Prevent Postfix Brute Force

By | 2011/05/26

A frequently used attack vector is brute-forcing MTA logins. While most admins watch SSH auth logs like a hawk, mail auth/login logs are usually not watched closely for this sort of thing, if at all.

I’ll show you one way to easily prevent a Postfix brute force attack!

This how-to focuses on fail2ban and assumes you already have Postfix up and running. Fail2ban temporarily blocks an offending IP address after a set number of invalid login attempts.

First I want to preface with some Postfix options that are good to know.

See the smtpd(8) man page for many useful rate-limiting options you may want to apply.

The per SMTP client connection count and request rate limits are implemented
     in co-operation with the anvil(8) service, and are available in
     Postfix version 2.2 and later.

     smtpd_client_connection_count_limit (50)
            How  many simultaneous connections any client is allowed to make
            to this service.

     smtpd_client_connection_rate_limit (0)
            The maximal number of connection attempts any client is  allowed
            to make to this service per time unit.

     smtpd_client_message_rate_limit (0)
            The  maximal number of message delivery requests that any client
            is allowed to make to this service per time unit, regardless  of
            whether or not Postfix actually accepts those messages.

     smtpd_client_recipient_rate_limit (0)
            The  maximal  number  of  recipient addresses that any client is
            allowed to send to this service per  time  unit,  regardless  of
            whether or not Postfix actually accepts those recipients.

     smtpd_client_event_limit_exceptions ($mynetworks)
            Clients  that  are  excluded  from  connection count, connection
            rate, or SMTP request rate restrictions.

     Available in Postfix version 2.3 and later:

     smtpd_client_new_tls_session_rate_limit (0)
            The maximal number of new (i.e., uncached) TLS sessions  that  a
            remote SMTP client is allowed to negotiate with this service per
            time unit.

Now, onto fail2ban!

In Ubuntu / Debian, install fail2ban:

sudo apt-get install fail2ban

First, edit the main config file to enable fail2ban for Postfix:

sudo nano /etc/fail2ban/jail.conf

Now set some global options for fail2ban under [DEFAULT], including any IP addresses you want fail2ban to ignore (your own address, for instance, so a mistyped password never locks you out).

This will ban an IP address after 3 invalid login attempts for 3600 seconds, or 1 hour. Of course you can set these as desired!

[DEFAULT]
ignoreip = my.home.ip.address
bantime  = 3600
maxretry = 3

Next, in that same file [/etc/fail2ban/jail.conf], edit the [postfix] section. Change enabled from false to true. You can also optionally set a separate maxretry value for each of these sections, which overrides the [DEFAULT] value for that jail only.

[postfix]
enabled  = true
port     = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log
maxretry = 5

Also do the same for the [sasl] section if you use SASL auth:

[sasl]
enabled  = true
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = sasl
logpath  = /var/log/mail.log

Now save that file and restart fail2ban.

user@server:~$ sudo /etc/init.d/fail2ban restart
 * Restarting authentication failure monitor fail2ban                    [ OK ] 

Check /var/log/fail2ban.log to verify that the jails started and that bans are being applied as expected.


Dovecot users: see this wiki page.

4 thoughts on “Prevent Postfix Brute Force”

  1. Brian Snipes

    Thanks for the article. It was exactly what I was looking for to block sasl auth attempts.

  2. CandleFOREX

    Very good tip. Another way is to use the CSF script or for the very paranoid use both CSF and fail2ban.

  3. freya

    Hi, Thank you for your write up on postfix and sasl. I am a bit lost. Currently in my server I have only postfix installed (i.e. SMTP). I do not plan to use dovecot.

    By enabling postfix = true, what am I securing my server from? Because there is no login screen for my postfix. Or am I protecting my server from spam emails from random IP? – How does the server determine it as spam?

    My next question is, by enabling sasl = true, what will it prevent?
    Currently I have these options in my postfix config:
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

    Hope you understand my confusing questions!

    Thank you very much.

  4. Gimei

    What this does is prevent somebody from guessing your users’ passwords by reducing the number of times they can try to login over a particular period. Hope I’ve been helpful.
