How to limit SMTP sending in a specific time

NicoB · June 13, 2024, 7:34pm

NethServer Version: 7.9.2009

Module: Antivirus, Collectd Charts, Email, Fail2Ban, Report, Webserver, Webmail.

Hi everyone, is there a method that limit the SMTP mail sending in a specific time?

I would like to protect my NS against become a spammer, I need to find the way to send no more of 200 messages per hour.

Somebody can tell me how to get it?

Thanks in advance.

Nico

stephdl · June 14, 2024, 5:27am

I recall a jail of fail2ban that can does it. It is enabled but I do not recall how many email per hour you can do it

stephdl · June 14, 2024, 5:30am

github.com

NethServer/nethserver-fail2ban/blob/master/root/etc/e-smith/templates/etc/fail2ban/jail.local/10Postfix

{
    use NethServer::Fail2Ban;
    return ("\n#postfix not used on this server\n") if (! NethServer::Fail2Ban::listPostfixJails());
    my $port = $postfix{TCPPorts}|| '25,465,587';
    my $maxretry = $fail2ban{Postfix_MaxRetry} || $fail2ban{MaxRetry} || '3';
    my $postfixSaslAbuseMaxRetry = $fail2ban{PostfixSaslAbuse_MaxRetry} || $maxretry*33 || '100';
    my $ignoreipSaslAbuse = $localAccess.','.($fail2ban{PostfixSaslAbuse_IgnoreIP}||'');
    $ignoreipSaslAbuse =~ s/,/ /g;

    foreach (NethServer::Fail2Ban::listPostfixJails()) {
        $OUT .= "\n[$_]\n";
        $OUT .= "enabled = true\n";
        $OUT .= "port = $port\n";
        $OUT .= "logpath = /var/log/maillog\n";
        if ( $_ eq 'postfix-sasl-abuse') {
            $OUT .= "maxretry = $postfixSaslAbuseMaxRetry\n";
            $OUT .= "ignoreip = $ignoreipSaslAbuse\n\n";
        } else {
            $OUT .= "maxretry = $maxretry\n\n";
        }

This file has been truncated. show original

stephdl · June 14, 2024, 5:35am

github.com

NethServer/nethserver-fail2ban/blob/master/root/etc/fail2ban/filter.d/postfix-sasl-abuse.conf

# Fail2Ban filter for postfix authentication abuse
# Find good smtpd sasl authentification and ban the IP in case of abuse (33*MaxRetry)
# author stephane de Labrusse <stephdl@de-labrusse.fr>

[INCLUDES]

before = common.conf

[Definition]

_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]

failregex = ^%(__prefix_line)s.*\[<HOST>\], sasl_method=(LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5), sasl_username=\S+$

ignoreregex =

[Init]

journalmatch = _SYSTEMD_UNIT=postfix.service

This file has been truncated. show original

stephdl · June 14, 2024, 5:37am

The count is 33 x the maxtime per the findtime

So set the findtime to one hour and the maxretry to 6

If a user try to send more than the authorized quota then it is banned for a while. For what I recall the localhost is whitelisted

stephdl · June 14, 2024, 5:39am

@davidep we should think to protect NS8 like we did for NS7

davidep · June 14, 2024, 7:34am

I’m afraid we are off-topic with NS8 here.

I would like to protect my NS against become a spammer, I need to find the way to send no more of 200 messages per hour.

This seems to me a request for outbound messages rate limit. It is not about banning IPs for auth failures with Fail2Ban.

Maybe Postfix has a sending rate limit that can be set with a custom config?

stephdl · June 14, 2024, 7:36am

there is no errors, only a grep line that a user does when he sends an email

NicoB · June 14, 2024, 7:49am

I’ll try to explain myself better, let’s say that my NS is hacked and the attacker uses it to shoot spam emails all over the internet. To limit the damage I would like to set a limit on hourly sending regardless of the IP from which it comes.

stephdl · June 14, 2024, 8:08am

I will try to check what postfix can do for you however with fail2ban, the hacker is completely ban from server, any ressources.

it does not take account about what is sent from a web application

NicoB · June 14, 2024, 8:39am

In the meantime, I thank you.
fail2ban is very useful in case of attack attempts due to the blocking it applies, but it cannot do anything in case of theft of valid credentials.
For this reason I would like to limit the maximum number of messages that can be sent, for example, per hour

Andy_Wismer · June 14, 2024, 8:50am

Hi @NicoB

Best would be to monitor the Mail-Queue.
Limiting without real reason can also limit legit info mailing to clients (example).

Wheras, when a spammer strikes, the mail queue is always filled up. If it’s full, and you are not aware of a reason, it’s spam and can be emptied (mailqueue) and repaired / excluded whatever. Often this comes from compromised or to easy access credentials.

Zabbix, on NS8, would be a nice option for this…

Postfix also has limiting options…
See here for some ideas:

My 2 cents
Andy

NicoB · June 19, 2024, 4:42pm

Finally I’m come back,
thank you Andy!

I think that’s correct that you say, I’ll try to setup the first suggest and then will inform you about the results

Have a good evening

LayLow · June 19, 2024, 5:22pm

And a warm welcome to you!