Hello list, Our external pen testers are performing a specific type of scan on our email servers, and it's generating a bit of spam. I'm trying to find a way to block these messages, while still allowing the team to scan (meaning, I can't just use iptables and block them). I have the following settings in place:

mydestination = $myhostname, localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_path = sasl2/smtpd.conf
smtpd_sasl_security_options = noanonymous
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dhparams.pem
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtp_generic_maps = hash:/etc/postfix/generic

Here is the log entry of the scanner sending its "ping" scan:

Nov 17 05:09:02 testserver postfix/smtpd[5764]: connect from unknown[10.10.10.10]
Nov 17 05:09:02 testserver postfix/smtpd[5764]: warning: network_biopair_interop: error reading 5 bytes from the network: Connection reset by peer
Nov 17 05:09:02 testserver postfix/smtpd[5764]: SSL_accept error from unknown[10.10.10.10]: -1
Nov 17 05:09:02 testserver postfix/smtpd[5764]: lost connection after STARTTLS from unknown[10.10.10.10]
Nov 17 05:09:02 testserver postfix/smtpd[5764]: disconnect from unknown[10.10.10.10]
Nov 17 05:09:02 testserver postfix/cleanup[5766]: 9993E40397: message-id=() { :;}; ping -p 074f5a50596c656c794f5a -c 3 scan02
Nov 17 05:09:02 testserver postfix/local[5767]: 817C0402AC: to=<nob...@testserver.com>, orig_to=<nobody>, relay=local, delay=0.14, delays=0.07/0.06/0/0.01, dsn=2.0.0, status=sent (forwarded as 9993E40397)

From there, it goes to "nobody", which goes to "root", who has a .forward to send it to the internal group.

I've contacted our external pen testers, and they tell me it's just a "normal Nessus smtp scan, which tries to send commands". I've tried to configure the reject_unauth_destination and permit_sasl_authenticated for both smtpd_relay_restrictions and smtpd_recipient_restrictions, but the cleanup appears to still be taking over, and converting this into a legit email bound for nobody. Any suggestions on how to completely drop these types of messages?

Thanks,
-DB
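An added illustration, not part of the poster's message or of any reply on the list. The recipient restrictions in the post cannot catch this message: `nobody@testserver.com` is a local address (the host is in `mydestination`), so `reject_unauth_destination` correctly lets it through, and the only thing that marks the message as a probe is its Message-ID header. The stage that sees headers is cleanup(8), driven by `header_checks`, so the defender's hook is a pcre table such as `header_checks = pcre:/etc/postfix/header_checks` in main.cf. The Python below models how such a table is evaluated (first matching rule per header line wins, matching is case-insensitive by default) and replays it over the cleanup log line from the post plus one constructed ordinary entry. The rule table, the path /etc/postfix/header_checks and the second log line are assumptions made for the example; a real table is verified with `postmap -q "Message-ID: ..." pcre:/etc/postfix/header_checks` against the running Postfix.

```python
"""Model of a Postfix header_checks(5) pcre table applied to the headers that
cleanup(8) sees.  Constructed illustration: the rule table and the path
/etc/postfix/header_checks are assumptions, not the poster's configuration."""
import re
from typing import List, Optional, Tuple

# Hypothetical /etc/postfix/header_checks in Postfix pcre_table(5) syntax.
# Both rules key on the "() {" bash function-definition prefix that the scanner
# put in its Message-ID.  Postfix pcre matching is case-insensitive by default,
# and the first rule that matches a header line decides that line's fate.
HEADER_CHECKS_PCRE = r"""
# Any header whose value starts with a bash function definition.
/^[A-Za-z-]+:\s*\(\)\s*\{/   REJECT Header value contains a shell function definition
# A Message-ID carrying the prefix anywhere, e.g. wrapped in <...>.
/^Message-ID:.*\(\)\s*\{/    REJECT Message-ID contains a shell function definition
"""

Rule = Tuple[re.Pattern, str, str]  # (compiled pattern, action, reply text)
RULE_RE = re.compile(r"^/(?P<pat>(?:\\/|[^/])+)/\s+(?P<action>[A-Z]+)(?:\s+(?P<text>.*))?$")


def parse_rules(table: str) -> List[Rule]:
    """Parse '/pattern/ ACTION text' lines; blank lines and '#' comments are skipped."""
    rules: List[Rule] = []
    for raw in table.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unparsable header_checks rule: {line!r}")
        pattern = re.compile(m.group("pat").replace(r"\/", "/"), re.IGNORECASE)
        rules.append((pattern, m.group("action"), m.group("text") or ""))
    return rules


def check_headers(headers: List[str], rules: Optional[List[Rule]] = None) -> Tuple[str, str]:
    """Return (action, text) from the first rule that matches any header line,
    or ("DUNNO", "") when nothing fires, mirroring header_checks semantics."""
    if rules is None:
        rules = parse_rules(HEADER_CHECKS_PCRE)
    for header in headers:
        for pattern, action, text in rules:
            if pattern.search(header):
                return action, text
    return "DUNNO", ""


# Queue id and Message-ID from a postfix/cleanup log line.
CLEANUP_RE = re.compile(r"postfix/cleanup\[\d+\]: (?P<qid>[0-9A-F]+): message-id=(?P<mid>.*)$")


def scan_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Replay cleanup log entries against the table: [(queue id, action), ...]."""
    rules = parse_rules(HEADER_CHECKS_PCRE)
    verdicts = []
    for line in lines:
        m = CLEANUP_RE.search(line)
        if m is None:
            continue  # not a cleanup message-id line
        action, _ = check_headers([f"Message-ID: {m.group('mid')}"], rules)
        verdicts.append((m.group("qid"), action))
    return verdicts


# Constructed sample: the scanner's line from the post plus one ordinary message.
SAMPLE_LOG = [
    "Nov 17 05:09:02 testserver postfix/cleanup[5766]: 9993E40397: "
    "message-id=() { :;}; ping -p 074f5a50596c656c794f5a -c 3 scan02",
    "Nov 17 05:09:41 testserver postfix/cleanup[5770]: 1A2B3C4D5E: "
    "message-id=<20151117050941.A1B2C3@mail.example.org>",
]

if __name__ == "__main__":
    for qid, action in scan_log(SAMPLE_LOG):
        print(f"{qid}: {action}")
```

A REJECT from header_checks is returned to the scanner during the SMTP transaction, so the message never reaches cleanup's output queue and nothing is forwarded to nobody or root; the scanner's connection itself is untouched, which keeps the test team's scan working.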