Re: postfix/smtpd connections from unknown users. Dealing with same?

2016-03-08 Thread Robert Chalmers
Yes, I am using postscreen.

So I’m presuming that’s enough.

postconf -n | grep postscreen

postscreen_access_list = permit_mynetworks, 
cidr:/usr/local/etc/postfix/postscreen_access.cidr, 
cidr:/usr/local/etc/postfix/postscreen_spf_whitelist.cidr
postscreen_bare_newline_action = enforce
postscreen_bare_newline_enable = yes
postscreen_bare_newline_ttl = 30d
postscreen_blacklist_action = drop
postscreen_cache_cleanup_interval = 12h
postscreen_cache_map = btree:$data_directory/postscreen_cache
postscreen_cache_retention_time = 7d
postscreen_client_connection_count_limit = $smtpd_client_connection_count_limit
postscreen_command_count_limit = 20
postscreen_command_filter =
postscreen_command_time_limit = ${stress?10}${stress:300}s
postscreen_disable_vrfy_command = $disable_vrfy_command
postscreen_discard_ehlo_keyword_address_maps = 
$smtpd_discard_ehlo_keyword_address_maps
postscreen_discard_ehlo_keywords = $smtpd_discard_ehlo_keywords
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map = texthash:/usr/local/etc/postfix/dnsbl_reply
postscreen_dnsbl_sites = zen.spamhaus.org*3, bl.mailspike.net*2, 
b.barracudacentral.org*2, bl.spameatingmonkey.net, bl.spamcop.net, 
dnsbl.sorbs.net, psbl.surriel.com, swl.spamhaus.org*-4, 
list.dnswl.org=127.[0..255].[0..255].0*-2, 
list.dnswl.org=127.[0..255].[0..255].1*-3, 
list.dnswl.org=127.[0..255].[0..255].[2..255]*-4, 
wl.mailspike.net=127.0.0.[17;18]*-1, wl.mailspike.net=127.0.0.[19;20]*-2, 
ix.dnsbl.manitu.net, bl.blocklist.de, list.dnswl.org=127.0.[0..255].0*-1, 
list.dnswl.org=127.0.[0..255].1*-2, list.dnswl.org=127.0.[0..255].[2..3]*-3, 
iadb.isipp.com=127.0.[0..255].[0..255]*-2, 
iadb.isipp.com=127.3.100.[6..200]*-2, wl.mailspike.net=127.0.0.[17;18]*-1, 
wl.mailspike.net=127.0.0.[19;20]*-2
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_ttl = 1h
postscreen_dnsbl_whitelist_threshold = -4
postscreen_enforce_tls = $smtpd_enforce_tls
postscreen_expansion_filter = $smtpd_expansion_filter
postscreen_forbidden_commands = $smtpd_forbidden_commands
postscreen_greet_action = enforce
postscreen_greet_banner = Bienvenue et merci d'attendre qu'on vous assigne une 
place
postscreen_greet_ttl = 1d
postscreen_greet_wait = ${stress?2}${stress:6}s
postscreen_helo_required = $smtpd_helo_required
postscreen_non_smtp_command_action = drop
postscreen_non_smtp_command_enable = yes
postscreen_non_smtp_command_ttl = 30d
postscreen_pipelining_action = enforce
postscreen_pipelining_enable = yes
postscreen_pipelining_ttl = 30d
postscreen_post_queue_limit = $default_process_limit
postscreen_pre_queue_limit = $default_process_limit
postscreen_reject_footer = $smtpd_reject_footer
postscreen_tls_security_level = $smtpd_tls_security_level
postscreen_use_tls = $smtpd_use_tls
postscreen_watchdog_timeout = 10s

> On 8 Mar 2016, at 16:37, @lbutlr  wrote:
> 
> On Mar 8, 2016, at 9:15 AM, Robert Chalmers  wrote:
>> I can put them in a postfix blacklist. And possible write a script to update 
>> the list on a daily basis as more are added.
> 
> Are you using postscreen? If not, you should. You’ll see dogs like:
> 
> Mar  8 09:35:20 mail postfix/postscreen[78466]: CONNECT from 
> [196.207.111.150]:55638 to [65.121.55.42]:25
> Mar  8 09:35:21 mail postfix/postscreen[78466]: PREGREET 22 after 0.87 from 
> [196.207.111.150]:55638: HELO 196.207.111.150\r\n
> Mar  8 09:35:21 mail postfix/postscreen[78466]: DNSBL rank 9 for 
> [196.207.111.150]:55638
> Mar  8 09:35:22 mail postfix/postscreen[78466]: NOQUEUE: reject: RCPT from 
> [196.207.111.150]:55638: 450 4.7.1 Service unavailable; client 
> [196.207.111.150] blocked using zen.spamhaus.org; from=<>, to=<*munged*>, 
> proto=SMTP, helo=<196.207.111.150>
> Mar  8 09:35:23 mail postfix/postscreen[78466]: HANGUP after 1.7 from 
> [196.207.111.150]:55638 in tests after SMTP handshake
> 
> If you want to blacklist them, you should look at something like sshguard.
> 
> -- 
> Behind every great man there's a woman with a vibrator -- Hawkeye Pierce
> 

Robert Chalmers
rob...@chalmers.com .au  Quantum Radio: 
http://tinyurl.com/lwwddov
Mac mini 6.2 - 2012, Intel Core i7,2.3 GHz, Memory:16 GB. El-Capitan 10.11.  
XCode 7.2.1
2TB: Drive 0:HGST HTS721010A9E630. Upper bay. Drive 1:ST1000LM024 HN-M101MBB. 
Lower Bay
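
The postconf output above relies on postscreen's weighted DNSBL scoring: each `postscreen_dnsbl_sites` entry is `domain[=reply-filter][*weight]`, the weights of matching entries are summed, and the sum is compared against `postscreen_dnsbl_threshold` (3) and `postscreen_dnsbl_whitelist_threshold` (-4). The following is an added example, not code from this thread or from Postfix, that parses a subset of that list and scores constructed DNSBL replies (a dict of DNSBL domain to the A records returned for a client); it assumes that an entry without a filter matches any reply and that each entry counts at most once per client.

```python
import re

# Subset of postscreen_dnsbl_sites and the two thresholds from the thread (constructed subset).
DNSBL_SITES = ("zen.spamhaus.org*3, bl.mailspike.net*2, b.barracudacentral.org*2, "
               "bl.spamcop.net, swl.spamhaus.org*-4, "
               "list.dnswl.org=127.[0..255].[0..255].0*-2, "
               "list.dnswl.org=127.[0..255].[0..255].[2..255]*-4, "
               "wl.mailspike.net=127.0.0.[17;18]*-1")
DNSBL_THRESHOLD = 3             # postscreen_dnsbl_threshold
DNSBL_WHITELIST_THRESHOLD = -4  # postscreen_dnsbl_whitelist_threshold

def _octet_matches(pattern, value):
    """One octet of a reply filter: a number, a [a..b] range or a [a;b..c] list."""
    if not pattern.startswith("["):
        return int(pattern) == value
    for item in pattern[1:-1].split(";"):
        lo, _, hi = item.partition("..")
        if int(lo) <= value <= int(hi or lo):
            return True
    return False

def parse_sites(spec):
    """Parse 'domain[=d.d.d.d][*weight]' entries into (domain, filter, weight)."""
    sites = []
    for entry in re.split(r"[,\s]+", spec.strip()):
        m = re.fullmatch(r"([^=*]+)(?:=([^*]+))?(?:\*(-?\d+))?", entry)
        domain, flt, weight = m.groups()
        octets = re.findall(r"\[[^\]]*\]|\d+", flt) if flt else None  # keep [..] intact
        sites.append((domain, octets, int(weight) if weight else 1))
    return sites

def dnsbl_rank(sites, replies):
    """Sum the weights of entries whose filter matches an A record returned for the
    client. Assumed here: no filter = any reply; each entry counts at most once."""
    rank = 0
    for domain, flt, weight in sites:
        for addr in replies.get(domain, ()):
            octets = [int(o) for o in addr.split(".")]
            if flt is None or all(map(_octet_matches, flt, octets)):
                rank += weight
                break
    return rank

def score_client(replies):
    """Return (rank, outcome) the way postscreen's two thresholds decide it."""
    rank = dnsbl_rank(parse_sites(DNSBL_SITES), replies)
    if rank >= DNSBL_THRESHOLD:
        return rank, "enforce"      # postscreen_dnsbl_action = enforce
    if rank <= DNSBL_WHITELIST_THRESHOLD:
        return rank, "whitelist"    # client skips the remaining postscreen tests
    return rank, "pass"
```

A client listed only by bl.mailspike.net (weight 2) stays under the threshold of 3, which is why the list stacks several weighted sources rather than blocking on any single hit.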

Re: postfix/smtpd connections from unknown users. Dealing with same?

2016-03-08 Thread @lbutlr
On Mar 8, 2016, at 9:15 AM, Robert Chalmers  wrote:
> I can put them in a postfix blacklist. And possible write a script to update 
> the list on a daily basis as more are added.

Are you using postscreen? If not, you should. You’ll see dogs like:

Mar  8 09:35:20 mail postfix/postscreen[78466]: CONNECT from 
[196.207.111.150]:55638 to [65.121.55.42]:25
Mar  8 09:35:21 mail postfix/postscreen[78466]: PREGREET 22 after 0.87 from 
[196.207.111.150]:55638: HELO 196.207.111.150\r\n
Mar  8 09:35:21 mail postfix/postscreen[78466]: DNSBL rank 9 for 
[196.207.111.150]:55638
Mar  8 09:35:22 mail postfix/postscreen[78466]: NOQUEUE: reject: RCPT from 
[196.207.111.150]:55638: 450 4.7.1 Service unavailable; client 
[196.207.111.150] blocked using zen.spamhaus.org; from=<>, to=<*munged*>, 
proto=SMTP, helo=<196.207.111.150>
Mar  8 09:35:23 mail postfix/postscreen[78466]: HANGUP after 1.7 from 
[196.207.111.150]:55638 in tests after SMTP handshake

If you want to blacklist them, you should look at something like sshguard.

-- 
Behind every great man there's a woman with a vibrator -- Hawkeye Pierce

Re: postfix/smtpd connections from unknown users. Dealing with same?

2016-03-08 Thread Wietse Venema
Robert Chalmers:
> This afternoon, over the course of about 4 hours, I've logged 741
> connections like this.
> 
> Mar  8 15:05:46 zeus postfix/smtpd[92324]: connect from unknown[185.130.5.90]
> Mar  8 15:07:30 zeus postfix/smtpd[92616]: connect from 
> unknown[131.161.138.190]
> Mar  8 15:07:39 zeus postfix/smtpd[92324]: connect from 
> unknown[113.160.205.81]
> Mar  8 15:07:45 zeus postfix/smtpd[92616]: connect from 
> unknown[181.142.12.223]
> Mar  8 15:08:00 zeus postfix/smtpd[92324]: connect from unknown[181.168.4.42]
> Mar  8 15:08:00 zeus postfix/smtpd[93053]: connect from 
> unknown[116.105.182.54]

If the load bothers you, let it be handled by postscreen with a few
good DNSBLs (on my machine, that eliminates 90% of inbound SMTP
connections; only 10% end up talking to an smtpd process).

> So, is the best way of dealing with this list of numbers, and I
> can extract - and have extracted - just the ip numbers.

Don't waste your time. The odds that the same client keeps coming
back are small.

Wietse