On Wed, Oct 23, 2024 at 10:51:38AM +0300, Ivan Ionut via Postfix-users wrote:
> 2) I have two lists of ipsets ip and ip-cidr blocked for ports
> 110,143,993,995,465 - daily updated with a custom script
That's too tedious to maintain. You can block known compromised SASL
attempts on submission via the XBL, by setting "smtpd_delay_reject=no"
and adding an RBL lookup to the client restrictions.

submission inet n - n - - smtpd
  -o smtpd_delay_reject=no
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_security_level=encrypt
  -o {smtpd_client_restrictions=reject_rbl_client zen.spamhaus.org=127.0.0.4}
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
  -o smtpd_recipient_restrictions=
  -o smtpd_data_restrictions=
  -o smtpd_end_of_data_restrictions=
  -o always_add_missing_headers=yes
  -o header_checks=
  -o body_checks=
  ...

For fresh sources, use fail2ban, with a very short TTL (around an hour),
to minimise collateral damage. Or don't bother, if you don't have
logins with weak passwords.
--
Viktor.
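
Added example, not part of the original message: a sketch of the lookup behind "reject_rbl_client zen.spamhaus.org=127.0.0.4", showing that only an answer of exactly 127.0.0.4 rejects the client while other answers from the same zone do not. The function names and the sample zone data are constructed for this example; the return codes other than 127.0.0.4 follow Spamhaus's published conventions and are not taken from the message.

```python
import ipaddress
import socket

ZONE = "zen.spamhaus.org"
XBL_CODE = "127.0.0.4"  # the value the master.cf filter above matches on

def dnsbl_query_name(client_ip, zone=ZONE):
    """Build the DNSBL lookup name: reversed address labels, then the zone."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        labels = reversed(str(ip).split("."))
    else:
        # IPv6 is queried one hex nibble per label, lowest nibble first.
        labels = reversed(ip.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone

def rbl_decision(client_ip, resolve, zone=ZONE, want=XBL_CODE):
    """Mimic reject_rbl_client zone=want: reject only when an A record equals want."""
    answers = resolve(dnsbl_query_name(client_ip, zone))
    return "reject" if want in answers else "pass"

def dns_resolve(name):
    """Live resolver for real use; NXDOMAIN (not listed) yields an empty list."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

# Constructed sample answers (documentation addresses, not real listings).
SAMPLE_ZONE = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.4"],                # XBL: exploited host
    "11.2.0.192.zen.spamhaus.org": ["127.0.0.10"],               # PBL only: ordinary dynamic IP
    "12.2.0.192.zen.spamhaus.org": ["127.0.0.4", "127.0.0.10"],  # both lists
    "13.2.0.192.zen.spamhaus.org": ["127.255.255.254"],          # resolver error code
}

def sample_resolve(name):
    """Offline stand-in for dns_resolve, backed by SAMPLE_ZONE."""
    return SAMPLE_ZONE.get(name, [])

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.99"):
        print(ip, dnsbl_query_name(ip), rbl_decision(ip, sample_resolve))
```

Without the "=127.0.0.4" filter, the PBL-only and error-code answers would also reject, which on a submission port would lock out legitimate users on residential addresses.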