On 22.06.2023 at 13:58:20, André Rodier via Postfix-users wrote:
>
> I just set up a new server, running Postfix, with submission(s) activated
> on standard ports (587, 465).
>
> Shortly after it was set up, I see brute force attacks (not
> surprising) from a whole /24 network (more surprising).
>
> I carefully checked the logs and see the modus operandi, which basically
> loops across the IP addresses in the network, to avoid being blacklisted by
> tools like fail2ban. And it is true: even with fail2ban activated, no IP
> is blacklisted.
>
> By activating verbose logging, I see multiple user names are tried, not
> only passwords.
I encountered this a few months ago. My approach (I wrote here about this) was to write a policy service that is called for the submission services and consults Dovecot to check whether there is already a logged-in IMAP user from the same IP address. If not, the connection is immediately rejected (smtpd_delay_reject is set to no on the submission services), so the attacker doesn't even get to the AUTH phase.

This should allow only connections to the submission services that come from actual mail clients, which open the IMAP session first before trying to submit mail. As there are far fewer attacks on IMAP than on submission services (for now, of course; things can change), this works pretty well.

My prototype policy service is rather primitively implemented: it uses the model of spawning a new process on each connection, so performance would be poor on a high-traffic site and it would need to be rewritten. But for my low-traffic server it's good enough.
--
Regards,
Jaroslaw Rafa
r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
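The gate described in the reply above, written out as an added example; this is not Jaroslaw Rafa's service and not part of Postfix or Dovecot. It speaks the Postfix policy delegation protocol (name=value lines ending with an empty line, answered with action=... and an empty line) on stdin/stdout, the way spawn(8) runs a per-connection policy process, and asks Dovecot which client addresses currently hold a session via `doveadm who -1`. Assumptions, also marked in the code: that `doveadm` is on PATH and the account the service runs as may open Dovecot's anvil socket, and that `doveadm who -1` prints one connection per line with the client IP as the last column (the sample output and the sample policy request below are constructed, so the decision logic runs offline).

```python
"""Postfix policy service: admit a submission client only if Dovecot already
holds an IMAP/POP3 session from the same client IP.

Added example (not the reply author's code).  Lines marked ASSUMPTION are
not confirmed by the thread.  Wiring it into Postfix (illustrative):

  master.cf
    submission inet n - y - - smtpd
      -o smtpd_delay_reject=no
      -o smtpd_client_restrictions=permit_mynetworks,check_policy_service,unix:private/imapgate
    imapgate unix - n n - 0 spawn user=root argv=/usr/local/bin/imapgate.py

smtpd_delay_reject=no makes the client restriction run at CONNECT time, so
a rejected scanner never reaches AUTH.  If doveadm fails, this process
exits non-zero and Postfix answers with a temporary error (fails closed).
"""
import io
import ipaddress
import subprocess
import sys

# Constructed sample of `doveadm who -1` output.
# ASSUMPTION: columns are username, proto, pid, ip (ip last).
SAMPLE_DOVEADM_OUTPUT = """\
username   proto pid  ip
alice      imap  8192 192.0.2.10
bob        imap  8203 2001:db8::1
carol      pop3  8310 198.51.100.7
"""

# Constructed sample policy request as check_policy_service would send it.
SAMPLE_REQUEST = """\
request=smtpd_access_policy
protocol_state=CONNECT
protocol_name=ESMTP
client_address=192.0.2.10
client_name=unknown
instance=123.6789.abcd

"""


def parse_policy_request(raw):
    """Turn the name=value block into a dict; an empty line ends the request."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def logged_in_addresses(doveadm_output):
    """Collect the client IPs that currently hold a Dovecot session."""
    addrs = set()
    for line in doveadm_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] == "username":
            continue  # header or malformed line
        try:
            addrs.add(ipaddress.ip_address(fields[-1]))
        except ValueError:
            continue
    return addrs


def run_doveadm():
    """Query Dovecot's anvil through doveadm (ASSUMPTION: doveadm on PATH,
    and this process may open the anvil socket)."""
    proc = subprocess.run(["doveadm", "who", "-1"],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def decide(attrs, doveadm_output):
    """Return the policy action for one request."""
    try:
        client = ipaddress.ip_address(attrs.get("client_address", ""))
    except ValueError:
        # Postfix always supplies client_address; if it is unusable, leave
        # the decision to the remaining restrictions.
        return "DUNNO"
    if client in logged_in_addresses(doveadm_output):
        return "DUNNO"  # let later restrictions and AUTH proceed
    return "reject Open an IMAP session before submitting mail"


def read_request(inp):
    """Read one request (up to the empty line); None at EOF."""
    lines = []
    while True:
        line = inp.readline()
        if line == "":
            return None
        if line == "\n":
            return "".join(lines)
        lines.append(line)


def serve(inp, out, query=run_doveadm):
    """Answer requests until Postfix closes the connection."""
    while True:
        raw = read_request(inp)
        if raw is None:
            return
        out.write("action=%s\n\n" % decide(parse_policy_request(raw), query()))
        out.flush()


def demo():
    """Run serve() over the constructed request and sample doveadm output."""
    out = io.StringIO()
    serve(io.StringIO(SAMPLE_REQUEST), out, query=lambda: SAMPLE_DOVEADM_OUTPUT)
    return out.getvalue()


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```

Because `doveadm who` answers from anvil's in-memory table, the check costs one fork of doveadm per request rather than an IMAP login; a long-lived daemon that keeps the result cached for a few seconds would be the obvious rewrite for a busy site. A scanner that walks a whole /24 never appears in anvil, so every address in that range is refused at CONNECT, which is exactly the case fail2ban's per-IP counting misses.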