On 6/7/2014 8:33 AM, Kai Krakow wrote:
> Wietse Venema <wie...@porcupine.org> wrote:
>
>> Kai Krakow:
>>> Hello list!
>>>
>>> Is there a way to prevent postfix from offering SASL auth (and
>>> that includes denying open relaying) to clients based on DNS RBL
>>> lookups? I've discovered the option smtpd_sasl_exceptions_networks
>>> which allows one to do that by adding static subnet entries or adding
>>> a hash map.
>>
>> In theory, one could configure the smtpd_sasl_exceptions_networks
>> feature to query a daemon that replies "not found" when the client
>> IP address is blacklisted.
>>
>> smtpd_sasl_exceptions_networks = tcp:host:port
>> smtpd_sasl_exceptions_networks = socketmap:inet:host:port:name
>> smtpd_sasl_exceptions_networks = memcache:/file/name
>>
>> In practice, almost no-one will do that. But, this would do what
>> you asked for and more.
>>
>> Alternatively, you could update the smtpd_sasl_exceptions_networks
>> lookup table with fail2ban after Postfix logs some number of login
>> failures from a client IP address.
>
> I think I'd go that route. But from watching my log we don't have a problem
> with clients brute forcing on postfix SASL but with compromised servers
> (those which everyone can rent for a few bucks per month and nobody applies
> security patches to) using the right (hijacked) credentials right from the
> beginning.
I wonder why you're just trying to stop SASL from those clients... Why not just use reject_rbl_client (and maybe other restrictions) before permit_sasl_authenticated to reject all mail from them? If you're unwilling to accept SASL credentials, why would you accept anything?

--
Noel Jones
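For the socketmap variant Wietse sketches above, here is an added example of such a daemon (not code from this thread or from Postfix): it speaks the netstring-based socketmap protocol, looks the client address up in a DNSBL, and answers OK (client lands in smtpd_sasl_exceptions_networks, so no AUTH is offered) for a listed address and NOTFOUND for a clean one. The port 7777, the map name saslexc and the zone dnsbl.example are assumptions; only complete IPv4 addresses are queried, a resolver failure is reported as TEMP rather than treated as "not listed".

```python
import socket
import threading
DNSBL_ZONE = "dnsbl.example"  # placeholder zone name: use the DNSBL you actually subscribe to
LISTEN = ("127.0.0.1", 7777)  # pairs with socketmap:inet:127.0.0.1:7777:saslexc in main.cf

def netstring(data):
    return b"%d:%s," % (len(data), data)  # socketmap framing: <len>:<bytes>,

def read_netstring(f):
    """Read one netstring from a binary file object; None on EOF or bad framing."""
    digits = b""
    while (ch := f.read(1)) != b":":
        if not ch.isdigit() or len(digits) > 6:  # b"" at EOF fails isdigit() too
            return None
        digits += ch
    body = f.read(int(digits)) if digits else None
    return body if body is not None and f.read(1) == b"," else None

def dns_lookup(name):
    try:
        return socket.gethostbyname(name)
    except socket.gaierror as e:
        if e.errno != socket.EAI_NONAME:
            raise  # SERVFAIL, timeout, ...: let the caller answer TEMP
        return None  # NXDOMAIN: not listed

def handle_request(request, resolve=dns_lookup):
    """One 'name key' request -> reply payload. OK = client in the exceptions list (no
    AUTH offered), NOTFOUND = AUTH offered. Only a complete IPv4 key is sent to the DNSBL."""
    octets = request.split(b" ", 1)[-1].decode("ascii", "replace").split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return b"NOTFOUND "
    try:
        listed = resolve(".".join(reversed(octets)) + "." + DNSBL_ZONE) is not None
    except OSError:
        return b"TEMP dnsbl lookup failed"  # resolver trouble is not a 'not listed' answer
    return b"OK listed" if listed else b"NOTFOUND "

def serve_client(conn):
    with conn, conn.makefile("rb") as f:  # answer until Postfix closes the connection
        while (req := read_netstring(f)) is not None:
            conn.sendall(netstring(handle_request(req)))

def serve():
    srv = socket.create_server(LISTEN)
    while True:  # one thread per smtpd connection
        conn, _ = srv.accept()
        threading.Thread(target=serve_client, args=(conn,), daemon=True).start()
if __name__ == "__main__":
    serve()
```

With the daemon running, `smtpd_sasl_exceptions_networks = socketmap:inet:127.0.0.1:7777:saslexc` in main.cf makes Postfix consult it per client; Noel's point still stands that reject_rbl_client ahead of permit_sasl_authenticated rejects such clients outright instead of merely withholding AUTH.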