My Postfix MTA has been under a lot of DoS-like attention, such as a botnet 
sending many EHLO requests, then password attempts:

First a lot of:
2017-01-03 10:09:54.964765+0100 0x6254a9   Info        0x0                  
12992  smtpd: connect from unknown[95.183.220.2]
2017-01-03 10:09:55.044713+0100 0x6254a9   Info        0x0                  
12992  smtpd: lost connection after EHLO from unknown[95.183.220.2]
2017-01-03 10:09:55.044835+0100 0x6254a9   Info        0x0                  
12992  smtpd: disconnect from unknown[95.183.220.2] ehlo=1 commands=1
2017-01-03 10:09:55.202825+0100 0x6254a9   Info        0x0                  
12992  smtpd: connect from unknown[95.183.220.2]
2017-01-03 10:09:55.275621+0100 0x6254a9   Info        0x0                  
12992  smtpd: lost connection after EHLO from unknown[95.183.220.2]
2017-01-03 10:09:55.275763+0100 0x6254a9   Info        0x0                  
12992  smtpd: disconnect from unknown[95.183.220.2] ehlo=1 commands=1
2017-01-03 10:09:55.429740+0100 0x6254a9   Info        0x0                  
12992  smtpd: connect from unknown[95.183.220.2]
2017-01-03 10:09:55.504750+0100 0x6254a9   Info        0x0                  
12992  smtpd: lost connection after EHLO from unknown[95.183.220.2]
2017-01-03 10:09:55.504856+0100 0x6254a9   Info        0x0                  
12992  smtpd: disconnect from unknown[95.183.220.2] ehlo=1 commands=1
2017-01-03 10:09:55.663197+0100 0x6254a9   Info        0x0                  
12992  smtpd: connect from unknown[95.183.220.2]
2017-01-03 10:09:55.743275+0100 0x6254a9   Info        0x0                  
12992  smtpd: lost connection after EHLO from unknown[95.183.220.2]
2017-01-03 10:09:55.743976+0100 0x6254a9   Info        0x0                  
12992  smtpd: disconnect from unknown[95.183.220.2] ehlo=1 commands=1
2017-01-03 10:09:55.897671+0100 0x6254a9   Info        0x0                  
12992  smtpd: connect from unknown[95.183.220.2]
2017-01-03 10:09:55.971095+0100 0x6254a9   Info        0x0                  
12992  smtpd: lost connection after EHLO from unknown[95.183.220.2]
2017-01-03 10:09:55.971197+0100 0x6254a9   Info        0x0                  
12992  smtpd: disconnect from unknown[95.183.220.2] ehlo=1 commands=1
2017-01-03 10:09:56.127389+0100 0x6254a9   Info        0x0                  
12992  smtpd: connect from unknown[95.183.220.2]
2017-01-03 10:09:56.207804+0100 0x6254a9   Info        0x0                  
12992  smtpd: lost connection after EHLO from unknown[95.183.220.2]
2017-01-03 10:09:56.207922+0100 0x6254a9   Info        0x0                  
12992  smtpd: disconnect from unknown[95.183.220.2] ehlo=1 commands=1
2017-01-03 10:09:56.362779+0100 0x6254a9   Info        0x0                  
12992  smtpd: connect from unknown[95.183.220.2]
2017-01-03 10:09:56.436684+0100 0x6254a9   Info        0x0                  
12992  smtpd: lost connection after EHLO from unknown[95.183.220.2]
2017-01-03 10:09:56.436791+0100 0x6254a9   Info        0x0                  
12992  smtpd: disconnect from unknown[95.183.220.2] ehlo=1 commands=1
2017-01-03 10:09:56.594670+0100 0x6254a9   Info        0x0                  
12992  smtpd: connect from unknown[95.183.220.2]
2017-01-03 10:09:56.672957+0100 0x6254a9   Info        0x0                  
12992  smtpd: lost connection after EHLO from unknown[95.183.220.2]
2017-01-03 10:09:56.673078+0100 0x6254a9   Info        0x0                  
12992  smtpd: disconnect from unknown[95.183.220.2] ehlo=1 commands=1
2017-01-03 10:09:56.831483+0100 0x6254a9   Info        0x0                  
12992  smtpd: connect from unknown[95.183.220.2]
2017-01-03 10:09:56.906429+0100 0x6254a9   Info        0x0                  
12992  smtpd: lost connection after EHLO from unknown[95.183.220.2]
2017-01-03 10:09:56.906548+0100 0x6254a9   Info        0x0                  
12992  smtpd: disconnect from unknown[95.183.220.2] ehlo=1 commands=1

This was actually DoS-like: at 10 per second, my clients had trouble reaching my 
own mail server. Later it first slowed down to 1 per second (from another IP):

2017-01-03 10:59:00.110590+0100 0x62947e   Info        0x0                  
14260  smtpd: connect from unknown[66.150.135.9]
2017-01-03 10:59:00.110500+0100 0x629537   Info        0x0                  
14264  smtpd: connect from unknown[66.150.135.9]
2017-01-03 10:59:00.112063+0100 0x62947e   Info        0x0                  
14260  smtpd: lost connection after EHLO from unknown[66.150.135.9]
2017-01-03 10:59:00.112134+0100 0x62947e   Info        0x0                  
14260  smtpd: disconnect from unknown[66.150.135.9] ehlo=1 commands=1
2017-01-03 10:59:00.388175+0100 0x629537   Info        0x0                  
14264  smtpd: lost connection after EHLO from unknown[66.150.135.9]
2017-01-03 10:59:00.388343+0100 0x629537   Info        0x0                  
14264  smtpd: disconnect from unknown[66.150.135.9] ehlo=1 commands=1
2017-01-03 10:59:00.911768+0100 0x62947e   Info        0x0                  
14260  smtpd: connect from unknown[66.150.135.9]
2017-01-03 10:59:01.198870+0100 0x62947e   Info        0x0                  
14260  smtpd: lost connection after EHLO from unknown[66.150.135.9]
2017-01-03 10:59:01.198986+0100 0x62947e   Info        0x0                  
14260  smtpd: disconnect from unknown[66.150.135.9] ehlo=1 commands=1
2017-01-03 10:59:01.654948+0100 0x629537   Info        0x0                  
14264  smtpd: connect from unknown[66.150.135.9]
2017-01-03 10:59:01.891412+0100 0x629537   Info        0x0                  
14264  smtpd: lost connection after EHLO from unknown[66.150.135.9]
2017-01-03 10:59:01.891528+0100 0x629537   Info        0x0                  
14264  smtpd: disconnect from unknown[66.150.135.9] ehlo=1 commands=1
2017-01-03 10:59:03.138730+0100 0x62947e   Info        0x0                  
14260  smtpd: connect from unknown[66.150.135.9]
2017-01-03 10:59:03.410583+0100 0x62947e   Info        0x0                  
14260  smtpd: lost connection after EHLO from unknown[66.150.135.9]
2017-01-03 10:59:03.410701+0100 0x62947e   Info        0x0                  
14260  smtpd: disconnect from unknown[66.150.135.9] ehlo=1 commands=1
2017-01-03 10:59:03.931302+0100 0x629537   Info        0x0                  
14264  smtpd: connect from unknown[66.150.135.9]
2017-01-03 10:59:04.189197+0100 0x629537   Info        0x0                  
14264  smtpd: lost connection after EHLO from unknown[66.150.135.9]
2017-01-03 10:59:04.189330+0100 0x629537   Info        0x0                  
14264  smtpd: disconnect from unknown[66.150.135.9] ehlo=1 commands=1
2017-01-03 10:59:04.762571+0100 0x62947e   Info        0x0                  
14260  smtpd: connect from unknown[66.150.135.9]
2017-01-03 10:59:05.759604+0100 0x62947e   Info        0x0                  
14260  smtpd: lost connection after EHLO from unknown[66.150.135.9]
2017-01-03 10:59:05.759719+0100 0x62947e   Info        0x0                  
14260  smtpd: disconnect from unknown[66.150.135.9] ehlo=1 commands=1
2017-01-03 10:59:08.667499+0100 0x629537   Info        0x0                  
14264  smtpd: connect from unknown[66.150.135.9]
2017-01-03 10:59:08.928175+0100 0x629537   Info        0x0                  
14264  smtpd: lost connection after EHLO from unknown[66.150.135.9]
2017-01-03 10:59:08.928522+0100 0x629537   Info        0x0                  
14264  smtpd: disconnect from unknown[66.150.135.9] ehlo=1 commands=1
2017-01-03 10:59:16.232049+0100 0x62947e   Info        0x0                  
14260  smtpd: connect from unknown[66.150.135.9]
2017-01-03 10:59:16.473858+0100 0x62947e   Info        0x0                  
14260  smtpd: lost connection after EHLO from unknown[66.150.135.9]
2017-01-03 10:59:16.473999+0100 0x62947e   Info        0x0                  
14260  smtpd: disconnect from unknown[66.150.135.9] ehlo=1 commands=1

Then after a while a lot of:
2017-01-03 10:59:16.760758+0100 0x629537   Info        0x0                  
14264  smtpd: connect from unknown[66.150.135.9]
2017-01-03 10:59:17.667032+0100 0x629537   Default     0x0                  
14264  smtpd: error: get user record: unable to open user record for 
user=gerben_wie...@rna.nl
2017-01-03 10:59:17.667125+0100 0x629537   Default     0x0                  
14264  smtpd: error: verify password: unable to lookup user record for: 
user=gerben_wie...@rna.nl
2017-01-03 10:59:17.667270+0100 0x629537   Default     0x0                  
14264  smtpd: error: authentication failed
2017-01-03 10:59:17.667463+0100 0x629537   Default     0x0                  
14264  smtpd: warning: unknown[66.150.135.9]: SASL LOGIN authentication failed
2017-01-03 10:59:17.905241+0100 0x629537   Info        0x0                  
14264  smtpd: lost connection after AUTH from unknown[66.150.135.9]
2017-01-03 10:59:17.905356+0100 0x629537   Info        0x0                  
14264  smtpd: disconnect from unknown[66.150.135.9] ehlo=1 auth=0/1 commands=1/2

It does the first part from a multitude of machines.

I want to stop this by setting a rate-limiting rule in my firewall. I was 
wondering what rate to set if I want to limit access by the same IP. The first 
pattern I could stop by rate-limiting to at most 3 per second or 180 per 
minute. That is already pretty high. What MTA is going to send me 180 per 
minute and still be legit?

So, because I do not want to lose valid stuff (though there is a backup mail 
server), I was wondering what a good rate limit is to prevent these kinds of 
attacks.

G
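As an added illustration (not part of the original message, and not Postfix's own tooling), the script below parses smtpd entries of the kind quoted above and measures, per client IP, the highest number of connections seen inside any 1-second or 60-second window, plus SASL authentication failures per IP; run over a day of real logs it puts the burst rate of the attacking hosts next to that of legitimate senders, which is the gap a firewall rate limit has to be placed in. The sample log is constructed (one entry per line, without the 80-column wrapping shown above), and the mail.example.net[203.0.113.5] entry is a placeholder for a legitimate sender.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample modelled on the macOS unified-log entries quoted in the post
# (one Postfix smtpd entry per line). The 203.0.113.5 host is a placeholder.
SAMPLE_LOG = """\
2017-01-03 10:09:54.964765+0100 0x6254a9 Info 0x0 12992 smtpd: connect from unknown[95.183.220.2]
2017-01-03 10:09:55.044713+0100 0x6254a9 Info 0x0 12992 smtpd: disconnect from unknown[95.183.220.2] ehlo=1 commands=1
2017-01-03 10:09:55.202825+0100 0x6254a9 Info 0x0 12992 smtpd: connect from unknown[95.183.220.2]
2017-01-03 10:09:55.429740+0100 0x6254a9 Info 0x0 12992 smtpd: connect from unknown[95.183.220.2]
2017-01-03 10:09:55.663197+0100 0x6254a9 Info 0x0 12992 smtpd: connect from unknown[95.183.220.2]
2017-01-03 10:09:56.127389+0100 0x6254a9 Info 0x0 12992 smtpd: connect from unknown[95.183.220.2]
2017-01-03 10:59:00.110590+0100 0x62947e Info 0x0 14260 smtpd: connect from unknown[66.150.135.9]
2017-01-03 10:59:00.110500+0100 0x629537 Info 0x0 14264 smtpd: connect from unknown[66.150.135.9]
2017-01-03 10:59:03.138730+0100 0x62947e Info 0x0 14260 smtpd: connect from unknown[66.150.135.9]
2017-01-03 10:59:17.667463+0100 0x629537 Default 0x0 14264 smtpd: warning: unknown[66.150.135.9]: SASL LOGIN authentication failed
2017-01-03 11:02:10.000000+0100 0x62a000 Info 0x0 14301 smtpd: connect from mail.example.net[203.0.113.5]
"""

# Timestamp (zone offset dropped) and the smtpd message text of one entry.
ENTRY_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)[+-]\d{4} .*? smtpd: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"^connect from \S+\[(?P<ip>[\d.]+)\]")
SASL_RE = re.compile(r"smtpd: warning: \S+\[([\d.]+)\]: SASL \S+ authentication failed")


def parse(log_text):
    """Yield (timestamp, message) for each smtpd entry; other lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"), m["msg"]


def peak_connects(log_text, window_seconds):
    """Highest number of 'connect from' events one IP produced inside any
    window of window_seconds (sliding window over that IP's connect times)."""
    times = defaultdict(list)
    for ts, msg in parse(log_text):
        m = CONNECT_RE.match(msg)
        if m:
            times[m["ip"]].append(ts)
    peaks = {}
    for ip, ts_list in times.items():
        ts_list.sort()  # entries from several smtpd processes may be out of order
        start = 0
        for end, t in enumerate(ts_list):
            while (t - ts_list[start]).total_seconds() >= window_seconds:
                start += 1
            peaks[ip] = max(peaks.get(ip, 0), end - start + 1)
    return peaks


def sasl_failures(log_text):
    """Count 'SASL ... authentication failed' warnings per client IP."""
    return Counter(SASL_RE.findall(log_text))
```

A per-IP limit set just above the largest 60-second peak that legitimate relays ever reach, and well below the attackers' 1-second peaks, blocks the flood without touching normal delivery.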
