Ok, I already started a discussion with the ISP and they obviously have no idea what they are doing. However, they have made no effort to fix this setup. I'm still waiting. Maybe it is time to find a proper ISP and switch to it.
2018-01-31 17:00 GMT+03:00 Bill Cole <postfixlists-070...@billmail.scconsult.com>:

> On 30 Jan 2018, at 6:07 (-0500), jin&hitman&Barracuda wrote:
>
>> Yes, I saw connections coming from 172.27.203.20 and it was me.
>> I believe this setup is not fit for mail servers.
>
> Absolutely true. 3 widespread ISP tactics that make a network unfit for an Internet-facing MTA:
>
> 1. DNS hijacking
> 2. Firewall or router-based (usually Cisco ASA/PIX) mangling of SMTP
> 3. Source NAT for inbound traffic
>
> All 3 are often presented as part of "network security" packages but they are each lethal for a mail server.
>
>> Because I prefer to use fail2ban for brute force attacks and fail2ban depends on the source IP address. In this setup I can't see the source IP. Also I'll use iptables as a permanent filter for some IPv4 blocks (like China).
>>
>> Can anyone tell me that this setup has any benefit?
>
> No.
>
> Inbound source NAT is the most widespread network tactic that I know of which has no discernible benefit to the downstream user directly or indirectly. As far as I can tell, it is entirely a side effect of network gear manufacturers and network operators being lazy in implementation.
>
> --
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Currently Seeking Steady Work: https://linkedin.com/in/billcole

--
*There is no place like "/home"*
*From HemiB A R R A C U D A !*
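A quick check for the symptom discussed above (tactic 3 in Bill's list, and the OP seeing every inbound connection arrive from 172.27.203.20), as an added example that is not part of the thread: it reads Postfix smtpd log lines, decides from the peer addresses whether inbound source NAT is in play, and shows what a fail2ban-style maxretry rule would end up banning in that setup. The log lines are constructed for the example (the "direct" set uses RFC 5737 documentation addresses as stand-ins for Internet clients), and the function names are my own.

```python
"""Spot inbound source NAT in Postfix smtpd logs and show its effect on banning.

Added example, not code from the thread. Log lines below are constructed;
172.27.203.20 is the NAT source reported in the thread.
"""
import ipaddress
import re
from collections import Counter

# Postfix smtpd lines of interest: the connect line that fail2ban's postfix
# filters key on, and the SASL failure line that counts as a brute-force attempt.
CONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: connect from (?P<host>\S+?)\[(?P<ip>[0-9a-f.:]+)\]", re.I)
SASL_FAIL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: (?P<host>\S+?)\[(?P<ip>[0-9a-f.:]+)\]: "
    r"SASL \w+ authentication failed", re.I)

# Explicit RFC 1918 ranges rather than ipaddress's is_private, which also
# returns True for the RFC 5737 documentation ranges used in the sample below.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918)


def connect_ips(lines):
    """Client IPs from 'connect from' lines, in log order."""
    return [m.group("ip") for m in map(CONNECT_RE.search, lines) if m]


def nat_verdict(lines, min_connections=5) -> str:
    """Classify the inbound path from what smtpd records as the peer address.

    'inbound-source-nat': every connection came from one RFC 1918 address, i.e.
    an upstream device rewrote the source and the real client IP is gone.
    'mixed': some RFC 1918 peers (internal relays are normal) alongside public ones.
    'ok': all peers are public addresses.
    """
    ips = connect_ips(lines)
    if len(ips) < min_connections:
        return "insufficient-data"
    distinct = set(ips)
    if len(distinct) == 1 and is_rfc1918(ips[0]):
        return "inbound-source-nat"
    if any(is_rfc1918(ip) for ip in distinct):
        return "mixed"
    return "ok"


def ban_candidates(lines, maxretry=3):
    """IPs a fail2ban-like rule would ban: maxretry or more SASL failures."""
    fails = Counter(m.group("ip") for m in map(SASL_FAIL_RE.search, lines) if m)
    return sorted(ip for ip, n in fails.items() if n >= maxretry)


# Constructed sample: the NATed setup from the thread. Every peer is the NAT box.
NAT_LOG = [
    "Jan 30 06:01:12 mx postfix/smtpd[2101]: connect from unknown[172.27.203.20]",
    "Jan 30 06:01:13 mx postfix/smtpd[2101]: warning: unknown[172.27.203.20]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Jan 30 06:01:15 mx postfix/smtpd[2101]: disconnect from unknown[172.27.203.20]",
    "Jan 30 06:02:40 mx postfix/smtpd[2102]: connect from unknown[172.27.203.20]",
    "Jan 30 06:02:41 mx postfix/smtpd[2102]: warning: unknown[172.27.203.20]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Jan 30 06:03:02 mx postfix/smtpd[2103]: connect from unknown[172.27.203.20]",
    "Jan 30 06:03:03 mx postfix/smtpd[2103]: warning: unknown[172.27.203.20]: SASL PLAIN authentication failed: VXNlcm5hbWU6",
    "Jan 30 06:04:10 mx postfix/smtpd[2104]: connect from unknown[172.27.203.20]",
    "Jan 30 06:05:55 mx postfix/smtpd[2105]: connect from unknown[172.27.203.20]",
]

# Constructed sample: a server that sees real client addresses.
DIRECT_LOG = [
    "Jan 30 06:01:12 mx postfix/smtpd[2201]: connect from mail.example.net[198.51.100.7]",
    "Jan 30 06:01:30 mx postfix/smtpd[2202]: connect from unknown[203.0.113.44]",
    "Jan 30 06:01:31 mx postfix/smtpd[2202]: warning: unknown[203.0.113.44]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Jan 30 06:01:33 mx postfix/smtpd[2202]: warning: unknown[203.0.113.44]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Jan 30 06:01:35 mx postfix/smtpd[2202]: warning: unknown[203.0.113.44]: SASL PLAIN authentication failed: VXNlcm5hbWU6",
    "Jan 30 06:02:02 mx postfix/smtpd[2203]: connect from unknown[192.0.2.9]",
    "Jan 30 06:02:03 mx postfix/smtpd[2203]: warning: unknown[192.0.2.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Jan 30 06:02:40 mx postfix/smtpd[2204]: connect from relay.example.org[198.51.100.23]",
    "Jan 30 06:03:11 mx postfix/smtpd[2205]: connect from unknown[203.0.113.44]",
]


def report(name, lines):
    """Print and return (verdict, ban list) for one log sample."""
    verdict = nat_verdict(lines)
    bans = ban_candidates(lines)
    print(f"{name}: verdict={verdict} distinct_peers={len(set(connect_ips(lines)))} would_ban={bans}")
    if verdict == "inbound-source-nat" and bans:
        print("  banning", bans, "would block ALL inbound mail, not one attacker")
    return verdict, bans


if __name__ == "__main__":
    report("natted", NAT_LOG)
    report("direct", DIRECT_LOG)
```

Run it against a real mail.log (`nat_verdict(open("/var/log/mail.log"))`) before deploying fail2ban on a new network: a verdict of `inbound-source-nat` means the only thing a ban could ever hit is the ISP's NAT device, which is every client at once.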