MIX

--------

Topic: HOWTO: Protect against postfix AUTH DoS attacks

======== Required information ====

- iRedMail version: any

- Store mail accounts in which backend (LDAP/MySQL/PGSQL): any

- Linux/BSD distribution name and version: any

- Related log if you're reporting an issue:

I have tons of

Oct 19 06:30:49 mail postfix/smtpd[14043]: connect from unknown[151.237.190.118]

Oct 19 06:30:49 mail postfix/smtpd[14043]: lost connection after AUTH from unknown[151.237.190.118]

Oct 19 06:30:49 mail postfix/smtpd[14043]: disconnect from unknown[151.237.190.118]

Oct 19 06:30:49 mail postfix/smtpd[14043]: connect from unknown[151.237.190.118]

in my logs. If you are on the same boat and want to block such attacks, you can use fail2ban:

1/ add following section to the end of your /etc/fail2ban/jail.local

[postfix-auth] enabled = true filter = postfix.auth action = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp] # sendmail[name=Postfix, dest=you@mail.com] logpath = /var/log/mail.log

2/ create new file /etc/fail2ban/filter.d/postfix.auth.conf

[Definition] failregex = lost connection after AUTH from (.*)\[<HOST>\] ignoreregex =

3/ Restart fail2ban. Attacker will be blocked after five attempts.

---------