On 20 Sep 2019, at 17:12, Daniel Miller wrote:
I'm seeing some higher levels of attempted logins from various sources. Are there any automated filters that are suggested?
The Spamhaus SBL and XBL are safe for use on submission ports, as is the Surriel 'PSBL.' It's possible for innocent infectees to get listed on those DNSBLs or to coincidentally get a dynamic IP formerly held by an infected device, but that is a manageable problem. Fail2ban is also useful against credential-stuffer attacks.
Or do I simply add a check_client_a_access and reference a manually maintained blacklist?
If you do use a manual local blacklist for this (as I do on my personal system) it is most useful to apply it at the network level: either in your router/firewall or in a host-local packet filter (e.g. iptables, ipfw, etc.) because rejecting auth attempts at the application level is relatively heavy compared to dropping SYNs. If your user population is relatively small and homogeneous (e.g. a family or small business mail system) you can block *almost* all of the Internet from ports 587 and 465 with no damage. Even if you need to support "road warrior" users who might log in from anywhere in the world, there are still some very large networks that host lots of credential-stuffers and no legitimate mail submission or IMAP users that can be blocked safely to good effect: AWS, Azure, GCP, Digital Ocean, etc.
-- Bill Cole b...@scconsult.com or billc...@apache.org (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
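Added example (not part of Bill's reply, and not fail2ban's or Postfix's own code): a small Python script that does what a fail2ban postfix-sasl jail does, but emits the result as packet-filter rules for the submission ports so the drop happens at the network level as suggested above. It parses the standard Postfix "SASL ... authentication failed" warning lines, counts failures per client within a sliding window, skips an operator-defined allowlist of local networks (so a user with a stale password on the office LAN does not get banned), and prints iptables/ip6tables DROP rules for ports 465 and 587. The log lines, the 3-failures-in-10-minutes threshold, the 192.0.2.0/24 allowlist and the rule format are all assumptions constructed for this example; the rules are printed for review rather than applied.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample of Postfix smtpd log output (documentation-range addresses,
# not real traffic). The "connect from" line is there to show it is ignored.
SAMPLE_LOG = """\
Sep 20 17:01:02 mx postfix/submission/smtpd[1201]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 20 17:01:03 mx postfix/submission/smtpd[1201]: connect from unknown[203.0.113.45]
Sep 20 17:01:07 mx postfix/submission/smtpd[1201]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 20 17:01:15 mx postfix/submission/smtpd[1203]: warning: unknown[203.0.113.45]: SASL PLAIN authentication failed: authentication failure
Sep 20 17:02:40 mx postfix/submission/smtpd[1204]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 20 17:03:01 mx postfix/smtps/smtpd[1205]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 20 17:03:30 mx postfix/submission/smtpd[1206]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 20 17:05:00 mx postfix/submission/smtpd[1207]: warning: office.example.net[192.0.2.77]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 20 17:05:02 mx postfix/submission/smtpd[1207]: warning: office.example.net[192.0.2.77]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 20 17:05:04 mx postfix/submission/smtpd[1207]: warning: office.example.net[192.0.2.77]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 20 17:10:00 mx postfix/submission/smtpd[1208]: warning: unknown[IPv6:2001:db8::beef]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 20 17:10:05 mx postfix/submission/smtpd[1208]: warning: unknown[IPv6:2001:db8::beef]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 20 17:10:09 mx postfix/submission/smtpd[1209]: warning: unknown[IPv6:2001:db8::beef]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 20 17:40:00 mx postfix/submission/smtpd[1210]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 20 17:41:00 mx postfix/submission/smtpd[1211]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

# Matches the SASL failure warning from any smtpd instance (plain "postfix/smtpd"
# or a master.cf syslog_name such as "postfix/submission/smtpd"). Postfix logs
# IPv6 clients as "[IPv6:addr]", so that prefix is stripped.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/(?:\S+/)?smtpd\[\d+\]: "
    r"warning: \S+\[(?:IPv6:)?(?P<ip>[0-9a-fA-F.:]+)\]: SASL \S+ authentication failed"
)


def parse_failures(log_text, year=2019):
    """Return [(timestamp, ip_address), ...] for every SASL auth failure line.

    Syslog timestamps carry no year, so one is assumed (a real tool would take
    it from the file's mtime or use ISO timestamps)."""
    events = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, ip_address(m["ip"])))
    return events


def find_offenders(events, maxretry=3, findtime=timedelta(minutes=10), allow=()):
    """fail2ban-style sliding window: an address is banned once it has at least
    `maxretry` failures inside any `findtime` span. Addresses inside the `allow`
    networks are never banned. Returns {ip: time_of_ban}."""
    allow_nets = [ip_network(n) for n in allow]
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)
    banned = {}
    for ip, times in by_ip.items():
        if any(ip in net for net in allow_nets):
            continue
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it spans at most findtime.
            while t - times[start] > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                banned[ip] = t
                break
    return banned


def firewall_rules(banned, ports=(465, 587)):
    """Render one iptables/ip6tables rule per banned address that drops new
    TCP connections (SYNs) to the submission ports, leaving port 25 alone."""
    dports = ",".join(str(p) for p in ports)
    rules = []
    for ip in sorted(banned, key=lambda a: (a.version, int(a))):
        tool = "iptables" if ip.version == 4 else "ip6tables"
        rules.append(
            f"{tool} -I INPUT -s {ip} -p tcp --syn -m multiport --dports {dports} -j DROP"
        )
    return rules


if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG)
    banned = find_offenders(events, allow=("192.0.2.0/24",))  # assumed office LAN
    for rule in firewall_rules(banned):
        print(rule)
```

With the sample above, 203.0.113.45 and 2001:db8::beef are banned, 192.0.2.77 is skipped because it is allowlisted, and 198.51.100.9 is not banned because its three failures never fall inside one ten-minute window. Where a manually maintained list of whole provider ranges is used instead (the AWS/Azure/GCP case above), the same rule shape takes a CIDR in `-s`, and an ipset or nftables set scales better than one iptables rule per address.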