the haproxy health checks produced the postfix/anvil logs. After adding the haproxy IP to "smtpd_client_event_limit_exceptions", the postfix/anvil logs correctly showed the originating IP of the brute force attacks.
smtpd_client_event_limit_exceptions = $mynetworks $haproxy

On 05/01/2017 05:43 PM, plataleas wrote:
>
> Hi all
>
> We have submission enabled behind an haproxy. The setup works like a
> charm:
>
> smtp01# cat /etc/postfix/master.cf
> ...
> submission inet n - - - - smtpd
>   -o syslog_name=postfix/submission
>   -o content_filter=smtp:[127.0.0.1]:10024
>   -o smtpd_tls_security_level=may
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_upstream_proxy_protocol=haproxy
>   -o smtpd_sender_restrictions=permit_sasl_authenticated,reject_unauth_destination
> ..
>
> haproxy01# cat /etc/haproxy/haproxy.cfg
>
> frontend frontend_smtp.example.com-587
>   bind x.x.x.x:587 # listening ip removed
>   mode tcp
>   default_backend backend_smtp.example.com-587
> backend backend_smtp.example.com-587
>   mode tcp
>   balance source
>   server smtp01.example.com smtp01.example.com:587 check send-proxy
>   server smtp02.example.com smtp02.example.com:587 check send-proxy
>
> smtp01 # postconf | grep mail_version
> mail_version = 2.11.3
> haproxy01 # haproxy -v
> HA-Proxy version 1.5.8 2014/10/31
>
> From the Postfix logs we see brute force attacks (173.220.99.186 is
> the client IP, not the haproxy IP):
>
> smtp01# grep 'authentication failed' /var/log/mail.log
>
> May 1 16:10:55 smtp01 postfix/submission/smtpd[21376]: warning: ool-addc63ba.static.optonline.net[173.220.99.186]: SASL LOGIN authentication failed: authentication failure
> May 1 16:10:55 smtp01 postfix/submission/smtpd[20989]: warning: ool-addc63ba.static.optonline.net[173.220.99.186]: SASL LOGIN authentication failed: authentication failure
> May 1 16:10:56 smtp01 postfix/submission/smtpd[21376]: warning: ool-addc63ba.static.optonline.net[173.220.99.186]: SASL LOGIN authentication failed: authentication failure
> May 1 16:10:57 smtp01 postfix/submission/smtpd[20989]: warning: ool-addc63ba.static.optonline.net[173.220.99.186]: SASL LOGIN authentication failed: authentication failure
> May 1 16:10:58 smtp01 postfix/submission/smtpd[21376]: warning: ool-addc63ba.static.optonline.net[173.220.99.186]: SASL LOGIN authentication failed: authentication failure
> May 1 16:10:59 smtp01 postfix/submission/smtpd[20989]: warning: ool-addc63ba.static.optonline.net[173.220.99.186]: SASL LOGIN authentication failed: authentication failure
>
> We would like to implement rate limiting. However the anvil logs
> (anvil is used for rate limiting) are showing the haproxy IP instead
> of the client IP (in this example 173.220.99.186):
>
> smtp01# grep anvil /var/log/mail.log
>
> May 1 16:11:01 smtp01 postfix/anvil[23221]: statistics: max cache size 12 at May 1 16:01:05
> May 1 16:21:01 smtp01 postfix/anvil[23221]: statistics: max connection rate 62/60s for (submission:a.b.c.d) at May 1 16:11:20
> May 1 16:21:01 smtp01 postfix/anvil[23221]: statistics: max connection count 2 for (submission:a.b.c.d) at May 1 16:11:01
> May 1 16:21:01 smtp01 postfix/anvil[23221]: statistics: max cache size 13 at May 1 16:11:44
>
> *a.b.c.d* is, against our expectations, the haproxy IP.
> -> we would expect that a.b.c.d is the SASL Login source client (in
> this example 173.220.99.186)
>
> Did we miss something? Thanks a lot!
>
> plataleas
>
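The following is an added example, not code from the thread or from Postfix/HAProxy. It shows the check a practitioner would run on /var/log/mail.log before and after the fix above: it computes the per-client SASL failure rate from the smtpd warnings (the quantity the poster actually wants to rate-limit), lists the addresses anvil reports as connection-rate peaks, flags any anvil peak address that never appears as a SASL-failure client (in the thread that address turned out to be the load balancer, not an attacker), and reports which of those addresses a given smtpd_client_event_limit_exceptions list would exempt. The log lines are constructed from the excerpt in the thread; the haproxy address 10.0.0.5, the second client 198.51.100.77 and the year 2017 are assumptions. The exceptions list must be passed already expanded to literal addresses or CIDR blocks (for example the output of `postconf -h mynetworks`), since $variables are not resolved here. Address matching goes through the ipaddress module, so it also handles IPv6 clients, which the thread does not show.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of /var/log/mail.log lines, modelled on the thread's excerpt.
# 10.0.0.5 stands in for the haproxy IP the thread masks as a.b.c.d (assumption);
# 198.51.100.77 is an assumed second client.
SAMPLE_LOG = """\
May  1 16:10:55 smtp01 postfix/submission/smtpd[21376]: warning: ool-addc63ba.static.optonline.net[173.220.99.186]: SASL LOGIN authentication failed: authentication failure
May  1 16:10:55 smtp01 postfix/submission/smtpd[20989]: warning: ool-addc63ba.static.optonline.net[173.220.99.186]: SASL LOGIN authentication failed: authentication failure
May  1 16:10:56 smtp01 postfix/submission/smtpd[21376]: warning: ool-addc63ba.static.optonline.net[173.220.99.186]: SASL LOGIN authentication failed: authentication failure
May  1 16:10:57 smtp01 postfix/submission/smtpd[20989]: warning: ool-addc63ba.static.optonline.net[173.220.99.186]: SASL LOGIN authentication failed: authentication failure
May  1 16:11:20 smtp01 postfix/submission/smtpd[21400]: warning: unknown[198.51.100.77]: SASL LOGIN authentication failed: authentication failure
May  1 16:21:01 smtp01 postfix/anvil[23221]: statistics: max cache size 12 at May  1 16:01:05
May  1 16:21:01 smtp01 postfix/anvil[23221]: statistics: max connection rate 62/60s for (submission:10.0.0.5) at May  1 16:11:20
May  1 16:21:01 smtp01 postfix/anvil[23221]: statistics: max connection count 2 for (submission:10.0.0.5) at May  1 16:11:01
"""

LOG_YEAR = 2017  # syslog timestamps carry no year; the thread is from May 2017 (assumption)

SASL_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/(?:\S+/)?smtpd\[\d+\]: "
    r"warning: \S+?\[(?P<addr>[^\]]+)\]: SASL \S+ authentication failed"
)
ANVIL_PEAK_RE = re.compile(
    r"postfix/anvil\[\d+\]: statistics: max connection (?P<kind>rate|count) "
    r"(?P<value>\S+) for \((?P<service>[^:]+):(?P<addr>[^)]+)\)"
)


def _parse_ts(ts: str) -> datetime:
    # Collapse the padded day ("May  1") before parsing.
    return datetime.strptime(f"{LOG_YEAR} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def parse_sasl_failures(log: str):
    """Return (timestamp, client address) for every smtpd SASL failure warning."""
    out = []
    for line in log.splitlines():
        m = SASL_FAIL_RE.match(line)
        if m:
            out.append((_parse_ts(m["ts"]), m["addr"]))
    return out


def failures_per_window(events, window_seconds: int = 60):
    """Peak number of failures per client inside any sliding window of the given
    length: the same 'N/60s' shape anvil uses for connection rates."""
    by_addr = defaultdict(list)
    for ts, addr in events:
        by_addr[addr].append(ts)
    span = timedelta(seconds=window_seconds)
    peaks = {}
    for addr, times in by_addr.items():
        times.sort()
        best, j = 0, 0
        for i, t in enumerate(times):
            while t - times[j] >= span:  # drop events that fell out of the window
                j += 1
            best = max(best, i - j + 1)
        peaks[addr] = best
    return peaks


def parse_anvil_peaks(log: str):
    """Return anvil's per-service peak entries (connection rate and count lines)."""
    return [m.groupdict() for m in map(ANVIL_PEAK_RE.search, log.splitlines()) if m]


def is_exempt(addr: str, exceptions) -> bool:
    """True if addr falls inside any entry of an already-expanded
    smtpd_client_event_limit_exceptions list (literal addresses or CIDR blocks)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in exceptions)


def audit(log: str, exceptions):
    """Correlate smtpd SASL failures with anvil peaks. An anvil peak address that
    never appears as a SASL-failure client is not a brute-force source; in the
    thread it was the load balancer's own connections."""
    failures = failures_per_window(parse_sasl_failures(log))
    anvil = parse_anvil_peaks(log)
    anvil_addrs = sorted({e["addr"] for e in anvil})
    return {
        "sasl_failures": failures,
        "anvil_peaks": anvil,
        "unattributed_anvil_addrs": [a for a in anvil_addrs if a not in failures],
        "exempt_anvil_addrs": [a for a in anvil_addrs if is_exempt(a, exceptions)],
    }


if __name__ == "__main__":
    # $mynetworks expanded by hand plus the haproxy address, as in the fix above.
    report = audit(SAMPLE_LOG, ["127.0.0.0/8", "10.0.0.5"])
    for addr, n in sorted(report["sasl_failures"].items(), key=lambda kv: -kv[1]):
        print(f"{addr}: peak {n} SASL failures/60s")
    print("anvil peak addresses with no SASL failures:", report["unattributed_anvil_addrs"])
    print("of those, exempt from anvil limits:", report["exempt_anvil_addrs"])
```

Run it against a real log with `audit(open("/var/log/mail.log").read(), exceptions)`; if an address keeps showing up under "anvil peak addresses with no SASL failures" after the exceptions change, it is still being counted by anvil and the exceptions list does not cover it.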