FWIW, I had very similar issues and implemented fail2ban with very tight parameters to essentially block offensive probing hosts. I went from something around 75k probes per month down to less than 50.

Also, out of respect for our counterparts on this PF dedicated mailer, feel free to ping me directly to discuss F2B.

- Tony -

- - -

On 15 Mar 2021, at 13:23, Wietse Venema wrote:

Bill Cole:
On 15 Mar 2021, at 12:17, Viktor Dukhovni wrote:

You've enabled SASL with dovecot as a backend. You could limit this to port 587 (enable SASL via master.cf only for the submission service), and require TLS there. It'll probably still get probed. That's life on the public Internet.

Not only "could" but for most systems, SHOULD. The primary purpose would be to reduce your attack surface. You will still get some auth attempts on the port 25 service, but far less than with SASL enabled and of course there is zero potential for those attacks ever working. Since auth attacks have mostly graduated from "brute force" (i.e. random-ish guessing) to "credential stuffing" (trying user+password pairs known to work somewhere else) it has become important to limit the ways successful authentication can work to only what is necessary. In 2021, no one should need to do authenticated mail submission on port 25. You also can gain simpler and clearer configuration for other sorts of policy enforcement (e.g. spam control) by not having any need to make exceptions for submission on port 25 (e.g. exemptions from DNSBL and/or spam filters for trusted networks.)

I agree. Don't enable SASL AUTH (or any MUA-specific features) on the MTA service (port 25), and Do give the Postfix submission and smtps services their own set of smtpd_mumble_restrictions.

        Wietse
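The configuration the thread recommends, written out as an added example (it is not from any of the posters and not the list's or the Postfix project's own file): SASL stays off in main.cf and therefore on the port 25 smtpd, and is switched on with `-o` overrides only for the submission and smtps services, each of which requires TLS and carries its own restriction lists. The dovecot socket path `private/auth`, the non-chroot `n` column, and the service names are assumptions that you should match to your own installation.

```conf
# /etc/postfix/main.cf (excerpt, added example)
# SASL is off globally, so the port 25 MTA service never offers AUTH.
smtpd_sasl_auth_enable = no
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth          # assumed dovecot socket under queue_directory
# Normal MTA policy applies on port 25; no submission carve-outs needed here.
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_tls_security_level = may

# /etc/postfix/master.cf (excerpt, added example)
# service    type  private unpriv chroot wakeup maxproc command + args
smtp         inet  n       -      n      -      -       smtpd
  -o syslog_name=postfix/smtp
  -o smtpd_sasl_auth_enable=no

# Port 587: STARTTLS mandatory, AUTH offered only over TLS, and only
# authenticated clients may relay. Restriction lists are separate from port 25.
submission   inet  n       -      n      -      -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

# Port 465: implicit TLS (wrapper mode), otherwise the same policy as submission.
smtps        inet  n       -      n      -      -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
```

The `-o` overrides must not contain spaces around commas, since master.cf splits on whitespace. After `postfix reload`, `postconf -Mf` prints the effective per-service settings, and an `EHLO` against port 25 (for example via `openssl s_client -starttls smtp`) should no longer list `AUTH` among the capabilities, while port 587 should list it only after STARTTLS. The separate `syslog_name` values make it easy to see in the mail log which service the remaining probes are hitting, which also gives fail2ban a clean per-port signal.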
