On Fri, Jun 21, 2024 at 07:20:17AM +0800, Jeff Pang via mailop wrote:

> It seems the black IPs are coming endlessly. Most of the bad actions
> are like this one:
>
> postfix/smtps/smtpd[451948]: warning: unknown[211.184.190.87]: SASL LOGIN
> authentication failed: UGFzc3dvcmQ6
>
> I am afraid too many iptables rules will slow down the performance of the systems.
> Do you have any suggestions for handling this case?
I make little effort to stop them. Any cycles they're wasting looking for
weak SASL creds on my server are not spent attacking other potentially
vulnerable systems.

That said, it seemed reasonable to implement a recent suggestion from the
Postfix list and block XBL-listed IPs from connecting to my submission
services. This had a rather noticeable effect on the rate of failed SASL
probes. The suggested XBL check was added on May 27th, and recent counts
of failed SASL probes per day were as follows:

       1814 May 11
        543 May 12
        396 May 13
        391 May 14
       7722 May 15
        346 May 16
       2136 May 17
       1103 May 18
        249 May 19
         57 May 20
       1250 May 21
       2438 May 22
        164 May 23
        326 May 24
       1772 May 25
        585 May 26
        320 May 27
          5 May 28
          2 May 30
          1 Jun 06
          1 Jun 07
          1 Jun 10
          8 Jun 11
          7 Jun 12
          6 Jun 13
          1 Jun 15
          1 Jun 16
         24 Jun 17
          9 Jun 18
          1 Jun 19

My master.cf entries for submission:

master.cf:
    465       inet  n       -       n       -       -       smtpd
        -o smtpd_delay_reject=no
        -o { smtpd_client_restrictions = reject_rbl_client zen.spamhaus.org=127.0.0.4 }
        -o syslog_name=postfix/smtps
        -o smtpd_tls_wrappermode=yes
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
        -o smtpd_recipient_restrictions=
        -o smtpd_data_restrictions=
        -o smtpd_end_of_data_restrictions=
        -o milter_macro_daemon_name=ORIGINATING
        -o smtpd_milters=$mua_milters
        -o always_add_missing_headers=yes
        -o header_checks=$submit_header_checks
        -o body_checks=

    submission inet n       -       n       -       -       smtpd
        -o smtpd_delay_reject=no
        -o { smtpd_client_restrictions = reject_rbl_client zen.spamhaus.org=127.0.0.4 }
        -o syslog_name=postfix/submission
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_tls_security_level=encrypt
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_relay_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
        -o smtpd_recipient_restrictions=
        -o smtpd_data_restrictions=
        -o smtpd_end_of_data_restrictions=
        -o smtpd_tls_ask_ccert=yes
        -o milter_macro_daemon_name=ORIGINATING
        -o smtpd_milters=$mua_milters
        -o always_add_missing_headers=yes
        -o header_checks=$submit_header_checks
        -o body_checks=

-- 
Viktor.

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
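As an added example (not code from Viktor's message, Jeff's message or the Postfix project), here is a small POSIX shell script for checking the effect of the XBL-on-submission setup above against Postfix logs. It counts failed SASL probes per day the way the table above does, counts connections rejected by the zen.spamhaus.org lookup, builds the reversed-octet name that reject_rbl_client queries, emulates the =127.0.0.4 answer filter, and decodes the base64 text in Jeff's log line (UGFzc3dvcmQ6 is the LOGIN mechanism's "Password:" challenge, which Postfix logs when the exchange fails after that prompt). The log lines are constructed, not real traffic; the function names and sample addresses are my own. It assumes awk, sort and GNU coreutils base64, and dig for the optional live lookup only.

```shell
#!/bin/sh
# Added example for the mailop thread above; not from the thread or Postfix.
# Assumes POSIX sh, awk, GNU coreutils base64; dig only for rbl_lookup().

# Constructed sample Postfix syslog lines (documentation addresses, not real).
SAMPLE_LOG='May 27 10:01:02 mx postfix/smtps/smtpd[451948]: warning: unknown[211.184.190.87]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 27 10:02:15 mx postfix/submission/smtpd[451960]: warning: unknown[198.51.100.23]: SASL PLAIN authentication failed: authentication failure
May 27 10:03:00 mx postfix/smtps/smtpd[451970]: connect from unknown[203.0.113.9]
May 28 01:10:00 mx postfix/smtps/smtpd[452101]: NOQUEUE: reject: CONNECT from unknown[203.0.113.9]: 554 5.7.1 Service unavailable; Client host [203.0.113.9] blocked using zen.spamhaus.org; proto=SMTP
May 28 02:00:00 mx postfix/smtps/smtpd[452110]: warning: unknown[192.0.2.77]: SASL LOGIN authentication failed: UGFzc3dvcmQ6'

# Number of failed SASL probes on one day ("Mon DD", single-digit days
# unpadded, e.g. "Jun 6", because awk collapses the syslog padding).
# Reads log lines on stdin, prints the count.
sasl_failures_on() {
    awk -v day="$1" \
        '/SASL [A-Z-]+ authentication failed/ && ($1 " " $2) == day { n++ }
         END { print n + 0 }'
}

# Number of clients rejected on one day by the zen.spamhaus.org check.
rbl_rejects_on() {
    awk -v day="$1" \
        '/blocked using zen\.spamhaus\.org/ && ($1 " " $2) == day { n++ }
         END { print n + 0 }'
}

# Decode the base64 text Postfix appends to a failed SASL LOGIN exchange.
decode_sasl_reason() {
    printf '%s' "$1" | base64 -d
    echo
}

# Reversed-octet name that reject_rbl_client looks up: $1 = IPv4, $2 = zone.
rbl_query_name() {
    printf '%s\n' "$1" |
        awk -F. -v zone="$2" '{ print $4 "." $3 "." $2 "." $1 "." zone }'
}

# Emulate the "=127.0.0.4" filter in the master.cf above: $1 = A record
# returned by the DNSBL, $2 = configured filter. Only an exact match rejects,
# so SBL (127.0.0.2/3) and PBL (127.0.0.10/11) answers, and Spamhaus error
# codes such as 127.255.255.254, do not.
rbl_answer_rejects() {
    [ "$1" = "$2" ]
}

# Live lookup (needs network and dig): prints the A records for a client IP.
rbl_lookup() {
    dig +short "$(rbl_query_name "$1" "$2")" A
}

# Demonstration on the constructed sample.
for day in "May 27" "May 28"; do
    printf '%s: %s SASL failures, %s XBL rejects\n' "$day" \
        "$(printf '%s\n' "$SAMPLE_LOG" | sasl_failures_on "$day")" \
        "$(printf '%s\n' "$SAMPLE_LOG" | rbl_rejects_on "$day")"
done
printf 'UGFzc3dvcmQ6 decodes to: %s\n' "$(decode_sasl_reason UGFzc3dvcmQ6)"
printf 'Query name for 211.184.190.87: %s\n' \
    "$(rbl_query_name 211.184.190.87 zen.spamhaus.org)"
```

To run it against a real server, replace the sample with `grep 'smtpd' /var/log/mail.log | sasl_failures_on 'Jun 17'` and so on. The exact-match filter is worth keeping: without `=127.0.0.4`, reject_rbl_client treats any 127.0.0.0/8 answer as a listing, which would also reject on an SBL or PBL hit and on the 127.255.255.x codes Spamhaus returns when it refuses a query (for example one sent through a public resolver).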