How to limit SMTP sending in a specific time

NicoB · June 13, 2024, 7:34pm

NethServer Version: 7.9.2009

Module: Antivirus, Collectd Charts, Email, Fail2Ban, Report, Webserver, Webmail.

Hi everyone, is there a method that limit the SMTP mail sending in a specific time?

I would like to protect my NS against become a spammer, I need to find the way to send no more of 200 messages per hour.

Somebody can tell me how to get it?

Thanks in advance.

Nico

stephdl · June 14, 2024, 5:27am

I recall a jail of fail2ban that can does it. It is enabled but I do not recall how many email per hour you can do it

stephdl · June 14, 2024, 5:30am

github.com

NethServer/nethserver-fail2ban/blob/master/root/etc/e-smith/templates/etc/fail2ban/jail.local/10Postfix

{
    use NethServer::Fail2Ban;
    return ("\n#postfix not used on this server\n") if (! NethServer::Fail2Ban::listPostfixJails());
    my $port = $postfix{TCPPorts}|| '25,465,587';
    my $maxretry = $fail2ban{Postfix_MaxRetry} || $fail2ban{MaxRetry} || '3';
    my $postfixSaslAbuseMaxRetry = $fail2ban{PostfixSaslAbuse_MaxRetry} || $maxretry*33 || '100';
    my $ignoreipSaslAbuse = $localAccess.','.($fail2ban{PostfixSaslAbuse_IgnoreIP}||'');
    $ignoreipSaslAbuse =~ s/,/ /g;

    foreach (NethServer::Fail2Ban::listPostfixJails()) {
        $OUT .= "\n[$_]\n";
        $OUT .= "enabled = true\n";
        $OUT .= "port = $port\n";
        $OUT .= "logpath = /var/log/maillog\n";
        if ( $_ eq 'postfix-sasl-abuse') {
            $OUT .= "maxretry = $postfixSaslAbuseMaxRetry\n";
            $OUT .= "ignoreip = $ignoreipSaslAbuse\n\n";
        } else {
            $OUT .= "maxretry = $maxretry\n\n";
        }

This file has been truncated. show original

stephdl · June 14, 2024, 5:35am

github.com

NethServer/nethserver-fail2ban/blob/master/root/etc/fail2ban/filter.d/postfix-sasl-abuse.conf

# Fail2Ban filter for postfix authentication abuse
# Find good smtpd sasl authentification and ban the IP in case of abuse (33*MaxRetry)
# author stephane de Labrusse <stephdl@de-labrusse.fr>

[INCLUDES]

before = common.conf

[Definition]

_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]

failregex = ^%(__prefix_line)s.*\[<HOST>\], sasl_method=(LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5), sasl_username=\S+$

ignoreregex =

[Init]

journalmatch = _SYSTEMD_UNIT=postfix.service

This file has been truncated. show original

stephdl · June 14, 2024, 5:37am

The count is 33 x the maxtime per the findtime

So set the findtime to one hour and the maxretry to 6

If a user try to send more than the authorized quota then it is banned for a while. For what I recall the localhost is whitelisted

stephdl · June 14, 2024, 5:39am

@davidep we should think to protect NS8 like we did for NS7

davidep · June 14, 2024, 7:34am

I’m afraid we are off-topic with NS8 here.

I would like to protect my NS against become a spammer, I need to find the way to send no more of 200 messages per hour.

This seems to me a request for outbound messages rate limit. It is not about banning IPs for auth failures with Fail2Ban.

Maybe Postfix has a sending rate limit that can be set with a custom config?

stephdl · June 14, 2024, 7:36am

there is no errors, only a grep line that a user does when he sends an email

NicoB · June 14, 2024, 7:49am

I’ll try to explain myself better, let’s say that my NS is hacked and the attacker uses it to shoot spam emails all over the internet. To limit the damage I would like to set a limit on hourly sending regardless of the IP from which it comes.

stephdl · June 14, 2024, 8:08am

I will try to check what postfix can do for you however with fail2ban, the hacker is completely ban from server, any ressources.

it does not take account about what is sent from a web application

NicoB · June 14, 2024, 8:39am

In the meantime, I thank you.
fail2ban is very useful in case of attack attempts due to the blocking it applies, but it cannot do anything in case of theft of valid credentials.
For this reason I would like to limit the maximum number of messages that can be sent, for example, per hour

Andy_Wismer · June 14, 2024, 8:50am

Hi @NicoB

Best would be to monitor the Mail-Queue.
Limiting without real reason can also limit legit info mailing to clients (example).

Wheras, when a spammer strikes, the mail queue is always filled up. If it’s full, and you are not aware of a reason, it’s spam and can be emptied (mailqueue) and repaired / excluded whatever. Often this comes from compromised or to easy access credentials.

Zabbix, on NS8, would be a nice option for this…

Postfix also has limiting options…
See here for some ideas:

My 2 cents
Andy

NicoB · June 19, 2024, 4:42pm

Finally I’m come back,
thank you Andy!

I think that’s correct that you say, I’ll try to setup the first suggest and then will inform you about the results

Have a good evening

LayLow · June 19, 2024, 5:22pm

And a warm welcome to you!

stephdl · July 2, 2024, 4:52pm

I gave it a try it seems not so hard to add a rate limit, maybe a bit basic

but add this setting and you will send one email per 30 seconds, if you want 200 emails per hour, set it to 18s

smtp_destination_rate_delay = 30s

smtp_destination_rate_delay: Postfix doc says “The default amount of delay that is inserted between individual deliveries over the same message delivery transport, regardless of destination”. In the setting above, I added a “wait time” of 30s second before the next e-mail should be delivered. The default is “0s” which means no delay between sending mails.
This setting slows down the sending a lot

mkdir -p /etc/e-smith/templates-custom/etc/postfix/main.cf/
echo "### rate limit to send email 
smtp_destination_rate_delay = 30s" >  /etc/e-smith/templates-custom/etc/postfix/main.cf/45ratelimitperhour && signal-event nethserver-mail-server-save

emails are stored to queue and are waiting to be sent

cc @davidep

we could add also

smtp_destination_concurrency_limit = 2 # default 20

smtp_destination_concurrency_limit: As per the Postfix documentation: “The maximal number of parallel deliveries to the same destination via the smtp message delivery transport.” Example: If your mail server sends mails to several gmail.com recipients, Postfix will only deliver two mails at the same time. The default is 20. This could also be set with default_destination_concurrency_limit.
This setting is particularly helpful in case a spammer bombards a certain domain. Often the recipient mail server then refuses the sent mails (your real mails as well) with a 421, 450 or 451 SMTP response that you’re sending too many mails too quickly.

This could be interesting too for reducing the number of recipient of an email for example if you send an email with 20 recipients, it should send several email and be limited by the rate limit

smtp_destination_recipient_limit (default: $default_destination_recipient_limit)
The maximal number of recipients per message for the smtp message delivery transport. This limit is enforced by the queue manager. The message delivery transport name is the first field in the entry in the master.cf file.

Setting this parameter to a value of 1 changes the meaning of smtp_destination_concurrency_limit from concurrency per domain into concurrency per recipient.

davidep · July 3, 2024, 6:52am

Good catch!

It should be templates-custom, and mkdir -p is required for that.

Please fix the script!

stephdl · July 4, 2024, 6:30am

should be good, we use custom template, this could be nice for NS8