On 6/9/15 6:19 PM, Scott Lambert wrote:
On Tue, Jun 09, 2015 at 07:23:43PM +0000, Viktor Dukhovni wrote:
On Tue, Jun 09, 2015 at 02:26:20PM -0400, Forrest wrote:

So that log entry might be for the submission port, unless you've
configured it along the lines above.
I believe this is already set in my master.cf, which is:

smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
         -o syslog_name=postfix/submission
         -o smtpd_tls_security_level=may
In that case, consider disabling SASL auth by default (main.cf),
and enabling it only for the submission service.  That should
eliminate all the port 25 SASL attacks.
This is something I've recently had to do to allow mail from "the world"
while firewalling off everything except "nearby" to authenticate via the
submission port.  The bruteforcers were overwhelming my authentication
database.

I just added "-o smtpd_sasl_auth_enable=no" to the smtp entry in
master.cf.  This led to a lot of support calls from users with Outlook
set to use port 25 for submission.

I've been looking for, but haven't found, yet, a postfix option that
would delay x seconds after a failed auth attempt.  We still use
fail2ban, but the botnets are just too large.


In this scenario, it would make sense to have a throttle option /in/ Postfix (as opposed to an external tool). Or whatever other clever mechanisms to help deal with the bots and script kiddies.
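
Added example, not part of the original thread: a Python check of the advice quoted above (SASL auth off by default, on only for submission) that computes the effective smtpd_sasl_auth_enable for each smtpd service in master.cf. The master.cf text is the one posted in the thread; the main.cf default passed in and the extra "-o smtpd_sasl_auth_enable=yes" line are assumptions, and the function names are hypothetical.

```python
import re

# master.cf as posted in the thread (constructed copy for this example).
MASTER_BEFORE = """\
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
         -o syslog_name=postfix/submission
         -o smtpd_tls_security_level=may
"""
# Assumed variant following the advice: submission re-enables SASL itself.
MASTER_AFTER = MASTER_BEFORE + "         -o smtpd_sasl_auth_enable=yes\n"


def logical_lines(text):
    """Join master.cf continuation lines (leading whitespace) onto their entry."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    return entries


def sasl_by_service(master_cf, main_cf_default):
    """Return {service: effective smtpd_sasl_auth_enable} for smtpd services."""
    result = {}
    for entry in logical_lines(master_cf):
        fields = entry.split()
        if len(fields) < 8 or fields[7] != "smtpd":
            continue
        value = main_cf_default  # main.cf value applies unless overridden
        # Only the plain "-o name=value" form is handled; the last override wins.
        for m in re.finditer(r"-o\s+smtpd_sasl_auth_enable\s*=\s*(\S+)", entry):
            value = m.group(1)
        result[fields[0]] = value
    return result


def exposed_services(master_cf, main_cf_default):
    """smtpd services other than submission that still offer AUTH."""
    effective = sasl_by_service(master_cf, main_cf_default)
    return [s for s, v in effective.items() if v == "yes" and s != "submission"]
```

Pass the value reported by "postconf -h smtpd_sasl_auth_enable" as main_cf_default; an empty result from exposed_services means port 25 no longer offers AUTH.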


