* Kiss Gábor <ki...@niif.hu>:
> Dear folks,
>
> My logs are full of lines like this:
>
> Feb 21 04:12:05 MYOLDMTA postfix/smtpd[12967]: warning: unknown[195.22.126.159]: SASL LOGIN authentication failed: authentication failure
>
> This is a brute force attack in order to get a valid username/password pair.
> The cracker usually does 20 attempts within a single SMTP session.
> Though fail2ban alerts the firewall after the third or fourth one but
> network filtering applies to new connections only.
> (I would not filter _all_ incoming packets until it is
> absolutely necessary.)
>
> So the attacker may try any number of passwords quite unobtrusively.
>
> Is there any way to instruct smtpd to close session after 3 unsuccessful
> attempts as is written in RFC 4954? I found no appropriate config parameter.

Either use postfwd2 or write your own policy server. For permanent blocks use
check_sasl_access (newer Postfix only) and let it read a list of blocked
logins.

p@rick

--
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: Munich, Munich District Court: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
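
To measure the per-session pattern described in the question, the following added example (not part of either message) counts SASL failures per SMTP session from smtpd log lines and reports sessions above the limit of 3 mentioned there. The sample log is constructed from the quoted line format, with documentation addresses; the function names are assumptions of this example.

```python
import re

# An smtpd process serves one client at a time, so the PID identifies the
# session between its "connect from" and "disconnect from" lines.
LINE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONN = re.compile(r"^(?P<ev>connect|disconnect) from \S+\[(?P<ip>[0-9A-Fa-f.:]+)\]")
FAIL = re.compile(r"^warning: \S+\[(?P<ip>[0-9A-Fa-f.:]+)\]: SASL \S+ authentication failed")

def sasl_failures_per_session(lines):
    """Return [(pid, client_ip, failures)], one tuple per SMTP session."""
    open_sessions, done = {}, []          # pid -> [ip, failure count]
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = int(m["pid"]), m["msg"]
        c = CONN.match(msg)
        if c:
            if pid in open_sessions:      # disconnect, or a missed disconnect line
                done.append((pid, *open_sessions.pop(pid)))
            if c["ev"] == "connect":
                open_sessions[pid] = [c["ip"], 0]
            continue
        f = FAIL.match(msg)
        if f:                             # tolerate a log that starts mid-session
            open_sessions.setdefault(pid, [f["ip"], 0])[1] += 1
    done.extend((pid, *s) for pid, s in open_sessions.items())  # still open
    return done

def over_limit(lines, limit=3):
    """Sessions with more than `limit` failed AUTH attempts."""
    return [s for s in sasl_failures_per_session(lines) if s[2] > limit]

# --- constructed sample log (hosts, PIDs and addresses are invented) ---
def _line(pid, msg, sec):
    return f"Feb 21 04:12:{sec:02d} MYOLDMTA postfix/smtpd[{pid}]: {msg}"

def _fail(pid, ip, sec):
    return _line(pid, f"warning: unknown[{ip}]: SASL LOGIN authentication "
                      "failed: authentication failure", sec)

SAMPLE = ([_line(12967, "connect from unknown[192.0.2.10]", 0)]
          + [_fail(12967, "192.0.2.10", s) for s in range(1, 6)]
          + [_line(12967, "disconnect from unknown[192.0.2.10]", 6),
             _line(12967, "connect from unknown[198.51.100.7]", 7),  # PID reused
             _fail(12967, "198.51.100.7", 8),
             _line(12967, "disconnect from unknown[198.51.100.7]", 9),
             _line(13001, "connect from unknown[192.0.2.10]", 10)]
          + [_fail(13001, "192.0.2.10", s) for s in (11, 12)])

if __name__ == "__main__":
    for pid, ip, n in over_limit(SAMPLE):
        print(f"smtpd[{pid}] {ip}: {n} failed AUTH attempts in one session")
```

Counting per session rather than per address keeps a reused smtpd PID from merging two unrelated clients into one count.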