On Sun, 3 Nov 2019, John Schmerold wrote:
On 11/2/2019 9:42 PM, Wietse Venema wrote:
John Schmerold:
What is the best way to protect against dictionary attacks in Postfix?
Reportedly, fail2ban (no first-hand experience, because I have no
SASL clients).
Wietse
I am using Postfix as a filter in front of O365/cpanel/Google apps. We are
seeing a few dictionary attacks; I will experiment with fail2ban.
One site (Mergy.org) recommends adding this to
/etc/fail2ban/filters.d/postfix (one line, wrapped here by mail):
^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4.1.1 .* Recipient address rejected: unverified address: unknown user:.*$
We'll see how it goes.
fail2ban includes (at least in debian buster) a suitable rule in
postfix-sasl.conf, viz.:
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/:]*={0,2})?\s*$
(all in one line; the spaces inside "(: [ A-Za-z0-9+/:]" matter, a mail
wrap tends to eat them).
It works fine to block random bots trying to authenticate as a user
(whether the user exists or not).
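Added example, not part of the thread and not fail2ban's own code: the two
regexes quoted above (the postfix-sasl failregex and the Mergy.org
unverified-address rule) run over constructed Postfix log lines, roughly the
way fail2ban-regex would, with a per-host count against a maxretry threshold.
Assumptions: %(__prefix_line)s is replaced by a simplified syslog prefix
(fail2ban's real expansion from common.conf is more permissive), <HOST> is
replaced by a simple named group rather than fail2ban's IPv4/IPv6/hostname
pattern, the mid-pattern (?i) is written in the scoped form (?i:...) because
Python 3.11 and later reject a global inline flag that is not at the start of
the expression, and the ignore pattern for "Connection lost to authentication
server" is my addition to show why an ignoreregex is needed: that line is
logged when saslauthd/dovecot is down, and the failregex alone would ban the
innocent client for it. The log lines are constructed for the example.

```python
"""Run fail2ban-style Postfix filters over sample log lines (added example)."""
import re
from collections import Counter

# Simplified stand-in for fail2ban's %(__prefix_line)s (assumption): syslog
# timestamp, hostname, and the postfix[/submission|/smtps]/smtpd[pid]: prefix.
PREFIX_LINE = (
    r"^\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ "
    r"postfix(?:-\w+)?/(?:submission/|smtps/)?smtpd\[\d+\]: "
)

# Simplified stand-in for fail2ban's <HOST> tag (assumption).
HOST = r"(?P<host>[\w.:-]+)"

FILTERS = {
    # Body of the Debian buster postfix-sasl failregex quoted in the thread;
    # (?i) rewritten as a scoped (?i:...) group for current Python.
    "postfix-sasl": re.compile(
        PREFIX_LINE
        + r"warning: [-._\w]+\[" + HOST + r"\]: SASL "
        + r"(?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
        + r"(: [ A-Za-z0-9+/:]*={0,2})?\s*$"
    ),
    # The Mergy.org rule for address-verification rejects quoted in the thread.
    "postfix-unverified": re.compile(
        PREFIX_LINE
        + r"NOQUEUE: reject: RCPT from \S+\[" + HOST + r"\]: 450 4\.1\.1 .* "
        + r"Recipient address rejected: unverified address: unknown user:.*$"
    ),
}

# My addition: the failregex above also matches the line Postfix logs when the
# SASL backend is unreachable, which is a server problem, not a client attack.
IGNOREREGEX = re.compile(
    r"authentication failed: Connection lost to authentication server$"
)

# Constructed sample log lines (not real traffic).
LOG_LINES = """\
Nov  3 10:15:01 mx1 postfix/smtpd[12345]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov  3 10:15:02 mx1 postfix/smtpd[12345]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed
Nov  3 10:15:03 mx1 postfix/smtpd[12345]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: VXNlcm5hbWU6
Nov  3 10:15:04 mx1 postfix/submission/smtpd[12346]: warning: host.example.net[198.51.100.7]: SASL CRAM-MD5 authentication failed: authentication failure
Nov  3 10:15:05 mx1 postfix/smtpd[12345]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: Connection lost to authentication server
Nov  3 10:15:06 mx1 postfix/smtpd[12345]: connect from unknown[192.0.2.10]
Nov  3 10:15:07 mx1 postfix/smtpd[12345]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.1.1 <bob@example.com>: Recipient address rejected: unverified address: unknown user: "bob"; from=<a@example.org> to=<bob@example.com> proto=ESMTP helo=<x>
"""


def match_failures(log_text):
    """Return (host, filter_name) for every line some filter matches and the
    ignore pattern does not exclude; the first matching filter wins."""
    hits = []
    for line in log_text.splitlines():
        if IGNOREREGEX.search(line):
            continue
        for name, rx in FILTERS.items():
            m = rx.search(line)
            if m:
                hits.append((m.group("host"), name))
                break
    return hits


def hosts_to_ban(log_text, maxretry=3):
    """Hosts whose failure count reaches maxretry (fail2ban's ban decision,
    ignoring the findtime window for simplicity)."""
    counts = Counter(host for host, _ in match_failures(log_text))
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for host, name in match_failures(LOG_LINES):
        print(f"{name}: {host}")
    print("ban:", hosts_to_ban(LOG_LINES))
```

Running it lists four postfix-sasl hits and one postfix-unverified hit; only
192.0.2.10 reaches maxretry=3, while 203.0.113.5 is never counted because its
only line is the lost-auth-server warning. Replacing the simplified prefix with
the real one is what `fail2ban-regex /var/log/mail.log postfix-sasl` does for
you, so use that against a real log before trusting either pattern.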