At 04:03 PM 9/2/2019, Nick Howitt wrote:
I use postfix but my plan of attack is
different. I only allow authenticated logins on
port 587 and block them on port 25. You have to
keep 25 open to receive mails from outside but
the port now becomes single purpose. Any
legitimate relaying from the inside or outside
is done through port 587 where (for the moment)
there is a lot less hacking/probing traffic.
That's basically what I want to do, but I want to restrict access to port 587.
I think I may have, at least partially, done this by making these changes:
/etc/postfix/master.cf
smtps inet n - n - - smtpd
  -o syslog_name=postfix/smtps
# disable sasl auth on port 25
  -o smtpd_sasl_auth_enable=no
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject   (COMMENT THIS OUT)
This seems to have stopped a whole bunch of login
attempts, but I'm still seeing a few attempts
from IP space that I've blacklisted from port 587:
Sep 2 20:42:49 hst auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=chris12 rhost=177.66.229.44
I've basically blocked all traffic from 177.0.0.0/8 to these ports:
ftp-data,ftp,ssh,telnet,pop3,imap,submission,ftps-data,ftps,imaps,994,pop3s,sieve
So I'm not sure why I'm still occasionally seeing the attempt above?
Any ideas? There must be one hole I haven't filled.
Is there a similar smtp (non-secure) section
where I also need to add the command: smtpd_sasl_auth_enable=no under postfix?
Here's an interesting post on Stack Exchange regarding this:
https://unix.stackexchange.com/questions/145499/postfix-disable-authentication-through-port-25
The post suggests there is no easy way to disable
auth on port 25 without doing a dangerous/non-standard server configuration.
Is this true?
- Mike
Nick
On 02/09/2019 21:32, Mike wrote:
At 02:57 PM 9/2/2019, you wrote:
Hi,
>Sep 1 21:44:46 hst postfix/smtpd[28571]: connect from unknown[101.89.216.243]
>Sep 1 21:44:51 hst postfix/smtpd[28571]: warning: unknown[101.89.216.243]: SASL LOGIN authentication failed: UGFje8vcmQ6
>
>What port is this being conducted on?
>
>Is this smtp port 25?
SASL is usually used on the submission port, 587.
Do you have SASL enabled on port 25? If so,
it's a good idea to only leave it enabled on port 587.
I am not sure if I do. I don't see anything
in my /etc/dovecot/dovecot.conf file relating
to sasl ports (or in any of the dovecot/conf.d/* files).
I've revised my iptables port blocking to see
if blocking 587 stops the login attempts.
Anybody know what settings in Dovecot/CentOS might relate to this?
So I assume port 587 is an alternative smtp
port, usually reserved for localized
traffic? Blocking it won't affect normal mail flow?
- Mike
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
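
Added example (not part of the original thread, and not code from Postfix or fail2ban): in master.cf a "-o" override applies only to the service entry it sits under, and an entry without one inherits the main.cf value, so this Python sketch lists the effective smtpd_sasl_auth_enable for each smtpd listener. The sample master.cf, the function names and the main.cf value passed in are constructed assumptions.

```python
# Added example: report which smtpd listeners in a master.cf accept SASL AUTH.
# SAMPLE_MASTER_CF is constructed for illustration, not taken from the thread.
SAMPLE_MASTER_CF = """\
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes
# a comment between continuation lines is skipped
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
smtps      inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_sasl_auth_enable=no
pickup     unix  n       -       n       60      1       pickup
"""

def logical_lines(text):
    """Join continuation lines (leading whitespace) and drop comments/blanks."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()   # continues the previous service entry
        else:
            out.append(raw.strip())        # starts a new service entry
    return out

def sasl_by_listener(text, main_cf_default="no"):
    """Map each inet smtpd service to its effective smtpd_sasl_auth_enable."""
    result = {}
    for line in logical_lines(text):
        f = line.split()
        # fields: service type private unpriv chroot wakeup maxproc command args...
        if len(f) < 8 or f[1] != "inet" or f[7] != "smtpd":
            continue
        value = main_cf_default            # inherited from main.cf unless overridden
        args = f[8:]
        for i, a in enumerate(args):
            if a == "-o" and i + 1 < len(args):
                name, _, val = args[i + 1].partition("=")
                if name == "smtpd_sasl_auth_enable":
                    value = val            # per-service override from master.cf
        result[f[0]] = value
    return result

if __name__ == "__main__":
    # Assumes main.cf sets smtpd_sasl_auth_enable = yes.
    for svc, val in sasl_by_listener(SAMPLE_MASTER_CF, "yes").items():
        print(f"{svc:12} smtpd_sasl_auth_enable={val}")
```

With the main.cf value assumed to be "yes", the constructed "smtp" entry (port 25) still reports yes, because the only "no" override sits under "smtps".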