On 25/06/2023 20:35, Tim Boneko via Fail2ban-users wrote:
Am Donnerstag, dem 22.06.2023 um 16:27 +0100 schrieb Nick Howitt via
Fail2ban-users:
Don't allow authentication on 25!
I second that. Port 25 is without encryption, so I don't offer auth
there - only on 587.
Apart from that, stolen passwords were tried for login via port 587.
This is reduced quite a bit by

        smtpd_sender_restrictions =
        [...]
         reject_unknown_sender_domain,
         reject_unknown_reverse_client_hostname,
         reject_unknown_client_hostname

which refuses connections from addresses without DNS setup. This
blocks people who run their own SMTP server, but don't bother to set up
a dyndns hostname at least. I can do without them. Most of them live in
Asia where I hardly know anybody...

Cheers,

        tim

I'd be careful with those restrictions. reject_unknown_sender_domain is OK. reject_unknown_reverse_client_hostname is a waste of effort if you have reject_unknown_client_hostname. Have a look at https://www.postfix.org/postconf.5.html#reject_unknown_client_hostname and the entry after it. I'd also be careful of reject_unknown_client_hostname as there is no requirement for the forward and reverse DNS to match and it is difficult if the sender sends from multiple IPs. I would prefer reject_unknown_reverse_client_hostname over reject_unknown_client_hostname.

You can test any setting by prefixing it with "warn_if_reject ", so "warn_if_reject reject_unknown_reverse_client_hostname" and you get a message in the logs but no block. If you get confident in the messages, then you can make the block permanent. Personally I just use:

            reject_non_fqdn_sender,
            reject_invalid_hostname

But I also have:

   smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_invalid_hostname,
        reject_unauth_pipelining,
        reject_unknown_recipient_domain

Nick
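An added example (not part of the thread) for reviewing what a warn_if_reject trial would have blocked before removing the prefix: it tallies Postfix "reject_warning" log entries by reason and client IP. The log lines below are constructed in the shape of postfix/smtpd NOQUEUE entries; adjust LINE_RE if your syslog format differs.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines shaped like Postfix smtpd log entries (not real traffic).
SAMPLE_LOG = """\
Jun 25 20:40:01 mx postfix/smtpd[1234]: NOQUEUE: reject_warning: RCPT from unknown[198.51.100.23]: 450 4.7.25 Client host rejected: cannot find your reverse hostname, [198.51.100.23]; from=<a@example.net> to=<me@example.org> proto=ESMTP helo=<mail.example.net>
Jun 25 20:41:12 mx postfix/smtpd[1234]: NOQUEUE: reject_warning: RCPT from unknown[198.51.100.23]: 450 4.7.25 Client host rejected: cannot find your reverse hostname, [198.51.100.23]; from=<b@example.net> to=<me@example.org> proto=ESMTP helo=<mail.example.net>
Jun 25 20:42:30 mx postfix/smtpd[1235]: NOQUEUE: reject_warning: RCPT from host.example.com[203.0.113.7]: 450 4.7.25 Client host rejected: cannot find your hostname, [203.0.113.7]; from=<c@example.com> to=<me@example.org> proto=ESMTP helo=<host.example.com>
Jun 25 20:43:05 mx postfix/smtpd[1236]: NOQUEUE: reject: RCPT from unknown[192.0.2.9]: 450 4.1.8 <x@nonexistent.invalid>: Sender address rejected: Domain not found; from=<x@nonexistent.invalid> to=<me@example.org> proto=ESMTP helo=<x>
Jun 25 20:44:44 mx postfix/smtpd[1237]: 4Qx1: client=relay.example.org[192.0.2.50], sasl_method=PLAIN, sasl_username=me@example.org
"""

# Captures the disposition (reject vs. warn-only), the client IP and the reason text.
LINE_RE = re.compile(
    r"NOQUEUE: (?P<disp>reject_warning|reject): RCPT from \S+\[(?P<ip>[^\]]+)\]: "
    r"\d{3} \d\.\d\.\d+ (?P<reason>[^;]*);"
)


def summarize(log_text):
    """Return {disposition: {reason: Counter(client_ip)}}.

    Per-IP addresses and sender addresses are stripped from the reason so that
    all hits of one restriction land in the same bucket."""
    summary = defaultdict(lambda: defaultdict(Counter))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # accepted mail, SASL logins etc. are not rejections
        reason = re.sub(r"\[[^\]]*\]|<[^>]*>", "", m["reason"]).strip(" ,:")
        summary[m["disp"]][reason][m["ip"]] += 1
    return summary


def warn_report(summary):
    """Rank warn-only reasons by hit count with the number of distinct clients;
    many hits from few clients usually means retries, not many senders at risk."""
    rows = [(reason, sum(c.values()), len(c))
            for reason, c in summary.get("reject_warning", {}).items()]
    rows.sort(key=lambda r: -r[1])
    return rows


if __name__ == "__main__":
    for reason, hits, clients in warn_report(summarize(SAMPLE_LOG)):
        print(f"{hits:5d} hits / {clients:3d} clients  {reason}")
```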
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users