Discussion:
Block by dnsbl before auth
Derek Roberts
2021-10-05 21:47:56 UTC
Hi
I (I guess like many other postfix users) am being targeted by a large botnet which is attempting to brute force the passwords of a handful of my mail users on port 465.

I have geoblocked my server to restrict attempts to a small list of countries in which I have users, which helps, but I'm still seeing 100+ attacks from unique IP addresses each day. Since the addresses are unique, fail2ban can't help. All of the IPs being tried seem to be on the sbl or xbl lists of Spamhaus, so just being able to use this one RBL should be enough.

I have tried many config combinations (current listed below), but each time I see attempts being blocked at the SMTP auth stage in the mail log and then fail2ban kicks in and uselessly blocks another IP address which doesn't come back.

In each of the restriction blocks below, the RBL check is before the auth check, yet PAM AUTH failure (i.e. wrong password) is what stops the mail being submitted.

Given that my users are not on compromised machines, I would much rather have postfix just refuse to connect with compromised machines instead of leaving each machine in a botnet of potentially thousands of machines to have a pop at cracking a user's password.

I had a look at postscreen, but that only listens to port 25. I have my own solution to the port 25 problem: another system pre-screens externally generated inbound mail.

Any ideas please?
DR

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

smtpd_helo_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_pipelining,
reject_non_fqdn_hostname

smtpd_client_restrictions =
permit_mynetworks
reject_rbl_client sbl-xbl.spamhaus.org
reject_unknown_reverse_client_hostname
reject_unknown_client_hostname
permit

smtpd_sender_restrictions =
reject_unknown_reverse_client_hostname
permit_mynetworks
permit_sasl_authenticated
permit_tls_clientcerts
reject_unknown_sender_domain
reject_non_fqdn_sender
permit

smtpd_recipient_restrictions =
reject_invalid_hostname
reject_unknown_recipient_domain
reject_unauth_pipelining
permit_mynetworks
reject_rbl_client sbl-xbl.spamhaus.org
permit_sasl_authenticated
reject_unauth_destination
reject_non_fqdn_sender
reject_unknown_sender_domain
reject_non_fqdn_recipient
reject_unknown_reverse_client_hostname
permit

smtpd_helo_required = yes
Bob Nichols
2021-11-20 15:16:27 UTC
Post by Derek Roberts
In each of the restriction blocks below, the RBL check is before the auth check, yet PAM AUTH failure (i.e. wrong password) is what stops the mail being submitted.
If you want client restrictions to be processed before AUTH, you need
smtpd_delay_reject = no

For an explanation see:
<http://www.postfix.org/SMTPD_ACCESS_README.html#timing>
--
for e-mail remove .invalid
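One way to apply Bob's answer to the port-465 service only, added here as an example and not part of either post: the smtps service from Postfix's sample master.cf, given its own connect-time client restriction list via -o overrides. The parameter name mua_client_restrictions is the one used in the stock master.cf comments; the example assumes SASL and TLS are already set up as in the original configuration.

```conf
# main.cf (added example): the DNSBL check lives in a restriction list that
# the submission service evaluates at CONNECT time. Nothing has authenticated
# yet at that point, so permit_sasl_authenticated would be a no-op here and is
# deliberately left out. Reverse-DNS checks are also left out: at CONNECT they
# would lock out legitimate MUAs on residential addresses before AUTH.
mua_client_restrictions =
    permit_mynetworks,
    reject_rbl_client sbl-xbl.spamhaus.org,
    permit

# master.cf (added example): smtpd_delay_reject=no is scoped to the port-465
# (TLS wrapper mode) service with -o, so the port-25 MX service keeps the
# default behaviour of delaying rejects until RCPT TO.
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
```

After `postfix reload`, `postconf -M smtps/inet` shows the effective overrides; a listed client is now refused at connect, before it can issue AUTH, so the log records the RBL reject instead of a SASL failure and fail2ban never sees the attempt.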