Do smtpd_hard_error_limit <http://www.postfix.org/postconf.5.html#smtpd_hard_error_limit> and smtpd_soft_error_limit <http://www.postfix.org/postconf.5.html#smtpd_soft_error_limit> count authentication failures as "errors"?
I don't receive enough emails (or attacks) to have a definitive answer.

Allen C

On 21/02/16 07:47, Kiss Gábor wrote:
> Dear folks,
>
> My logs are full of lines like this:
>
> Feb 21 04:12:05 MYOLDMTA postfix/smtpd[12967]: warning: unknown[195.22.126.159]: SASL LOGIN authentication failed: authentication failure
>
> This is a brute force attack in order to get a valid username/password pair.
> The cracker usually does 20 attempts within a single SMTP session.
> Though fail2ban alerts the firewall after the third or fourth one,
> network filtering applies to new connections only.
> (I would not filter _all_ incoming packets until it is
> absolutely necessary.)
>
> So the attacker may try any number of passwords quite unobtrusively.
>
> Is there any way to instruct smtpd to close the session after 3 unsuccessful
> attempts as is written in RFC 4954? I found no appropriate config parameter.
>
> https://tools.ietf.org/html/rfc4954#section-9
>    Servers MAY implement a policy whereby the connection is dropped
>    after a number of failed authentication attempts. If they do so,
>    they SHOULD NOT drop the connection until at least 3 attempts to
>    authenticate have failed.
>
> The affected Postfix version is 2.11.3, our old MTA.
> The new one is not found yet by the bad guys.
>
> Regards
>
> Gabor
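
To measure how many failed logins fit into a single session, the situation described in the quoted message, the following added example (not code from either poster or from Postfix) groups the SASL failure warnings by smtpd process between its connect and disconnect lines. The sample log lines and addresses are constructed, the connect/disconnect line format is assumed to be the one Postfix 2.x writes, and the limit of 3 is the RFC 4954 figure quoted above.

```python
import re

# Matches connect/disconnect lines and SASL failure warnings from postfix/smtpd.
LINE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: "
    r"(?:(?P<ev>connect|disconnect) from \S+?\[(?P<ip1>[^\]]+)\]"
    r"|warning: \S+?\[(?P<ip2>[^\]]+)\]: SASL \S+ authentication failed)"
)

def failures_per_session(lines):
    """Return [(client_ip, failed_attempts)], one entry per SMTP session.

    An smtpd process serves one client at a time, so its PID identifies the
    session between a "connect from" and the matching "disconnect from".
    """
    open_sessions, finished = {}, []          # pid -> [ip, count]
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        pid = m["pid"]
        if m["ev"] == "connect":
            open_sessions[pid] = [m["ip1"], 0]
        elif m["ev"] == "disconnect":
            if pid in open_sessions:
                finished.append(tuple(open_sessions.pop(pid)))
        else:
            # Failure without a logged connect: the log started mid-session.
            open_sessions.setdefault(pid, [m["ip2"], 0])[1] += 1
    finished.extend(tuple(s) for s in open_sessions.values())
    return finished

def over_limit(sessions, limit=3):
    """Sessions exceeding `limit` failures: (ip, failures, attempts past limit)."""
    return [(ip, n, n - limit) for ip, n in sessions if n > limit]

def constructed_log():
    """Constructed sample: one 20-attempt session and one single mistyped login."""
    head = "Feb 21 04:12:05 mta postfix/smtpd[%s]: "
    fail = "warning: unknown[%s]: SASL LOGIN authentication failed: authentication failure"
    log = [head % 12967 + "connect from unknown[192.0.2.10]"]
    log += [head % 12967 + fail % "192.0.2.10"] * 20
    log += [head % 12967 + "disconnect from unknown[192.0.2.10]",
            head % 13001 + "connect from unknown[198.51.100.7]",
            head % 13001 + fail % "198.51.100.7",
            head % 13001 + "disconnect from unknown[198.51.100.7]"]
    return log

if __name__ == "__main__":
    for ip, n, extra in over_limit(failures_per_session(constructed_log())):
        print(f"{ip}: {n} failures in one session, {extra} past the limit")
```

Run against a real mail log, the third field of each result is the number of guesses made in a session after a per-connection limit of 3 would have ended it.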