Re: Dictionary attacks
On 03/11/2019 02:42, Wietse Venema wrote:
> John Schmerold:
>> What is the best way to protect against dictionary attacks in Postfix?
>
> Reportedly, fail2ban (no first-hand experience, because I have no
> SASL clients).
>
> Wietse
>

I run a home-brewed fail2ban look-alike; I find it almost as useful as postscreen.

Another mailing list suggests an ACL based on IP netblocks, to define a "service area" where incoming AUTH connections are permitted.

Allen C
Re: Dictionary attacks
Wietse Venema:
> John Schmerold:
>> What is the best way to protect against dictionary attacks in Postfix?
>
> Reportedly, fail2ban (no first-hand experience, because I have no
> SASL clients).

Also, Postfix can rate-limit auth commands, on the assumption that good users don't make lots of repeated login attempts.

	Wietse

http://www.postfix.org/postconf.5.html#smtpd_client_auth_rate_limit

smtpd_client_auth_rate_limit (default: 0)
    The maximal number of AUTH commands that any client is allowed to send to this service per time unit, regardless of whether or not Postfix actually accepts those commands. The time unit is specified with the anvil_rate_time_unit configuration parameter. By default, there is no limit on the number of AUTH commands that a client may send. To disable this feature, specify a limit of 0.

    WARNING: The purpose of this feature is to limit abuse. It must not be used to regulate legitimate mail traffic.

    This feature is available in Postfix 3.1 and later.
Re: Dictionary attacks
On 03 Nov 2019, at 06:06, Wietse Venema wrote:
> Wietse Venema:
>> John Schmerold:
>>> What is the best way to protect against dictionary attacks in Postfix?
>>
>> Reportedly, fail2ban (no first-hand experience, because I have no
>> SASL clients).
>
> Also, Postfix can rate-limit auth commands, on the assumption that
> good users don't make lots of repeated login attempts.
>
> Wietse
>
> http://www.postfix.org/postconf.5.html#smtpd_client_auth_rate_limit
>
> smtpd_client_auth_rate_limit (default: 0)
>     The maximal number of AUTH commands that any client is allowed
>     to send to this service per time unit, regardless of whether
>     or not Postfix actually accepts those commands. The time unit
>     is specified with the anvil_rate_time_unit configuration
>     parameter.

That defaults to 60s, so setting this to 3 would rate limit to three attempts per minute. That's good to know.

That might be useful, though I am not sure I am seeing very fast auth attempts. Still, it certainly can't hurt.
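The settings discussed in the two messages above, written out as an added example main.cf fragment; this is not configuration posted in the thread. The parameter names and the 60s default are Postfix's own (see postconf(5)); the value 3 is the one suggested above. Postfix does not accept a comment after a value on the same line, so every comment is on a line of its own.

```ini
# main.cf fragment: per-client AUTH rate limit (needs Postfix 3.1 or later)

# Length of the anvil counting window. 60s is the default; it is written
# out because smtpd_client_auth_rate_limit is defined "per time unit".
anvil_rate_time_unit = 60s

# At most 3 AUTH commands per client per 60s window, counted whether or
# not the AUTH succeeds. 0 (the default) disables the limit entirely.
smtpd_client_auth_rate_limit = 3
```

After `postfix reload`, `postconf mail_version` confirms the server is 3.1 or later and `postconf smtpd_client_auth_rate_limit anvil_rate_time_unit` confirms the values took (on an older Postfix the first parameter is reported as unknown). The counter is kept per client IP address, so this slows one guessing source down but does nothing against attempts spread across many addresses, and it applies equally to a legitimate client that retries quickly, which is why postconf(5) restricts it to abuse control rather than regulating normal traffic.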
Re: Dictionary attacks
On 11/2/2019 9:42 PM, Wietse Venema wrote:
> John Schmerold:
>> What is the best way to protect against dictionary attacks in Postfix?
>
> Reportedly, fail2ban (no first-hand experience, because I have no
> SASL clients).
>
> Wietse

I am using Postfix as a filter in front of O365/cpanel/Google apps; we are seeing a few dictionary attacks, so I will experiment with fail2ban.

One site (Mergy.org) recommends adding this to /etc/fail2ban/filters.d/postfix:

^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4.1.1 .* Recipient address rejected: unverified address: unknown user:.*$

We'll see how it goes.
Re: Error 46 with TLS
Hello,

I had no time to solve the problem definitively. Now the result is not error 46 but:

Nov 3 17:23:51 jolly postfix/smtpd[5113]: connect from unknown[192.168.5.1]
Nov 3 17:23:51 jolly postfix/smtpd[5113]: Anonymous TLS connection established from unknown[192.168.5.1]: TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)
Nov 3 17:23:51 jolly postfix/smtpd[5113]: warning: unknown[192.168.5.1]: SASL LOGIN authentication failed: authentication failure
Nov 3 17:23:51 jolly postfix/smtpd[5113]: lost connection after AUTH from unknown[192.168.5.1]
Nov 3 17:23:51 jolly postfix/smtpd[5113]: disconnect from unknown[192.168.5.1] ehlo=2 starttls=1 auth=0/1 commands=3/4

This is strange, as I don't do an anonymous connection.

I installed saslauthd.

# Example: MECHANISMS="pam"
MECHANISMS="shadow"

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""

# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5

# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for chroot Postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
# Example for non-chroot Postfix users: "-c -m /var/run/saslauthd"
#
# To know if your Postfix is running chroot, check /etc/postfix/master.cf.
# If it has the line "smtp inet n - y - - smtpd" or "smtp inet n - - - - smtpd"
# then your Postfix is running in a chroot.
# If it has the line "smtp inet n - n - - smtpd" then your Postfix is NOT
# running in a chroot.
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

This is only the end of the conf file. I didn't change anything at the start of the file.

Here is the smtpd part of main.cf:

# TLS parameters
broken_sasl_auth_clients = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/zelec.homelinux.net/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/zelec.homelinux.net/privkey.pem
smtpd_use_tls=yes
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_sasl_auth_enable = yes
broken_sasl_auth_client = yes
#smtpd_tls_CAfile=/etc/letsencrypt/live/zelec.homelinux.net/fullchain.pem
#smtpd_tls_CApath=/etc/ssl/certs/
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination permit_inet_interfaces reject_unauth_destination permit_mx_backup
myhostname = jolly.zelec.lan

Here is my master.cf:

# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==
smtp       inet  n       -       y       -       -       smtpd
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
submission inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps      inet  n       -       y       -       -       smtpd
#  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

Thanks for ideas,
Benoit

On 22/09/2019 at 18:15, Viktor Dukhovni wrote:
> On Sun, Sep 22, 2019 at 03:07:54PM +0200, benoit wrote:
>> I changed my cert_file parameter to fullchain.pem. So now I don't have an error for the server:
>> Sep 2
Re: Error 46 with TLS
> On Nov 3, 2019, at 10:42 AM, benoit wrote:
>
> Nov 3 17:23:51 jolly postfix/smtpd[5113]: connect from unknown[192.168.5.1]
> Nov 3 17:23:51 jolly postfix/smtpd[5113]: Anonymous TLS connection
> established from unknown[192.168.5.1]: TLSv1.2 with cipher
> ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)
> Nov 3 17:23:51 jolly postfix/smtpd[5113]: warning: unknown[192.168.5.1]:
> SASL LOGIN authentication failed: authentication failure
> Nov 3 17:23:51 jolly postfix/smtpd[5113]: lost connection after AUTH from
> unknown[192.168.5.1]
> Nov 3 17:23:51 jolly postfix/smtpd[5113]: disconnect from
> unknown[192.168.5.1] ehlo=2 starttls=1 auth=0/1 commands=3/4
>
> This is strange as I don't do an anonymous connection.

Don't confuse "TLS anonymous" (no TLS client certificate) with "SASL anonymous" (no username/password or similar). See:

http://www.postfix.org/FORWARD_SECRECY_README.html#status

Your TLS settings are now fine, and all that remains is getting SASL to work (SASL is not SSL).

--
	Viktor.
Re: Dictionary attacks
On 2019-11-03 05:24, Allen Coates wrote:
>
>
> On 03/11/2019 02:42, Wietse Venema wrote:
>> John Schmerold:
>>> What is the best way to protect against dictionary attacks in Postfix?
>>
>> Reportedly, fail2ban (no first-hand experience, because I have no
>> SASL clients).
>>
>> Wietse
>>
>
> I run a home-brewed fail2ban look-alike; I find it almost as useful as
> postscreen.

I've been thinking about setting up exactly such a thing myself. Trying to figure out how to make fail2ban talk to a Shorewall firewall on a different box is just too much of a pain for such a fundamentally simple task. It's like trying to set up a CNC mill when all you actually want to do is file 2mm off a strike plate.

--
Phil Stracchino
Babylon Communications
ph...@caerllewys.net
p...@co.ordinate.org
Landline: +1.603.293.8485
Mobile: +1.603.998.6958
Re: Dictionary attacks
https://www.sshguard.net/

This is a simpler alternative to fail2ban. It has hooks for postfix and dovecot.

The only disadvantage is SSHGuard isn't in my repo. You have to build it.

That said, I just use it for ssh. I use Anvil settings in postfix to slow down the occasional skid. Less is more. The desired email gets through. I don't see much in the way of dictionary attacks on my postfix.

-------- Original Message --------
From: ph...@caerllewys.net
Sent: November 3, 2019 9:04 AM
To: postfix-users@postfix.org
Subject: Re: Dictionary attacks

> On 2019-11-03 05:24, Allen Coates wrote:
>>
>>
>> On 03/11/2019 02:42, Wietse Venema wrote:
>>> John Schmerold:
>>>> What is the best way to protect against dictionary attacks in Postfix?
>>>
>>> Reportedly, fail2ban (no first-hand experience, because I have no
>>> SASL clients).
>>>
>>> Wietse
>>>
>>
>> I run a home-brewed fail2ban look-alike; I find it almost as useful as
>> postscreen.
>
> I've been thinking about setting up exactly such a thing myself. Trying
> to figure out how to make fail2ban talk to a Shorewall firewall on a
> different box is just too much of a pain for such a fundamentally simple
> task. It's like trying to set up a CNC mill when all you actually want
> to do is file 2mm off a strike plate.
>
> --
> Phil Stracchino
> Babylon Communications
> ph...@caerllewys.net
> p...@co.ordinate.org
> Landline: +1.603.293.8485
> Mobile: +1.603.998.6958
Re: Dictionary attacks
> On Nov 3, 2019, at 12:04 PM, Phil Stracchino wrote:
>
> On 2019-11-03 05:24, Allen Coates wrote:
>>
>>
>> On 03/11/2019 02:42, Wietse Venema wrote:
>>> John Schmerold:
>>>> What is the best way to protect against dictionary attacks in Postfix?
>>>
>>> Reportedly, fail2ban (no first-hand experience, because I have no
>>> SASL clients).
>>>
>>> Wietse
>>>
>>
>> I run a home-brewed fail2ban look-alike; I find it almost as useful as
>> postscreen.
>
> I've been thinking about setting up exactly such a thing myself. Trying
> to figure out how to make fail2ban talk to a Shorewall firewall on a
> different box is just too much of a pain for such a fundamentally simple
> task. It's like trying to set up a CNC mill when all you actually want
> to do is file 2mm off a strike plate.

Yes. And recently there was a change that broke old rules (this was for pf, not sure about other firewalls), and it was annoying. I also find the memory use kind of ludicrous for small/VPS hosts: 150MB for a table of banned IPs? Also it was more than happy to start with a good exit code when it failed to manipulate the firewall, which kind of scared the bejesus out of me and sent me investigating a pile of servers to see if that was happening elsewhere.

I wish there were more alternatives out there, although the maintenance burden of dealing with arbitrary logfile changes is probably a pain. It's crazy how the open source world has gone from railing against the Microsoft monoculture issue to creating their own (unintentionally, but still...).

Charles

>
>
> --
> Phil Stracchino
> Babylon Communications
> ph...@caerllewys.net
> p...@co.ordinate.org
> Landline: +1.603.293.8485
> Mobile: +1.603.998.6958
Re: Dictionary attacks
On Sun, 3 Nov 2019, Phil Stracchino wrote:

> On 2019-11-03 05:24, Allen Coates wrote:
>> On 03/11/2019 02:42, Wietse Venema wrote:
>>> John Schmerold:
>>>> What is the best way to protect against dictionary attacks in Postfix?
>>>
>>> Reportedly, fail2ban (no first-hand experience, because I have no
>>> SASL clients).
>>>
>>> Wietse
>>
>> I run a home-brewed fail2ban look-alike; I find it almost as useful as
>> postscreen.
>
> I've been thinking about setting up exactly such a thing myself. Trying
> to figure out how to make fail2ban talk to a Shorewall firewall on a
> different box is just too much of a pain for such a fundamentally simple
> task. It's like trying to set up a CNC mill when all you actually want
> to do is file 2mm off a strike plate.

If you can do it locally, you can do it remotely (via ssh), like:

ssh remote-box whatever_local_shorewall_command

With fail2ban it's very easy to add customized actions for block/unblock.
Re: Dictionary attacks
On Sun, 3 Nov 2019, John Schmerold wrote:

> On 11/2/2019 9:42 PM, Wietse Venema wrote:
>> John Schmerold:
>>> What is the best way to protect against dictionary attacks in Postfix?
>>
>> Reportedly, fail2ban (no first-hand experience, because I have no
>> SASL clients).
>>
>> Wietse
>
> I am using Postfix as a filter in front of O365/cpanel/Google apps, we
> are seeing a few dictionary attacks, I will experiment with fail2ban.
>
> One site (Mergy.org), recommends adding this to /etc/fail2ban/filters.d/postfix:
>
> ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4.1.1 .* Recipient address rejected: unverified address: unknown user:.*$
>
> We'll see how it goes.

fail2ban includes (at least in debian buster) a suitable rule in postfix-sasl.conf, viz.:

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$

(all in one line).

It works fine to block random bots trying to authenticate as a user (whether the user exists or not).
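The detection logic behind the two fail2ban filters in this thread (the Mergy.org recipient-probe rule quoted by John and the Debian postfix-sasl.conf rule quoted by Bernardo), replayed over a few Postfix log lines. This is an added example and not fail2ban's code: FAILREGEX transcribes the postfix-sasl.conf failregex above, with fail2ban's <HOST> placeholder expanded to a named group and %(__prefix_line)s replaced by an explicit syslog/smtpd prefix, and the window logic is a minimal re-statement of a jail's maxretry/findtime behaviour. The maxretry and findtime values are assumptions, and every log line except the one taken from the "Error 46" post (192.168.5.1) is constructed with documentation addresses.

```python
"""
fail2ban-style detection of SASL password guessing in Postfix smtpd logs.
Added example; not fail2ban's code and not from the thread.
"""
import re
from collections import defaultdict
from datetime import datetime

# Syslog prefix as in "Nov  3 17:23:51 jolly postfix/smtpd[5113]: ".
# The timestamp is captured so the find-time window can be evaluated.
PREFIX = r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "

# Debian buster postfix-sasl.conf failregex, <HOST> expanded to a named group.
# (?i:...) is the scoped form of the (?i) flag so it is legal mid-pattern.
FAILREGEX = re.compile(
    PREFIX
    + r"warning: [-._\w]+\[(?P<host>[0-9A-Fa-f.:]+)\]: "
    + r"SASL (?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
    + r"(:[ A-Za-z0-9+/:]*={0,2})?\s*$"
)

# Constructed sample log. The first three lines are the ones from the
# "Error 46" post; the 203.0.113.7 and 198.51.100.9 lines are invented.
SAMPLE_LOG = """\
Nov  3 17:23:51 jolly postfix/smtpd[5113]: connect from unknown[192.168.5.1]
Nov  3 17:23:51 jolly postfix/smtpd[5113]: warning: unknown[192.168.5.1]: SASL LOGIN authentication failed: authentication failure
Nov  3 17:23:51 jolly postfix/smtpd[5113]: lost connection after AUTH from unknown[192.168.5.1]
Nov  3 17:30:02 jolly postfix/smtpd[5120]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Nov  3 17:30:41 jolly postfix/smtpd[5120]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
Nov  3 17:31:15 jolly postfix/smtpd[5121]: warning: unknown[203.0.113.7]: SASL CRAM-MD5 authentication failed: authentication failure
Nov  3 18:00:00 jolly postfix/smtpd[5130]: warning: host.example.net[198.51.100.9]: SASL LOGIN authentication failed: authentication failure
Nov  3 18:20:00 jolly postfix/smtpd[5131]: warning: host.example.net[198.51.100.9]: SASL LOGIN authentication failed: authentication failure
Nov  3 18:40:00 jolly postfix/smtpd[5132]: warning: host.example.net[198.51.100.9]: SASL LOGIN authentication failed: authentication failure
"""


def match_host(line):
    """Return the client IP if `line` is a SASL authentication failure, else None."""
    m = FAILREGEX.match(line)
    return m.group("host") if m else None


def _parse_ts(ts, year):
    # syslog omits the year and pads single-digit days ("Nov  3"); collapse the padding
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def find_bans(lines, maxretry=3, findtime_s=600, year=2019):
    """
    Replay `lines` through the filter with a jail's counting rule: a host is
    banned once it has `maxretry` matches inside a sliding `findtime_s` window.
    Returns {host: time_of_the_match_that_triggered_the_ban}.
    """
    recent = defaultdict(list)   # host -> match times still inside the window
    banned = {}
    for line in lines:
        m = FAILREGEX.match(line)
        if not m:
            continue                 # not a failure line (connect, disconnect, ...)
        host = m.group("host")
        if host in banned:
            continue                 # already banned; later lines are irrelevant
        t = _parse_ts(m.group("ts"), year)
        window = [h for h in recent[host] if (t - h).total_seconds() <= findtime_s]
        window.append(t)
        recent[host] = window
        if len(window) >= maxretry:
            banned[host] = t
    return banned


if __name__ == "__main__":
    for host, when in find_bans(SAMPLE_LOG.splitlines()).items():
        print(f"ban {host} (failure #3 at {when:%H:%M:%S})")
    # -> ban 203.0.113.7 (failure #3 at 17:31:15)
```

With the assumed maxretry of 3 and findtime of 10 minutes, 203.0.113.7 is banned on its third failure, while 198.51.100.9, which fails three times over forty minutes, stays below the threshold until findtime is widened; the single failure from 192.168.5.1 never triggers anything. Against a real log, the equivalent check for the shipped filter is `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix-sasl.conf`, which reports how many lines matched and which did not. Like smtpd_client_auth_rate_limit, this keys on the client address, so guessing spread over many addresses slips under both.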
Re: Dictionary attacks
On 2019-11-03 14:21, Bernardo Reino wrote:
> On Sun, 3 Nov 2019, Phil Stracchino wrote:
>> I've been thinking about setting up exactly such a thing myself. Trying
>> to figure out how to make fail2ban talk to a Shorewall firewall on a
>> different box is just too much of a pain for such a fundamentally simple
>> task. It's like trying to set up a CNC mill when all you actually want
>> to do is file 2mm off a strike plate.
>
> If you can do it locally, you can do it remotely (via ssh), like:
>
> ssh remote-box whatever_local_shorewall_command

I assumed that was the approach to use, but I found fail2ban's configuration and documentation opaque and confusing, and couldn't find a good how-to that explained how to set it up. It was enough of a headache that I decided my time was probably better spent building something simple and lightweight, purpose-built to do exactly what I want it to, than in trying to figure out the right subset of many complex configuration options for a tool designed to do a whole lot of things I don't actually need it to do.

--
Phil Stracchino
Babylon Communications
ph...@caerllewys.net
p...@co.ordinate.org
Landline: +1.603.293.8485
Mobile: +1.603.998.6958
Re: Dictionary attacks
On 03 Nov 2019, at 11:03, lists wrote:
> https://www.sshguard.net/
> This is a simpler alternative to fail2ban. It has hooks for postfix and
> dovecot.

Yep, that's what I use. It doesn't have all the options of Fail2Ban, but that's fine, it does what I need most. (I have used fail2ban also.)

> The only disadvantage is SSHGuard isn't in my repo. You have to build it.
>
> That said, I just use it for ssh. I use Anvil settings in postfix to slow
> down the occasional skid. Less is more. The desired email gets through. I
> don't see much in the way of dictionary attacks on my postfix.

Lots of failed logins get banned. That's fine with me.

--
Well there are certain sections of New York, Major, that I wouldn't advise you to try to invade