On Tue, Sep 20, 2016 at 12:03:37PM +0200, felderm wrote:
> Hi All
> We operate multiple Postfix instances behind HA-Proxies. The haproxy
> upstream protocol is enabled:
> smtpd_upstream_proxy_protocol=haproxy
> (the IPs of the HA-proxies are in mynetworks)
> There are brute-force attacks agains the SMTP servers (auth Backend is
> OpenLDAP). We would like to block these clients and have found the
> following settings:
> smtpd_client_connection_rate_limit 
> smtpd_error_sleep_time             
> smtpd_soft_error_limit             
> smtpd_hard_error_limit             
> We experienced that these settings do not work behind HA-Proxies. Did we
> missed a configuration settings? Did someone implement brute-force
> restrictions behind HA-Proxies? If possible we would like to avoid
> fail2ban or other tools on the HA-Proxies.
> Your Feedback is highly appreciated!
> Thanks
> Felder

Have you considered implementing simple rate limiting at the firewall
level? Something like this, for example:



Reply via email to