On Tue, 3 Sep 2019 at 02:55, Mike <[email protected]> wrote:

> At 04:03 PM 9/2/2019, Nick Howitt wrote:
>
> I use postfix but my plan of attack is different. I only allow
> authenticated logins on port 587 and block them on port 25. You have to
> keep 25 open to receive mails from outside but the port now becomes single
> purpose. Any legitimate relaying from the inside or outside is done through
> port 587 where (for the moment) there is a lot less hacking/probing traffic.
>
> That's basically what I want to do, but I want to restrict access to port
> 587.
>
> I think I may have, at least partially, done this by making these changes:
>
> /etc/postfix/master.cf
>
> smtps inet n - n - - smtpd
>   -o syslog_name=postfix/smtps
> # disable sasl auth on port 25
>   -o smtpd_sasl_auth_enable=no
> # -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject (COMMENT THIS OUT)
>
> This seems to have stopped a whole bunch of login attempts, but I'm still
> seeing a few attempts from IP space that I've blacklisted from port 587... So
> I'm not sure why I'm still occasionally seeing the attempt above? Is
> there a similar smtp (non-secure) section where I also need to add the
> command: smtpd_sasl_auth_enable=no under postfix?
>
> Here's an interesting post on Stack Exchange regarding this:
>
> https://unix.stackexchange.com/questions/145499/postfix-disable-authentication-through-port-25
>
> The post suggests there is no easy way to disable auth on port 25 without
> doing a dangerous/non-standard server configuration. Is this true?

No it isn't. This is a postfix discussion and you would get much better info by looking at postfix documentation (esp http://www.postfix.org/postconf.5.html) and/or on the postfix users mailing list.

Anyway:

SASL is blocked by default on any port unless you enable it with smtpd_sasl_auth_enable=yes

Port smtps is 465, not 25 (465 can be used for AUTH if you like but using smtpd_tls_wrappermode=yes.)

The port you want to alter is 'smtp' i.e. 25 (as the first word on the line - with 'smtpd' as the last). If this (in master.cf) contains parameter smtpd_sasl_auth_enable=yes then remove it. This should leave 587 ('submission') and maybe 465 ('smtps') as the ports for SASL.

A thought: it can be helpful to users to harvest the password attempts by spammers as this can reveal leaked passwords - not from your installation but from elsewhere on the web.

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
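
An added example, not part of the original thread and not Postfix's own code: a small Python audit that parses a master.cf and lists the smtpd services whose effective smtpd_sasl_auth_enable is yes, which is the check the reply describes for the 'smtp' (port 25) entry. The sample file, the function names and the assumed main.cf default of "no" are constructed for illustration.

```python
import shlex

# Constructed sample master.cf (not from the thread): SASL is switched off on
# smtps (465), as in the quoted attempt, but 'smtp' (port 25) still enables it.
SAMPLE_MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
  -o smtpd_sasl_auth_enable=yes
submission inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
smtps      inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/smtps
  # disable sasl auth
  -o smtpd_sasl_auth_enable=no
pickup     unix  n  -  n  60 1  pickup
"""

def parse_master_cf(text):
    """Return {service: {param: value}} for inet smtpd services (-o name=value form only)."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                            # blank and comment lines are ignored
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()    # leading whitespace continues an entry
        else:
            logical.append(raw.strip())
    services = {}
    for entry in logical:
        fields = shlex.split(entry)
        if len(fields) < 8 or fields[1] != "inet" or fields[7] != "smtpd":
            continue                            # only network listeners running smtpd
        args, overrides = fields[8:], {}
        for i, arg in enumerate(args[:-1]):
            if arg == "-o" and "=" in args[i + 1]:
                name, value = args[i + 1].split("=", 1)
                overrides[name] = value         # a later -o wins over an earlier one
        services[fields[0]] = overrides
    return services

def sasl_enabled_services(text, main_cf_default="no"):
    """List services whose effective smtpd_sasl_auth_enable is 'yes'."""
    services = parse_master_cf(text)
    return sorted(name for name, opts in services.items()
                  if opts.get("smtpd_sasl_auth_enable", main_cf_default) == "yes")

if __name__ == "__main__":
    print(sasl_enabled_services(SAMPLE_MASTER_CF))
```

Pass the smtpd_sasl_auth_enable value from your own main.cf as main_cf_default, since services without a -o override inherit it.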
