3

My SMTP server is being probed. It looks like a brute force attach on SASL, where they're going through a password dictionary.

Having seen thousands of these lines in the log files

Sep 18 14:09:52 xxx postfix/smtpd[7412]: connect from ca255.calcit.fastwebserver.de[146.0.42.124]
Sep 18 14:09:55 xxx postfix/smtpd[7412]: warning: ca255.calcit.fastwebserver.de[146.0.42.124]: SASL LOGIN authentication failed: authentication failure
Sep 18 14:09:55 xxx postfix/smtpd[7412]: lost connection after AUTH from ca255.calcit.fastwebserver.de[146.0.42.124]
Sep 18 14:09:55 xxx postfix/smtpd[7412]: disconnect from ca255.calcit.fastwebserver.de[146.0.42.124]

I modified my main.cf like this:

inet_interfaces = all
smtpd_sasl_auth_enable=yes
smtpd_helo_required = yes
smtpd_sender_restrictions = reject_unknown_address

smtpd_client_restrictions =  check_client_access hash:/etc/postfix/maps/access_client,
                             permit_mynetworks,
                             reject

smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/maps/access_client,
                               permit_mynetworks,
                               reject_non_fqdn_sender,
                               reject_non_fqdn_recipient,
                               reject_unknown_sender_domain,
                               reject_unknown_recipient_domain,
                               permit_sasl_authenticated,
                               reject_unauth_pipelining,
                               reject_unauth_destination,
                               reject_rbl_client zen.spamhaus.org,
                               reject_rbl_client list.dsbl.org
                               permit

broken_sasl_auth_clients = yes

And my /etc/postfix/maps/access_client only has this line:

146.0.42.124 REJECT

However after restarting postfix there is still no change in behaviour, I still see the same error, so SASL is still being checked, even though I thought with these settings the client would be rejected based on its IP address before SASL even comes into the game ?

A 2nd question is - I am relaying outgoing mail traffic from one machine to another on the internal network - apart from the 'relayhost' setting on the machine that just relays, can I keep the rest of the postfix settings the same on both ?

Improve this question

2 Answers 2

Reset to default
4

If you want to disable SASL AUTH for specific IPs or IP ranges without the side-effects of smtpd_delay_reject = no, take a look at the smtpd_discard_ehlo_keyword_address_maps keyword. Example configuration and explanation:

Configuration

First, we set up the keyword in /etc/postfix/main.cf:

smtpd_discard_ehlo_keyword_address_maps = cidr:/etc/postfix/esmtp_cidr

Now we define our blacklist in /etc/postfix/esmtp_cidr (the file we just specified):

# /etc/postfix/esmtp_cidr
91.200.12.0/24  auth
155.133.82.77   auth
146.0.42.124    auth

As this is a cidr: list file, no postmap run is required. But we need to tell Postfix to reload its configuration:

service postfix reload

Explanation

Now, what does that mean? For the addresses specified (either full IP or an IP range in this example), we told Postfix to disable a specific ESMTP feature: AUTH. This means, the hosts covered no longer can use SASL. Let's check the log:

Aug 11 22:37:39 xxx postfix/smtpd[32630]: connect from unknown[91.200.12.98]
Aug 11 22:37:39 xxx postfix/smtpd[32630]: discarding EHLO keywords: AUTH
Aug 11 22:37:39 xxx postfix/smtpd[32630]: lost connection after AUTH from unknown[91.200.12.98]
Aug 11 22:37:39 xxx postfix/smtpd[32630]: disconnect from unknown[91.200.12.98]

So we got what we want, without having to use smtpd_delay_reject = no, and thus don't need to fear the side-effects of the latter.

Note: the very same way you can forbid clients to use other ESMTP features, such as pipelining or starttls. A list of available keywords can e.g. be found in this Wikipedia article. Other than with smtpd_sasl_exceptions_networks, those keywords will not only not be announced, but they won't be accepted at all – as the log shows.

Improve this answer
3

Postfix doesn't evaluate the smtpd_client_restrictions until the RCPT TO (or ETRN) command is sent.

http://www.postfix.org/SMTPD_ACCESS_README.html#timing

Current Postfix versions postpone the evaluation of client, helo and sender restriction lists until the RCPT TO or ETRN command. This behavior is controlled by the smtpd_delay_reject parameter. Restriction lists are still evaluated in the proper order of (client, helo, etrn) or (client, helo, sender, relay, recipient, data, or end-of-data) restrictions. When a restriction list (example: client) evaluates to REJECT or DEFER the restriction lists that follow (example: helo, sender, etc.) are skipped.

Thus you can get around this by setting the following in your main.cf:

smtpd_delay_reject = no

 

As for your second question, there are so many controls for postfix, this is near impossible to answer without having complete details of your network, postfix configuration, and client configuration. Best way is to just try it.

Improve this answer
1
  • 1
    Good pointer which is missed in many howtos. I was about to use that – until I've read the entire section behind the link. Make sure to check the bullet-points at its end for side effects. // I wish there were a way e.g. the SASL AUTH could be "faked" in such cases, so the client is rejected at the proper place (with the proper information gathered) without being given the possibility of "brute-forcing SASL" – and without the other trade-offs mentioned. Commented Aug 11, 2017 at 18:39

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.