On Mon, Mar 15, 2021 at 09:07:43AM -0700, Stephen Satchell wrote:
> Problem: someone is probing my Ubuntu 20.04 LTS based mail server.
> Along with SSH attacks (now mitigated) I had a number of log messages
> saying auth failures in Dovecot. When I traced packets generating these
> messages, I found that the packets were being directed to 25/tcp -- Postfix.

This is expected.

> > smtpd_sasl_auth_enable = yes
> > smtpd_sasl_path = private/auth
> > smtpd_sasl_type = dovecot

You've enabled SASL with dovecot as a backend. You could limit this to
port 587 (enable SASL via master.cf only for the submission service),
and require TLS there. It'll probably still get probed. That's life
on the public Internet.

If you turn on DNSSEC and DANE, one of the SMTP probes (about one per
day) will even come from my DANE survey bot:

    https://stats.dnssec-tools.org/
    https://stats.dnssec-tools.org/about.html

but it only connects to port 25, and only for MX hosts with DANE TLSA
records.

--
Viktor.
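
The change suggested in the reply above, written out as an added configuration example that is not part of the original message: the quoted main.cf settings are shown as the "before", followed by one way to confine SASL to the submission service and require TLS there. The chroot column (`y`) follows the Debian/Ubuntu stock master.cf and the relay restriction line is an assumption about the site's policy; keep whatever your own files already use.

```conf
# --- main.cf, before (from the quoted post) ---------------------------
# AUTH is offered by every smtpd instance, including 25/tcp, so password
# guesses against port 25 show up as Dovecot auth failures.
#
#   smtpd_sasl_auth_enable = yes
#   smtpd_sasl_path = private/auth
#   smtpd_sasl_type = dovecot

# --- main.cf, after ----------------------------------------------------
# Keep the Dovecot backend definition, but do not offer AUTH by default.
smtpd_sasl_auth_enable = no
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
# Never announce or accept AUTH on a session that is not TLS-protected.
smtpd_tls_auth_only = yes

# --- master.cf ---------------------------------------------------------
# Port 25 (MX traffic): inherits smtpd_sasl_auth_enable = no from main.cf.
smtp       inet  n       -       y       -       -       smtpd

# Port 587 (submission): AUTH enabled here only, STARTTLS mandatory.
submission inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
```

After `postfix reload`, the EHLO response on port 25 should no longer list an AUTH line, while port 587 lists it only after STARTTLS. Probes will still connect to both ports, but they can no longer drive Dovecot authentication attempts through 25/tcp.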