Prevent Postfix Brute Force

By | 2011/05/26

An often used attack vector is brute-forcing MTA logins. While most admins watch SSH auth logs like a hawk, email auth/login logs are often not closely watched for this sort of thing, if at all.

I’ll show you one way to easily prevent a Postfix brute force attack!

This how-to focuses on fail2ban and assumes you already have Postfix up and running. Fail2ban temporarily blocks an offending IP address after a set number of invalid login attempts.


First I want to preface with some Postfix options that are good to know.

See the smtpd(8) man page for many useful things you may want to implement concerning rate limitations.

The per SMTP client connection count and request rate limits are implemented
     in co-operation with the anvil(8) service, and are available in
     Postfix version 2.2 and later.

     smtpd_client_connection_count_limit (50)
            How  many simultaneous connections any client is allowed to make
            to this service.

     smtpd_client_connection_rate_limit (0)
            The maximal number of connection attempts any client is  allowed
            to make to this service per time unit.

     smtpd_client_message_rate_limit (0)
            The  maximal number of message delivery requests that any client
            is allowed to make to this service per time unit, regardless  of
            whether or not Postfix actually accepts those messages.

     smtpd_client_recipient_rate_limit (0)
            The  maximal  number  of  recipient addresses that any client is
            allowed to send to this service per  time  unit,  regardless  of
            whether or not Postfix actually accepts those recipients.

     smtpd_client_event_limit_exceptions ($mynetworks)
            Clients  that  are  excluded  from  connection count, connection
            rate, or SMTP request rate restrictions.

     Available in Postfix version 2.3 and later:

     smtpd_client_new_tls_session_rate_limit (0)
            The maximal number of new (i.e., uncached) TLS sessions  that  a
            remote SMTP client is allowed to negotiate with this service per
            time unit.

Now, onto fail2ban!

In Ubuntu / Debian, install fail2ban:

sudo apt-get install fail2ban

First, edit the main config file to enable fail2ban for Postfix:

sudo nano /etc/fail2ban/jail.conf


Now set some global options for fail2ban under [DEFAULT], including the IP addresses you wish fail2ban to ignore.

This will ban an IP address after 3 invalid login attempts for 3600 seconds, or 1 hour. Of course you can set this as desired!


[DEFAULT]

ignoreip = 127.0.0.1 my.home.ip.address my.work.ip.address my.network.block/24
bantime  = 3600
maxretry = 3

Next, in that same file (/etc/fail2ban/jail.conf), edit the [postfix] section. Change enabled from false to true. You can also optionally set a separate maxretry value for each of these sections if desired (here 5, overriding the [DEFAULT] value of 3).

[postfix]

enabled  = true
port     = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log
maxretry = 5

Also do the same for the [sasl] section if you use SASL auth:

[sasl]

enabled  = true
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = sasl
logpath  = /var/log/mail.log
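To see what the [sasl] jail is actually doing with maxretry and the log, here is an added example (not from this post and not fail2ban's own code): a failregex modelled on Postfix's "SASL ... authentication failed" warning lines is run over constructed mail.log entries, and the sliding window reports which IPs cross maxretry inside fail2ban's default findtime of 600 seconds. The regex, the sample log lines and the window bookkeeping are assumptions for illustration, not the filter fail2ban ships.

```python
import re
from collections import defaultdict
from datetime import datetime

# Approximation of a fail2ban sasl failregex, built from Postfix's log format
# (assumption: not the shipped /etc/fail2ban/filter.d/sasl.conf).
SASL_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: [-._\w]+\[(?P<host>[0-9a-fA-F.:]+)\]: "
    r"SASL (?:LOGIN|PLAIN|CRAM-MD5|DIGEST-MD5) authentication failed"
)

def parse_ts(ts, year=2011):
    # syslog timestamps carry no year; assume one so the window maths works
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_bans(lines, maxretry=3, findtime=600, ignoreip=("127.0.0.1",)):
    """Return {ip: time_of_ban} for IPs failing maxretry times within findtime."""
    attempts = defaultdict(list)
    bans = {}
    for line in lines:
        m = SASL_FAIL_RE.search(line)
        if not m:
            continue
        ip = m.group("host")
        if ip in ignoreip or ip in bans:      # mirrors ignoreip; ban once
            continue
        t = parse_ts(m.group("ts"))
        attempts[ip].append(t)
        # keep only failures inside the findtime window ending at this line
        attempts[ip] = [x for x in attempts[ip] if (t - x).total_seconds() <= findtime]
        if len(attempts[ip]) >= maxretry:
            bans[ip] = t
    return bans

# Constructed sample mail.log lines (not real traffic)
SAMPLE_LOG = """\
May 26 10:00:01 mail postfix/smtpd[2211]: connect from unknown[203.0.113.5]
May 26 10:00:02 mail postfix/smtpd[2211]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
May 26 10:00:04 mail postfix/smtpd[2211]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
May 26 10:00:07 mail postfix/smtpd[2211]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
May 26 10:01:00 mail postfix/smtpd[2212]: warning: localhost[127.0.0.1]: SASL PLAIN authentication failed: authentication failure
May 26 10:01:01 mail postfix/smtpd[2212]: warning: localhost[127.0.0.1]: SASL PLAIN authentication failed: authentication failure
May 26 10:01:02 mail postfix/smtpd[2212]: warning: localhost[127.0.0.1]: SASL PLAIN authentication failed: authentication failure
May 26 10:05:00 mail postfix/smtpd[2213]: warning: host.example[198.51.100.9]: SASL LOGIN authentication failed: authentication failure
May 26 11:05:00 mail postfix/smtpd[2214]: warning: host.example[198.51.100.9]: SASL LOGIN authentication failed: authentication failure
May 26 11:05:30 mail postfix/smtpd[2214]: warning: host.example[198.51.100.9]: SASL LOGIN authentication failed: authentication failure
""".splitlines()

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"would ban {ip} at {when:%H:%M:%S} for bantime 3600s")
```

Only 203.0.113.5 is banned: 127.0.0.1 is in ignoreip, and 198.51.100.9's three failures are spread over an hour, so they never share one 600-second window.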


Now save that file and restart fail2ban.

user@server:~$ sudo /etc/init.d/fail2ban restart
 * Restarting authentication failure monitor fail2ban                    [ OK ] 
user@server:~$ 

Check /var/log/fail2ban.log to verify all is running ok.

Done!


Dovecot users, see this wiki page.