Thanks for all the input. @Matus, I'll look into using fail2ban in this way. @Serhii, delaying the rejection of invalid RCPT TO: do you know how I can accomplish that? @Bill, thanks, the parameter "smtpd_reject_unlisted_sender" works successfully for local users.
On Tue 15 Oct 2024 at 18:48, Bill Cole via Postfix-users <postfix-users@postfix.org> wrote:

> On 2024-10-15 at 13:02:02 UTC-0400 (Tue, 15 Oct 2024 17:02:02 +0000)
> Serhii via Postfix-users <li...@at.encryp.ch>
> is rumored to have said:
>
> > On 10/15/24 16:52, Bill Cole via Postfix-users wrote:
> > > Unless you've intentionally enabled EXPN in your config, you probably have
> > > not done anything really wrong but not all defaults are ideal. There are
> > > some non-defaults which will break SOME enumeration attempts:
> > >
> > > main.cf:
> > >
> > > smtpd_reject_unlisted_sender = yes
> > > disable_vrfy_command = yes
> > >
> > > What version of nmap do you have?
> >
> > 7.95. At the top of that script it says:
> >
> > Attempts to enumerate the users on a SMTP server by issuing the VRFY, EXPN
> > or RCPT TO commands. The goal of this script is to discover all the user
> > accounts in the remote system.
> >
> > It also shows its last change as 2011-06-03, so it's not exactly in active
> > development.
> >
> > In my case nmap used RCPT TO for checking recipients, so disabling VRFY is
> > of no help:
> >
> > Oct 15 16:44:25 cheems postfix/smtpd[1051067]: disconnect from
> > x.x.x.x[x.x.x.x]:46118 ehlo=1 mail=1 rcpt=10 quit=1 commands=13
> >
> > As for smtpd_reject_unlisted_sender, it won't help for an address that is not
> > in the local, virtual or relay address class:
> > https://www.postfix.org/ADDRESS_CLASS_README.html#classes
>
> Exactly. It breaks the MAIL command, because that enumeration script needs
> to use something as a sender address. It uses usertest@[host], an
> invented address which won't be rejected unless you have
> smtpd_reject_unlisted_sender (or reject_unlisted_sender in a restriction
> list) OR happen to have a user named usertest.
>
> So I get the test showing up in the summary log lines like this:
>
> Oct 15 12:36:37 shiny postfix/submit/smtpd[4882]: disconnect from
> HOST[IP.AD.DR.ESS] ehlo=1 mail=0/1 commands=1/2
> Oct 15 12:36:50 shiny postfix/smtpd[4886]: disconnect from
> HOST[IP.AD.DR.ESS] ehlo=1 mail=1/2 rcpt=0/1 vrfy=0/1 unknown=0/2
> commands=2/7
> Oct 15 12:36:50 shiny postfix/smtps/smtpd[4884]: disconnect from
> HOST[IP.AD.DR.ESS] ehlo=1 mail=1/2 rcpt=0/1 vrfy=0/1 unknown=0/2
> commands=2/7
>
> Note that the usernames.lst file which nmap uses by default only has 10
> usernames, so by default a run where every RCPT is sent and fails is not
> much of a burden. However, an actual malicious enumerator will have a much
> longer list, so if you let them get to RCPT they may be connected for much
> longer.
>
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo@toad.social and many *@billmail.scconsult.com addresses)
> Not Currently Available For Hire
>
> _______________________________________________
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org
_______________________________________________ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
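The "disconnect from" summary lines quoted in this thread are exactly what a fail2ban filter or a log watcher would key on. As an added example (not code from the thread or from the Postfix project), the Python below parses Postfix's per-session disconnect summary, in which each counter is either `n` (all n commands accepted) or `ok/total`, and flags sessions that look like recipient enumeration: many RCPT TO commands in one session, several rejected RCPT TO, or any VRFY/EXPN use. The sample log lines, hostnames, IP addresses and thresholds are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample lines modelled on the Postfix summary lines quoted in the
# thread. Hosts and addresses are placeholders (RFC 5737 documentation ranges).
SAMPLE_LOG = """\
Oct 15 16:44:25 cheems postfix/smtpd[1051067]: disconnect from unknown[192.0.2.10]:46118 ehlo=1 mail=1 rcpt=10 quit=1 commands=13
Oct 15 12:36:50 shiny postfix/smtpd[4886]: disconnect from scanner.example[192.0.2.11] ehlo=1 mail=1/2 rcpt=0/1 vrfy=0/1 unknown=0/2 commands=2/7
Oct 15 12:40:01 shiny postfix/smtpd[4890]: disconnect from mx.example.net[198.51.100.5] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Oct 15 12:41:13 shiny postfix/smtpd[4891]: disconnect from unknown[203.0.113.7] ehlo=1 mail=1 rcpt=0/25 quit=1 commands=3/28
"""

# Matches smtpd under any service name (postfix/smtpd, postfix/submit/smtpd, ...),
# the client host[ip] with an optional :port, and the trailing counter list.
DISCONNECT_RE = re.compile(
    r"postfix(?:/[a-z]+)?/smtpd\[\d+\]: disconnect from "
    r"(?P<host>\S+?)\[(?P<ip>[^\]]+)\](?::\d+)?\s+(?P<counters>.*)$"
)
# A counter is "cmd=total" (all accepted) or "cmd=ok/total".
COUNTER_RE = re.compile(r"(?P<cmd>[a-z]+)=(?:(?P<ok>\d+)/)?(?P<total>\d+)")


@dataclass
class Session:
    host: str
    ip: str
    counters: dict  # command -> (accepted, total)

    def total(self, cmd: str) -> int:
        return self.counters.get(cmd, (0, 0))[1]

    def rejected(self, cmd: str) -> int:
        ok, total = self.counters.get(cmd, (0, 0))
        return total - ok


def parse_disconnect(line: str):
    """Parse one disconnect summary line; return None for other log lines."""
    m = DISCONNECT_RE.search(line)
    if not m:
        return None
    counters = {}
    for c in COUNTER_RE.finditer(m.group("counters")):
        total = int(c.group("total"))
        # Plain "cmd=n" means every one of the n commands was accepted.
        ok = int(c.group("ok")) if c.group("ok") is not None else total
        counters[c.group("cmd")] = (ok, total)
    return Session(m.group("host"), m.group("ip"), counters)


def enumeration_reasons(s: Session, max_rcpt: int = 5, max_rejected: int = 1):
    """Heuristic flags for one session. Thresholds are constructed defaults;
    an empty list means the session looks like ordinary delivery."""
    reasons = []
    if s.total("rcpt") > max_rcpt:
        reasons.append(f"{s.total('rcpt')} RCPT TO commands in one session")
    if s.rejected("rcpt") > max_rejected:
        reasons.append(f"{s.rejected('rcpt')} RCPT TO rejected")
    for probe in ("vrfy", "expn"):
        if s.total(probe) > 0:
            reasons.append(f"{probe.upper()} used")
    return reasons


def scan(log_text: str, **thresholds) -> dict:
    """Return {client_ip: [reasons]} for every flagged session in the log."""
    flagged = {}
    for line in log_text.splitlines():
        s = parse_disconnect(line)
        if s is None:
            continue
        reasons = enumeration_reasons(s, **thresholds)
        if reasons:
            flagged[s.ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in scan(SAMPLE_LOG).items():
        print(f"{ip}: {'; '.join(reasons)}")
```

The thresholds are deliberately conservative: one rejected RCPT TO per session is tolerated because a mistyped recipient from a legitimate peer looks the same, whereas any VRFY or EXPN from an unknown client is worth a look on a server that has `disable_vrfy_command = yes`. The `scan()` output is the kind of per-IP decision a fail2ban action would consume.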