On 9/20/2019 4:12 PM, Daniel Miller wrote:
> I have what seems to be a reasonably stable and functional filter
> protecting my port 25 SMTP interface to the outside world. However,
> most filters (including postscreen) state they are not intended for
> use between MUAs and the MTA. Therefore my 587 submission port does
> not have additional filters beyond TLS & SASL AUTH.
>
> I'm seeing some higher levels of attempted logins from various
> sources. Are there any automated filters that are suggested? Or do I
> simply add a check_client_a_access and reference a manually
> maintained blacklist?

Depending on your user base, you may be able to limit the countries
where you offer AUTH. ipdeny.com maintains lists to use with various
firewalls, and hints on how to automate updates. These lists change
from time to time, so updates are important.

You can use fail2ban or similar to auto-block IPs that fail AUTH too
many times. Be generous, legit users do surprising things.

The various rate limits described in anvil(8) can slow down a flood
of connections. Be generous, legit clients do surprising things.
http://www.postfix.org/TUNING_README.html#conn_limit
http://www.postfix.org/anvil.8.html

You can use postfwd to disable an account or firewall an IP if it
sends too much mail per time period. Again, be generous, legit users
do surprising things.

I'll caution that any of these methods can block legit mail when
used too aggressively, so start modest and work your way up.

-- Noel Jones
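
Added example, not part of the message above and not fail2ban's own code: a sliding-window counter over Postfix "SASL ... authentication failed" log lines, showing how the threshold decides whether a mistyped password looks like an attack. The log lines are constructed (documentation IP ranges, a hypothetical postfix/submission syslog name), and the 10-failures-in-10-minutes default is an illustrative assumption, not a recommendation from the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Postfix smtpd logs a failed SASL attempt as:
#   warning: host[ip]: SASL <mech> authentication failed: <reason>
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\spostfix\S*/smtpd\[\d+\]:\s"
    r"warning:\s\S+\[(?P<ip>[0-9A-Fa-f.:]+)\]:\sSASL\s\S+\sauthentication failed")

def offenders(lines, max_fail=10, window=timedelta(minutes=10), year=2019):
    """Return {ip: time it first exceeded max_fail failures within window}."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside window
    flagged = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        # Classic syslog timestamps carry no year; the caller supplies it.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:   # forget failures older than the window
            q.popleft()
        if len(q) > max_fail and m["ip"] not in flagged:
            flagged[m["ip"]] = ts
    return flagged

def sample_lines():
    """Constructed log lines for the demo, not taken from a real server."""
    fmt = ("Sep 20 16:{m:02d}:{s:02d} mail postfix/submission/smtpd[4242]: "
           "warning: unknown[{ip}]: SASL LOGIN authentication failed: "
           "UGFzc3dvcmQ6")
    burst = [fmt.format(m=1, s=5 * i, ip="203.0.113.7") for i in range(12)]   # flood
    typo = [fmt.format(m=3, s=10 * i, ip="198.51.100.20") for i in range(3)]  # user typo
    slow = [fmt.format(m=4 * i, s=0, ip="192.0.2.99") for i in range(12)]     # retrying client
    return sorted(burst + typo + slow)   # same date/hour prefix, so text order is time order

if __name__ == "__main__":
    for ip, ts in offenders(sample_lines()).items():
        print(f"{ip} exceeded the limit at {ts}")
```

With the default threshold only the flooding address is flagged; dropping max_fail to 2 also flags the user who mistyped a password three times and the client that retries every four minutes.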