On 15.10.24 16:03, Paul Fowler via Postfix-users wrote:
Are there best practices for avoiding OS username enumeration on a mail relay?
Or is it something that maybe I've misconfigured?
E.g. the nmap smtp-enum-users script shows some default users.
Host is up (0.13s latency).
PORT STATE SERVICE
25/tcp open smtp
| smtp-enum-users:
| root
|_ admin
I have this parameter set "disable_vrfy_command = yes"
I have the default parameter "local_recipient_maps =
proxy:unix:passwd.byname $alias_maps"
I have tested this parameter by removing the values, but it did not seem to
make a difference.
Perhaps a combination of smtpd_soft_error_limit, smtpd_hard_error_limit,
smtpd_error_sleep_time together with fail2ban.
http://www.postfix.org/postconf.5.html#smtpd_soft_error_limit
http://www.postfix.org/postconf.5.html#smtpd_hard_error_limit
http://www.postfix.org/postconf.5.html#smtpd_error_sleep_time
Note that this is ineffective against distributed attacks.
Well, perhaps fail2ban can match networks like /24.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
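The /24 idea from the reply above, as an added example that is not part of the original thread and is not fail2ban's own logic: it groups Postfix "unknown recipient" rejections by client network, so probes spread over several addresses in one /24 are counted together. The log line layout, the threshold of 3 and the /64 grouping for IPv6 are assumptions; the sample log is constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Postfix smtpd logs an unknown recipient as:
#   ... reject: RCPT from host[ip]: 550 5.1.1 <rcpt>: Recipient address rejected: ...
REJECT = re.compile(
    r"reject: RCPT from \S*\[(?P<ip>[0-9a-fA-F.:]+)\]: 55\d 5\.1\.1 <(?P<rcpt>[^>]*)>"
)

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
Oct 15 16:03:01 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <root@example.org>: Recipient address rejected: User unknown in local recipient table
Oct 15 16:03:04 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 550 5.1.1 <admin@example.org>: Recipient address rejected: User unknown in local recipient table
Oct 15 16:03:07 mx postfix/smtpd[2103]: NOQUEUE: reject: RCPT from unknown[192.0.2.12]: 550 5.1.1 <test@example.org>: Recipient address rejected: User unknown in local recipient table
Oct 15 16:03:09 mx postfix/smtpd[2104]: connect from mail.example.net[198.51.100.20]
Oct 15 16:04:11 mx postfix/smtpd[2105]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.20]: 550 5.1.1 <jon@example.org>: Recipient address rejected: User unknown in local recipient table
Oct 15 16:05:30 mx postfix/smtpd[2106]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <info@example.org>: Recipient address rejected: User unknown in local recipient table
Oct 15 16:05:40 mx postfix/smtpd[2107]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <INFO@example.org>: Recipient address rejected: User unknown in local recipient table
"""


def probes_by_network(lines, prefix=24):
    """Map each client network to the distinct unknown recipients and client IPs seen."""
    nets = defaultdict(lambda: {"rcpts": set(), "ips": set()})
    for line in lines:
        m = REJECT.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # bracketed text that is not an address
        # Assumption: IPv4 clients are grouped by `prefix`, IPv6 clients by /64.
        bits = prefix if ip.version == 4 else 64
        net = str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))
        nets[net]["rcpts"].add(m["rcpt"].lower())  # retries of one address count once
        nets[net]["ips"].add(str(ip))
    return nets


def networks_to_ban(lines, threshold=3, prefix=24):
    """Networks that probed at least `threshold` distinct unknown recipients."""
    found = probes_by_network(lines, prefix)
    return sorted(n for n, seen in found.items() if len(seen["rcpts"]) >= threshold)


if __name__ == "__main__":
    print(networks_to_ban(SAMPLE_LOG.splitlines()))
```

With `prefix=32` the same sample yields no candidates, because each address stays under the threshold on its own.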