I forgot to enable some jails in Fail2ban; thanks to @gabriele_bulfon, I took a look… yeah, holidays are over.
- postfix-sasl
This jail is official. The goal is to ban remote IPs that try to send email through your server's SMTP service: after a number of bad password attempts, we ban them.
- postfix-sasl-abuse
This is what Gabriele made me think about; it is a special need they have at Sonicle (the WebTop developers). In short, if the login/password of your account is stolen, then a spammer can abuse your server, send a lot of spam and compromise your IP reputation with the blacklist organizations.
We have several ways to do it:
- smtpd_client_message_rate_limit = 10 # after 10 emails, the emails are paused and an error appears in the logs… but if you are not aware of it, the spammer can still abuse your server.
- Use a custom jail to find good authentications and ban the IP if we find more than 100 connections/10 minutes or, like Gabriele would like to do, push the login of the user into a file to reject the smtpd connection: see http://www.postfix.org/SASL_README.html#server_sasl_other
    /etc/postfix/main.cf:
        smtpd_recipient_restrictions =
            …
            check_sasl_access hash:/etc/postfix/sasl_access
            …
            …
This feature is not enabled in our Postfix configuration, but I bet that banning the IP is good too.
What do you think, @dev_team?
From what I tested, the postfix-sasl-abuse jail is trivial if we ban the IP; if we want to ban the account, then it could be a bit harder.
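
The two options discussed in the post above (ban the IP, or reject the login through `check_sasl_access`), sketched as an added example that is not part of the original post or of any project's code. It assumes the standard Postfix smtpd log line for an authenticated client; the function names and the sample log are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: the line Postfix smtpd writes for each message
# accepted from a SASL-authenticated client.
AUTH_OK = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/\S*smtpd\[\d+\]: \w+: "
    r"client=\S*\[(?P<ip>[^\]]+)\], sasl_method=\S+, sasl_username=(?P<user>\S+)$"
)

def find_abusers(lines, limit=100, window=timedelta(minutes=10), year=2024):
    """Return (ips, users) seen on more than `limit` lines within any `window`."""
    recent = defaultdict(deque)          # ("ip"|"user", value) -> timestamps
    ips, users = set(), set()
    for line in lines:
        m = AUTH_OK.match(line.strip())
        if not m:
            continue
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        for kind, flagged in (("ip", ips), ("user", users)):
            q = recent[(kind, m[kind])]
            q.append(ts)
            while ts - q[0] > window:    # drop entries older than the window
                q.popleft()
            if len(q) > limit:
                flagged.add(m[kind])
    return ips, users

def sasl_access_lines(users):
    """Entries for the check_sasl_access table: reject each flagged login."""
    return [f"{u}\tREJECT" for u in sorted(users)]

def sample_log(count=120, step=1):
    """Constructed log: `count` messages from one login, one every `step` seconds."""
    start = datetime(2024, 1, 8, 10, 0, 0)
    lines = ["Jan  8 10:00:00 mail postfix/smtpd[4242]: 00000000AA: "
             "client=unknown[198.51.100.9], sasl_method=PLAIN, "
             "sasl_username=alice@example.org"]
    for i in range(count):
        t = (start + timedelta(seconds=i * step)).strftime("%H:%M:%S")
        lines.append(f"Jan  8 {t} mail postfix/smtpd[4242]: {i:010X}: "
                     "client=unknown[203.0.113.7], sasl_method=LOGIN, "
                     "sasl_username=bob@example.org")
    return lines

if __name__ == "__main__":
    ips, users = find_abusers(sample_log())
    print("ban:", ips)
    print("\n".join(sasl_access_lines(users)))
```

Counting per login as well as per IP catches a stolen account that is used from many addresses. A `hash:` table such as `/etc/postfix/sasl_access` has to be rebuilt with `postmap` after it is edited.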