On 29/05/2024 14:07, Viktor Dukhovni via Postfix-users wrote:
On Wed, May 29, 2024 at 07:26:10AM -0400, John Hill via Postfix-users wrote:
The wrapper-mode TLS "smtps" rejects are naturally after the TLS
handshake.
    465 inet n - n - - smtpd
      -o smtpd_delay_reject=no
      -o {smtpd_client_restrictions=reject_rbl_client zen.spamhaus.org=127.0.0.4}
      -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    ...
    submission inet n - n - - smtpd
      -o smtpd_delay_reject=no
      -o {smtpd_client_restrictions=reject_rbl_client zen.spamhaus.org=127.0.0.4}
      -o smtpd_relay_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
All set up this way.
I will let it run overnight and see what hits.
Works like a charm.
1 SASL authentication failed ---
Only one.
Perhaps a bit of luck? For me, the XBL only catches around 10% of the
SASL probes. May your luck hold up.
The majority of the probes I see that are not stopped by XBL are
relatively harmless and don't get to try the AUTH command. They mainly
come from IPs that repeat in a short space of time (where potentially
fail2ban could be used) and
* fail in the STARTTLS for protocol or cipher issues
* disconnect without issuing STARTTLS so never get to the AUTH command
* try issuing AUTH without STARTTLS so get disconnected for too many invalid commands
The cases I have where AUTH has been tried and failed are relatively
few. They mainly come from fast-varying IPs, so fail2ban is not that
useful unless I want to start banning based on a single probe. They
usually appear to target specific existing users.
John
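
Added example (not part of the thread, and not code from any of the posters): a Python script that sorts submission-port sessions into the probe categories listed in the message above and reports which source IPs repeat often enough for a fail2ban-style threshold. It assumes the per-command "disconnect from" summary lines that Postfix 3.x logs; the sample log, the function names and the threshold of 3 are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the Postfix 3.x "disconnect from" summary format (assumed
# log format); addresses are from documentation ranges, not real traffic.
SAMPLE_LOG = """\
May 29 14:00:01 mx postfix/smtpd[101]: disconnect from unknown[192.0.2.10] ehlo=1 starttls=0/1 commands=1/2
May 29 14:00:09 mx postfix/smtpd[102]: disconnect from unknown[192.0.2.10] ehlo=1 starttls=0/1 commands=1/2
May 29 14:00:15 mx postfix/smtpd[103]: disconnect from unknown[192.0.2.10] ehlo=1 starttls=0/1 commands=1/2
May 29 14:02:40 mx postfix/smtpd[104]: disconnect from unknown[198.51.100.7] ehlo=1 quit=1 commands=2
May 29 14:03:11 mx postfix/smtpd[105]: disconnect from unknown[198.51.100.9] ehlo=1 auth=0/3 commands=1/4
May 29 14:10:00 mx postfix/smtpd[106]: disconnect from unknown[203.0.113.21] ehlo=2 starttls=1 auth=0/1 commands=3/4
May 29 14:25:30 mx postfix/smtpd[107]: disconnect from unknown[203.0.113.22] ehlo=2 starttls=1 auth=0/1 commands=3/4
May 29 14:41:02 mx postfix/smtpd[108]: disconnect from unknown[203.0.113.23] ehlo=2 starttls=1 auth=0/1 commands=3/4
May 29 14:50:00 mx postfix/smtpd[109]: disconnect from client.example[198.51.100.50] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
"""

LINE_RE = re.compile(r"disconnect from \S*\[([0-9a-fA-F.:]+)\]((?: \w+=\d+(?:/\d+)?)+)")

def classify(stats):
    """Map one session's command counters to a probe category, or None."""
    tls_ok = stats.get("starttls", "").isdigit()  # "1" = completed, "0/1" = failed
    auth = stats.get("auth")                      # "1" = all succeeded, "0/1" = failed
    if auth and auth.isdigit():
        return None  # every AUTH attempt succeeded: a normal login
    if "starttls" in stats and not tls_ok:
        return "starttls_failed"
    if auth:
        return "auth_failed" if tls_ok else "auth_without_starttls"
    return None if tls_ok else "no_starttls"

def summarize(log_text, repeat_threshold=3):
    """Per category: sessions, distinct IPs, IPs seen >= repeat_threshold times."""
    per_cat = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        stats = dict(kv.split("=") for kv in m.group(2).split())
        cat = classify(stats)
        if cat:
            per_cat[cat][m.group(1)] += 1
    return {cat: {"sessions": sum(ips.values()), "distinct_ips": len(ips),
                  "repeaters": sorted(ip for ip, n in ips.items() if n >= repeat_threshold)}
            for cat, ips in per_cat.items()}

if __name__ == "__main__":
    for cat, info in summarize(SAMPLE_LOG).items():
        print(cat, info)
```

Repeat counts cover the whole input rather than a time window, and wrapper-mode sessions on port 465 never show a starttls counter, so run it only over the STARTTLS submission service's lines.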