On Tue, Sep 20, 2016 at 12:03:37PM +0200, felderm wrote:
> Hi All
>
> We operate multiple Postfix instances behind HA-Proxies. The haproxy
> upstream protocol is enabled:
>
> smtpd_upstream_proxy_protocol=haproxy
> (the IPs of the HA-proxies are in mynetworks)
>
> There are brute-force attacks against the SMTP servers (auth Backend is
> OpenLDAP). We would like to block these clients and have found the
> following settings:
>
> smtpd_client_connection_rate_limit
> smtpd_error_sleep_time
> smtpd_soft_error_limit
> smtpd_hard_error_limit
>
> We experienced that these settings do not work behind HA-Proxies. Did we
> miss a configuration setting? Did someone implement brute-force
> restrictions behind HA-Proxies? If possible we would like to avoid
> fail2ban or other tools on the HA-Proxies.
>
> Your Feedback is highly appreciated!
> Thanks
> Felder

Have you considered implementing simple rate limiting at the firewall level?
Something like this, for example:

https://www.mnxsolutions.com/quick-tip/rate-limiting-connections-with-iptables.html

--Sean
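
Added example, not part of the thread: one way to pick out the brute-force clients described above from Postfix's own log, by counting SASL authentication failures per client address in a sliding window. The log lines are constructed, and it assumes that with the proxy protocol enabled the logged address is the original client rather than the HAProxy; the function name, threshold and window are illustrative.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in Postfix smtpd log format (documentation IP ranges).
# Assumption: the address in brackets is the original client, not the proxy.
SAMPLE_LOG = """\
Sep 20 12:00:01 mx1 postfix/smtpd[2101]: connect from unknown[203.0.113.7]
Sep 20 12:00:03 mx1 postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 20 12:00:06 mx1 postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 20 12:00:07 mx1 postfix/smtpd[2102]: warning: mail.example.net[198.51.100.20]: SASL PLAIN authentication failed:
Sep 20 12:00:09 mx1 postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 20 12:05:30 mx1 postfix/smtpd[2103]: warning: mail.example.net[198.51.100.20]: SASL PLAIN authentication failed:
Sep 20 12:05:31 mx1 postfix/smtpd[2104]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

# Matches e.g. "warning: host[addr]: SASL LOGIN authentication failed: ..."
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \S+ authentication failed"
)


def offenders(lines, threshold=3, window=timedelta(seconds=60), year=2016):
    """Map each client address to the time it first reached `threshold`
    SASL failures within `window`. Syslog omits the year, so it is passed in."""
    recent = defaultdict(deque)   # address -> failure times inside the window
    flagged = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:     # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and m["ip"] not in flagged:
            flagged[m["ip"]] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} reached the failure threshold at {when}")
```

The flagged addresses can then feed whatever blocking mechanism is in use; slow attempts spread beyond the window, like the second client in the sample, are not flagged.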