Dear folks,
My logs are full of lines like this:
Feb 21 04:12:05 MYOLDMTA postfix/smtpd[12967]: warning: unknown[195.22.126.159]: SASL LOGIN authentication failed: authentication failure
This is a brute force attack in order to get a valid username/password pair.
The cracker usually does 20 attempts within a single SMTP session.
Though fail2ban alerts the firewall after the third or fourth one,
network filtering applies to new connections only.
(I would not filter _all_ incoming packets until it is
absolutely necessary.)
So the attacker may try any number of passwords quite unobtrusively.
Is there any way to instruct smtpd to close the session after 3 unsuccessful
attempts, as is written in RFC 4954? I found no appropriate config parameter.
https://tools.ietf.org/html/rfc4954#section-9
Servers MAY implement a policy whereby the connection is dropped
after a number of failed authentication attempts. If they do so,
they SHOULD NOT drop the connection until at least 3 attempts to
authenticate have failed.
The affected Postfix version is 2.11.3, our old MTA.
The new one is not found yet by the bad guys.
Regards
Gabor
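Added example (the editor's, not part of Gabor's post or of Postfix): a small Python script that parses log lines of the form quoted above and groups the failures by SMTP session instead of by client address. That is the distinction the post turns on: fail2ban counts per address and the firewall rule it installs only stops new connections, so the session that tripped the rule keeps going. The script also models a per-session cap on failed AUTH commands. In Postfix a failed AUTH counts as one error toward smtpd_hard_error_limit (default 20, which is exactly the 20 attempts per session observed here) and smtpd closes the session with a 421 once the limit is reached, so lowering that parameter on the old MTA is the knob to try; `postconf -d smtpd_hard_error_limit` shows the built-in default and `postconf smtpd_hard_error_limit` the value in effect. Two caveats a practitioner would want: smtpd_soft_error_limit (default 10) makes smtpd pause before each reply once that many errors have occurred, and a low hard limit also cuts off legitimate clients that make many protocol errors, so watch the logs after lowering it. The log lines, the second address 203.0.113.7, the session pids and the function names below are constructed sample input and my own naming, not data from the original post.

```python
"""Group failed SASL AUTH attempts by SMTP session, not just by client IP.

Added example, not code from the original post or from Postfix. It shows why a
firewall ban on new connections (what fail2ban installs) leaves the attempts
inside an already-open session untouched, and what a per-session error limit
such as Postfix's smtpd_hard_error_limit would change.
"""
import re
from collections import defaultdict

# Constructed sample log in the format quoted in the post (not real traffic):
# smtpd pid 12967 is one SMTP session in which 195.22.126.159 fails six times,
# pid 13020 is a second session from another address (203.0.113.7, a
# documentation address) that fails twice.
SAMPLE_LOG = """\
Feb 21 04:12:01 MYOLDMTA postfix/smtpd[12967]: connect from unknown[195.22.126.159]
Feb 21 04:12:05 MYOLDMTA postfix/smtpd[12967]: warning: unknown[195.22.126.159]: SASL LOGIN authentication failed: authentication failure
Feb 21 04:12:06 MYOLDMTA postfix/smtpd[12967]: warning: unknown[195.22.126.159]: SASL LOGIN authentication failed: authentication failure
Feb 21 04:12:07 MYOLDMTA postfix/smtpd[12967]: warning: unknown[195.22.126.159]: SASL LOGIN authentication failed: authentication failure
Feb 21 04:12:08 MYOLDMTA postfix/smtpd[12967]: warning: unknown[195.22.126.159]: SASL LOGIN authentication failed: authentication failure
Feb 21 04:12:09 MYOLDMTA postfix/smtpd[12967]: warning: unknown[195.22.126.159]: SASL LOGIN authentication failed: authentication failure
Feb 21 04:12:10 MYOLDMTA postfix/smtpd[12967]: warning: unknown[195.22.126.159]: SASL LOGIN authentication failed: authentication failure
Feb 21 04:12:11 MYOLDMTA postfix/smtpd[12967]: disconnect from unknown[195.22.126.159]
Feb 21 04:13:00 MYOLDMTA postfix/smtpd[13020]: connect from unknown[203.0.113.7]
Feb 21 04:13:02 MYOLDMTA postfix/smtpd[13020]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Feb 21 04:13:03 MYOLDMTA postfix/smtpd[13020]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Feb 21 04:13:04 MYOLDMTA postfix/smtpd[13020]: disconnect from unknown[203.0.113.7]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
FAIL_RE = re.compile(r"^warning: \S+\[(?P<ip>[^\]]+)\]: SASL \S+ authentication failed")
DISCONNECT_RE = re.compile(r"^disconnect from \S+\[(?P<ip>[^\]]+)\]")


def parse_sessions(log_text):
    """Return a list of (pid, ip, failed_auth_count), one entry per SMTP session.

    A session is the run of lines from one smtpd pid up to its "disconnect from"
    line; smtpd processes are reused for several connections, so the pid alone
    is not a session identifier.
    """
    in_progress = {}  # pid -> [client ip, failures so far]
    sessions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        fail = FAIL_RE.match(msg)
        if fail:
            entry = in_progress.setdefault(pid, [fail.group("ip"), 0])
            entry[1] += 1
        elif DISCONNECT_RE.match(msg) and pid in in_progress:
            ip, count = in_progress.pop(pid)
            sessions.append((pid, ip, count))
    # Sessions still open when the log ends are reported as well.
    sessions.extend((pid, ip, count) for pid, (ip, count) in in_progress.items())
    return sessions


def failures_per_ip(sessions):
    """Total failures per client address: the view fail2ban works from."""
    totals = defaultdict(int)
    for _pid, ip, count in sessions:
        totals[ip] += count
    return dict(totals)


def session_report(sessions, ban_after=3, hard_error_limit=20):
    """Per session: attempts smtpd answers before dropping the session at
    hard_error_limit errors, and how many of those come after a firewall ban
    triggered by the ban_after-th failure, i.e. attempts that a ban on new
    connections alone cannot prevent."""
    report = {}
    for pid, ip, count in sessions:
        answered = min(count, hard_error_limit)
        report[pid] = {
            "ip": ip,
            "attempts": count,
            "answered": answered,
            "past_firewall_ban": max(0, answered - ban_after),
        }
    return report


if __name__ == "__main__":
    found = parse_sessions(SAMPLE_LOG)
    print("failures per address:", failures_per_ip(found))
    for limit in (20, 3):
        print(f"smtpd_hard_error_limit = {limit}:")
        for pid, row in session_report(found, hard_error_limit=limit).items():
            print(f"  session {pid} from {row['ip']}: {row['attempts']} attempts, "
                  f"{row['answered']} answered, {row['past_firewall_ban']} after a ban")
```

With the default limit the six-attempt session is answered in full and three of its attempts happen after fail2ban's third-strike ban would already be in place; with the limit lowered to 3 the same session is cut off at the third failed AUTH and nothing gets past the ban.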