On 01/03/2017 01:37 PM, Gerben Wierda wrote:
> My postfix MTA has been under a lot of DOS-like attention. Such as a botnet 
> sending many EHLO-requests, then password attempts:
> ...
> It does the first part from a multitude of machines.
>
> I want to stop this by setting a rate limiting rule in my firewall. I was 
> wondering what rate to set if I want to limit access by the same IP.  The 
> first pattern, I could stop by rate-limiting to maximally 3 per second or 180 
> per minute. That is already pretty high. What MTA is going to send me 180 per 
> minute and still be legit?
>
> So, because I do not want to lose valid stuff (though there is a backup mail 
> server), I was wondering what a good rate limiting is to prevent these kinds 
> of attacks.
>
> G

As well as the other advice given in the thread about tuning postfix
rate limiting, you might want to look into using postscreen with some
blocklists. Those will stop some of the traffic getting through to
smtpd. You can use this in conjunction with fail2ban to then block those
IPs at the firewall if they keep connecting. Fail2ban is also useful
against repeated auth errors. Moving auth from port 25 to 587 will also
reduce the risks a bit.

John
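
The setup suggested in the reply above, sketched as an added example that is not part of the original message or the poster's own configuration. The blocklist choice, thresholds and ban times are assumptions to tune, and the fail2ban jail shown covers only the repeated-auth-error case.

```conf
# --- /etc/postfix/main.cf (added example; all values are assumptions) ---
# postscreen vets connecting clients before they ever reach smtpd
postscreen_access_list = permit_mynetworks
postscreen_greet_action = enforce
# Example DNS blocklist; pick the list(s) whose usage terms fit your site
postscreen_dnsbl_sites = zen.spamhaus.org*2
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_action = enforce

# No SASL AUTH offered on port 25; it is enabled per service for 587 below
smtpd_sasl_auth_enable = no

# --- /etc/postfix/master.cf ---
# Port 25 is answered by postscreen, which hands passing clients to smtpd
smtp       inet  n  -  n  -  1  postscreen
smtpd      pass  -  -  n  -  -  smtpd
dnsblog    unix  -  -  n  -  0  dnsblog
tlsproxy   unix  -  -  n  -  0  tlsproxy
# Port 587: authenticated submission only, TLS required before AUTH
submission inet  n  -  n  -  -  smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# --- /etc/fail2ban/jail.local ---
# Ban at the firewall after repeated SASL auth failures in the mail log
[postfix-sasl]
enabled  = true
port     = smtp,submission
maxretry = 5
findtime = 600
bantime  = 3600
```

Run `postfix check` and reload Postfix after editing, then confirm from an outside host that port 25 no longer advertises AUTH in its EHLO response.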
