MIX
--------
Topic: HOWTO: Protect against postfix AUTH DoS attacks
======== Required information ====
- iRedMail version: any
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): any
- Linux/BSD distribution name and version: any
- Related log if you're reporting an issue:
I have tons of
Oct 19 06:30:49 mail postfix/smtpd[14043]: connect from unknown[151.237.190.118]
Oct 19 06:30:49 mail postfix/smtpd[14043]: lost connection after AUTH from unknown[151.237.190.118]
Oct 19 06:30:49 mail postfix/smtpd[14043]: disconnect from unknown[151.237.190.118]
Oct 19 06:30:49 mail postfix/smtpd[14043]: connect from unknown[151.237.190.118]
in my logs. If you are on the same boat and want to block such attacks, you can use fail2ban:
1/ add following section to the end of your /etc/fail2ban/jail.local
[postfix-auth] enabled = true filter = postfix.auth action = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp] # sendmail[name=Postfix, dest=you@mail.com] logpath = /var/log/mail.log
2/ create new file /etc/fail2ban/filter.d/postfix.auth.conf
[Definition] failregex = lost connection after AUTH from (.*)\[<HOST>\] ignoreregex =
3/ Restart fail2ban. Attacker will be blocked after five attempts.
---------