On 14.08.2022 at 18:40:11 tog...@dinamizm.com wrote:
> for submission I have this in the smtpd_client_restrictions settings of
> master.cf
>
> reject_rbl_client auth.spamrats.com=127.0.0.39
I put this into my Postfix config a few hours after you sent your mail. So far, I have found the following statistics in my logs:

- There were a total of 45 different IP addresses that tried to access my smtps or submission service (I noticed that since I started rejecting access to these services, the number of connections decreased).
- Out of these 45, 3 IP addresses repeated and were caught by fail2ban. Two of them repeated so many times that I manually firewalled them permanently.
- Out of these 45, only 5 were caught by the spamrats service (none of those 3 repeating ones were among them).

I didn't try the two other lists, as they require setting up an account, and I doubt the results will be much better.

There's however one interesting thing: while I see some number of SMTP AUTH attempts, I see basically *no* attempts to log in to IMAP.

This brought me to the idea of reviving the old "POP before SMTP" authorization concept that was used before SMTP AUTH was widely deployed. Only this time it would be "IMAP before SMTP", of course.

I would like to write a policy service for Postfix that will allow connections to the submission ports only from IPs that have a currently established IMAP session with Dovecot. Of course they will still need to authenticate, but if an IP address does not have a currently open IMAP session, a connection from it will be rejected right away, without even getting to the AUTH phase. (That should replace the static list of allowed IP ranges that I use now; see my previous emails in this thread.)

That's the usual way mail clients work: they first open an IMAP connection and keep it open all the time, and only when you want to send mail do they connect to a submission service.

Only I don't know: is there an easy way to get from Dovecot a list of IPs that currently have open IMAP sessions? I know this is not a Dovecot list, but maybe someone here knows the answer to this?
Or maybe someone already wrote such a piece of software and it sits somewhere on the Net, ready to grab?
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."
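The "IMAP before SMTP" policy service sketched in the message above, as an added example (not code from the poster or from the Postfix/Dovecot projects). It speaks the Postfix policy-delegation protocol (name=value lines terminated by an empty line, answered with `action=...` and an empty line) and gets the set of live client IPs from Dovecot's `doveadm who -1`. Two things are assumed and should be checked locally: that `doveadm who -1` prints one line per session with whitespace-separated `username proto pid ip` columns after a header line starting with `username`, and that the service listens on 127.0.0.1:10040. The sample `doveadm` output and sample policy request embedded below are constructed for offline runs.

```python
#!/usr/bin/env python3
"""IMAP-before-SMTP policy service for Postfix, fed by Dovecot's `doveadm who`.

Added example, not code from the list post. Assumed (verify on your system):
  * `doveadm who -1` output: header line starting with `username`, then one
    line per session with columns `username proto pid ip`.
  * Postfix reaches us via `check_policy_service inet:127.0.0.1:10040`.
"""
import ipaddress
import socketserver
import subprocess
import time
from typing import Optional

DOVEADM_WHO_CMD = ["doveadm", "who", "-1"]   # assumed invocation, see docstring
LISTEN = ("127.0.0.1", 10040)                 # assumed listen address
CACHE_TTL = 2.0   # seconds; short so a closed IMAP session drops out quickly

# Constructed sample inputs (not captured from a real server).
SAMPLE_WHO = (
    "username                 proto pid     ip\n"
    "alice                    imap  8192    203.0.113.5\n"
    "bob                      imap  8203    2001:db8::0:1\n"
    "carol                    pop3  8224    198.51.100.7\n"
)
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=203.0.113.5\n"
    "client_name=example.client\n"
    "\n"
)


def parse_policy_request(blob: str) -> dict:
    """Parse one Postfix policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in blob.splitlines():
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def canon(addr: str) -> Optional[str]:
    """Canonical text form of an IP (so IPv6 spellings compare equal), else None."""
    if addr.startswith("IPv6:"):          # defensive; Postfix normally omits it
        addr = addr[5:]
    try:
        return str(ipaddress.ip_address(addr))
    except ValueError:
        return None


def parse_doveadm_who(output: str) -> set:
    """Return the client IPs of all currently open IMAP sessions (POP3 ignored)."""
    ips = set()
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] == "username" or fields[1] != "imap":
            continue
        ip = canon(fields[3])
        if ip:
            ips.add(ip)
    return ips


def decide(request: dict, active_ips: set) -> str:
    """Map a parsed request plus the live IP set to a Postfix action string."""
    ip = canon(request.get("client_address", ""))
    if ip is None:
        return "DUNNO"   # no usable address: let the other restrictions decide
    if ip in active_ips:
        return "DUNNO"   # has an IMAP session; SMTP AUTH is still required later
    return "REJECT No active IMAP session from your address"


class _Cache:
    ips: set = set()
    stamp: float = 0.0
    error: bool = False


def active_imap_ips() -> set:
    """Run doveadm at most once per CACHE_TTL; raise if the last run failed."""
    now = time.monotonic()
    if now - _Cache.stamp > CACHE_TTL:
        try:
            out = subprocess.run(DOVEADM_WHO_CMD, capture_output=True, text=True,
                                 check=True, timeout=5).stdout
            _Cache.ips, _Cache.error = parse_doveadm_who(out), False
        except (OSError, subprocess.SubprocessError):
            _Cache.error = True
        _Cache.stamp = now
    if _Cache.error:
        raise RuntimeError("doveadm who failed")
    return _Cache.ips


class PolicyHandler(socketserver.StreamRequestHandler):
    """Postfix may send several requests over one connection; answer each one."""
    def handle(self):
        while True:
            lines = []
            while True:
                raw = self.rfile.readline()
                if not raw:
                    return                       # Postfix closed the connection
                line = raw.decode("utf-8", "replace").rstrip("\r\n")
                lines.append(line)
                if line == "":
                    break
            request = parse_policy_request("\n".join(lines))
            try:
                action = decide(request, active_imap_ips())
            except RuntimeError:
                action = "DEFER_IF_PERMIT Session lookup unavailable"  # 4xx, not 5xx
            self.wfile.write(f"action={action}\n\n".encode())
            self.wfile.flush()


if __name__ == "__main__":
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(LISTEN, PolicyHandler) as srv:
        srv.serve_forever()
```

Caveats a deployer should keep in mind: Postfix by default delays evaluation of `smtpd_client_restrictions` until RCPT TO (`smtpd_delay_reject = yes`), so to refuse a client before the AUTH phase, as the message intends, the submission service needs `smtpd_delay_reject = no` as well as the `check_policy_service` entry. A lookup failure answers `DEFER_IF_PERMIT` (a temporary 4xx) rather than silently allowing or permanently rejecting. The two-second cache is a trade-off: a longer TTL cuts `doveadm` invocations but lets an address keep submitting briefly after its IMAP session closed. Finally, this is an address check, not an identity check: every user behind the same NAT gateway shares one IP, so SMTP AUTH stays mandatory behind it.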