Protecting postfix from bruteforce attacks

postfixSecuritysmtp

a few days ago I've set up a VPS, including personal SMTP service using postfix + procmail under Debian / Wheezy.

I am already seeing a LOT of hammering onto the SMTP and other ports. Here's an excerpt:

Jul 31 09:06:25 [myserver] postfix/smtpd[15372]: warning: mail.thethirdroom.org[81.137.228.117]: SASL LOGIN authentication failed: authentication failure
Jul 31 10:00:02 [myserver] postfix/smtpd[20616]: warning: host245-192-static.36-88-b.business.telecomitalia.it[88.36.192.245]: SASL LOGIN authentication failed: authentication failure

There are multiple login attempts per second. Now, I am running sshguard to keep people from bruteforcing there (except if it was a distributed attempt), but postfix is still kind of vulnerable since sshguard does not support that.

Can anyone hint me at how to make this thing more secure?

Thanks a lot!

TL;DR: SMTP server getting hammered, would like to ban IPs after n faulty attempts.

Best Answer

Check out this tool Fail2Ban, it scans log files for malicious activity and fires off an event. There is bottled event handlers like creating a firewall to reject the offending IP, or you can make your own custom event handlers.

Related Solutions

Postfix filter incoming mails based on ‘mail from’ and ‘rcpt to’

Add in a restriction class. For example:

/etc/postfix/main.cf:
smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/recipient_access

smtpd_restriction_classes = no_russians
no_russians = check_sender_access pcre:/etc/postfix/no_russians


/etc/postfix/recipient_access:
recipient1@mydomain.com     no_russians
recipient2@mydomain.com     no_russians

/etc/postfix/no_russians:
/\.ru$/ REJECT

postfix – Prevent Users from Changing Real Email Address

Have a look at the smtpd_sender_restrictions and smtpd_sender_login_maps settings. The former can prevent malformed from addresses, while the latter can force the sender address to match the login name.

# Prevent malformed senders
smtpd_sender_restrictions =
    reject_non_fqdn_sender       # Ensure correct mail addresses
    reject_unknown_sender_domain # Ensure sender address is from an existing domain
    reject_authenticated_sender_login_mismatch # Check if the user is 
                                 # allowed to use this sender address

# Maps used to stop sender address forgeries.
smtpd_sender_login_maps = pcre:/etc/postfix/login_maps.pcre

The contents of login_maps.pcre could be

# Use this regex if your users are local users, i.e. if the login name
# is just the username, not a full mail address.
# Note that literal dots have to be backslash escaped (`\.`) to avoid
# interpretation of these dots as regex wildcard.
/^([^@+]*)(\+[^@]*)?@example\.com$/ ${1}

# If one doesn't care about subaddresses, this could be simplified to
/^(.*)@example\.com/ ${1}

# This is appropriate if you have virtual users who login with their
# full mail address as their username.  Local addresses won't work, though
/^(.*)$/    ${1}

The above config assumes that postfix was compiled with support for PCRE. On Ubuntu/Debian, this requires the postfix-pcre package to be installed.

Note that this will only work if nobody but authenticated users can send mail. If you allow mail from unauthenticated users, the above method won't help and will fail. Make sure to read Rui F Ribeiro's answer if that's the case.

Best Answer

Related Solutions

Postfix filter incoming mails based on ‘mail from’ and ‘rcpt to’

postfix – Prevent Users from Changing Real Email Address

Related Question