On Wednesday 07/10/2015 at 8:35 am, Voytek wrote:
It looks like I have a couple of compromised user accounts on one of the domains on this server. I've changed the user password and then even deleted the user (through postfixadmin), but that didn't help? I can see this in the log:

Oct  8 00:27:57 emu postfix/smtpd[7655]: 87E6B5E791:
client=unknown[104.200.78.121], sasl_method=LOGIN,
sasl_username=c...@dom.org.au
Oct  8 00:27:58 emu postfix/smtpd[7678]: 645845FCCE:
client=unknown[104.200.78.121], sasl_method=LOGIN,
sasl_username=b...@dom.org.au
Oct  8 00:28:02 emu postfix/smtpd[7678]: 3F6925FB48:
client=unknown[104.200.78.121], sasl_method=LOGIN,
sasl_username=b...@dom.org.au
Oct  8 00:28:02 emu postfix/smtpd[7655]: 56C165FD24:
client=unknown[104.200.78.121], sasl_method=LOGIN,
sasl_username=c...@dom.org.au

I've also tried adding this to main.cf: "check_sasl_access hash:/etc/postfix/sasl_access"

smtpd_recipient_restrictions =
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unlisted_recipient,
    check_policy_service inet:127.0.0.1:7777,
    permit_mynetworks,
    check_sasl_access hash:/etc/postfix/sasl_access
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/recipient_no_checks,
    check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
    check_helo_access hash:/etc/postfix/helo_checks,
    check_sender_access hash:/etc/postfix/sender_checks,
    check_client_access hash:/etc/postfix/client_checks,
    check_client_access pcre:/etc/postfix/client_checks.pcre,
    reject_rbl_client zen.spamhaus.org,
    reject_rhsbl_client dbl.spamhaus.org,
    reject_rhsbl_sender dbl.spamhaus.org,
    reject_rbl_client psbl.surriel.com,
    reject_rhsbl_sender dsn.rfc-ignorant.org,
    check_policy_service inet:127.0.0.1:10031

# cat /etc/postfix/sasl_access
cas HOLD
bank HOLD
cas...@dom.org.au HOLD
bankst...@dom.org.au HOLD

but I see new log entries all the time.

What do I need to do?

I solved our serious compromised-user problems with postfwd rate-limiting, both per user and per IP. When thresholds were met, HOLD all mail and send an alert. I refined the per-user rate-limiting with multiple thresholds, by harvesting which users were legitimate senders of high volumes.

I also wrote a little script that HOLDs any user that sends from more than <threshold> IPs in <x> minutes. First, I harvested 90 days of logs to see which users legitimately sent from several IPs, and put those users in a whitelist for the too-many-IPs control, but not for the postfwd rate-limiting controls.

Len
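As an added illustration of the too-many-IPs control Len describes (this is not Len's script, and the thresholds, window, whitelist and sample log lines below are constructed for the example), the following parses postfix/smtpd accept lines of the kind quoted above, counts distinct client IPs per SASL user inside a sliding time window, skips whitelisted users, and renders the hits in the same "user HOLD" form as the sasl_access file in the thread:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(  # postfix/smtpd accept line as in the thread, joined onto one line
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: \w+: "
    r"client=\S+?\[(?P<ip>[\d.]+)\], sasl_method=\S+, sasl_username=(?P<user>\S+)"
)

def parse_line(line, year=2015):
    m = LOG_RE.search(line)
    if not m:
        return None  # not a SASL-authenticated smtpd accept line
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]

def users_over_ip_threshold(lines, max_ips, window_minutes, whitelist=()):
    """{user: ips} for non-whitelisted users seen from more than max_ips
    distinct client IPs within any window of window_minutes."""
    events = defaultdict(list)
    for parsed in filter(None, map(parse_line, lines)):
        ts, user, ip = parsed
        if user not in whitelist:
            events[user].append((ts, ip))
    window, flagged = timedelta(minutes=window_minutes), {}
    for user, evs in events.items():
        evs.sort()
        start = 0
        for end, (ts, _) in enumerate(evs):
            while evs[start][0] < ts - window:  # drop events older than the window
                start += 1
            ips = {ip for _, ip in evs[start:end + 1]}
            if len(ips) > max_ips:
                flagged[user] = ips
                break
    return flagged

def hold_map_lines(flagged):  # access(5) entries in the thread's sasl_access format
    return [f"{user} HOLD" for user in sorted(flagged)]

# Constructed sample log lines (RFC 5737 test addresses, made-up users).
SAMPLE_LOG = [
    "Oct  8 00:27:57 emu postfix/smtpd[7655]: 87E6B5E791: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=alice@example.org",
    "Oct  8 00:28:30 emu postfix/smtpd[7678]: 645845FCCE: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=alice@example.org",
    "Oct  8 00:29:02 emu postfix/smtpd[7678]: 3F6925FB48: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice@example.org",
    "Oct  8 00:29:40 emu postfix/smtpd[7655]: 1A2B3C4D5E: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=carol@example.org",
    "Oct  8 00:29:41 emu postfix/smtpd[7655]: 2B3C4D5E6F: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=carol@example.org",
    "Oct  8 00:29:42 emu postfix/smtpd[7655]: 3C4D5E6F70: client=unknown[192.0.2.77], sasl_method=LOGIN, sasl_username=carol@example.org",
]
WHITELIST = {"carol@example.org"}  # known legitimate multi-IP sender (constructed)
```

Running `hold_map_lines(users_over_ip_threshold(SAMPLE_LOG, 2, 10, WHITELIST))` on the sample yields only alice, since carol is whitelisted; feeding real logs in and writing the result to the sasl_access map (followed by postmap) is left to the operator.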
