On 03.04.19 14:14, James Brown wrote:
> Thanks all for your replies. Increasing both Ban time and Find time are good
> and I’ll do that. Looking through the logs I can see some repeated IPs for IMAP
> failures, but over long times (eg maybe once or twice a day max).
> We have Stunnel receive the traffic on port 465 and 587 and forward on to
> 127.0.0.1 on port 25.

time to change this.
1. different ports are for different access rules, ports 465 and 587 should
NOT accept unauthenticated mail.
2. port 587 is plaintext, should be required STARTTLS, afaik stunnel does
not support this
3. postfix can do those much better than stunnel.

> So that is why I can’t write a Fail2ban rule for
> this log line:
> auth-worker(42777): Info: sql(cont...@com.au,127.0.0.1): unknown user (given password: Password123)
> as it would ban localhost, not the original IP that Stunnel received.

4. postfix would not try to ban localhost.
just remove that stunnel.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Where do you want to go to die?" [Microsoft]
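
Added illustration of the suggestion in the reply above (not part of the original message, and not the poster's own configuration): a Postfix `master.cf` fragment in which Postfix itself listens on ports 587 and 465, so `smtpd` sees the connecting client's address rather than 127.0.0.1. It assumes the TLS certificate and the SASL backend are already configured in `main.cf` and that the stunnel listeners on these ports have been removed; the chroot column value `n` is also an assumption.

```conf
# /etc/postfix/master.cf (added example; adjust to the local setup)

# Port 587: plaintext connect, STARTTLS mandatory before anything else,
# and only authenticated clients may send mail.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# Port 465: TLS from the first byte (wrapper mode), the job stunnel was
# doing, again restricted to authenticated clients.
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# Port 25 stays as the existing "smtp inet ... smtpd" entry for
# server-to-server mail; it no longer receives traffic forwarded
# from 127.0.0.1 by stunnel.
```

After `postfix reload`, authentication failures on these ports are logged by `postfix/submission/smtpd` and `postfix/smtps/smtpd` with the remote client's address, which gives a ban rule something other than localhost to act on.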