
I found several attempts to use my email server as a relay. The HELO command was not coming from a FQDN and therefore the request got rejected.

Is there a way to ban an IP address completely after a number of "malicious" attempts without sending a FQDN?

Environment of the virtual multi-domain mail server:

  • CentOS 8.2 on a VPS
  • postfix
  • dovecot
  • postfixadmin
  • nft or nftables as firewall

After 5 - 10 "failed" attempts or probing attempts the IP should be slowed down or banned/blocked.

LOG Excerpt:

from=<noreply-cusmailsecurenoticenumber825139@mydomain.tld> to=<badguy@anotherdomain.tld>   proto=ESMTP helo=<WIN-EM61SAN76UL>
from=<mailaproved.idcloud9idmsa.apps7980187@mydomain.tld>   to=<badguy@anotherdomain.tld>   proto=ESMTP helo=<WIN-EM61SAN76UL>
from=<etam@mydomain.tld>    to=<badguy@anotherdomain.tld>   proto=ESMTP helo=<WIN-EM61SAN76UL>
from=<verifyyouraccountsoonpossible34@mydomain.tld> to=<badguy@anotherdomain.tld>   proto=ESMTP helo=<WIN-EM61SAN76UL>
from=<srvcid-ipzids5629734@mydomain.tld>    to=<badguy@anotherdomain.tld>   proto=ESMTP helo=<WIN-EM61SAN76UL>
from=<email.notifications-customer.mails.id-1545288679@mydomain.tld>    to=<badguy@anotherdomain.tld>   proto=ESMTP helo=<WIN-EM61SAN76UL>
from=<dawson1055@mydomain.tld>  to=<badguy@anotherdomain.tld>   proto=ESMTP helo=<WIN-EM61SAN76UL>
from=<mailaproved.idcloud9idmsa.apps0720475@mydomain.tld>   to=<badguy@anotherdomain.tld>   proto=ESMTP helo=<WIN-EM61SAN76UL>
from=<customer-mhqwczbb6872250@mydomain.tld>    to=<badguy@anotherdomain.tld>   proto=ESMTP helo=<WIN-EM61SAN76UL>
from=<userss6114@mydomain.tld>  to=<badguy@anotherdomain.tld>   proto=ESMTP helo=<WIN-EM61SAN76UL>
from=<mualixx11@mydomain.tld>   to=<badguy@anotherdomain.tld>   proto=ESMTP helo=<WIN-EM61SAN76UL>
from=<editor.32@mydomain.tld>   to=<badguy@anotherdomain.tld>   proto=ESMTP helo=<WIN-EM61SAN76UL>
from=<amazonwinmnmjs@mydomain.tld>  to=<badguy@anotherdomain.tld>   proto=ESMTP helo=<WIN-EM61SAN76UL>

Although I've set some rules in postfix/main.cf, those missing-FQDN rejects are not blocked by those rules:

# per-session error handling: after smtpd_soft_error_limit errors without
# delivering mail the server pauses smtpd_error_sleep_time before each
# response, and it disconnects the client at smtpd_hard_error_limit;
# nothing here outlives the connection
smtpd_error_sleep_time = 10s
smtpd_soft_error_limit = 5
smtpd_hard_error_limit = 10

# anvil limits: simultaneous connections per client, and new connections
# per client per anvil_rate_time_unit (default 60s)
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 20

# junk commands (NOOP, VRFY, ETRN, RSET) a client may send before each
# further one counts towards the error limits above
smtpd_junk_command_limit = 5

# offer SMTP AUTH only inside TLS
smtpd_tls_auth_only = yes

# note: smtp_ (no d) is the outbound SMTP client, not the server;
# this caps recipients per outbound delivery and does not affect inbound rejects
smtp_destination_recipient_limit = 2
    Try looking at the software fail2ban – kab00m Nov 07 '20 at 13:01
  • I was looking into fail2ban, but I'm not sure how I can achieve that. Is it possible to achieve that with Postfix rules itself? Like 5 failed FQDN attempts and boom, banned? – zippy-flop Nov 07 '20 at 13:03
  • fail2ban is designed to analyze software behavior and after several attempts it blocks the host in the firewall. This is more useful than blocking spammers in software like Postfix. Anyway, Postfix itself has only rate-limiting control (anvil) and no settings to ban after some attempts. – kab00m Nov 08 '20 at 14:27
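The comments point at fail2ban because Postfix's error and anvil limits only slow down or disconnect a client within one session or rate window; they never keep an address out afterwards. As an added example (not part of the original question or comments), the script below does what the poster asks for in miniature: it parses Postfix smtpd reject lines for the non-FQDN HELO rejection, counts them per client address, and emits nft commands that add an offender to a timed nftables set once it reaches five hits. The log lines are constructed, since the poster's excerpt omits the client address; the nftables table and set names are this example's own choice, and the ruleset they assume is listed in the docstring.

```python
import re
from collections import Counter

# Constructed sample log, not taken from the original post: the poster's excerpt
# omits the client address, so these lines follow the standard Postfix smtpd
# reject format (reject_non_fqdn_helo_hostname answers "504 5.5.2 ... need
# fully-qualified hostname") with RFC 5737 / RFC 3849 documentation addresses.
_REJECT_LINE = (
    "Nov  7 12:{m:02d}:{s:02d} mail postfix/smtpd[{pid}]: NOQUEUE: reject: RCPT from "
    "unknown[{ip}]: 504 5.5.2 <{helo}>: Helo command rejected: need fully-qualified "
    "hostname; from=<{sender}@mydomain.tld> to=<badguy@anotherdomain.tld> "
    "proto=ESMTP helo=<{helo}>"
)

def _build_sample_log():
    lines = []
    # 203.0.113.10: six rejects, over the threshold
    for i in range(6):
        lines.append(_REJECT_LINE.format(m=1, s=i, pid=2101, ip="203.0.113.10",
                                         helo="WIN-EM61SAN76UL", sender=f"userss{6114 + i}"))
    # 198.51.100.7: two rejects, below the threshold
    for i in range(2):
        lines.append(_REJECT_LINE.format(m=2, s=i, pid=2133, ip="198.51.100.7",
                                         helo="DESKTOP-A1B2C3", sender=f"editor.{i}"))
    # 2001:db8::15: five IPv6 rejects, exactly at the threshold
    for i in range(5):
        lines.append(_REJECT_LINE.format(m=3, s=i, pid=2160, ip="2001:db8::15",
                                         helo="WIN-EM61SAN76UL", sender=f"dawson{1055 + i}"))
    # Noise that must not count: a connect line and an accepted message.
    lines.append("Nov  7 12:04:00 mail postfix/smtpd[2180]: connect from unknown[203.0.113.10]")
    lines.append("Nov  7 12:04:05 mail postfix/smtpd[2180]: 7A1B2C3D4E: client=mx.example.net[192.0.2.25]")
    return "\n".join(lines) + "\n"

SAMPLE_LOG = _build_sample_log()

# Match only the non-FQDN HELO reject; the bracketed client address is the key.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[(?P<ip>[0-9A-Fa-f.:]+)\]: "
    r"504 5\.5\.2 <[^>]*>: Helo command rejected: need fully-qualified hostname"
)

def count_helo_rejects(log_text):
    """Return a Counter of client IP -> number of non-FQDN HELO rejects."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def offenders(counts, threshold=5):
    """IPs that reached the threshold, sorted for stable output."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def nft_commands(ips, table="inet filter", timeout="1h"):
    """Build nft commands that put offenders into a timed set.

    Hypothetical ruleset this assumes (table and set names are this example's
    choice); nft sets are typed, so IPv4 and IPv6 need separate sets:
      nft add table inet filter
      nft add chain inet filter input '{ type filter hook input priority 0; policy accept; }'
      nft add set inet filter smtp_ban  '{ type ipv4_addr; flags timeout; }'
      nft add set inet filter smtp_ban6 '{ type ipv6_addr; flags timeout; }'
      nft add rule inet filter input ip  saddr @smtp_ban  tcp dport { 25, 465, 587 } drop
      nft add rule inet filter input ip6 saddr @smtp_ban6 tcp dport { 25, 465, 587 } drop
    The per-element timeout makes each ban expire on its own instead of
    growing a permanent blocklist.
    """
    cmds = []
    for ip in ips:
        set_name = "smtp_ban6" if ":" in ip else "smtp_ban"
        cmds.append(f"nft add element {table} {set_name} {{ {ip} timeout {timeout} }}")
    return cmds

if __name__ == "__main__":
    hits = count_helo_rejects(SAMPLE_LOG)
    for ip, n in hits.most_common():
        print(f"{ip}: {n} non-FQDN HELO rejects")
    for cmd in nft_commands(offenders(hits, threshold=5)):
        print(cmd)
```

Running it against the constructed log bans 203.0.113.10 and 2001:db8::15 and leaves 198.51.100.7 alone. In production the same loop is what fail2ban does for you: a jail on the stock postfix filter with an nftables ban action watches the mail log, counts the 504 rejects per address, and adds the address to a set for bantime, so this script is mainly useful for checking what such a jail would catch before enabling it.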

0 Answers