTP helo="
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from static.1.1.168.192.client.domain.xyz[192.168.1.1]: 454 4.7.1 : Relay access denied; from= to= proto=ESMTP helo="
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["pid"] == "3967801"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["program"] == "postfix/smtpd"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["reason"] == "Relay access denied"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["remote_addr"] == "192.168.1.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["remote_host"] == "static.1.1.168.192.client.domain.xyz"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["smtp_basic_status_code"] == "454"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["smtp_enhanced_status_code"] == "4.7.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["smtp_return_codes"] == "454 4.7.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["timestamp"] == "Jun 04 22:24:28"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["action"] == "reject"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["datasource_path"] == "postfix-logs.log"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["log_type"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["machine"] == "machine"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["reason"] == "Relay access denied"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["service"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["source_hostname"] == "static.1.1.168.192.client.domain.xyz"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["source_ip"] == "192.168.1.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Unmarshaled["postfix"]["helo"] == ""
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Unmarshaled["postfix"]["proto"] == "ESMTP"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Unmarshaled["postfix"]["to"] == ""
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Unmarshaled["postfix"]["from"] == ""
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Whitelisted == false
+len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 5
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["logsource"] == "syslog"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "warning: unknown[1.2.3.4]: SASL LOGIN authentication failed: authentication failure"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "warning: unknown[192.168.1.1]: SASL LOGIN authentication failed: authentication failure"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message_failure"] == " authentication failure"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["pid"] == "26897"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "postfix/smtpd"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_addr"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_addr"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_host"] == "unknown"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "May 11 04:02:36"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "postfix-logs.log"
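Review bot: The new `[2]`–`[4]` expectations only cover tidy HELO values (`WIN-9QL4SDRB93L`, `spammer@domain.tld`, `spameri@tiscali.it`), yet `Parsed["helo"]` is lifted from a string the remote client chooses and `kvItems` is further split into `Unmarshaled["postfix"]`, so there is no fixture showing what happens when a client sends a HELO containing spaces, `=` or `;`. Add one such line and assert that `remote_addr`/`source_ip` still come from the bracketed address and that `reason` is not polluted by the tail, since `source_ip` is what the scenarios act on. As rendered here the kv tail shows `from= to= proto=ESMTP helo=` with empty values while `Parsed["helo"]` is non-empty and `Unmarshaled["postfix"]["helo"]` is `""`; that looks like angle-bracketed content dropped by the page rendering rather than a parser defect, but it is worth confirming against the raw fixture.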
@@ -76,7 +199,7 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type_en
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["machine"] == "host1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "postfix"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_hostname"] == "unknown"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2024-05-11T04:02:36Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2024-05-11T04:02:36Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
@@ -84,12 +207,15 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["action"] == "reject"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["command"] == "RCPT"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["logsource"] == "syslog"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[1.2.3.4]: 554 5.7.1 Service unavailable"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[192.168.1.1]: 554 5.7.1 Service unavailable"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["pid"] == "26897"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "postfix/smtpd"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["reason"] == "554 5.7.1 Service unavailable"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["remote_addr"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["reason"] == "Service unavailable"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["remote_addr"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["remote_host"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["smtp_basic_status_code"] == "554"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["smtp_enhanced_status_code"] == "5.7.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["smtp_return_codes"] == "554 5.7.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "May 11 04:02:37"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["action"] == "reject"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "postfix-logs.log"
@@ -98,8 +224,104 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["machine"] == "host1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "postfix"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_hostname"] == "unknown"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "192.168.1.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2024-05-11T04:02:37Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2024-05-11T04:02:37Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["action"] == "reject"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["command"] == "RCPT"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["helo"] == "WIN-9QL4SDRB93L"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["kvItems"] == "from= to= proto=ESMTP helo="
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[192.168.1.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo="
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["pid"] == "60203"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "postfix/smtpd"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["reason"] == "Helo command rejected: need fully-qualified hostname"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["remote_addr"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["remote_host"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["smtp_basic_status_code"] == "504"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["smtp_enhanced_status_code"] == "5.5.2"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["smtp_return_codes"] == "504 5.5.2"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp8601"] == "2024-08-26T01:33:38.572449+00:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["action"] == "reject"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"] == "postfix-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["machine"] == "machine"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["reason"] == "Helo command rejected: need fully-qualified hostname"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_hostname"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2024-08-26T01:33:38.572449Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2024-08-26T01:33:38.572449Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["postfix"]["from"] == ""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["postfix"]["helo"] == ""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["postfix"]["proto"] == "ESMTP"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["postfix"]["to"] == ""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["action"] == "reject"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["command"] == "RCPT"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["helo"] == "spammer@domain.tld"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["kvItems"] == "from= to= proto=ESMTP helo="
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[192.168.1.1]: 454 4.7.1 : Relay access denied; from= to= proto=ESMTP helo="
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["pid"] == "3887453"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "postfix/smtpd"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["reason"] == "Relay access denied"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["remote_addr"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["remote_host"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["smtp_basic_status_code"] == "454"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["smtp_enhanced_status_code"] == "4.7.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["smtp_return_codes"] == "454 4.7.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp8601"] == "2024-08-25T12:31:56.154748+00:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["action"] == "reject"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"] == "postfix-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["machine"] == "machine"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["reason"] == "Relay access denied"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_hostname"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2024-08-25T12:31:56.154748Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2024-08-25T12:31:56.154748Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["postfix"]["from"] == ""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["postfix"]["helo"] == ""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["postfix"]["proto"] == "ESMTP"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["postfix"]["to"] == ""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["action"] == "reject"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["command"] == "RCPT"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["helo"] == "spameri@tiscali.it"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["kvItems"] == "from= to= proto=ESMTP helo="
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from static.1.1.168.192.client.domain.xyz[192.168.1.1]: 454 4.7.1 : Relay access denied; from= to= proto=ESMTP helo="
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["pid"] == "3967801"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "postfix/smtpd"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["reason"] == "Relay access denied"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["remote_addr"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["remote_host"] == "static.1.1.168.192.client.domain.xyz"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["smtp_basic_status_code"] == "454"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["smtp_enhanced_status_code"] == "4.7.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["smtp_return_codes"] == "454 4.7.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["timestamp"] == "Jun 04 22:24:28"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["action"] == "reject"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"] == "postfix-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["machine"] == "machine"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["reason"] == "Relay access denied"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_hostname"] == "static.1.1.168.192.client.domain.xyz"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "192.168.1.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2024-06-04T22:24:28Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"] == "2024-06-04T22:24:28Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["postfix"]["from"] == ""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["postfix"]["helo"] == ""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["postfix"]["proto"] == "ESMTP"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["postfix"]["to"] == ""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Whitelisted == false
 len(results["success"][""]) == 0
diff --git a/.tests/postfix-logs/postfix-logs.log b/.tests/postfix-logs/postfix-logs.log
index 9d877b8fa97..2579b153c22 100644
--- a/.tests/postfix-logs/postfix-logs.log
+++ b/.tests/postfix-logs/postfix-logs.log
@@ -1,3 +1,5 @@
-May 11 04:02:36 host1 postfix/smtpd[26897]: warning: unknown[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
-May 11 04:02:37 host1 postfix/smtpd[26897]: NOQUEUE: reject: RCPT from unknown[1.2.3.4]: 554 5.7.1 Service unavailable
-
+May 11 04:02:36 host1 postfix/smtpd[26897]: warning: unknown[192.168.1.1]: SASL LOGIN authentication failed: authentication failure
+May 11 04:02:37 host1 postfix/smtpd[26897]: NOQUEUE: reject: RCPT from unknown[192.168.1.1]: 554 5.7.1 Service unavailable
+2024-08-26T01:33:38.572449+00:00 machine postfix/smtpd[60203]: NOQUEUE: reject: RCPT from unknown[192.168.1.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo=
+2024-08-25T12:31:56.154748+00:00 machine postfix/smtpd[3887453]: NOQUEUE: reject: RCPT from unknown[192.168.1.1]: 454 4.7.1 : Relay access denied; from= to= proto=ESMTP helo=
+Jun 04 22:24:28 machine postfix/smtpd[3967801]: NOQUEUE: reject: RCPT from static.1.1.168.192.client.domain.xyz[192.168.1.1]: 454 4.7.1 : Relay access denied; from= to= proto=ESMTP helo=
diff --git a/.tests/postfix-relay/config.yaml b/.tests/postfix-relay/config.yaml
new file mode 100644
index 00000000000..a73f17be5ea
--- /dev/null
+++ b/.tests/postfix-relay/config.yaml
@@ -0,0 +1,11 @@
+parsers:
+- crowdsecurity/postfix-logs
+- crowdsecurity/syslog-logs
+- crowdsecurity/dateparse-enrich
+scenarios:
+- ./scenarios/crowdsecurity/postfix-relay-denied.yaml
+postoverflows:
+- ""
+log_file: postfix-spam.log
+log_type: syslog
+ignore_parsers: true
diff --git a/.tests/postfix-relay/parser.assert b/.tests/postfix-relay/parser.assert
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/.tests/postfix-relay/postfix-spam.log b/.tests/postfix-relay/postfix-spam.log
new file mode 100644
index 00000000000..99c5264fda4
--- /dev/null
+++ b/.tests/postfix-relay/postfix-spam.log
@@ -0,0 +1,2 @@
+2024-08-25T10:04:35.051238+00:00 machine postfix/smtpd[3814725]: NOQUEUE: reject: RCPT from unknown[192.168.1.1]: 454 4.7.1 : Relay access denied; from= to= proto=ESMTP helo=
+2024-08-25T10:04:52.547326+00:00 machine postfix/smtpd[3814725]: NOQUEUE: reject: RCPT from unknown[192.168.1.1]: 454 4.7.1 : Relay access denied; from= to= proto=ESMTP helo=
\ No newline at end of file
diff --git a/.tests/postfix-relay/scenario.assert b/.tests/postfix-relay/scenario.assert
new file mode 100644
index 00000000000..df24115e57e
--- /dev/null
+++ b/.tests/postfix-relay/scenario.assert
@@ -0,0 +1,29 @@
+len(results) == 1
+"192.168.1.1" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["192.168.1.1"].IP == "192.168.1.1"
+results[0].Overflow.Sources["192.168.1.1"].Range == ""
+results[0].Overflow.Sources["192.168.1.1"].GetScope() == "Ip"
+results[0].Overflow.Sources["192.168.1.1"].GetValue() == "192.168.1.1"
+results[0].Overflow.Alert.Events[0].GetMeta("action") == "reject"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "postfix-spam.log"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "postfix"
+results[0].Overflow.Alert.Events[0].GetMeta("machine") == "machine"
+results[0].Overflow.Alert.Events[0].GetMeta("reason") == "Relay access denied"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "postfix"
+results[0].Overflow.Alert.Events[0].GetMeta("source_hostname") == "unknown"
+results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.1.1"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2024-08-25T10:04:35.051238Z"
+results[0].Overflow.Alert.Events[1].GetMeta("action") == "reject"
+results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "postfix-spam.log"
+results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "postfix"
+results[0].Overflow.Alert.Events[1].GetMeta("machine") == "machine"
+results[0].Overflow.Alert.Events[1].GetMeta("reason") == "Relay access denied"
+results[0].Overflow.Alert.Events[1].GetMeta("service") == "postfix"
+results[0].Overflow.Alert.Events[1].GetMeta("source_hostname") == "unknown"
+results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.1.1"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2024-08-25T10:04:52.547326Z"
+results[0].Overflow.Alert.GetScenario() == "crowdsecurity/postfix-relay-denied"
+results[0].Overflow.Alert.Remediation == true
+results[0].Overflow.Alert.GetEventsCount() == 2
diff --git a/collections/crowdsecurity/postfix.yaml b/collections/crowdsecurity/postfix.yaml
index 8b1221788ae..e0b44776df4 100644
--- a/collections/crowdsecurity/postfix.yaml
+++ b/collections/crowdsecurity/postfix.yaml
@@ -3,6 +3,8 @@ parsers:
 - crowdsecurity/postscreen-logs
 scenarios:
 - crowdsecurity/postfix-spam
+ - crowdsecurity/postfix-relay-denied
+ - crowdsecurity/postfix-helo-rejected
 description: "postfix support : parser and spammer detection"
 author: crowdsecurity
 tags:
diff --git a/parsers/s01-parse/crowdsecurity/postfix-logs.yaml b/parsers/s01-parse/crowdsecurity/postfix-logs.yaml
index 09f5263d9b9..8c9297909c2 100644
--- a/parsers/s01-parse/crowdsecurity/postfix-logs.yaml
+++ b/parsers/s01-parse/crowdsecurity/postfix-logs.yaml
@@ -29,6 +29,9 @@ pattern_syntax:
 POSTFIX_COMMAND: '(AUTH|STARTTLS|CONNECT|EHLO|HELO|RCPT)'
 POSTFIX_ACTION: 'discard|dunno|filter|hold|ignore|info|prepend|redirect|replace|reject|warn'
 RELAY: '(?:%{HOSTNAME:remote_host}(?:\[%{IP:remote_addr}\](?::[0-9]+(.[0-9]+)?)?)?)'
+ SMTP_BASIC_STATUS_CODE: '[0-9]{3}' #250
+ SMTP_ENHANCED_STATUS_CODE: '[0-9.]+' #2.0.0
+ SMTP_RETURN_CODES: '%{SMTP_BASIC_STATUS_CODE:smtp_basic_status_code}( %{SMTP_ENHANCED_STATUS_CODE:smtp_enhanced_status_code})?' #250 2.0.0
 description: "Parse postfix logs"
 nodes:
 - grok:
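Review bot: `SMTP_ENHANCED_STATUS_CODE: '[0-9.]+'` on the added pattern_syntax line accepts any run of digits and dots (`...`, `5.7.1.`, `12345`), which is looser than the three-field enhanced status code the `#2.0.0` comment describes. Since the optional group in `SMTP_RETURN_CODES` only needs to decide whether a second token is a code or the start of the reason, a shape-faithful pattern is safer and self-documenting: `SMTP_ENHANCED_STATUS_CODE: '[245]\.[0-9]{1,3}\.[0-9]{1,3}'`. The trailing `#250 2.0.0` comments are useful and would read better as a one-line note above the three definitions, e.g. `# SMTP reply code, optional RFC 3463 enhanced code, e.g. "250 2.0.0"`.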
@@ -45,10 +48,21 @@ nodes:
 value: spam-attempt
 - grok:
 apply_on: message
- pattern: 'NOQUEUE: %{POSTFIX_ACTION:action}: %{DATA:command} from %{RELAY}: %{GREEDYDATA:reason}'
+ pattern: 'NOQUEUE: %{POSTFIX_ACTION:action}: %{DATA:command} from %{RELAY}: %{SMTP_RETURN_CODES:smtp_return_codes} %{GREEDYDATA:reason}'
 statics:
 - meta: action
- expression: "evt.Parsed.action"
+ expression: "evt.Parsed.action"
+ nodes:
+ ## We check if the reason is not a service unavailable if so we parser more information
+ - filter: "evt.Parsed.reason != 'Service unavailable'"
+ grok:
+ apply_on: reason
+ pattern: "<%{DATA:helo}>: %{GREEDYDATA:reason}; %{GREEDYDATA:kvItems}"
+ statics:
+ - parsed: unused
+ expression: ParseKV(evt.Parsed.kvItems, evt.Unmarshaled, "postfix")
+ - meta: reason
+ expression: "evt.Parsed.reason"
 statics:
 - meta: service
 value: postfix
diff --git a/scenarios/crowdsecurity/postfix-helo-rejected.md b/scenarios/crowdsecurity/postfix-helo-rejected.md
new file mode 100644
index 00000000000..5352ed2ebd2
--- /dev/null
+++ b/scenarios/crowdsecurity/postfix-helo-rejected.md
@@ -0,0 +1,5 @@
+### Postfix helo rejected
+
+Postfix helo rejected is a log message generated when a client sends a HELO or EHLO command that is rejected by the server. This can happen for a variety of reasons, such as the client using an invalid hostname or the server being configured to reject certain types of HELO commands.
+
+You can see the configuration for the restrictions placed on HELO commands within https://www.postfix.org/postconf.5.html#smtpd_helo_restrictions
diff --git a/scenarios/crowdsecurity/postfix-helo-rejected.yaml b/scenarios/crowdsecurity/postfix-helo-rejected.yaml
new file mode 100644
index 00000000000..79749598563
--- /dev/null
+++ b/scenarios/crowdsecurity/postfix-helo-rejected.yaml
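Review bot: The `%{DATA:helo}` capture on the added sub-node pattern is misnamed: the `<…>` that precedes the reason in a Postfix reject line is the value the restriction rejected, which is only the HELO name for HELO rejections. The parser.assert in this same commit shows it, with `Parsed["helo"] == "spammer@domain.tld"` and `"spameri@tiscali.it"` for the two "Relay access denied" lines where it is the recipient address, while the real HELO name is the one `ParseKV(evt.Parsed.kvItems, evt.Unmarshaled, "postfix")` writes to `Unmarshaled.postfix.helo`. Renaming it, e.g. `pattern: "<%{DATA:rejected_value}>: %{GREEDYDATA:reason}; %{GREEDYDATA:kvItems}"`, keeps a scenario author from filtering on the wrong field. The filter `evt.Parsed.reason != 'Service unavailable'` is a single-literal exclusion, so any other reason that lacks the `<…>: reason; key=value` shape will just fail the child grok; that appears harmless here because the parent grok already succeeded, but the `## We check …` comment should say so and fix its wording, e.g. `## Reasons other than a bare "Service unavailable" carry "<rejected value>: reason; key=value items"; split those out`.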
@@ -0,0 +1,22 @@
+# postfix helo rejected because it did not match postfix restrictions
+type: leaky
+name: crowdsecurity/postfix-helo-rejected
+description: "Detect HELO rejections"
+filter: "evt.Meta.log_type == 'postfix' && evt.Meta.action == 'reject' && evt.Meta.reason startsWith 'Helo command rejected'"
+references:
+ - https://www.postfix.org/postconf.5.html#smtpd_helo_restrictions
+groupby: evt.Meta.source_ip
+capacity: 1
+leakspeed: 600s
+blackhole: 1m
+reprocess: false
+labels:
+ service: postfix
+ remediation: true
+ confidence: 2
+ spoofable: 0
+ classification:
+ - attack.T1595
+ - attack.T1592
+ behavior: "smtp:spam"
+ label: "Postfix Helo Rejected"
diff --git a/scenarios/crowdsecurity/postfix-relay-denied.md b/scenarios/crowdsecurity/postfix-relay-denied.md
new file mode 100644
index 00000000000..580f75374d4
--- /dev/null
+++ b/scenarios/crowdsecurity/postfix-relay-denied.md
@@ -0,0 +1,5 @@
+### Postfix relay denied access
+
+Postfix relay denied access is a log message generated when a client tries to relay an email through the server without being authorized to do so. This can happen for a variety of reasons, such as the client not being authenticated or the server not being configured to allow relaying from the client's IP address.
+
+Many bots and spammers try to exploit open relays to send spam emails, so it's important to monitor for these types of events and take action to prevent unauthorized relaying.
diff --git a/scenarios/crowdsecurity/postfix-relay-denied.yaml b/scenarios/crowdsecurity/postfix-relay-denied.yaml
new file mode 100644
index 00000000000..30e76845bb2
--- /dev/null
+++ b/scenarios/crowdsecurity/postfix-relay-denied.yaml
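Review bot: The filter on the new scenario depends on `evt.Meta.reason`, which only exists once the postfix-logs parser sub-node added in this same commit sets `- meta: reason`; a deployment that picks up the scenario with an older parser silently never matches, so the header comment should name the coupling, e.g. `# needs crowdsecurity/postfix-logs >= <version that sets evt.Meta.reason>`. With `capacity: 1` and `leakspeed: 600s` the second HELO rejection from one IP in ten minutes triggers a `remediation: true` alert; a legitimate but misconfigured sender (non-FQDN HELO from an internal device, say) retries on exactly that cadence, so the threshold is worth stating in the scenario `.md` so operators know what they are opting into.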
@@ -0,0 +1,22 @@
+# postfix relay access denied
+type: leaky
+name: crowdsecurity/postfix-relay-denied
+description: "Detect multiple open relay attempts"
+filter: "evt.Meta.log_type == 'postfix' && evt.Meta.action == 'reject' && evt.Meta.reason == 'Relay access denied'"
+references:
+ - https://en.wikipedia.org/wiki/Open_mail_relay
+groupby: evt.Meta.source_ip
+capacity: 1
+leakspeed: 600s
+blackhole: 1m
+reprocess: false
+labels:
+ service: postfix
+ remediation: true
+ confidence: 3
+ spoofable: 0
+ classification:
+ - attack.T1595
+ - attack.T1190
+ behavior: "smtp:spam"
+ label: "Postfix Relay Denied"
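Review bot: "Relay access denied" is the reason Postfix returns to any unauthenticated client outside its trusted networks that addresses a non-local recipient, so the filter on this scenario matches a legitimate user whose mail client submits on port 25 without SMTP AUTH just as well as a relay probe, and with `capacity: 1` / `leakspeed: 600s` the second attempt in ten minutes produces a `remediation: true` ban. That trade-off belongs in the scenario `.md` (which currently only describes bots), and the `description:` could reflect it too, e.g. `description: "Detect repeated relay attempts from unauthenticated clients"`. The `attack.T1190` classification reads as a stretch for a relay attempt, which is closer to abuse of an exposed service than exploitation of it; `attack.T1595` alone, or whatever the hub uses for the sibling postfix-spam scenario, may be more consistent. The same threshold concern applies to the helo-rejected scenario in this commit.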