An often used attack vector is brute forcing MTA logins. While most admins watch ssh auth logs like a hawk, email auth/login logs are most often not closely watched for this sort of thing if at all.
I’ll show you one way to easily prevent a Postfix brute force attack!
This how-to focuses on fail2ban and assumes you already have Postfix up and running. Fail2ban temporarily blocks an offending ip address after a set number of invalid login attempts.
First I want to preface with some Postfix options that are good to know.
See the man page for smtpd for many useful things you may want to implement concerning rate limitations.
The per SMTP client connection count and request rate limits are imple-
mented in co-operation with the anvil(8) service, and are available in
Postfix version 2.2 and later.
smtpd_client_connection_count_limit (50)
How many simultaneous connections any client is allowed to make
to this service.
smtpd_client_connection_rate_limit (0)
The maximal number of connection attempts any client is allowed
to make to this service per time unit.
smtpd_client_message_rate_limit (0)
The maximal number of message delivery requests that any client
is allowed to make to this service per time unit, regardless of
whether or not Postfix actually accepts those messages.
smtpd_client_recipient_rate_limit (0)
The maximal number of recipient addresses that any client is
allowed to send to this service per time unit, regardless of
whether or not Postfix actually accepts those recipients.
smtpd_client_event_limit_exceptions ($mynetworks)
Clients that are excluded from connection count, connection
rate, or SMTP request rate restrictions.
Available in Postfix version 2.3 and later:
smtpd_client_new_tls_session_rate_limit (0)
The maximal number of new (i.e., uncached) TLS sessions that a
remote SMTP client is allowed to negotiate with this service per
time unit.
Now, onto fail2ban!
In Ubuntu / Debian, install fail2ban:
sudo apt-get install fail2ban
First, edit the main config file to enable fail2ban for Postfix:
sudo nano /etc/fail2ban/jail.conf
Now set some global options for fail2ban under [DEFAULT] including ip addresses you wish fail2ban to ignore.
This will ban an ip address after 3 invalid login attempts for 3600 seconds, or 1 hour. Of course you can set this as desired!
[DEFAULT] ignoreip = 127.0.0.1 my.home.ip.address my.work.ip.address my.network.block/24 bantime = 3600 maxretry = 3
Next in that same file [/etc/fail2ban/jail.conf] edit the postfix section. Change enabled from false to true. You can also optionally put a separate value for max retries for each of these sections if desired.
[postfix] enabled = true port = smtp,ssmtp filter = postfix logpath = /var/log/mail.log maxretry = 5
Also do the same for the [sasl] section if you use sasl auth:
[sasl] enabled = true port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s filter = sasl logpath = /var/log/mail.log
Now save that file and restart fail2ban.
user@server:~$ sudo /etc/init.d/fail2ban restart * Restarting authentication failure monitor fail2ban [ OK ] user@server:~$
Check /var/log/fail2ban.log to verify all is running ok.
Done!
Thanks for the article. It was exactly what I was looking for to block sasl auth attempts.