Always take advice from me with great caution since I'm new at this, but I use 587 as well and then firewall filter the hell out of 587 and all the email ports other than 25. In the case of this attack, the offender is a "commercial" server based on ip2location.com, so I would block their entire IP space using the Hurricane Electric tools from all but Web and port 25.
Having a VPS just for myself and not being a world traveller, I have blocked most countries from all but Web and 25. I have a script that pulls auth failures from the log and I investigate them as well. If not from any service I expect to use in the future, I block that IP space as well. Currently the University of Michigan is my latest dictionary attacker, and now just gets the firewall treatment. Obviously if your email server handles a number of users, geographical restrictions aren't the easiest to implement. I implemented the anvil tweaks based on a thread about two months ago and they work well. This dictionary attacking has got to be a fool's errand, so there don't seem to be many offenders. I find I can go for two or three days between such attacks.

Original Message
From: John Fawcett
Sent: Tuesday, January 3, 2017 6:46 AM
To: postfix-users@postfix.org
Subject: Re: Rate-limiting access to postfix on the firewall, what are decent numbers (depending on overall traffic)?

On 01/03/2017 01:37 PM, Gerben Wierda wrote:
> My postfix MTA has been under a lot of DOS-like attention. Such as a botnet sending many EHLO-requests, then password attempts:
> ...
> It does the first part from a multitude of machines.
>
> I want to stop this by setting a rate limiting rule in my firewall. I was wondering what rate to set if I want to limit access by the same IP. The first pattern, I could stop by rate-limiting to maximally 3 per second or 180 per minute. That is already pretty high. What MTA is going to send me 180 per minute and still be legit?
>
> So, because I do not want to lose valid stuff (though there is a backup mail server), I was wondering what a good rate limiting is to prevent these kinds of attacks.
>
> G

As well as the other advice given in the thread about tuning postfix rate limiting, you might want to look into using postscreen with some blocklists. Those will stop some of the traffic getting through to smtpd.

You can use this in conjunction with fail2ban to then block those ips at the firewall if they keep connecting. Fail2ban is also useful against repeated auth errors. Moving auth from port 25 to 587 will also reduce the risks a bit.

John
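The "script that pulls auth failures from the log" mentioned in the reply above, written out as an added example that is not part of the thread: a POSIX shell function that counts Postfix SASL authentication failures per client address and lists the clients at or above a threshold, so you can investigate them or hand them to the firewall. It runs here over constructed sample log lines; the exact log format, the addresses and the threshold of 3 are assumptions.

```shell
#!/bin/sh
# Constructed sample of Postfix smtpd log lines (not taken from a real server).
SAMPLE_LOG='Jan  3 06:40:01 mx postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan  3 06:40:02 mx postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan  3 06:40:03 mx postfix/smtpd[1235]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Jan  3 06:41:10 mx postfix/smtpd[1236]: warning: host.example.net[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan  3 06:42:00 mx postfix/smtpd[1237]: connect from unknown[203.0.113.5]
Jan  3 06:42:30 mx postfix/smtpd[1238]: warning: unknown[2001:db8::10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan  3 06:42:31 mx postfix/smtpd[1238]: warning: unknown[2001:db8::10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6'

# auth_failures_over LOGTEXT THRESHOLD
# Prints "count address" for every client with at least THRESHOLD SASL
# authentication failures, highest count first. Lines that are not SASL
# failures (plain connects, deliveries, ...) are ignored.
auth_failures_over() {
    printf '%s\n' "$1" | awk -v min="$2" '
        /SASL [A-Z-]+ authentication failed/ {
            # smtpd logs the client as name[address]: ; keep only the address
            if (match($0, /\[[0-9a-fA-F.:]+\]: SASL/)) {
                addr = substr($0, RSTART + 1, RLENGTH - 8)   # drop "[" and "]: SASL"
                n[addr]++
            }
        }
        END { for (a in n) if (n[a] >= min) print n[a], a }
    ' | sort -rn
}

# Stand-alone run over the constructed sample with an assumed threshold of 3.
auth_failures_over "$SAMPLE_LOG" 3
```

On a live system, point it at the real log instead: `auth_failures_over "$(cat /var/log/mail.log)" 5`. The output is what you would review before deciding whether an address belongs in a firewall block list or a fail2ban jail.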