On Wed, Aug 26, 2020 at 08:41:14PM +0200, Steffen Nurpmeso wrote:
> One more thing i could contribute, just in case you do not know
> about it. Christos Zoulas of NetBSD has written a blocklist (it
> was blacklist for quite some years, but it lost its colour), and
> patched the postfix (among others) that is in the NetBSD base
> system to reach out and call a hook when an authentication
> failure happens.
>
> You know, i always could not understand why people use expensive
> logfile parsers to reach out for state that the server(s) had once
> they made their decision, which resulted in the logfile entry.
> That is just crazy. Take this for example
>
> Aug 26 20:27:09 postfix/smtpd[12169]: connect from unknown[185.234.218.85]
> Aug 26 20:27:10 postfix/smtpd[12169]: too many errors after AUTH from unknown[185.234.218.85]
> Aug 26 20:27:10 postfix/smtpd[12169]: disconnect from unknown[185.234.218.85] ehlo=1 auth=0/1 commands=1/2
> Aug 26 20:28:25 postfix/smtpd[12169]: connect from unknown[185.234.218.82]
> Aug 26 20:28:26 postfix/smtpd[12169]: too many errors after AUTH from unknown[185.234.218.82]
> Aug 26 20:28:26 postfix/smtpd[12169]: disconnect from unknown[185.234.218.82] ehlo=1 auth=0/1 commands=1/2
> Aug 26 20:28:46 postfix/smtpd[12169]: connect from unknown[185.234.219.228]
> Aug 26 20:28:47 postfix/smtpd[12169]: too many errors after AUTH from unknown[185.234.219.228]
> Aug 26 20:28:47 postfix/smtpd[12169]: disconnect from unknown[185.234.219.228] ehlo=1 auth=0/1 commands=1/2
>
> Thanks to the error limits (which are _so_ great, and helped me
> stop an attack i once had to face while temporarily, for half
> a day, using a different SMTP server than postfix) this does not
> hurt that much, and of course the firewall steps in if it is too
> heavy.
>
> But what the blocklist(d) does is to reach out in case of
> authentication failed events (unfortunately not for nonsense
> connections which do nothing, repeatedly, for example), so that
> a script can be invoked which establishes a firewall rule.
>
> It would be great if a hook could be called for such events. Even
> a simple fork+detach+exec+forget approach would be really great,
> with an event indicator and an IP address as an argument.
Ideally this would be done with a milter; milters see most SMTP commands from clients, but there's no milter support for SASL AUTH commands, and IIRC milters don't see the ultimate server replies. So bottom line, milters don't know that SASL auth took place, and wouldn't know whether these failed or not. This is unfortunate.

Plugging ad-hoc hooks into Postfix is not particularly attractive, even when otherwise well motivated. If I am right in concluding that milters aren't quite up to the task, it would be great if there were a more general framework that can accommodate milters as a special case, but might allow additional inspection of AUTH, STARTTLS, and any other commands not supported by milters, and also handle server replies so that the plugin could collect information on command failure, and not just intercede to block some commands.

-- 
Viktor.
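The log-parsing approach the thread discusses, as an added example that is not part of the thread or of Postfix: it reads postfix/smtpd disconnect summaries (the auth=succeeded/attempted field in the lines quoted above) and flags client addresses whose failed AUTH attempts reach a threshold within a sliding time window. The sample lines and the 192.0.2.0/24 addresses are constructed; the threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the postfix/smtpd format quoted in the thread;
# 192.0.2.0/24 are documentation addresses, not real clients.
SAMPLE_LOG = """\
Aug 26 20:27:10 mx postfix/smtpd[12169]: too many errors after AUTH from unknown[192.0.2.85]
Aug 26 20:27:10 mx postfix/smtpd[12169]: disconnect from unknown[192.0.2.85] ehlo=1 auth=0/1 commands=1/2
Aug 26 20:28:26 mx postfix/smtpd[12169]: disconnect from unknown[192.0.2.85] ehlo=1 auth=0/3 commands=1/4
Aug 26 20:40:00 mx postfix/smtpd[12169]: disconnect from unknown[192.0.2.7] ehlo=1 auth=0/1 commands=1/2
Aug 26 20:41:00 mx postfix/smtpd[12169]: disconnect from mail.example.org[192.0.2.9] ehlo=1 auth=1/1 commands=4/4
"""

# syslog timestamp, then whatever precedes the smtpd tag, then the message
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) .*?postfix/smtpd\[\d+\]: (?P<msg>.*)$")
# Postfix's per-session disconnect summary: auth=<succeeded>/<attempted>
DISCONNECT_RE = re.compile(r"^disconnect from \S+\[(?P<ip>[^\]]+)\].*\bauth=(?P<ok>\d+)/(?P<tried>\d+)")

def auth_failures(lines):
    """Return {ip: [(timestamp, failed_attempts), ...]} from disconnect summaries."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        d = DISCONNECT_RE.match(m.group("msg")) if m else None
        if not d:
            continue
        failed = int(d.group("tried")) - int(d.group("ok"))
        if failed > 0:
            # syslog timestamps carry no year; fine for relative windows
            ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
            events[d.group("ip")].append((ts, failed))
    return dict(events)

def offenders(lines, threshold=3, window=timedelta(minutes=10)):
    """IPs whose failed AUTH attempts reach threshold within any sliding window."""
    hits = set()
    for ip, ev in auth_failures(lines).items():
        ev.sort()
        start, total = 0, 0
        for ts, n in ev:
            total += n
            while ts - ev[start][0] > window:  # drop events older than the window
                total -= ev[start][1]
                start += 1
            if total >= threshold:
                hits.add(ip)
                break
    return hits
```

Calling offenders(SAMPLE_LOG.splitlines()) returns {'192.0.2.85'}: the single failure from 192.0.2.7 stays below the threshold and the successful login from 192.0.2.9 is never counted.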