For qmail-1.03-3.3.5 and up, the link below defines how to set up
/var/log/qmail/smtptx/current. This stops attempts of AUTH outside TLS.
https://github.com/qmtoaster/patches/tree/master/cos8/3.3.5
On 11/4/2022 1:57 AM, Peter Peltonen wrote:
Hi,
I received a private reply that the correct logpath
is /var/log/qmail/smtpt*/current so that should work.
Below are some stats from my server. In the end, I did not disable
smtps, as there were a few users using the port and it seems to be a
difficult task to change the port in Outlook (requires deleting and
adding the account again). What I notice now after a few days (see
stats below) following the logs is that there are a lot of failed
attempts but only a few get banned because they come from different
IPs. So it is very difficult if the attempts are initiated from a
botnet with lots of IPs... What I could try to do is to allow
attempts based on IP geolocation and then block the rest. Does anyone
know if such a configuration could be done easily with some existing
tool? Either at qmail or iptables level.
# ./f2bstat
Status for the jail: qmail-submission-passfail
|- Filter
|  |- Currently failed: 4
|  |- Total failed: 8
|  `- File list: /var/log/maillog
`- Actions
   |- Currently banned: 0
   |- Total banned: 1
   `- Banned IP list:
Status for the jail: qmail-submission-usernotfound
|- Filter
|  |- Currently failed: 14
|  |- Total failed: 177
|  `- File list: /var/log/maillog
`- Actions
   |- Currently banned: 4
   |- Total banned: 4
   `- Banned IP list: 185.28.39.139 185.232.21.210 2.58.46.186 91.103.252.239
Status for the jail: qmail-smtps-passfail
|- Filter
|  |- Currently failed: 1276
|  |- Total failed: 3646
|  `- File list: /var/log/maillog
`- Actions
   |- Currently banned: 10
   |- Total banned: 27
   `- Banned IP list: 117.123.14.7 103.249.77.2 220.255.216.14 189.109.236.166 122.252.192.22 136.169.210.132 189.108.147.210 172.245.92.101 192.227.246.107 219.255.134.98
Status for the jail: qmail-smtps-usernotfound
|- Filter
|  |- Currently failed: 685
|  |- Total failed: 6302
|  `- File list: /var/log/maillog
`- Actions
   |- Currently banned: 11
   |- Total banned: 16
   `- Banned IP list: 60.174.192.240 76.82.169.64 201.63.178.141 177.86.158.78 41.170.13.250 98.143.104.200 68.55.3.234 211.196.236.250 124.165.66.186 183.99.76.78 67.204.24.218
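The pattern Peter describes in the stats above (thousands of failures, a handful of bans, because the attempts are spread over many source IPs) and his question about allowing by geolocation can both be checked with a small aggregation script. The following is an added example, not code from the thread, from qmailtoaster or from fail2ban. It assumes a maillog line format modeled on vpopmail's vchkpw "password fail" / "vpopmail user not found" messages (which the qmail-smtps-passfail and qmail-smtps-usernotfound jails are named after), the sample log lines are constructed, and GEO_TABLE is a constructed stand-in for a real GeoIP lookup.

```python
"""Aggregate qmail/vpopmail AUTH failures by source IP and by target account.

Added example, not code from the thread or from the qmailtoaster project.
The log line format is an assumption modeled on vpopmail's vchkpw messages
("password fail" / "vpopmail user not found"); check it against your own
/var/log/maillog before relying on the regex.
"""
import re
from collections import defaultdict

# Constructed sample of /var/log/maillog lines (assumed vchkpw format).
# One source hammers alice; five different sources each try bob once,
# which a per-IP maxretry of 5 never catches.
SAMPLE_MAILLOG = """\
Nov  4 01:12:03 mail vpopmail[2231]: vchkpw-smtps: password fail alice@example.com:203.0.113.10
Nov  4 01:12:04 mail vpopmail[2232]: vchkpw-smtps: password fail alice@example.com:203.0.113.10
Nov  4 01:12:05 mail vpopmail[2233]: vchkpw-smtps: password fail alice@example.com:203.0.113.10
Nov  4 01:12:06 mail vpopmail[2234]: vchkpw-smtps: password fail alice@example.com:203.0.113.10
Nov  4 01:12:07 mail vpopmail[2235]: vchkpw-smtps: password fail alice@example.com:203.0.113.10
Nov  4 01:12:08 mail vpopmail[2236]: vchkpw-smtps: password fail alice@example.com:203.0.113.10
Nov  4 01:13:00 mail qmail: 1667517180.5 new msg 12345
Nov  4 01:14:01 mail vpopmail[2240]: vchkpw-smtps: password fail bob@example.com:198.51.100.1
Nov  4 01:15:02 mail vpopmail[2241]: vchkpw-smtps: password fail bob@example.com:198.51.100.2
Nov  4 01:16:03 mail vpopmail[2242]: vchkpw-smtps: password fail bob@example.com:198.51.100.3
Nov  4 01:17:04 mail vpopmail[2243]: vchkpw-smtps: password fail bob@example.com:198.51.100.4
Nov  4 01:18:05 mail vpopmail[2244]: vchkpw-smtps: password fail bob@example.com:198.51.100.5
Nov  4 01:19:06 mail vpopmail[2245]: vchkpw-smtps: vpopmail user not found nosuch@example.com:192.0.2.77
Nov  4 01:19:07 mail vpopmail[2246]: vchkpw-smtps: vpopmail user not found admin@example.com:192.0.2.77
"""

# Constructed prefix-to-country table standing in for a real GeoIP database
# (a real lookup would use ipaddress networks, not string prefixes).
GEO_TABLE = {"203.0.113.": "FI", "198.51.100.": "BR", "192.0.2.": "US"}
ALLOWED_COUNTRIES = {"FI"}

# Assumed vchkpw failure message shape: "<service>: <kind> ... <account>:<ip>"
LINE_RE = re.compile(
    r"vchkpw-(?P<service>smtps|submission|smtp): "
    r"(?P<kind>password fail|vpopmail user not found)"
    r".*?(?P<account>[^\s@]+@[^\s:]+):(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


def parse_line(line):
    """Return {'service','kind','account','ip'} for a failure line, else None."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Count failures per source IP and collect distinct source IPs per account."""
    per_ip = defaultdict(int)
    per_account_ips = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        per_ip[ev["ip"]] += 1
        per_account_ips[ev["account"]].add(ev["ip"])
    return dict(per_ip), {k: frozenset(v) for k, v in per_account_ips.items()}


def ips_over_threshold(per_ip, maxretry=5):
    """The fail2ban view: a source is banned once it alone reaches maxretry."""
    return {ip for ip, n in per_ip.items() if n >= maxretry}


def accounts_under_distributed_attack(per_account_ips, min_sources=5):
    """The per-target view: accounts probed from at least min_sources distinct IPs."""
    return {a: len(ips) for a, ips in per_account_ips.items() if len(ips) >= min_sources}


def country_of(ip, geo_table=GEO_TABLE):
    """Constructed GeoIP stand-in: first matching prefix wins, None if unknown."""
    for prefix, cc in geo_table.items():
        if ip.startswith(prefix):
            return cc
    return None


def ips_outside_allowlist(per_ip, allowed=ALLOWED_COUNTRIES, geo_table=GEO_TABLE):
    """Failing sources a country allow-list (e.g. an ipset used by iptables) would drop."""
    return {ip for ip in per_ip if country_of(ip, geo_table) not in allowed}


def report(text=SAMPLE_MAILLOG):
    per_ip, per_acct = summarize(text.splitlines())
    return {
        "per_ip_bans": ips_over_threshold(per_ip),
        "distributed_targets": accounts_under_distributed_attack(per_acct),
        "geo_dropped": ips_outside_allowlist(per_ip),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

On the constructed sample the per-IP rule bans only the single noisy source, while bob's account is being probed from five sources that each stay under the threshold; grouping by target account is what surfaces that, and it is a useful signal to alert on even if the response is something other than an IP ban. The geo list shows which failing sources a country allow-list at the firewall would have dropped before they reached qmail-smtpd at all.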
On Wed, Nov 2, 2022 at 10:13 PM Peter Peltonen
<peter.pelto...@gmail.com> wrote:
Thanks and yes, submission has been hacked also of course, but for
some reason, I see the brute force attempts directed only against
smtps (at least during the past days). As I don't use it, it's
better to disable it as then I need only to monitor submission.
Changing passwords has been of course done.
When following the fail2ban instructions one command failed:
# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.bak-`date`
cp: target '2022' is not a directory
Also in the qmail-smtp-authnotavail filter I see the following entry:
logpath = /var/log/qmail/smtptx/current
-> I don't have such a log file; is there a typo in the path?
I had to disable that filter as fail2ban refuses to start with it.
Best,
Peter
On Wed, Nov 2, 2022 at 5:27 AM Eric Broch
<ebr...@whitehorsetc.com> wrote:
And, the instruction on fail2ban should work fine. Submit
questions to list.
On 11/1/2022 8:38 PM, Remo Mattei wrote:
I would change all the passwords.
Remo
--
Sent from iPhone
On Tuesday, Nov 01, 2022 at 14:44, Eric Broch
<ebr...@whitehorsetc.com> wrote:
# qmailctl stop
# touch /var/qmail/supervise/smtps/log/down
# touch /var/qmail/supervise/smtps/down
# qmailctl start
# qmailctl stat
But, if they've hacked smtps then they've also hacked
submission; right?
On 11/1/2022 1:10 PM, Peter Peltonen wrote:
Hi,
I had an email account password guessed through auth attempts via smtps.
I did not realize this as I had forgotten I had it enabled at all. I
was looking at the submission log and scratching my head, not
understanding how messages got to the remote queue without anything in
the submission log, until I realized smtps was enabled and it was
logging to /var/log/maillog and not to any log under /var/log/qmail...
My first question: is it safe to disable smtps? I guess I don't need
it for anything as all my users should be using 587/submission instead?
Second question: How do I disable it? Should I just remove the
/var/qmail/supervise/smtps/run file? And/or block it at firewall level?
Third question: to prevent brute force attacks, is fail2ban the best
option to do it? I just follow the instructions at
http://www.qmailtoaster.com/fail2ban.html ?
Best,
Peter
---------------------------------------------------------------------
To unsubscribe, e-mail:
qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail:
qmailtoaster-list-h...@qmailtoaster.com