• Slavko via Exim-users [2022-06-24 06:08]:
[...]
> That is pretty simple, just add this IP to firewall's DROP. To automatize
> its banning, use fail2ban. But be aware, that they will often try from
> other IP soon. I have 100 - 800 different IPs per day, most of them
> have only one attempt allowed here, it is some thousands of IPs in last
> 24 days (maximum ipset timeout) from whole world.

I've found AuthBL from Spamhaus and Abusix to be very useful. Any
blocked attempt from anything listed there is getting added to host's
firewall within 5 mins (to avoid logspam):

acl_check_auth:
  deny    !encrypted = *
          message = Server policy requires encrypted connection

  accept  hosts = +relay_hosts : +permit_hosts

  deny    message = Sender host blocked (source: DNS)
          log_message = Sender host blocked (source: AuthBL)
          dnslists = +exclude_unknown : XYZ.authbl.dq.spamhaus.net
          delay = 60s

  deny    message = Sender host blocked (source: DNS)
          log_message = Sender host blocked (source: Abusix)
          dnslists = +exclude_unknown : XYZ.authbl.mail.abusix.zone
          delay = 60s

  accept

> I am happy, that i long time ago decided to separate MX & MSA roles
> even for my small email system, which allow me simple reject
> "EHLO User" (and other strict rules) on MX port's 25, which are common
> on MSA.

I tend to make my MUAs say "EHLO there" or "EHLO world" :)
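One way to turn the log_message lines written by the ACL above into firewall entries, as an added example that is not part of the original post. The mainlog line shape, the set names authbl4/authbl6 and the sample lines are assumptions made for illustration.

```python
import ipaddress
import re

MAX_TIMEOUT = 2147483  # largest ipset timeout in seconds, just under 25 days

# Assumed log shape: "... H=(helo) [ip]:port ... rejected AUTH <mech>: <log_message>"
# Anchoring on "H=[" or " [" skips address literals in the HELO, e.g. H=([10.0.0.1]).
REJECT_RE = re.compile(
    r"(?:\bH=| )\[(?P<ip>[0-9A-Fa-f:.]+)\](?::\d+)? .*?rejected AUTH .*"
    r"Sender host blocked \(source: (?P<src>AuthBL|Abusix)\)"
)

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE = [
    "2022-06-24 06:01:02 H=(User) [203.0.113.5] rejected AUTH LOGIN: "
    "Sender host blocked (source: AuthBL)",
    "2022-06-24 06:01:09 H=([192.168.1.10]) [198.51.100.7]:51234 I=[192.0.2.1]:587 "
    "rejected AUTH PLAIN: Sender host blocked (source: Abusix)",
    "2022-06-24 06:02:00 H=(there) [2001:db8::25] rejected AUTH LOGIN: "
    "Sender host blocked (source: AuthBL)",
    "2022-06-24 06:02:30 H=(User) [203.0.113.5] rejected AUTH LOGIN: "
    "Sender host blocked (source: AuthBL)",
    "2022-06-24 06:03:00 H=(world) [192.0.2.44] rejected AUTH LOGIN: "
    "Server policy requires encrypted connection",
]

def blocked_hosts(lines, allow=()):
    """Return {address: source} for hosts denied by the two DNSBL stanzas."""
    nets = [ipaddress.ip_network(n) for n in allow]
    found = {}
    for line in lines:
        m = REJECT_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # bracketed text that is not a valid address
        if any(ip in n for n in nets):
            continue  # never firewall hosts on the local allow list
        found.setdefault(ip, m["src"])  # repeat offenders are listed once
    return found

def ipset_restore(found, timeout=MAX_TIMEOUT):
    """Render `ipset restore` input; IPv4 and IPv6 need separate sets."""
    ordered = sorted(found, key=lambda a: (a.version, a))
    return [f"add authbl{ip.version} {ip} timeout {timeout} -exist" for ip in ordered]

if __name__ == "__main__":
    print("\n".join(ipset_restore(blocked_hosts(SAMPLE))))
```

Both sets must already exist and be created with timeout support (one `family inet`, one `family inet6`) before the lines are piped to `ipset restore`.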