Hi, I have used fail2ban for a while to block brute-force attacks on ssh, imap(s) or submission(s) ports, more because I wanted to reduce the noise in the logs than out of fear of a broken password.
Then, with nftables, I realised you can achieve the same thing, as long as a TCP connection isn't closed. This works very well for SSH, but I then realised it also works for a modern IMAP server that supports IDLE, since the connection is kept open, for instance the excellent Dovecot mail server. Here is an example of an nftables ruleset for Dovecot imap(s):
-------------------------------------------------------------------
table inet filter {
	# Per-source meters: one rate counter per client address, expiring when idle
	set imap_meter_ipv4 {
		type ipv4_addr
		size 65535
		flags dynamic,timeout
		timeout 1m
	}
	set imap_meter_ipv6 {
		type ipv6_addr
		size 65535
		flags dynamic,timeout
		timeout 1m
	}
	set banned_imap_ipv4 {
		type ipv4_addr
		flags dynamic,timeout
		timeout 1d
	}
	set banned_imap_ipv6 {
		type ipv6_addr
		size 65535
		flags dynamic,timeout
		timeout 1d
	}
	chain input {
		# Limit new imap connections per source address, ala fail2ban.
		# A bare "limit rate over 10/minute" is one counter shared by every
		# client, so a single noisy source would get everyone banned; the
		# meter set keeps a separate limit for each ip saddr / ip6 saddr.
		meta nfproto ipv4 tcp dport imaps ct state new,untracked \
			update @imap_meter_ipv4 { ip saddr limit rate over 10/minute } \
			add @banned_imap_ipv4 { ip saddr }
		meta nfproto ipv6 tcp dport imaps ct state new,untracked \
			update @imap_meter_ipv6 { ip6 saddr limit rate over 10/minute } \
			add @banned_imap_ipv6 { ip6 saddr }
		# Reject the traffic explicitly
		ip saddr @banned_imap_ipv4 tcp dport imaps reject with icmp type admin-prohibited
		ip6 saddr @banned_imap_ipv6 tcp dport imaps reject with icmpv6 type admin-prohibited
		tcp dport { imap, imaps } ct state new counter accept \
			comment "Accept imap/imaps connections"
	}
}
-------------------------------------------------------------------
Surprisingly, this works very well with Dovecot, and with various modern clients like Evolution or Thunderbird, as well as K9 on Android. There is also a way to save the rules before restarting the firewall, which works very well as well:
-------------------------------------------------------------------
# nft list set inet filter banned_imap_ipv4
table inet filter {
	set banned_imap_ipv4 {
		type ipv4_addr
		size 65535
		flags dynamic,timeout
		timeout 1d
		elements = { 162.142.125.214 timeout 1d expires 23h44m16s600ms }
	}
}
-------------------------------------------------------------------
Now, the question I have is this.
I can limit new TCP connections to a reasonable amount, like 10 per minute, because I know I will not try to send that amount of emails from a single IP. However, is there an option in Postfix to keep the TCP connection open for the submission(s) protocols (ports 465 or 587)? Thanks for your insights.
_______________________________________________ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
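To go with the save-before-restart step in the post above, here is an added shell example (not from the original post, nor from nftables or Dovecot) that turns the "nft list set" listing into "add element" commands carrying each entry's remaining expiry, so the dynamic ban set can be reloaded once the base ruleset has been flushed and restored. It assumes the table and set names used in the post (inet filter, banned_imap_ipv4); the sample listing is constructed, with its second address made up.

```shell
#!/bin/sh
# Added example, not from the original post: turn "nft list set" output into
# "add element" commands whose timeout is each entry's remaining lifetime,
# so a dynamic ban set survives a firewall reload (flushing the ruleset
# would otherwise forget every banned address). Family, table and set name
# are read from the listing itself rather than hard-coded.

ban_restore_cmds() {
	awk '
	$1 == "table" { family = $2; table = $3 }
	$1 == "set"   { setname = $2 }
	/elements = [{]/ { inelems = 1; sub(/.*elements = [{]/, "") }
	inelems {
		done = sub(/[}].*/, "")   # the closing brace ends the element list
		buf = buf " " $0
		if (!done) next
		inelems = 0
		n = split(buf, items, ",")
		for (i = 1; i <= n; i++) {
			m = split(items[i], w, " ")
			if (m == 0) continue
			addr = w[1]; ttl = ""
			# prefer the remaining "expires" value over the original "timeout"
			for (j = 2; j < m; j++) if (w[j] == "expires") ttl = w[j + 1]
			if (ttl == "") for (j = 2; j < m; j++) if (w[j] == "timeout") ttl = w[j + 1]
			suffix = (ttl == "") ? "" : (" timeout " ttl)
			printf "add element %s %s %s { %s%s }\n", family, table, setname, addr, suffix
		}
		buf = ""
	}'
}

# Constructed sample of "nft list set inet filter banned_imap_ipv4" output:
# first entry as shown in the post, second one made up (TEST-NET-3 range).
SAMPLE_LISTING='table inet filter {
	set banned_imap_ipv4 {
		type ipv4_addr
		size 65535
		flags dynamic,timeout
		timeout 1d
		elements = { 162.142.125.214 timeout 1d expires 23h44m16s600ms,
			     203.0.113.7 timeout 1d expires 2h5m }
	}
}'

# On a live box: save before the reload, restore once the base ruleset
# (which declares the set) is back in place:
#   nft list set inet filter banned_imap_ipv4 | ban_restore_cmds > /run/banned_imap.nft
#   nft -f /run/banned_imap.nft
printf '%s\n' "$SAMPLE_LISTING" | ban_restore_cmds
```

The generated file must be loaded after the table and set exist again, since "add element" does not create them.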