I (I guess like many other Postfix users) am being targeted by a large botnet which is attempting to brute force the passwords of a handful of my mail users on port 465.
I have geoblocked my server to restrict attempts to a small list of countries in which I have users, which helps, but I'm still seeing 100+ attacks from unique IP addresses each day. Since the addresses are unique, fail2ban can't help. All of the IPs being tried seem to be on the SBL or XBL lists of Spamhaus, so just being able to use this one RBL should be enough.
I have tried many config combinations (current config listed below), but each time I see attempts being blocked at the SMTP AUTH stage in the mail log, and then fail2ban kicks in and uselessly blocks another IP address which doesn't come back.
In each of the restriction blocks below, the RBL check is before the auth check, yet PAM AUTH failure (i.e. wrong password) is what stops the mail being submitted.
Given that my users are not on compromised machines, I would much rather have Postfix just refuse to connect with compromised machines instead of letting each machine in a botnet of potentially thousands of machines have a pop at cracking a user's password.
I had a look at postscreen, but that only listens to port 25. I have my own solution to the port 25 problem: another system pre-screens externally generated inbound mail.
Any ideas please?
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_helo_required = yes
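Added example, not from the question or any answer on the page: a Postfix submission-service configuration that evaluates the Spamhaus check at connect time, before AUTH is offered, which is the ordering the question describes as missing. The `smtps` service name, the `-o` override values and the return-code filter are assumptions.

```conf
# main.cf (added example, not the poster's settings)
# By default Postfix postpones the verdict of smtpd_client_restrictions until
# RCPT TO, and SASL AUTH happens before MAIL FROM, so a reject_rbl_client placed
# "before the auth check" still lets the client try a password first.
# Disabling the delay makes the rejection happen in the connection greeting.
smtpd_delay_reject = no

# master.cf: implicit-TLS submission on port 465 (service name is an assumption).
# In -o values, commas stand for the spaces that main.cf would use.
# The =127.0.0.[2..7] filter accepts only SBL (2, 3) and XBL (4..7) return
# codes, so the PBL (10, 11), which lists dynamic ranges where legitimate
# roaming users sit, is deliberately ignored on a submission port.
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject_rbl_client,zen.spamhaus.org=127.0.0.[2..7],permit
  -o smtpd_relay_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
```

A listed client is answered with a 554 reply at connect and is logged under `postfix/smtps` with a `blocked using zen.spamhaus.org` message, so the reject appears before any `SASL ... authentication failed` line for that IP.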