Block by dnsbl before auth

38 views
Skip to first unread message

Derek Roberts

unread,
Oct 5, 2021, 5:47:57 PM10/5/21
to
Hi
I (I guess like many other postfix users) am being targeted by a large botnet which is attempting to brute force the passwords of a handful of my mail users on port 465

I have geoblocked my server to restrict attempts to a small list of countries in which I have users, which helps, but I'm still seeing 100+ attacks from unique IP addresses each day. Since the addresses are unique, fail2ban can't help. All of the IPs being tried seem to be on the sbl or xbl lists of Spamhaus, so just being able to use this one RBL should be enough.

I have tried many config combinations (current listed below), but each time I see attempts being blocked at the SMTP auth stage in the mail log and then fail2ban kicks in and uselessly blocks another IP address which doesn't come back.

In each of the restriction blocks below, the RBL check is before the auth check, yet PAM AUTH failure (i.e. wrong password) is what stops the mail being submitted.

Given that my users are not on compromised machines, I would much rather have postfix just refuse to connect with compromised machines instead of leaving each machine in a botnet of potentially thousands of machines have a pop at cracking a user's password.

I had a look at postscreen, but that only listens to port 25. I have my own solution to the port 25 problem: another system pre-screens externally generated inbound mail.

Any ideas please?
DR

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

smtpd_helo_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_pipelining,
reject_non_fqdn_hostname

smtpd_client_restrictions =
permit_mynetworks
reject_rbl_client sbl-xbl.spamhaus.org
reject_unknown_reverse_client_hostname
reject_unknown_client_hostname
permit

smtpd_sender_restrictions =
reject_unknown_reverse_client_hostname
permit_mynetworks
permit_sasl_authenticated
permit_tls_clientcerts
reject_unknown_sender_domain
reject_non_fqdn_sender
permit

smtpd_recipient_restrictions =
reject_invalid_hostname
reject_unknown_recipient_domain
reject_unauth_pipelining
permit_mynetworks
reject_rbl_client sbl-xbl.spamhaus.org
permit_sasl_authenticated
reject_unauth_destination
reject_non_fqdn_sender
reject_unknown_sender_domain
reject_non_fqdn_recipient
reject_unknown_reverse_client_hostname
permit

smtpd_helo_required = yes


Bob Nichols

unread,
Nov 20, 2021, 10:16:30 AM11/20/21
to
On 2021-10-05 Tue 14:47:56 -0700, Derek Roberts wrote:
> In each of the restriction blocks below, the RBL check is before the auth check, yet PAM AUTH failure (i.e. wrong password) is what stops the mail being submitted.
If you want client restrictions to be processed before AUTH, you need
smtpd_delay_reject = no

For an explanation see:
<http://www.postfix.org/SMTPD_ACCESS_README.html#timing>

--
for e-mail remove .invalid
Reply all
Reply to author
Forward
0 new messages