On Fri, 12 Aug 2022 at 19:00, Jaroslaw Rafa <r...@rafa.eu.org> wrote:
>
> Hello,
> as my submission services experience a lot of AUTH attacks recently, I want
> to temporarily block access to them from IP addresses other than those from
> where users are expected to send mail.
>
> 1) I created a file specifying allowed addresses; it looks like the following:
>
> 127.0.0.0/8 DUNNO
> ::1 DUNNO
> x.x.x.x/n DUNNO
> ...
> ... (more lines like above)
> ...
> 0.0.0.0/0 REJECT
> ::/0 REJECT
>
> The allowed IP ranges are listed with "DUNNO", and then there's a 0.0.0.0/0
> catchall with "REJECT".
>
> 2) I added the following to my main.cf:
>
> temp_client_block=check_client_access cidr:/etc/postfix/temp_client_access
>
> (/etc/postfix/temp_client_access is the above file).
>
> 3) In my master.cf, I changed in both the "submission" and "smtps" entries the
> line
>
> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>
> to
>
> -o smtpd_client_restrictions=$temp_client_block,permit_sasl_authenticated,reject
>
> and did "service postfix reload".
>
> However, I still find in my mail.log entries like:
>
> Aug 12 12:31:08 rafa postfix/smtps/smtpd[25866]: connect from unknown[1.221.23.26]
> Aug 12 12:31:09 rafa postfix/smtps/smtpd[25866]: Anonymous TLS connection established from unknown[1.221.23.26]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> Aug 12 12:31:16 rafa dovecot: auth-worker(25873): pam(r...@rafa.eu.org,1.221.23.26): pam_authenticate() failed: Authentication failure (password mismatch?)
> Aug 12 12:31:18 rafa postfix/smtps/smtpd[25866]: warning: unknown[1.221.23.26]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> Aug 12 12:31:19 rafa postfix/smtps/smtpd[25866]: lost connection after AUTH from unknown[1.221.23.26]
> Aug 12 12:31:19 rafa postfix/smtps/smtpd[25866]: disconnect from unknown[1.221.23.26]
>
> It looks the same as before I made the change, so I understand the client still
> tries to authenticate and disconnects after a failed AUTH. However,
> 1.221.23.26 is definitely not on my allowed addresses list in the file created
> in point 1), so shouldn't the connection be outright rejected without
> attempting AUTH at all?
>
> What am I doing wrong?
> --
> Regards,
> Jaroslaw Rafa
> r...@rafa.eu.org
> --
> "In a million years, when kids go to school, they're gonna know: once there
> was a Hushpuppy, and she lived with her daddy in the Bathtub."
Did you try fail2ban? It is very good.

Rgds/DP
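Added example, not part of the thread: before touching the restriction list it is worth confirming that the cidr table itself really resolves the attacking client to REJECT, and that the log lines are being read correctly. The script below is an offline re-implementation of the Postfix cidr: lookup rule (first matching entry wins, entries tried in file order, address families compared separately) run over the quoted table and the quoted "connect from" log lines. Two things are assumed: the redacted x.x.x.x/n range stands in for the made-up documentation prefix 203.0.113.0/24, and the last log line (a client in that range) is constructed to show the DUNNO path. On the real server the equivalent one-liner is `postmap -q 1.221.23.26 cidr:/etc/postfix/temp_client_access`, which prints REJECT when the table is in order, and `postconf -P` shows the per-service `-o` overrides that master.cf actually applies.

```python
import ipaddress
import re

# Constructed copy of the table from the post.  203.0.113.0/24 is a placeholder
# for the redacted x.x.x.x/n allowed range; it is not from the original mail.
TEMP_CLIENT_ACCESS = """\
# allowed client ranges first, catch-all last
127.0.0.0/8 DUNNO
::1 DUNNO
203.0.113.0/24 DUNNO
0.0.0.0/0 REJECT
::/0 REJECT
"""

# First three lines are the ones quoted in the post; the fourth is constructed
# to show a client inside the placeholder allowed range.
LOG_SAMPLE = """\
Aug 12 12:31:08 rafa postfix/smtps/smtpd[25866]: connect from unknown[1.221.23.26]
Aug 12 12:31:09 rafa postfix/smtps/smtpd[25866]: Anonymous TLS connection established from unknown[1.221.23.26]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 12 12:31:18 rafa postfix/smtps/smtpd[25866]: warning: unknown[1.221.23.26]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Aug 12 12:40:00 rafa postfix/submission/smtpd[25901]: connect from example[203.0.113.7]
"""

# Only "connect from host[ip]" lines carry a new client; "connection
# established from" on the TLS line does not match this pattern.
CONNECT_RE = re.compile(
    r"postfix/\S+/smtpd\[\d+\]: connect from \S+\[([0-9a-fA-F.:]+)\]"
)


def parse_cidr_table(text):
    """Parse a Postfix cidr: table into an ordered list of (network, action).

    Blank lines and '#' comments are skipped.  Order is preserved because
    Postfix cidr tables return the action of the first matching entry.
    A bare address without /prefix becomes a single-host network.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pattern, action = line.split(None, 1)
        # strict=False tolerates host bits in the pattern for this example;
        # keep the real table's patterns clean anyway.
        net = ipaddress.ip_network(pattern, strict=False)
        entries.append((net, action.strip()))
    return entries


def lookup(entries, client_ip):
    """Return the action of the first entry matching client_ip, or None.

    IPv4 clients are only compared against IPv4 patterns and IPv6 against
    IPv6, so the 0.0.0.0/0 line never catches an IPv6 client; that is what
    the separate ::/0 line is for.
    """
    addr = ipaddress.ip_address(client_ip)
    for net, action in entries:
        if net.version == addr.version and addr in net:
            return action
    return None


def classify_connections(entries, log_text):
    """Map every client IP seen on a 'connect from' line to the table verdict."""
    verdicts = {}
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            ip = m.group(1)
            verdicts[ip] = lookup(entries, ip)
    return verdicts


if __name__ == "__main__":
    table = parse_cidr_table(TEMP_CLIENT_ACCESS)
    for ip, verdict in classify_connections(table, LOG_SAMPLE).items():
        print(f"{ip:>16} -> {verdict}")
```

If the table yields REJECT for 1.221.23.26 (as it does here), the table is not the problem and attention moves to when the restriction is evaluated: Postfix documents that with the default `smtpd_delay_reject = yes`, `smtpd_client_restrictions` is not applied at connect time but postponed until the RCPT TO (or ETRN) command, so a client that only sends AUTH and then drops the connection is logged exactly as in the quoted excerpt.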