On 07.06.2014 09:59, Kai Krakow wrote:
> Hello list!
>
> Is there a way to prevent postfix from offering SASL auth (and that includes
> denying open relaying) to clients based on DNS RBL lookups? I've discovered
> the option smtpd_sasl_exceptions_networks which allows doing that by adding
> static subnet entries or adding a hash map.
>
> The idea goes like this:
>
> * SASL auth is not offered -> no way to relay mail
> * based on a DNS-RBL that lists ASs with known bad behavior
> * based on a DNS-RBL that lists IPs which are known to run compromised
>   servers
>
> I imagined a configuration like this:
>
> smtpd_sasl_exceptions_networks =
>     reject_rbl_client z.mailspike.net=127.0.0.2
>     reject_rbl_client dnsbl-3.uceprotect.net
>
> Apart from this maybe being a bad idea, it would open the possibility to
> react to distributed brute force attacks and compromised passwords if an
> appropriate DNS BL could be offered by someone.
>
> Currently, I'd like to try out the idea but I'm not sure if the above
> configuration accepts passing in DNS BLs. Any suggestions?
>
> What could be the consequences of this? I'm interested in reading more
> ideas. Maybe there's already another approach to successfully prevent bots
> from using compromised mail user accounts?
>
>
> I outlined the same question here:
> http://serverfault.com/questions/602327/postfix-offer-sasl-authentication-based-on-rbl
>
Bad idea; perhaps a good idea if you have your own RBL to sync brute forcers' IPs to other servers. Perhaps you like, or get inspired by, this:

https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/

Best Regards
MfG Robert Schetterer

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
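A worked version of the idea in Kai's question, and of the "own RBL" angle in Robert's reply, as an added example that is not code from this thread, from Postfix or from the sys4 blog post. smtpd_sasl_exceptions_networks takes a network list or a lookup table (for instance a cidr: map), not restriction names such as reject_rbl_client, so the DNSBL decision has to be made outside Postfix and written into a table. The script below does that: it builds the reversed-octet query name for each client IP, honours the "zone=127.0.0.2" return-code filter the question uses, ignores answers outside 127.0.0.0/8, and renders cidr: lines. The resolver is injectable; the fake resolver, the 192.0.2.0/24 sample clients and their fake answers are constructed for this example so it runs offline, and the zone names are the ones from the question.

```python
"""Decide per client IP whether to withhold SMTP AUTH, based on DNSBL lookups.

Added example (not from the thread or from Postfix). Output lines are meant
for a cidr: table referenced from smtpd_sasl_exceptions_networks; Postfix
only checks whether the client address is found, so the right-hand side is
informational.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple

# A resolver maps a query name to the A records it resolves to; [] means
# NXDOMAIN (or a lookup failure), which a DNSBL uses to mean "not listed".
Resolver = Callable[[str], List[str]]

# Zone specs in the question's syntax: an optional "=code" restricts the
# match to one DNSBL return code, like reject_rbl_client zone=d.d.d.d.
ZONE_SPECS = ["z.mailspike.net=127.0.0.2", "dnsbl-3.uceprotect.net"]

# Constructed sample clients (documentation range, not real hosts).
SAMPLE_CLIENTS = ["192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40",
                  "192.0.2.50", "2001:db8::1"]

# Constructed DNSBL answers for the fake resolver (offline stand-in for DNS).
FAKE_DNS: Dict[str, List[str]] = {
    "10.2.0.192.z.mailspike.net": ["127.0.0.2"],        # listed, wanted code
    "20.2.0.192.z.mailspike.net": ["127.0.0.10"],       # listed, other code
    "20.2.0.192.dnsbl-3.uceprotect.net": ["127.0.0.2"], # listed, any code ok
    "30.2.0.192.z.mailspike.net": ["127.0.0.10"],       # other code only
    "50.2.0.192.dnsbl-3.uceprotect.net": ["10.0.0.1"],  # bogus, not 127/8
}


def fake_resolver(name: str) -> List[str]:
    """Offline resolver over the constructed FAKE_DNS table."""
    return FAKE_DNS.get(name, [])


def system_resolver(name: str) -> List[str]:
    """Real resolver for production use; NXDOMAIN and errors become []."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return list(dict.fromkeys(info[4][0] for info in infos))


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets under the zone, e.g. 10.2.0.192.zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError for non-IPv4 input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def parse_zone_spec(spec: str) -> Tuple[str, Optional[str]]:
    """Split 'zone=127.0.0.2' into (zone, code); code is None if absent."""
    zone, _, code = spec.partition("=")
    return zone, (code or None)


def is_listed(ip: str, spec: str, resolver: Resolver) -> bool:
    """True if the DNSBL lists ip (with the requested return code, if any)."""
    zone, expected = parse_zone_spec(spec)
    try:
        name = dnsbl_query_name(ip, zone)
    except ValueError:
        # IPv6 listings use a nibble encoding not handled here: treat as
        # not listed rather than guessing.
        return False
    loopback_net = ipaddress.ip_network("127.0.0.0/8")
    valid = []
    for answer in resolver(name):
        try:
            if ipaddress.IPv4Address(answer) in loopback_net:
                valid.append(answer)
        except ValueError:
            continue  # malformed answer, ignore
    return (expected in valid) if expected else bool(valid)


def first_listing(ip: str, specs: List[str], resolver: Resolver) -> Optional[str]:
    """Return the first zone spec that lists ip, or None if none does."""
    for spec in specs:
        if is_listed(ip, spec, resolver):
            return spec
    return None


def render_cidr_table(clients: List[str], specs: List[str],
                      resolver: Resolver) -> List[str]:
    """Render cidr: map lines for every client that some zone lists."""
    lines = []
    for ip in clients:
        spec = first_listing(ip, specs, resolver)
        if spec is not None:
            lines.append(f"{ip}/32 no-auth:{spec}")
    return lines


if __name__ == "__main__":
    for line in render_cidr_table(SAMPLE_CLIENTS, ZONE_SPECS, fake_resolver):
        print(line)
```

Feed the rendered lines into the cidr: file named by smtpd_sasl_exceptions_networks (and refresh it on a timer, since DNSBL listings change); swapping fake_resolver for system_resolver turns the script into a real lookup. The same render step works unchanged with an in-house zone that carries your own brute-forcer listings, which is the approach the reply points at.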