Alessandro Vesely wrote:
> User unknown can also be captured from a catchall script, i.e.
> synchronously rather than parsing log files.
>
I don't like catch-all mechanisms. With such tools, you are unable to
inform senders that they made a mistake while writing their mail without
creating backscatter (which is baaaaad).
>>> Fail2ban is perfect for that...
>>> Here is the couriersmtp filter I created:
>>> [...]
>>> failregex = error,relay=<HOST>,.*: (511|550|554|513)
>>>
>
> Most (all?) of those are originated via the addiovec_error() function.
> Thus we know they are sent with LOG_INFO priority.
>
>
>> That's probably an overkill to ban an IP because of a single error. You
>> really want to trigger an IP ban after 4-5 consecutive errors.
>>
>
> That seems fair.
>
> The above regex would also capture "550 Rejected - see DNSBL" stuff,
> which I don't think deserves being blocked at the firewall.
>
Just try and see what happens when a stupid spammer is flooding your
server with several hundred mails per minute (dictionary attack or a
more stupid one, trying the same address several times).
You will query DNS so many useless times... and will waste resources.
You can cache whatever you want, it will always be better to drop
everything from the spammer. They will have to wait for the timeout delay...
And I love annoying spammers :-)
Here is the content of my jail.conf:
bantime = 1800
maxretry = 3
[couriersmtp]
enabled = true
port = smtp
filter = couriersmtp
logpath = /var/log/mail.err
> Jerome, what regex do you use for imap/pop3/webmail? I'd recommend
> something like
>
Webmail, pop3 and imap are disabled from outside my network. Only imaps
is opened. I haven't faced this problem yet.
> failregex = LOGIN FAILED, user=\S* ip=\[<HOST>]
>
> While SMTP features a smart tarpit, login failures have a lone
> sleep(5); depending on MAXDAEMONS (and MAXPERIP) that may allow a good
> deal of retries.
>
> The latter log lines also come at LOG_INFO priority. Since logging is
> being used for interprocess communication purposes, would it make
> sense to document that the LOG_INFO priority is where info relevant
> for the firewall is being logged? Parsing just those lines may save
> some cycles...
>
That's why you should not use mail.log but mail.err... it would be much
smarter.
Content of syslog.conf:
mail.err /var/log/mail.err
serveur:~# wc -l /var/log/mail.log /var/log/mail.err
3001 /var/log/mail.log
75 /var/log/mail.err
ns300321:~# wc -l /var/log/mail.log /var/log/mail.err
3863 /var/log/mail.log
88 /var/log/mail.err
HTH.
Jerome Blion.
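To see what the couriersmtp failregex and the maxretry = 3 setting above actually do, here is an added example that is not part of the original thread: it replays constructed Courier-style log lines through the regex and applies fail2ban's count-within-a-window logic. The <HOST> expansion, the findtime default of 600 seconds and the exact log line format are assumptions, not fail2ban's or Courier's own code.

```python
import re
from collections import defaultdict, deque

# fail2ban replaces <HOST> with its own host pattern; this simplified stand-in
# (an assumption, not fail2ban's exact expansion) also swallows the ::ffff:
# prefix that Courier prints before IPv4 relay addresses.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.]+)"

# The couriersmtp failregex quoted in the thread, with <HOST> expanded.
FAILREGEX = re.compile(r"error,relay=" + HOST + r",.*: (511|550|554|513)")

# Constructed log lines as (seconds since start, text); the text only
# approximates the real courieresmtpd format.
SAMPLE_LOG = [
    (0, "courieresmtpd: error,relay=::ffff:203.0.113.7,from=<a@example.org>,"
        "to=<n1@example.net>: 550 User <n1@example.net> unknown."),
    (20, "courieresmtpd: error,relay=::ffff:203.0.113.7,from=<a@example.org>,"
         "to=<n2@example.net>: 550 User <n2@example.net> unknown."),
    (45, "courieresmtpd: error,relay=::ffff:203.0.113.7,from=<a@example.org>,"
         "to=<n3@example.net>: 550 User <n3@example.net> unknown."),
    # A DNSBL rejection matches as well, which is the objection raised above.
    (60, "courieresmtpd: error,relay=::ffff:198.51.100.9,from=<b@example.org>,"
         "to=<x@example.net>: 550 Rejected - see DNSBL"),
    # A 421 is not in the filter's status list, so it is ignored.
    (80, "courieresmtpd: error,relay=::ffff:192.0.2.5,from=<c@example.org>,"
         "to=<y@example.net>: 421 Too many connections"),
]

def extract_host(line):
    """Return the relay host if the line matches the failregex, else None."""
    m = FAILREGEX.search(line)
    return m.group("host") if m else None

def hosts_to_ban(lines, maxretry=3, findtime=600):
    """Replay log lines and return hosts that reach maxretry matches inside a
    findtime window (600 s assumed, fail2ban's default), as the jail above would."""
    recent = defaultdict(deque)   # host -> timestamps of recent matches
    banned = []
    for ts, text in lines:
        host = extract_host(text)
        if host is None or host in banned:
            continue
        window = recent[host]
        window.append(ts)
        while ts - window[0] > findtime:   # drop matches outside the window
            window.popleft()
        if len(window) >= maxretry:
            banned.append(host)
    return banned
```

With maxretry = 3 only the host hammering unknown recipients gets banned; lowering maxretry to 1 would also ban the single DNSBL rejection, which is the trade-off discussed above.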
courier-users mailing list