
Question about SMTP Authentications

2014-04-07
  • Kenneth Ulrich
    2014-04-07

    So, I am looking into various software for my own email-based company. My question is this: I've dealt with Postfix a lot, so I am very familiar with it, but when an email is compromised and has 20+ different IPs simultaneously sending emails, blocking IPs becomes useless. Is there a way I can close an SMTP connection to permanently disconnect the offending IPs without having to restart a process or the entire server?

     
  • This is not a general Postfix help forum - this is for the separate package Postfix Admin, which configures/maintains virtual domains & mailboxes using Postfix (plus MySQL, optionally maildrop, and Courier or Dovecot).
    For Postfix help you should head over to postfix.org and check out the Postfix mailing lists.

    Blocking IPs is probably the correct way, but you don't necessarily have to do it in Postfix.
    Have a look at iptables (the firewall) and possibly fail2ban, with which you may be able to set up rules so that fail2ban automatically adds the iptables rules to block the offending IPs when the relevant condition is met.
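A worked example of the fail2ban-plus-iptables approach the reply above describes, added here and not part of the original thread or of fail2ban itself: it reads constructed Postfix SASL-failure log lines, counts failures per client IP inside a sliding findtime window (the way fail2ban's maxretry/findtime pair works), and renders the iptables rule that would cut that IP off. The regex is modelled on the pattern fail2ban's stock Postfix filters match; the year 2014, the sample addresses (RFC 5737 documentation ranges), the port list and the chain position are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Modelled on the SASL-failure pattern fail2ban's stock Postfix filter matches.
SASL_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: [-._\w]+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: "
    r"SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
)

# Constructed sample log lines (documentation addresses), not real traffic.
SAMPLE_LOG = """\
Apr  7 10:00:01 mx1 postfix/smtpd[2201]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr  7 10:00:03 mx1 postfix/smtpd[2201]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr  7 10:00:04 mx1 postfix/smtpd[2203]: connect from unknown[198.51.100.9]
Apr  7 10:00:05 mx1 postfix/smtpd[2203]: warning: unknown[198.51.100.9]: SASL PLAIN authentication failed:
Apr  7 10:00:09 mx1 postfix/smtpd[2201]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr  7 10:00:12 mx1 postfix/smtpd[2205]: warning: unknown[198.51.100.9]: SASL PLAIN authentication failed:
Apr  7 10:15:00 mx1 postfix/smtpd[2240]: warning: unknown[198.51.100.9]: SASL PLAIN authentication failed:
Apr  7 10:20:00 mx1 postfix/smtpd[2251]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""


def parse_failures(log_text, year=2014):
    """Yield (timestamp, ip) for every SASL auth failure; unrelated lines are skipped."""
    for line in log_text.splitlines():
        m = SASL_FAIL.match(line)
        if m:
            # syslog timestamps carry no year; the year is an assumption for the sample
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
            yield ts, m.group("ip")


def offenders(log_text, maxretry=3, findtime=timedelta(seconds=600)):
    """Return {ip: time_of_ban} for IPs with >= maxretry failures inside one findtime window."""
    recent = defaultdict(list)
    banned = {}
    for ts, ip in parse_failures(log_text):
        if ip in banned:
            continue  # already banned; fail2ban would not see further attempts either
        hits = recent[ip] + [ts]
        # drop failures older than the window: this is what findtime means
        recent[ip] = hits = [t for t in hits if ts - t <= findtime]
        if len(hits) >= maxretry:
            banned[ip] = ts
    return banned


def iptables_rule(ip):
    """Render a rule that answers the offender's packets with a TCP RST on the SMTP ports.

    Inserting at position 1 of INPUT is an assumption: it puts the rule ahead of any
    ESTABLISHED accept, so sessions already in flight are cut too, not only new ones."""
    return (f"iptables -I INPUT 1 -s {ip} -p tcp -m multiport --dports 25,587 "
            f"-j REJECT --reject-with tcp-reset")


if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"{when:%H:%M:%S} ban {ip}: {iptables_rule(ip)}")
```

With the defaults (three failures within 600 s), 203.0.113.5 is banned at its third failure; 198.51.100.9 fails three times too, but its third attempt falls outside the window of the first two and stays unbanned. That sliding window is also why the approach weakens against a source that spreads attempts across many addresses, as the thread goes on to discuss.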

     
  • GingerDog
    2014-04-07

    Your question seems a tautology - you're asking how to block IP addresses without blocking IP addresses?

    There are various ways of automating the banning of an IP address - but they are going to rely on there being something traceable about the email - e.g. if the subject / body of the email was always the same.

     
  • Simon Hobson
    2014-04-07

    +1 for fail2ban, I use it on pretty well all my public facing services.

    As you point out, it's less effective against distributed attacks, but it does still limit the number of attacks. What it won't do is help when an account is compromised - which is where something like the quota module of Postfix Admin can help. Using PFA you can set a quota on the number of outbound mails a user can send - and above that it will throttle them. Again, it won't prevent the problem, but it will vastly reduce the scale of it.

    For example, if you work on the basis that a normal user won't need to exceed (say) 20 emails/hour and set a quota at that level, you'll restrict the junk to that level. With a little work, I don't see any reason you couldn't write fail2ban rules to detect hitting the quota and block off the offender for a while.

    I run customer facing email services in my day job, and I do know what you are talking about. Though typically with us, it's been a different issue - customer with internal server (Exchange) and compromised client machine. Result is the same, 10s of thousands of emails coming through as fast as both ends can process them - followed by a lengthy cleanup.
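The outbound quota Simon describes, as an added example that is not part of the thread and not PolicyD's or Postfix Admin's own code: a sliding-window count of accepted submissions per authenticated sender, tempfailing anything over the limit the way a Postfix policy-delegation service would (the reply `DEFER_IF_PERMIT` is Postfix's policy action syntax), and writing a log line shaped so that a fail2ban filter could pick the client IP out of it, which is the "detect hitting the quota and block the offender" step. The log format, the service name `quota-policy`, the sample user and the client address are assumptions; 20 per hour is Simon's figure.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

QUOTA = 20                  # messages per sender per window (the figure Simon uses)
WINDOW = timedelta(hours=1)


class OutboundQuota:
    """Per-sender sliding-window quota in the style of a PolicyD throttle (a model, not its code)."""

    def __init__(self, quota=QUOTA, window=WINDOW):
        self.quota, self.window = quota, window
        self.sent = defaultdict(deque)  # sasl_username -> timestamps of accepted submissions
        self.log = []                   # lines a fail2ban jail could watch

    def check(self, request, now):
        """Decide one submission. `request` holds Postfix policy attributes; returns the action."""
        user = request.get("sasl_username", "")
        if not user:
            return "DUNNO"  # unauthenticated (inbound) mail is not what the quota is for
        q = self.sent[user]
        while q and now - q[0] >= self.window:
            q.popleft()  # expire sends that have left the window
        if len(q) >= self.quota:
            client = request.get("client_address", "?")
            self.log.append(
                f"{now:%b %d %H:%M:%S} mx1 quota-policy[1]: quota exceeded: "
                f"user={user} client={client} sent={len(q)}/{self.quota} "
                f"in {int(self.window.total_seconds())}s")
            # tempfail: a real client retries later, a spam run stalls at once
            return "DEFER_IF_PERMIT Outbound message quota exceeded, try again later"
        q.append(now)
        return "DUNNO"


# What a fail2ban failregex for those lines would extract (the IP is what gets banned).
QUOTA_EXCEEDED = re.compile(
    r"quota-policy\[\d+\]: quota exceeded: user=\S+ client=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def clients_over_quota(log_lines):
    """Sorted client IPs named in quota-exceeded lines."""
    return sorted({m.group("ip") for m in map(QUOTA_EXCEEDED.search, log_lines) if m})


def simulate():
    """Constructed scenario: one compromised account pushes 25 messages in 10 minutes."""
    policy = OutboundQuota()
    req = {"sasl_username": "alice@example.com", "client_address": "203.0.113.5"}
    start = datetime(2014, 4, 7, 9, 0, 0)
    burst = [policy.check(req, start + timedelta(seconds=24 * i)) for i in range(25)]
    # an hour and a second later the oldest send has expired, so one more is allowed
    later = policy.check(req, start + timedelta(hours=1, seconds=1))
    return burst, later, policy.log


if __name__ == "__main__":
    burst, later, log = simulate()
    print(burst.count("DUNNO"), "accepted,", len(log), "deferred; later:", later)
    print("to ban:", clients_over_quota(log))
```

The throttle caps the damage at quota-per-window rather than stopping it, which matches Simon's caveat; banning the client IP on the quota-exceeded line is what would end a run from a single compromised machine, and a distributed sender would still be limited to the quota.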

     
    • voytek eymont
      2014-04-07

      On April 7, 2014 5:06:59 PM GMT+10:00, Simon Hobson simonhobson@users.sf.net wrote:

      > +1 for fail2ban, I use it on pretty well all my public facing services.
      >
      > As you point out, it's less effective against distributed attacks, but
      > it does still limit the number of attacks. What it won't do is help
      > when an account is compromised - which is where something like the
      > quota module of Postfix Admin can help. Using PFA you can set a quota
      > on the number of outbound mails a user can send - and above that it
      > will throttle them. Again, it won't prevent the problem, but it will
      > vastly reduce the scale of it.

      Simon,

      Where is the quota module, and what version of PFA does it need? I have 2.3.6.

      My new postfix server came with fail2ban, but I don't have much experience with it; would you be willing to share postfix rules for it?
      (I was using csf previously instead of fail2ban)

      --
      Sent from Kaiten Mail. Please excuse my brevity.

       
  • GingerDog
    2014-04-07

    Your Linux distribution should have the "postfix rules" - unless you've changed how it logs stuff. You should just need to enable the postfix jail in /etc/fail2ban/jail.conf.

    David.

     
    • voytek eymont
      2014-04-07

      On Mon, April 7, 2014 10:50 pm, GingerDog wrote:

      > Your linux distribution should have the "postfix rules" - unless you've
      > changed how it logs stuff. You should just need to enable the postfix
      > jail in /etc/fail2ban/jail.conf

      David,

      thanks

      Oops, looks like it wasn't even enabled; I guess I need to sort it out.

      [postfix-tcpwrapper]
      enabled = false
      filter = postfix
      action = hostsdeny[file=/not/a/standard/path/hosts.deny]
               sendmail[name=Postfix, dest=you@example.com]
      logpath = /var/log/postfix.log
      bantime = 300

       
      • GingerDog
        2014-04-07

        Oh.. As that looks like it's CentOS/RHEL -

        1. Make sure postfix is actually logging to /var/log/postfix.log or whatever.
        2. Use iptables instead of /etc/hosts.deny....

        David.
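GingerDog's two checks on the pasted jail section, plus the "it wasn't even enabled" one, as an added example that is not from the thread or from fail2ban: it parses the section with the same INI conventions fail2ban uses (a value continues on indented lines, which is how the `sendmail[...]` line under `action` must be written), flags the disabled jail, an action that does not go through iptables, and a logpath that does not exist, and shows the section rewritten as advised. The corrected copy's `iptables-multiport` action is fail2ban's stock action; that Postfix on this box actually logs to `/var/log/maillog` (the usual rsyslog default on CentOS/RHEL) is an assumption, which is exactly why the code checks the path instead of trusting it.

```python
import configparser
import os

# Constructed copy of the jail section pasted in the thread, continuation line indented.
POSTED_JAIL = """\
[postfix-tcpwrapper]
enabled = false
filter  = postfix
action  = hostsdeny[file=/not/a/standard/path/hosts.deny]
          sendmail[name=Postfix, dest=you@example.com]
logpath = /var/log/postfix.log
bantime = 300
"""

# The same jail as the reply suggests: enabled, banning via iptables, pointed at the
# log Postfix really writes (the maillog path is an assumption to be verified per host).
FIXED_JAIL = """\
[postfix-tcpwrapper]
enabled = true
filter  = postfix
action  = iptables-multiport[name=Postfix, port="smtp,submission", protocol=tcp]
          sendmail[name=Postfix, dest=you@example.com]
logpath = /var/log/maillog
bantime = 300
"""


def lint_jail(ini_text, section, exists=os.path.exists):
    """Return the list of problems found in one jail section (empty list means it looks right).

    `exists` is injectable so the logpath check can be run against a host other than this one."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    jail = cp[section]
    problems = []
    if not jail.getboolean("enabled", fallback=False):
        problems.append("jail is disabled (enabled = false)")
    # a multi-line action value arrives as one string with embedded newlines
    actions = [a.strip() for a in jail.get("action", "").splitlines() if a.strip()]
    if not any(a.startswith("iptables") for a in actions):
        problems.append("no iptables action; hosts.deny is not the recommended way to ban here")
    logpath = jail.get("logpath", "")
    if not exists(logpath):
        problems.append(f"logpath {logpath} does not exist; check where Postfix actually logs")
    return problems


if __name__ == "__main__":
    for label, text in (("posted", POSTED_JAIL), ("fixed", FIXED_JAIL)):
        print(label, lint_jail(text, "postfix-tcpwrapper") or "ok")
```

Run against the real `/etc/fail2ban/jail.conf` (or better, a `jail.local` override) the `exists` default checks the local filesystem, so the logpath finding reflects the host the jail will run on.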

         
  • Simon Hobson
    2014-04-07

    Oops, sorry - wrong package :( I was thinking PolicyD (aka Cluebringer) which does have the quota module I was talking about.
    http://www.policyd.org

     
    • voytek eymont
      2014-04-07

      On April 7, 2014 10:57:14 PM GMT+10:00, Simon Hobson simonhobson@users.sf.net wrote:

      > Oops, sorry - wrong package :( I was thinking PolicyD (aka Cluebringer)
      > which does have the quota module I was talking about.
      > http://www.policyd.org

      Thanks. You had me scratching my head for a while....

      I'm still running the version 1.x policyd.

      --
      Sent from Kaiten Mail. Please excuse my brevity.

       
  • Simon Hobson
    2014-04-07

    Not used V1, V2 is good.