Sorry for following up on my own post, but I want to correct the record.
Please disregard my previous email. I realize now I made a blunder
during the analysis: I was working on two similar questions, one
unrelated to postfix, and I mixed up the data sets without realizing it.
Sorry for the noise.

What I should have posted is that for postfix and xbl for the submission
service, if I take the last 30 days of data, xbl blocked 100% of probes 24
out of 30 days. When probes do get through they tend to do quite a few
attempts at authenticating, often from the same ip address, so adding
fail2ban on top has the potential (in my case) to bring the blocking to
near 100%. The probes that get through generally seem low risk since
they mainly, but not always, are for random and nonexistent users.

One thing to bear in mind is that the number of probes explicitly
blocked by xbl as evidenced by the logs may be lower than the number of
probes being avoided by using it. This would be the case if the probe
scripts have an adaptive behaviour, increasing the probes where they
start getting real responses to AUTH and backing off if they get
disconnected before AUTH.

John
On 29/05/2024 17:46, John Fawcett via Postfix-users wrote:
On 29/05/2024 14:07, Viktor Dukhovni via Postfix-users wrote:
On Wed, May 29, 2024 at 07:26:10AM -0400, John Hill via Postfix-users wrote:

The wrapper-mode TLS "smtps" rejects are naturally after the TLS
handshake.

    465       inet  n       -       n       -       -       smtpd
      -o smtpd_delay_reject=no
      -o {smtpd_client_restrictions=reject_rbl_client zen.spamhaus.org=127.0.0.4}
      -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    ...
    submission inet n       -       n       -       -       smtpd
      -o smtpd_delay_reject=no
      -o {smtpd_client_restrictions=reject_rbl_client zen.spamhaus.org=127.0.0.4}
      -o smtpd_relay_restrictions=permit_sasl_authenticated,permit_mynetworks,reject

All set up this way.
I will let it run overnight and see what hits.

Works like a charm.
1 SASL authentication failed ---
Only one.

Perhaps a bit of luck? For me, the XBL only catches around 10% of the
SASL probes. May your luck hold up.

The majority of the probes I see that are not stopped by XBL are
relatively harmless and don't get to try the AUTH command. They mainly
come from ips that repeat in a short space of time (where potentially
fail2ban could be used) and
* fail in the starttls for protocol or cipher issues
* disconnect without issuing starttls so never get to the AUTH command
* try issuing AUTH without starttls so get disconnected for too many
  invalid commands

The cases I have where AUTH has been tried and failed are relatively
few. They mainly come from fast varying ips so fail2ban is not that
useful unless I want to start banning based on a single probe. They
usually appear to target specific existing users.

John
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
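The thread measures two things by hand: how many days the XBL stopped every submission probe, and how the probes that slip past it break down (TLS handshake failures, disconnects before STARTTLS, AUTH attempts hitting the error limit, real SASL failures), with repeat source addresses being the ones fail2ban could act on. The script below is an added example, not code from anyone in the thread, that does that bookkeeping over Postfix syslog lines. It assumes the services are named "submission" and "smtps" or "465" in master.cf (so they log as postfix/submission/smtpd and so on), and that reject_rbl_client runs at CONNECT time because smtpd_delay_reject=no is set as in the posted configuration, which is why the XBL rejects are matched as "reject: CONNECT from". The log lines are constructed samples using documentation address ranges; the SASL line from the plain postfix/smtpd (port 25) service is included to show it is filtered out.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Postfix syslog format (not taken from the thread;
# addresses are from documentation ranges).
SAMPLE_LOG = """\
May 29 10:00:01 mx postfix/submission/smtpd[101]: NOQUEUE: reject: CONNECT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/192.0.2.10; proto=SMTP
May 29 10:03:12 mx postfix/submission/smtpd[102]: NOQUEUE: reject: CONNECT from unknown[192.0.2.11]: 554 5.7.1 Service unavailable; Client host [192.0.2.11] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/192.0.2.11; proto=SMTP
May 29 10:05:40 mx postfix/submission/smtpd[103]: SSL_accept error from unknown[198.51.100.5]: -1
May 29 10:06:02 mx postfix/submission/smtpd[104]: SSL_accept error from unknown[198.51.100.5]: -1
May 29 10:09:15 mx postfix/submission/smtpd[105]: too many errors after AUTH from unknown[198.51.100.5]
May 29 10:11:48 mx postfix/submission/smtpd[106]: lost connection after EHLO from unknown[203.0.113.9]
May 29 10:12:30 mx postfix/submission/smtpd[107]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 29 10:13:00 mx postfix/smtpd[108]: warning: unknown[203.0.113.8]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 30 02:00:00 mx postfix/submission/smtpd[109]: NOQUEUE: reject: CONNECT from unknown[192.0.2.12]: 554 5.7.1 Service unavailable; Client host [192.0.2.12] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/192.0.2.12; proto=SMTP
May 30 02:00:05 mx postfix/submission/smtpd[110]: NOQUEUE: reject: CONNECT from unknown[192.0.2.13]: 554 5.7.1 Service unavailable; Client host [192.0.2.13] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/192.0.2.13; proto=SMTP
"""

# master.cf service names to count; "smtps"/"465" are assumed names for the
# wrapper-mode service. The port-25 "postfix/smtpd" lines are deliberately skipped.
SUBMISSION_SERVICES = ("submission", "smtps", "465")

LINE_RE = re.compile(
    r"^(?P<day>[A-Z][a-z]{2} +\d{1,2}) \d\d:\d\d:\d\d \S+ "
    r"postfix/(?P<service>[^/\[\]]+)/smtpd\[\d+\]: (?P<msg>.*)$"
)

IP = r"(?P<ip>[0-9A-Fa-f.:]+)"
# Event categories in the order they are tested; the first match wins.
CATEGORIES = [
    # rejected at CONNECT by reject_rbl_client (requires smtpd_delay_reject=no)
    ("xbl_blocked", re.compile(r"reject: CONNECT from \S+\[" + IP + r"\].*blocked using zen\.spamhaus\.org")),
    ("sasl_failed", re.compile(r"warning: \S+\[" + IP + r"\]: SASL \S+ authentication failed")),
    ("tls_handshake_failed", re.compile(r"SSL_accept error from \S+\[" + IP + r"\]")),
    ("no_starttls", re.compile(r"lost connection after (?:CONNECT|HELO|EHLO) from \S+\[" + IP + r"\]")),
    ("auth_error_limit", re.compile(r"too many errors after AUTH from \S+\[" + IP + r"\]")),
]


def classify(line):
    """Return (day, category, ip) for a submission-service probe line, else None."""
    m = LINE_RE.match(line)
    if not m or m.group("service") not in SUBMISSION_SERVICES:
        return None
    for category, pat in CATEGORIES:
        hit = pat.search(m.group("msg"))
        if hit:
            return m.group("day"), category, hit.group("ip")
    return None


def summarize(log_text):
    """Per-day XBL block rate, category counts, and per-IP counts of probes that got through."""
    per_day = defaultdict(lambda: {"blocked": 0, "through": 0})
    categories = Counter()
    through_ips = Counter()
    for line in log_text.splitlines():
        ev = classify(line)
        if ev is None:
            continue
        day, category, ip = ev
        categories[category] += 1
        if category == "xbl_blocked":
            per_day[day]["blocked"] += 1
        else:
            per_day[day]["through"] += 1
            through_ips[ip] += 1
    for stats in per_day.values():
        total = stats["blocked"] + stats["through"]
        stats["pct_blocked"] = round(100.0 * stats["blocked"] / total, 1)
    # Note: "blocked" only counts explicit rejects; probes that an adaptive
    # scanner never sent because earlier ones were rejected are invisible here.
    return {"per_day": dict(per_day), "categories": categories, "through_ips": through_ips}


def days_fully_blocked(summary):
    """Number of days on which nothing got past the XBL."""
    return sum(1 for s in summary["per_day"].values() if s["through"] == 0)


def fail2ban_candidates(summary, min_hits=3):
    """Addresses that got through min_hits or more times: the repeat offenders fail2ban could ban."""
    return sorted(ip for ip, n in summary["through_ips"].items() if n >= min_hits)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for day, st in sorted(s["per_day"].items()):
        print(f"{day}: blocked={st['blocked']} through={st['through']} ({st['pct_blocked']}% blocked)")
    print("categories:", dict(s["categories"]))
    print("days fully blocked:", days_fully_blocked(s))
    print("fail2ban candidates:", fail2ban_candidates(s))
```

Feed it a real mail log with `summarize(open("/var/log/mail.log").read())`; the `min_hits` threshold is where the trade-off from the thread lives, since addresses that vary on every probe never reach it and banning on a single hit is the only way to catch them.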