On 20/02/22 05:35, Bill Cole wrote:
We have listed all IPs. We can use a FW rule, but it's heavy and hard to
manage. A Postfix list may be easier.

On Linux, using ipsets instead of putting IPs directly in rules helps a lot with managing large lists. Fail2ban can do its work via ipsets.

An alternative to fail2ban and its workalikes is to more manually identify where your legitimate authentication traffic comes from and where it will never come from. Most of the IPs used for credential stuffing attacks are not associated with any end users or processes that would ever do any legitimate email submission anywhere, e.g. AWS instances, Digital Ocean Droplets, etc. You can safely refuse all port 465 and 587 traffic from huge swathes of the IPv4 space, if you are not a global mailbox provider.

Whether you use fail2ban or do manual one-by-one blocking or use your logs to figure out broad boundaries between networks you'll allow to try to submit mail and ones you will not, the better place to do this is at the network layer, not Postfix. It is unlikely for a single credential stuffer to overwhelm your system, but they can cause resource problems in aggregate and that's much less likely if you're not even bothering to do a TCP session initiation.

Geo-blocking is one strategy you might consider -- not just for Submission (e.g. port 587/465), but also for IMAP (e.g. port 143/993). There are sites which publish lists of IPv4 and IPv6 addresses for individual countries. The one I use is: https://www.ip2location.com/free/visitor-blocker

Just remember that it will also stop you being able to access/send emails while on your overseas holiday! ;-)

Nick.
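Putting the ipset suggestion and the submission/IMAP port list from this thread together, as an added example that is not from either poster: a POSIX shell script that turns a CIDR list (a constructed sample stands in for a downloaded country or cloud-provider list) into an `ipset restore` stream plus one iptables rule for ports 465, 587, 143 and 993. The set name `mail-blocklist` and the IPv4-only scope are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build an ipset from a CIDR list and
# refer to it from a single iptables rule covering submission and IMAP ports.
# Assumes a plain-text list of IPv4 CIDRs, one per line, and that ipset and
# iptables are installed. Only the commands are printed here; run them as
# root (pipe the first part into `ipset restore`) to apply.

# Constructed sample list standing in for a downloaded country/cloud list.
SAMPLE_CIDRS='# comment line
198.51.100.0/24
203.0.113.0/24

192.0.2.0/24'

# Emit an `ipset restore` script: create the set if missing, flush it, add
# every entry. Blank lines and comments are skipped; malformed lines are
# reported on stderr and left out rather than fed to ipset.
ipset_restore_script() {
    set_name="$1"   # e.g. mail-blocklist (assumed name)
    printf 'create %s hash:net family inet -exist\nflush %s\n' "$set_name" "$set_name"
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        # shape check only: a.b.c.d/len
        if printf '%s\n' "$line" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'; then
            printf 'add %s %s -exist\n' "$set_name" "$line"
        else
            printf 'skipping malformed entry: %s\n' "$line" >&2
        fi
    done
}

# One DROP rule per set covers every listed network, so the list can be
# refreshed with `ipset restore` without touching the firewall rules.
iptables_rule() {
    set_name="$1"
    printf 'iptables -I INPUT -p tcp -m multiport --dports 465,587,143,993 -m set --match-set %s src -j DROP\n' "$set_name"
}

printf '%s\n' "$SAMPLE_CIDRS" | ipset_restore_script mail-blocklist
iptables_rule mail-blocklist
```

Refreshing the list later is just re-running the first part into `ipset restore`; the DROP rule stays in place and immediately covers the new entries.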
