[pfx] Re: Strengthen email system security

2024-05-24 Thread Peter via Postfix-users

On 24/05/24 21:32, Matus UHLAR - fantomas via Postfix-users wrote:

On 24.05.24 12:00, Peter via Postfix-users wrote:
And the OP is referring to SASL AUTH attacks which are for submission, 
not MX connections.


But some of those log lines mention postfix/smtpd, which means they 
happen on port 25.


Right, which is why it was recommended that he disable auth on port 25. 
Never mind, we're going around in circles here.



BTW,
While one usually has SASL disabled on port 25, some networks may 
require it because of backwards compatibility.


I think that's becoming increasingly rare.

I have solved this issue by forwarding port 25 from external networks to 
local port 1025 (or any other), where I run postscreen, dnsbls and 
per-queue spam/virus filters.


You can also bind smtpd to a specific IP in master.cf for port 25 
submission if you need that.



Peter
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Strengthen email system security

2024-05-24 Thread Bill Cole via Postfix-users

On 2024-05-23 at 20:12:09 UTC-0400 (Fri, 24 May 2024 12:12:09 +1200)
Peter via Postfix-users 
is rumored to have said:


On 24/05/24 01:42, Bill Cole via Postfix-users wrote:

[...]
It is also helpful as a matter of system design to decouple user 
email addresses from their login usernames. For example, all of the 
email addresses I give to companies are aliases, so none of them are 
at all useful if compromised in a breach. The username I use to 
authenticate to my mail server cannot be mailed from anywhere but the 
mail server itself. This assures that no matter how many systems get 
breached where I've got an account, none of those usernames and 
passwords are useful to the thieves. I set this up almost 30 years 
ago as a spam control measure, but the greatest benefit has been in 
basic account security.


This is good advice for the email admin personally but increases the 
complexity for other users to a point where it's probably not worth 
it, imo.  To elaborate, aliases are great, but trying to reject email 
to the primary mailbox address, or trying to force users to pick a 
different username to their primary mailbox email address can be 
problematic.


Right, it is difficult to retrofit a robust model with arcane aliasing 
kinks onto an existing userbase. It is much less hard to switch users 
from authenticating as cuten...@example.com to 
cuten...@mailauth.example.com even though they still get all their mail 
at the simpler, preferred address. The critical point is to make the 
session authentication identity for mail different from the mail 
delivery address, because they have definitely used that delivery 
address for authentication elsewhere.





--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com 
addresses)

Not Currently Available For Hire


[pfx] Re: Strengthen email system security

2024-05-24 Thread Allen Coates via Postfix-users



On 23/05/2024 14:45, Bill Cole via Postfix-users wrote:

Don't accept mail from home networks. For example, use "reject_rbl_client
zen.spamhaus.org".  For this you must use your own DNS resolver,
not the DNS resolver from your ISP.


On 23.05.24 07:00, Northwind via Postfix-users wrote:

will this also stop the valid client's SMTP connection? thank you Wietse.


not, unless they are listed in zen.spamhaus.org, which should not happen.


Zen includes the "PBL" component, which consists largely of residential and 
mobile consumer IPs.


The ZEN response codes say which data-set(s) list the IP address; you can qualify the "reject_rbl_client" directive to 
disregard the PBL component.


The other components will remain active, and contribute to the blocking process.

Allen C




[pfx] Re: Strengthen email system security

2024-05-24 Thread Matus UHLAR - fantomas via Postfix-users
Zen includes the "PBL" component, which consists largely of 
residential and mobile consumer IPs.



On 24/05/24 02:12, Matus UHLAR - fantomas via Postfix-users wrote:
Yes, but these are (usually) not considered valid clients, these 
should use submission/submissions(smtps) ports where 
reject_rbl_client and/or zen.spamhaus.org should not be used.


On 24.05.24 12:00, Peter via Postfix-users wrote:
And the OP is referring to SASL AUTH attacks which are for submission, 
not MX connections.


But some of those log lines mention postfix/smtpd, which means they happen 
on port 25.


BTW,
While one usually has SASL disabled on port 25, some networks may require it 
because of backwards compatibility.


I have solved this issue by forwarding port 25 from external networks to 
local port 1025 (or any other), where I run postscreen, dnsbls and per-queue 
spam/virus filters.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning (Slovak): I do NOT want to receive any advertising mail at this address.
"One World. One Web. One Program." - Microsoft promotional advertisement
"One people, one Reich, one leader!" - Adolf Hitler


[pfx] Re: Strengthen email system security

2024-05-23 Thread Peter via Postfix-users

On 24/05/24 01:42, Bill Cole via Postfix-users wrote:

Likely brute force.


Not exactly.

"Brute force" password cracking is almost never seen today, as it has 
been replaced by a practice commonly called "credential stuffing" where 
the attacker has some large collection of known-good username+password 
combinations from another source (e.g. one of the many "breaches" of 
online systems) and is simply trying the same combinations on your 
system. This is a much more targeted attack and so can be slow enough to 
evade rate-limit based protections.


I appreciate the differences you point out and they are relevant, but I 
do still consider it a type of brute force attack.


This means that you need more prevention than was needed with classic 
brute force. An attacker may not be working from a list of random names 
and passwords or from common names and passwords, but from some smaller 
list of names and passwords specific to your domain and users, so the 
chances of a hit are based on whether your users use the same passwords 
everywhere.


Indeed this is a problem that is very difficult to police.  At the end 
of the day it is extremely difficult to tell if your users share 
passwords from an email administration POV and probably not worth the 
effort it takes to even come close to preventing it.  Trying to educate 
your users could be worthwhile, but beyond that ...


All the other suggestions are good, and I would add that in addition to 
using Geo-IP data for excluding by country or region, you can 
proactively exclude other large blocks at the packet level quite 
broadly. The Spamhaus DROP list of criminal-controlled ranges would be 
the first step, as you can rely on nothing you want coming from those 
ranges. Next, you can look at the IPs which are doing the authentication 
probes and find large blocks of cheap hosting from which none of your 
users will ever be logging in. For example, you can count on never 
seeing legitimate traffic on ports 465 or 587 (or any of the POP and 
IMAP ports) from AWS, GCP, Linode, Digital Ocean, OVH, Alibaba, or Azure 
network ranges.


This is a good suggestion, but do keep in mind that there can be 
legitimate connections from a VPS.  It is, however, unlikely that one of 
your users would do that and if they do you can always deal with the 
situation when it arises.


It is also helpful as a matter of system design to decouple user email 
addresses from their login usernames. For example, all of the email 
addresses I give to companies are aliases, so none of them are at all 
useful if compromised in a breach. The username I use to authenticate to 
my mail server cannot be mailed from anywhere but the mail server 
itself. This assures that no matter how many systems get breached where 
I've got an account, none of those usernames and passwords are useful to 
the thieves. I set this up almost 30 years ago as a spam control 
measure, but the greatest benefit has been in basic account security.


This is good advice for the email admin personally but increases the 
complexity for other users to a point where it's probably not worth it, 
imo.  To elaborate, aliases are great, but trying to reject email to the 
primary mailbox address, or trying to force users to pick a different 
username to their primary mailbox email address can be problematic.



Peter


[pfx] Re: Strengthen email system security

2024-05-23 Thread Peter via Postfix-users

On 24/05/24 02:12, Matus UHLAR - fantomas via Postfix-users wrote:
Zen includes the "PBL" component, which consists largely of 
residential and mobile consumer IPs.


Yes, but these are (usually) not considered valid clients, these should 
use submission/submissions(smtps) ports where reject_rbl_client and/or 
zen.spamhaus.org should not be used.


And the OP is referring to SASL AUTH attacks which are for submission, 
not MX connections.



Peter


[pfx] Re: Strengthen email system security

2024-05-23 Thread Matus UHLAR - fantomas via Postfix-users
Don't accept mail from home networks. For example, use 
"reject_rbl_client zen.spamhaus.org".  For this you must use your own DNS resolver,
not the DNS resolver from your ISP.



On 23.05.24 07:00, Northwind via Postfix-users wrote:
will this also stop the valid client's SMTP connection? thank you 
Wietse.



On 2024-05-23 at 02:31:05 UTC-0400 (Thu, 23 May 2024 08:31:05 +0200)
Matus UHLAR - fantomas via Postfix-users 
is rumored to have said:
not, unless they are listed in zen.spamhaus.org, which should not 
happen.


On 23.05.24 09:45, Bill Cole via Postfix-users wrote:
Zen includes the "PBL" component, which consists largely of 
residential and mobile consumer IPs.


Yes, but these are (usually) not considered valid clients, these should use 
submission/submissions(smtps) ports where reject_rbl_client and/or 
zen.spamhaus.org should not be used.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning (Slovak): I do NOT want to receive any advertising mail at this address.
Emacs is a complicated operating system without good text editor.


[pfx] Re: Strengthen email system security

2024-05-23 Thread Bill Cole via Postfix-users

On 2024-05-23 at 02:31:05 UTC-0400 (Thu, 23 May 2024 08:31:05 +0200)
Matus UHLAR - fantomas via Postfix-users 
is rumored to have said:

Don't accept mail from home networks. For example, use 
"reject_rbl_client zen.spamhaus.org".  For this you must use your own DNS resolver,
not the DNS resolver from your ISP.


On 23.05.24 07:00, Northwind via Postfix-users wrote:
will this also stop the valid client's SMTP connection? thank you 
Wietse.


not, unless they are listed in zen.spamhaus.org, which should not 
happen.


Zen includes the "PBL" component, which consists largely of residential 
and mobile consumer IPs.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com 
addresses)

Not Currently Available For Hire


[pfx] Re: Strengthen email system security

2024-05-23 Thread Bill Cole via Postfix-users

On 2024-05-22 at 19:03:48 UTC-0400 (Thu, 23 May 2024 11:03:48 +1200)
Peter via Postfix-users 
is rumored to have said:


On 23/05/24 10:33, Northwind via Postfix-users wrote:

[...]

The attack continues at this time.

My questions are:
1. what's the purpose of this kind of attack? Brute force password 
cracking, or DDoS?


Likely brute force.


Not exactly.

"Brute force" password cracking is almost never seen today, as it has 
been replaced by a practice commonly called "credential stuffing" where 
the attacker has some large collection of known-good username+password 
combinations from another source (e.g. one of the many "breaches" of 
online systems) and is simply trying the same combinations on your 
system. This is a much more targeted attack and so can be slow enough to 
evade rate-limit based protections.


This means that you need more prevention than was needed with classic 
brute force. An attacker may not be working from a list of random names 
and passwords or from common names and passwords, but from some smaller 
list of names and passwords specific to your domain and users, so the 
chances of a hit are based on whether your users use the same passwords 
everywhere.


All the other suggestions are good, and I would add that in addition to 
using Geo-IP data for excluding by country or region, you can 
proactively exclude other large blocks at the packet level quite 
broadly. The Spamhaus DROP list of criminal-controlled ranges would be 
the first step, as you can rely on nothing you want coming from those 
ranges. Next, you can look at the IPs which are doing the authentication 
probes and find large blocks of cheap hosting from which none of your 
users will ever be logging in. For example, you can count on never 
seeing legitimate traffic on ports 465 or 587 (or any of the POP and 
IMAP ports) from AWS, GCP, Linode, Digital Ocean, OVH, Alibaba, or Azure 
network ranges.


It is also helpful as a matter of system design to decouple user email 
addresses from their login usernames. For example, all of the email 
addresses I give to companies are aliases, so none of them are at all 
useful if compromised in a breach. The username I use to authenticate to 
my mail server cannot be mailed from anywhere but the mail server 
itself. This assures that no matter how many systems get breached where 
I've got an account, none of those usernames and passwords are useful to 
the thieves. I set this up almost 30 years ago as a spam control 
measure, but the greatest benefit has been in basic account security.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com 
addresses)

Not Currently Available For Hire


[pfx] Re: Strengthen email system security

2024-05-23 Thread Northwind via Postfix-users
That's great info from all you people. many thanks!



> On 23/05/24 19:02, Jaroslaw Rafa via Postfix-users wrote:
> > In addition I can add one idea:
> > I have had quite a success with a policy server that rejects all connections
> > on submission ports IF it doesn't find a currently established IMAP session
> > from the same IP address. All "normal" mail clients (at least the ones that
> > I saw) first establish an IMAP session with the server, and then try to
> > authenticate with SMTP when the user wants to actually send mail. And I see
> > much, much less attacks (authentication attempts) on IMAP service than on
> > SMTP. So it works for me.
>
> That's a good idea, but I would make one modification, have it allow any
> connection that hasn't had a corresponding IMAP (or POP3 if applicable)
> connection in the past hour.
>
> Do note that if you have clients that submit but don't read mail themselves
> then this will cause issues, an example of such being a null client such as
> submitting mail from a server.
>
> Also this should *not* be a substitute for SASL AUTH, but rather an added
> check.
>
> Peter


[pfx] Re: Strengthen email system security

2024-05-23 Thread Peter via Postfix-users

On 23/05/24 19:02, Jaroslaw Rafa via Postfix-users wrote:

In addition I can add one idea:
I have had quite a success with a policy server that rejects all connections
on submission ports IF it doesn't find a currently established IMAP session
from the same IP address. All "normal" mail clients (at least the ones that
I saw) first establish an IMAP session with the server, and then try to
authenticate with SMTP when the user wants to actually send mail. And I see
much, much less attacks (authentication attempts) on IMAP service than on
SMTP. So it works for me.


That's a good idea, but I would make one modification, have it allow any 
connection that hasn't had a corresponding IMAP (or POP3 if applicable) 
connection in the past hour.


Do note that if you have clients that submit but don't read mail 
themselves then this will cause issues, an example of such being a null 
client such as submitting mail from a server.


Also this should *not* be a substitute for SASL AUTH, but rather an 
added check.



Peter


[pfx] Re: Strengthen email system security

2024-05-23 Thread Peter via Postfix-users

On 23/05/24 16:51, Viktor Dukhovni via Postfix-users wrote:

Dovecot has its own mechanism list, while Postfix has a mechanism list
filter.  You should be able to set:

 smtp_sasl_mechanism_filter = plain


He's trying to prevent login on smtpd, so the setting should be 
smtpd_sasl_mechanism_filter.



or, in dovecot.conf, set:

 auth_mechanisms = plain


Indeed, probably both is the way to go.


Peter


[pfx] Re: Strengthen email system security

2024-05-23 Thread Jaroslaw Rafa via Postfix-users
On 23.05.2024 at 15:18:36 Northwind via Postfix-users wrote:
> how to implement that a policy server? thanks.

My script is very simple, I just took a sample policy server script in Perl
included with Postfix distribution and added code to ask Dovecot about
currently active IMAP sessions.

It is probably horribly bad with regard to performance as it is basically
launched by Postfix every time it is needed, but for my low volume server it
is OK. However, to scale it to higher volumes, it may need to be reworked.

I can send you the script offline if you wish.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


[pfx] Re: Strengthen email system security

2024-05-23 Thread Northwind via Postfix-users

how to implement such a policy server? thanks.



In addition I can add one idea:



[pfx] Re: Strengthen email system security

2024-05-23 Thread Jaroslaw Rafa via Postfix-users
On 23.05.2024 at 11:03:48 Peter via Postfix-users wrote:
> 
> You can implement a policy daemon (such as postfwd) which can add
> limits to help in case a password does get found.  This can shut
> down a user account before it gets used to send too much SPAM.
> 
> If you know that all of your users will originate in a certain
> country or countries, you can use Geo-IP filtering to limit
> submission connections to those countries.  Note be careful not to
> block port 25 connections with this and realize that if you or your
> users ever intend to do any travelling this could be problematic.

In addition I can add one idea:
I have had quite a success with a policy server that rejects all connections
on submission ports IF it doesn't find a currently established IMAP session
from the same IP address. All "normal" mail clients (at least the ones that
I saw) first establish an IMAP session with the server, and then try to
authenticate with SMTP when the user wants to actually send mail. And I see
much, much less attacks (authentication attempts) on IMAP service than on
SMTP. So it works for me.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
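Jaroslaw's check, with Peter's one-hour window and null-client exemption from his reply, written out as a small Postfix access-policy daemon. This is an added example and not Jaroslaw's Perl script. Everything outside the Postfix policy protocol itself is an assumption: the `last_seen` table (client IP to time of its last IMAP/POP3 session) is handed to the class by the caller, where a real deployment would fill it from `doveadm who` or the IMAP/POP3 login log; the exemption set, the `inet:127.0.0.1:10031` listener and the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation values, not real hosts.

```python
"""Postfix access-policy daemon gating submission on a recent IMAP/POP3 session.

Added example (not the thread's script). The "last seen" table is an input;
feeding it from `doveadm who` or the login log is assumed, not shown.
"""
import socketserver
import time
from dataclasses import dataclass, field

WINDOW_SECONDS = 3600   # Peter's suggestion: a mailbox session within the past hour


def parse_request(raw):
    """Decode one Postfix policy request: 'name=value' lines ended by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def format_response(action):
    """Encode the reply; Postfix expects 'action=...' followed by an empty line."""
    return f"action={action}\n\n"


@dataclass
class SubmissionGate:
    last_seen: dict                              # client IP -> unix time of last IMAP/POP3 session
    exempt: set = field(default_factory=set)     # null clients that submit but never read mail
    window: int = WINDOW_SECONDS

    def decide(self, attrs, now=None):
        """Return the policy action for one decoded request."""
        now = time.time() if now is None else now
        if attrs.get("request") != "smtpd_access_policy":
            return "DUNNO"
        ip = attrs.get("client_address", "")
        if ip in self.exempt:
            return "DUNNO"
        seen = self.last_seen.get(ip)
        if seen is not None and now - seen <= self.window:
            # DUNNO, never OK/PERMIT: this is an added check, so permit_sasl_authenticated
            # and the rest of the restriction list still have to pass afterwards.
            return "DUNNO"
        return "REJECT No recent mailbox session from this client"


class PolicyHandler(socketserver.StreamRequestHandler):
    """Serve any number of requests on one connection, as Postfix reuses them."""

    def handle(self):
        while True:
            lines = []
            while True:
                line = self.rfile.readline()
                if not line:
                    return                      # Postfix closed the connection
                line = line.decode("utf-8", "replace").rstrip("\r\n")
                if line == "":
                    break
                lines.append(line)
            attrs = parse_request("\n".join(lines) + "\n")
            self.wfile.write(format_response(self.server.gate.decide(attrs)).encode())
            self.wfile.flush()


def serve(gate, host="127.0.0.1", port=10031):
    """Listen for Postfix; pair with check_policy_service inet:127.0.0.1:10031 (assumed port)."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer((host, port), PolicyHandler) as server:
        server.gate = gate
        server.serve_forever()


# Constructed request in the attribute set Postfix sends at RCPT time
# (documentation addresses, not real hosts).
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "protocol_name=ESMTP\n"
    "client_address=203.0.113.7\n"
    "client_name=unknown\n"
    "sasl_method=PLAIN\n"
    "sasl_username=alice\n"
    "sender=alice@example.com\n"
    "recipient=bob@example.net\n"
    "\n"
)

if __name__ == "__main__":
    gate = SubmissionGate(last_seen={"203.0.113.7": time.time() - 600},
                          exempt={"203.0.113.9"})
    print(format_response(gate.decide(parse_request(SAMPLE_REQUEST))), end="")
    serve(gate)
```

Hook it into the submission services only, never port 25: for example `imapgate = check_policy_service inet:127.0.0.1:10031` in main.cf and `-o smtpd_recipient_restrictions=$imapgate,permit_sasl_authenticated,reject` under the submission entry in master.cf (the `$imapgate` indirection avoids a space inside an `-o` value). Because the daemon answers DUNNO rather than OK, a client with a recent IMAP session still has to authenticate, which is Peter's "added check, not a substitute" point. Jaroslaw's performance caveat applies less here, since the process stays resident and handles many requests per connection; the cost moves to keeping `last_seen` current.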


[pfx] Re: Strengthen email system security

2024-05-22 Thread Matus UHLAR - fantomas via Postfix-users

Don't accept mail from home networks. For example, use "reject_rbl_client
zen.spamhaus.org".  For this you must use your own DNS resolver,
not the DNS resolver from your ISP.


On 23.05.24 07:00, Northwind via Postfix-users wrote:

will this also stop the valid client's SMTP connection? thank you Wietse.


not, unless they are listed in zen.spamhaus.org, which should not happen.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning (Slovak): I do NOT want to receive any advertising mail at this address.
Christian Science Programming: "Let God Debug It!".


[pfx] Re: Strengthen email system security

2024-05-22 Thread Gary R. Schmidt via Postfix-users

On 23/05/2024 14:27, Scott Techlist via Postfix-users wrote:

All of these entries are using the LOGIN mech.  Unless you have an
extremely old outlook express MUA (or similar) you xan and should be
using the PLAIN mech.  You can eliminate all of the above attacks by
removing LOGIN from the list of mechs you accept.


Peter:

I too see a lot of these so I went to try your solution.  I edited 
/etc/sasl2/smtpd.conf
It now contains:

pwcheck_method: saslauthd
#mech_list: plain login
mech_list: plain

Restarted postfix and dovecot.

But now I notice I have both LOGIN and PLAIN failures, the change I made didn't 
have any effect that I can see.
May 22 18:40:18 tn2 postfix-submission/smtpd[6125]: warning: 
unknown[218.67.123.202]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 22 18:40:31 tn2 postfix-submission/smtpd[6063]: warning: 
unknown[60.212.0.13]: SASL PLAIN authentication failed:
May 22 18:40:51 tn2 postfix-submission/smtpd[6126]: warning: 
unknown[41.207.248.204]: SASL PLAIN authentication failed:
May 22 18:41:25 tn2 postfix-submission/smtpd[6125]: warning: 
unknown[109.195.69.156]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 22 18:41:41 tn2 postfix-submission/smtpd[6063]: warning: 
unknown[175.196.165.155]: SASL LOGIN authentication failed:

Is there some place else I need to adjust that mechs I accept?  Something else 
I need to restart?

This is people/bots attempting to use your system as a relay, the 
authentication mechanism has nothing to do with it.

Unless, of course, you have users in China, Africa, Russia, Korea, 
etcetera, etcetera, etcetera, who should be able to authenticate and 
send mail via your system.


Install and use "jwhois" to find out where the attempts are probably 
coming from.  (But you do have to keep your jwhois.conf up to date.  :-) )


And read up on postscreen and implement it, before someone *does* break in.

Cheers,
GaryB-)


[pfx] Re: Strengthen email system security

2024-05-22 Thread Viktor Dukhovni via Postfix-users
On Wed, May 22, 2024 at 11:27:15PM -0500, Scott Techlist via Postfix-users 
wrote:

> >All of these entries are using the LOGIN mech.  Unless you have an
> >extremely old outlook express MUA (or similar) you can and should be
> >using the PLAIN mech.  You can eliminate all of the above attacks by
> >removing LOGIN from the list of mechs you accept.
> 
> Peter:
> 
> I too see a lot of these so I went to try your solution.  I edited 
> /etc/sasl2/smtpd.conf  
> It now contains:
> 
> pwcheck_method: saslauthd
> #mech_list: plain login
> mech_list: plain

That's for *Cyrus* SASL, but since you mention "dovecot", perhaps you're
using "dovecot" SASL, check your "smtpd_sasl_type" parameter setting.

Dovecot has its own mechanism list, while Postfix has a mechanism list
filter.  You should be able to set:

smtp_sasl_mechanism_filter = plain

or, in dovecot.conf, set:

auth_mechanisms = plain

-- 
Viktor.
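The settings Viktor and Peter discuss above, together with Peter's earlier point that the port 25 service should not offer AUTH at all, as one concrete configuration. This is an added example, not a file from any of the posters. It assumes Dovecot SASL over the usual `private/auth` socket (so the Cyrus `/etc/sasl2/smtpd.conf` that Scott edited is never read), Postfix 3.6 or later (where `smtpd_sasl_mechanism_filter` was introduced for the server side; note the `smtpd_` prefix, as Peter corrected), an existing TLS certificate setup, and Debian-style `y` chroot columns. Comments are on their own lines because Postfix treats trailing `#` text as part of the value.

```conf
# --- /etc/postfix/main.cf ---
# Dovecot SASL; /etc/sasl2/smtpd.conf is not consulted in this mode.
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
# Global default: no AUTH anywhere. The submission services turn it on below,
# so the port 25 listener never advertises AUTH.
smtpd_sasl_auth_enable = no
# Postfix 3.6+: offer only PLAIN, whatever mechanism list Dovecot presents.
smtpd_sasl_mechanism_filter = plain
# Never offer AUTH on a session that has not negotiated TLS.
smtpd_tls_auth_only = yes
# Port 25 only (submission overrides this below): Wietse's DNSBL check.
# As he notes, this needs your own resolver, not the ISP's.
smtpd_client_restrictions = permit_mynetworks, reject_rbl_client zen.spamhaus.org
# postscreen in front of port 25, as Matus and Gary run it.
postscreen_dnsbl_sites = zen.spamhaus.org
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce

# --- /etc/postfix/master.cf ---
# service    type  private unpriv chroot wakeup maxproc command
smtp         inet  n       -      y      -      1       postscreen
smtpd        pass  -       -      y      -      -       smtpd
dnsblog      unix  -       -      y      -      0       dnsblog
tlsproxy     unix  -       -      y      -      0       tlsproxy
submission   inet  n       -      y      -      -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps        inet  n       -      y      -      -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# --- /etc/dovecot/conf.d/10-auth.conf ---
auth_mechanisms = plain

# --- /etc/dovecot/conf.d/10-master.conf ---
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
```

To verify, `postconf smtpd_sasl_type smtpd_sasl_auth_enable smtpd_sasl_mechanism_filter` and `postconf -P submission/inet/smtpd_sasl_auth_enable` show what Postfix actually loaded, and `openssl s_client -starttls smtp -connect mail.example.com:587` followed by `EHLO test` should print a `250-AUTH PLAIN` line with no LOGIN, while the same EHLO on port 25 should print no AUTH line at all. The separate `syslog_name` values are what make the log triage easy: every failure then says which listener it hit. Scott's log shows the limit of the mechanism filter: once LOGIN is gone the probes simply continue with PLAIN, so the filter removes the LOGIN noise and the port 25 change removes that listener's share, but the remaining guessing still needs the rate limiting, policy and blocklist measures discussed elsewhere in the thread.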


[pfx] Re: Strengthen email system security

2024-05-22 Thread Scott Techlist via Postfix-users
>All of these entries are using the LOGIN mech.  Unless you have an
>extremely old outlook express MUA (or similar) you can and should be
>using the PLAIN mech.  You can eliminate all of the above attacks by
>removing LOGIN from the list of mechs you accept.

Peter:

I too see a lot of these so I went to try your solution.  I edited 
/etc/sasl2/smtpd.conf  
It now contains:

pwcheck_method: saslauthd
#mech_list: plain login
mech_list: plain

Restarted postfix and dovecot.

But now I notice I have both LOGIN and PLAIN failures, the change I made didn't 
have any effect that I can see.  
May 22 18:40:18 tn2 postfix-submission/smtpd[6125]: warning: 
unknown[218.67.123.202]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 22 18:40:31 tn2 postfix-submission/smtpd[6063]: warning: 
unknown[60.212.0.13]: SASL PLAIN authentication failed:
May 22 18:40:51 tn2 postfix-submission/smtpd[6126]: warning: 
unknown[41.207.248.204]: SASL PLAIN authentication failed:
May 22 18:41:25 tn2 postfix-submission/smtpd[6125]: warning: 
unknown[109.195.69.156]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 22 18:41:41 tn2 postfix-submission/smtpd[6063]: warning: 
unknown[175.196.165.155]: SASL LOGIN authentication failed: 

Is there some place else I need to adjust that mechs I accept?  Something else 
I need to restart?

Thanks, Scott





[pfx] Re: Strengthen email system security

2024-05-22 Thread Gary R. Schmidt via Postfix-users

On 23/05/2024 08:33, Northwind via Postfix-users wrote:

Hello list,

In the last two days, my mail system (small size) met attacks.

mail.log shows a lot of this stuff:

May 23 06:24:29 mx postfix/smtpd[2655149]: warning: 
unknown[194.169.175.17]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:37 mx postfix/smtps/smtpd[2655958]: warning: 
unknown[111.53.52.116]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:37 mx postfix/smtpd[2655819]: warning: 
unknown[194.169.175.20]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:40 mx postfix/smtpd[2655040]: warning: 
unknown[194.169.175.17]: SASL LOGIN authentication failed: Connection 
lost to authentication server
May 23 06:24:50 mx postfix/smtps/smtpd[2656489]: warning: 
unknown[105.16.161.35]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:52 mx postfix/smtps/smtpd[2655958]: warning: 
unknown[59.0.60.158]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:54 mx postfix/smtps/smtpd[2656433]: warning: 
unknown[218.3.137.193]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:56 mx postfix/smtpd[2655730]: warning: 
unknown[194.169.175.20]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:58 mx postfix/smtpd[2654836]: warning: 
unknown[194.169.175.17]: SASL LOGIN authentication failed: UGFzc3dvcmQ6



And fail2ban has dropped 2000+ black IPs:

$ sudo iptables -L -n|grep DROP|wc -l
2614

The attack continues at this time.

My questions are:
1. what's the purpose of this kind of attack? Brute force password 
cracking, or DDoS?


2. How to strengthen email system security to stop this?

I use postscreen with the spamhaus/spamcop/barracudacentral lookups, as 
well as fail2ban.  Between them a lot of these are stopped.


And I manually add stuff to my badsmtp.in file, running PF on Solaris.

Cheers,
GaryB-)


[pfx] Re: Strengthen email system security

2024-05-22 Thread julio covolato via Postfix-users

On 22/05/2024 19:33, Northwind via Postfix-users wrote:

Hello list,

In the last two days, my mail system (small size) met attacks.

mail.log shows a lot of this stuff:

May 23 06:24:29 mx postfix/smtpd[2655149]: warning: 
unknown[194.169.175.17]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:37 mx postfix/smtps/smtpd[2655958]: warning: 
unknown[111.53.52.116]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:37 mx postfix/smtpd[2655819]: warning: 
unknown[194.169.175.20]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:40 mx postfix/smtpd[2655040]: warning: 
unknown[194.169.175.17]: SASL LOGIN authentication failed: Connection 
lost to authentication server
May 23 06:24:50 mx postfix/smtps/smtpd[2656489]: warning: 
unknown[105.16.161.35]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:52 mx postfix/smtps/smtpd[2655958]: warning: 
unknown[59.0.60.158]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:54 mx postfix/smtps/smtpd[2656433]: warning: 
unknown[218.3.137.193]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:56 mx postfix/smtpd[2655730]: warning: 
unknown[194.169.175.20]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:58 mx postfix/smtpd[2654836]: warning: 
unknown[194.169.175.17]: SASL LOGIN authentication failed: UGFzc3dvcmQ6



And fail2ban has dropped 2000+ black IPs:

$ sudo iptables -L -n|grep DROP|wc -l
2614

The attack continues at this time.

My questions are:
1. what's the purpose of this kind of attack? Brute force password 
cracking, or DDoS?


2. How to strengthen email system security to stop this?

Thanks in advance.




Hi.

I managed to drastically reduce this type of attack using the 
abuseIPDB[1] database (free account) + ipset + iptables.


[1] https://www.abuseipdb.com/

I run a cronjob 4 times a day to add new IPs to my ipset.

If you want, I can send you my scripts to automate these tasks. (It's out 
of the scope of this list)


Regards.

--
_Engº Julio Cesar Covolato
   0v0   
  /(_)\  F: 55-11-99175-9260
   ^ ^   PSI INTERNET
--



[pfx] Re: Strengthen email system security

2024-05-22 Thread Northwind via Postfix-users


Good ideas. thanks a lot Peter.



Things of note from the log entries above:

1/2 of the entries are from the smtp (port 25) service.  This service 
should be for MX communication only and should not accept 
authentication.  You can eliminate 1/2 of the attempts just by 
disabling authentication on port 25.


All of these entries are using the LOGIN mech.  Unless you have an 
extremely old Outlook Express MUA (or similar) you can and should be 
using the PLAIN mech.  You can eliminate all of the above attacks by 
removing LOGIN from the list of mechs you accept.


You can implement a policy daemon (such as postfwd) which can add limits 
to help in case a password does get found.  This can shut down a user 
account before it gets used to send too much SPAM.


If you know that all of your users will originate in a certain country 
or countries, you can use Geo-IP filtering to limit submission 
connections to those countries.  Note be careful not to block port 25 
connections with this and realize that if you or your users ever intend 
to do any travelling this could be problematic.



[pfx] Re: Strengthen email system security

2024-05-22 Thread Peter via Postfix-users

On 23/05/24 10:55, Wietse Venema via Postfix-users wrote:

2. How to strengthen email system security to stop this?


Don't accept mail from home networks. For example, use "reject_dbl_client
zen.spamhaus.org".  For this you must use your own DNS resolver,
not the DNS resolver from your ISP.


He's having problems with authentication attempts.  This is a bad idea 
for submission as it would effectively block home users from submitting 
email.



Peter
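Wietse's reject_rbl_client suggestion and Peter's caveat about submission come down to which listener a restriction is attached to: a DNSBL check belongs on the port-25 smtpd, while SASL auth belongs only on submission/smtps. The following audit script is an added example, not code from the thread or from Postfix; it reads main.cf and master.cf text and reports, for every smtpd inet service, the effective smtpd_sasl_auth_enable and smtpd_client_restrictions after -o overrides. The sample configuration is constructed, and its port-25 entry deliberately carries the weak `-o smtpd_sasl_auth_enable=yes` so the audit flags it; the fix is simply to delete that line.

```python
"""Audit which Postfix smtpd listeners accept SASL auth and carry DNSBL checks.

Added example (not Postfix code).  It parses the two config files as text,
so it can be run offline against copies of main.cf and master.cf.
"""

# Constructed sample main.cf: auth off globally, DNSBL on the default restrictions.
MAIN_CF = """\
smtpd_sasl_auth_enable = no
smtpd_client_restrictions = permit_mynetworks,
    reject_rbl_client zen.spamhaus.org
"""

# Constructed sample master.cf (Debian-style layout).  The "smtp" entry is
# deliberately wrong: it re-enables SASL on the port-25 MX listener.
MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp       inet  n       -       y       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
submission inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps      inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
pickup     unix  n       -       y       60      1       pickup
"""


def parse_main_cf(text):
    """Return {parameter: value}; indented lines continue the previous value."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and key is not None:
            params[key] += " " + raw.strip()
            continue
        key, _, value = raw.partition("=")
        key = key.strip()
        params[key] = value.strip()
    return params


def parse_master_cf(text):
    """Return a list of service entries with their -o overrides."""
    services, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            # "-o name=value" belongs to the service entry above it
            parts = raw.split()
            if current is not None and len(parts) == 2 and parts[0] == "-o":
                name, _, value = parts[1].partition("=")
                current["overrides"][name] = value
            continue
        fields = raw.split()
        if len(fields) < 8:
            continue
        current = {"name": fields[0], "type": fields[1],
                   "command": fields[7], "overrides": {}}
        services.append(current)
    return services


def effective(param, main, service):
    """A -o override wins over main.cf; missing parameters read as empty."""
    return service["overrides"].get(param, main.get(param, ""))


def audit(main_text, master_text):
    """One finding per smtpd inet listener, with issues per the thread's advice."""
    main = parse_main_cf(main_text)
    findings = []
    for svc in parse_master_cf(master_text):
        if svc["type"] != "inet" or svc["command"] != "smtpd":
            continue
        auth = effective("smtpd_sasl_auth_enable", main, svc).lower() == "yes"
        restr = effective("smtpd_client_restrictions", main, svc)
        finding = {"service": svc["name"], "sasl_auth": auth,
                   "client_restrictions": restr,
                   "rbl_on_listener": "reject_rbl_client" in restr, "issues": []}
        if svc["name"] == "smtp" and auth:
            finding["issues"].append(
                "MX listener (port 25) accepts SASL auth; remove the override")
        if svc["name"] in ("submission", "smtps") and finding["rbl_on_listener"]:
            finding["issues"].append(
                "DNSBL check on a submission listener rejects home users")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit(MAIN_CF, MASTER_CF):
        print(f"{f['service']:<11} auth={f['sasl_auth']!s:<5} "
              f"rbl={f['rbl_on_listener']!s:<5} {'; '.join(f['issues']) or 'ok'}")
```

Run against real files with `audit(open('/etc/postfix/main.cf').read(), open('/etc/postfix/master.cf').read())`; the parser handles the common `-o name=value` form only, so an `-o` line whose value is wrapped in `{ }` to contain spaces is not split any further.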


[pfx] Re: Strengthen email system security

2024-05-22 Thread Peter via Postfix-users

On 23/05/24 10:33, Northwind via Postfix-users wrote:

Hello list,

In the last two days, my mail system (small size) met attacks.

mail.log shows a lot of this stuff:

May 23 06:24:29 mx postfix/smtpd[2655149]: warning: 
unknown[194.169.175.17]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:37 mx postfix/smtps/smtpd[2655958]: warning: 
unknown[111.53.52.116]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:37 mx postfix/smtpd[2655819]: warning: 
unknown[194.169.175.20]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:40 mx postfix/smtpd[2655040]: warning: 
unknown[194.169.175.17]: SASL LOGIN authentication failed: Connection 
lost to authentication server
May 23 06:24:50 mx postfix/smtps/smtpd[2656489]: warning: 
unknown[105.16.161.35]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:52 mx postfix/smtps/smtpd[2655958]: warning: 
unknown[59.0.60.158]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:54 mx postfix/smtps/smtpd[2656433]: warning: 
unknown[218.3.137.193]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:56 mx postfix/smtpd[2655730]: warning: 
unknown[194.169.175.20]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:58 mx postfix/smtpd[2654836]: warning: 
unknown[194.169.175.17]: SASL LOGIN authentication failed: UGFzc3dvcmQ6



And fail2ban has dropped 2000+ black IPs:

$ sudo iptables -L -n|grep DROP|wc -l
2614

The attack continues at this time.

My questions are:
1. What's the purpose of this kind of attack? Brute force password 
cracking, or DDoS?


Likely brute force.


2. How to strengthen email system security to stop this?


Well you're already using fail2ban which is a good start.

You can enforce good password policies (password strength).

Things of note from the log entries above:

1/2 of the entries are from the smtp (port 25) service.  This service 
should be for MX communication only and should not accept 
authentication.  You can eliminate 1/2 of the attempts just by 
disabling authentication on port 25.


All of these entries are using the LOGIN mech.  Unless you have an 
extremely old Outlook Express MUA (or similar) you can and should be 
using the PLAIN mech.  You can eliminate all of the above attacks by 
removing LOGIN from the list of mechs you accept.


You can implement a policy daemon (such as postfwd) which can add limits 
to help in case a password does get found.  This can shut down a user 
account before it gets used to send too much SPAM.


If you know that all of your users will originate in a certain country 
or countries, you can use Geo-IP filtering to limit submission 
connections to those countries.  Note be careful not to block port 25 
connections with this and realize that if you or your users ever intend 
to do any travelling this could be problematic.



Peter
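Peter's two observations (half of the attempts hit the port-25 smtpd service, and every one of them uses LOGIN) can be checked mechanically rather than by eye. The script below is an added example, not code from the thread; it parses warning lines of the shape the OP posted, counts them by Postfix service name, mechanism and client IP, and decodes the base64 token Postfix logs for LOGIN failures (UGFzc3dvcmQ6 is "Password:", the LOGIN server prompt, which is how you can tell the mechanism from the log alone). It assumes the Debian-style syslog names, where the plain `smtpd` process is the port-25 service and `submission/smtpd` and `smtps/smtpd` come from `-o syslog_name=` overrides; the sample log is the OP's lines plus one constructed submission line.

```python
"""Classify Postfix 'SASL ... authentication failed' warnings by service and mech.

Added example, not from the thread.  Feed it mail.log text to see how many
brute-force attempts land on each listener and which mechanisms they use.
"""
import base64
import binascii
import re
from collections import Counter

# Sample log: the OP's lines plus one constructed line (192.0.2.10, PLAIN on
# submission) so the submission listener also shows up in the counts.
SAMPLE_LOG = """\
May 23 06:24:29 mx postfix/smtpd[2655149]: warning: unknown[194.169.175.17]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:37 mx postfix/smtps/smtpd[2655958]: warning: unknown[111.53.52.116]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:37 mx postfix/smtpd[2655819]: warning: unknown[194.169.175.20]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:24:40 mx postfix/smtpd[2655040]: warning: unknown[194.169.175.17]: SASL LOGIN authentication failed: Connection lost to authentication server
May 23 06:24:50 mx postfix/smtps/smtpd[2656489]: warning: unknown[105.16.161.35]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 23 06:25:01 mx postfix/submission/smtpd[2656500]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
"""

# The process field is "smtpd" for the port-25 service, or "<name>/smtpd" when
# master.cf sets "-o syslog_name=postfix/<name>" (assumed Debian-style names).
SASL_FAIL_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<service>[\w/-]+?)\[(?P<pid>\d+)\]: warning: "
    r"(?P<rdns>\S+)\[(?P<ip>[^\]]+)\]: SASL (?P<mech>\S+) authentication failed: "
    r"(?P<reason>.*)$"
)


def parse_sasl_failure(line):
    """Return the named fields of one failed-auth warning, or None for other lines."""
    m = SASL_FAIL_RE.match(line)
    return m.groupdict() if m else None


def decode_sasl_reason(reason):
    """Decode the base64 token logged for LOGIN failures; non-base64 text is returned as is."""
    try:
        return base64.b64decode(reason, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return reason


def summarize(log_text):
    """Count failed attempts by service, mechanism, client IP and decoded reason."""
    by_service, by_mech, by_ip, by_reason = Counter(), Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_sasl_failure(line)
        if rec is None:
            continue
        by_service[rec["service"]] += 1
        by_mech[rec["mech"]] += 1
        by_ip[rec["ip"]] += 1
        by_reason[decode_sasl_reason(rec["reason"])] += 1
    return {"by_service": by_service, "by_mech": by_mech,
            "by_ip": by_ip, "by_reason": by_reason}


def recommendations(summary):
    """Turn the counts into the two configuration changes Peter suggests."""
    total = sum(summary["by_service"].values())
    port25 = summary["by_service"].get("smtpd", 0)
    login = summary["by_mech"].get("LOGIN", 0)
    out = []
    if port25:
        out.append(f"{port25}/{total} attempts hit the port-25 smtpd service: "
                   "set smtpd_sasl_auth_enable = no in main.cf and enable it "
                   "only on submission/smtps in master.cf")
    if login:
        out.append(f"{login}/{total} attempts used the LOGIN mechanism: "
                   "stop offering LOGIN and keep PLAIN")
    return out


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for key in ("by_service", "by_mech", "by_reason"):
        print(key, dict(s[key]))
    print("top clients:", s["by_ip"].most_common(3))
    for r in recommendations(s):
        print("-", r)
```

On a live system, `summarize(open('/var/log/mail.log').read())` gives the same breakdown; the per-IP counter is the same data fail2ban keys its bans on, so comparing `by_ip` with the iptables DROP count shows how much of the traffic the bans already absorb.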


[pfx] Re: Strengthen email system security

2024-05-22 Thread Northwind via Postfix-users

Will this also stop the valid client's SMTP connection? Thank you, Wietse.


Don't accept mail from home networks. For example, use "reject_dbl_client
zen.spamhaus.org".  For this you must use your own DNS resolver,
not the DNS resolver from your ISP.



[pfx] Re: Strengthen email system security

2024-05-22 Thread Wietse Venema via Postfix-users
Wietse Venema via Postfix-users:
> Northwind via Postfix-users:
> > Hello list,
> > 
> > In the last two days, my mail system (small size) met attacks.
> > 
> > mail.log shows a lot of this stuff:
> > 
> > May 23 06:24:29 mx postfix/smtpd[2655149]: warning: 
> > unknown[194.169.175.17]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> 
> This just wastes a few CPU cycles and file system space.
> 
> > My questions are:
> > 1. What's the purpose of this kind of attack? Brute force password 
> > cracking, or DDoS?
> 
> They want to use your machine to send spam to the Internet.
> 
> > 2. How to strengthen email system security to stop this?
> 
> Don't accept mail from home networks. For example, use "reject_dbl_client

Typo: this should be reject_rbl_client.

> zen.spamhaus.org".  For this you must use your own DNS resolver,
> not the DNS resolver from your ISP.
> 
>   Wietse


[pfx] Re: Strengthen email system security

2024-05-22 Thread Wietse Venema via Postfix-users
Northwind via Postfix-users:
> Hello list,
> 
> In the last two days, my mail system (small size) met attacks.
> 
> mail.log shows a lot of this stuff:
> 
> May 23 06:24:29 mx postfix/smtpd[2655149]: warning: 
> unknown[194.169.175.17]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

This just wastes a few CPU cycles and file system space.

> My questions are:
> 1. What's the purpose of this kind of attack? Brute force password 
> cracking, or DDoS?

They want to use your machine to send spam to the Internet.

> 2. How to strengthen email system security to stop this?

Don't accept mail from home networks. For example, use "reject_dbl_client
zen.spamhaus.org".  For this you must use your own DNS resolver,
not the DNS resolver from your ISP.

Wietse