On 3/11/2015 7:43 PM, Michael Fox wrote: > I haven’t implemented postscreen yet, but plan to. So this question > is for the postscreen experts here. > > > > As I understand it from the documentation, postscreen protects > postfix from having to deal with most attack vectors, including > higher volume attacks. So, does it make sense to also use something > like fail2ban to block IPs that postscreen (or postfix) logs > repeatedly as offenders? Or is postscreen sufficient to protect > posfix? >
The goal of postscreen is to reject zombies while using very few system resources. Postscreen can reject thousands of connections per minute without a significant drain on server performance, even on a modest hardware. Also, zombies don't generally hammer away at a server; they make a (relatively) few connections, and then move on to the next victim. It's probably not worth the trouble to firewall them. That's been my experience, your mileage may vary. On the other hand, fail2ban may be useful for detecting SASL dictionary attacks. It's not unreasonable to block an IP for a period of time after XX failed AUTH attempts. Anyway, feel free to experiment if you want. I don't think it will help much, but it probably won't break anything. -- Noel Jones
