Blocking relay hammering on Postfix with Fail2ban

After installing Postfix on a new VPS I noticed that the server was under continuous attack by people trying to use it as an open relay. The server was of course configured not to relay for external parties, so they were politely shown the door by Postfix:
[code]
Oct 14 10:51:03 h2621265 postfix/smtpd[12328]: NOQUEUE: reject: RCPT from 118-161-242-211.dynamic.hinet.net[118.161.242.211]: 454 4.7.1 <y_hsai@yahoo.com.tw>: Relay access denied; from=<tpejwewllxa@hotmail.com> to=<y_hsai@yahoo.com.tw> proto=SMTP helo=<85.214.98.72>
Oct 14 10:51:04 h2621265 postfix/smtpd[12328]: NOQUEUE: reject: RCPT from 118-161-242-211.dynamic.hinet.net[118.161.242.211]: 454 4.7.1 <yea3388@yahoo.com.tw>: Relay access denied; from=<tpejwewllxa@hotmail.com> to=<yea3388@yahoo.com.tw> proto=SMTP helo=<85.214.98.72>
Oct 14 10:51:04 h2621265 postfix/smtpd[12328]: NOQUEUE: reject: RCPT from 118-161-242-211.dynamic.hinet.net[118.161.242.211]: 454 4.7.1 <svfj@yahoo.com.tw>: Relay access denied; from=<tpejwewllxa@hotmail.com> to=<svfj@yahoo.com.tw> proto=SMTP helo=<85.214.98.72>
Oct 14 10:51:04 h2621265 postfix/smtpd[12328]: NOQUEUE: reject: RCPT from 118-161-242-211.dynamic.hinet.net[118.161.242.211]: 454 4.7.1 <yuki1019@yahoo.com.tw>: Relay access denied; from=<tpejwewllxa@hotmail.com> to=<yuki1019@yahoo.com.tw> proto=SMTP helo=<85.214.98.72>
Oct 14 10:51:04 h2621265 postfix/smtpd[12328]: NOQUEUE: reject: RCPT from 118-161-242-211.dynamic.hinet.net[118.161.242.211]: 454 4.7.1 <yoyoann2003@yahoo.com.tw>: Relay access denied; from=<tpejwewllxa@hotmail.com> to=<yoyoann2003@yahoo.com.tw> proto=SMTP helo=<85.214.98.72>
Oct 14 10:51:05 h2621265 postfix/smtpd[12328]: NOQUEUE: reject: RCPT from 118-161-242-211.dynamic.hinet.net[118.161.242.211]: 454 4.7.1 <voodiee@yahoo.com.tw>: Relay access denied; from=<tpejwewllxa@hotmail.com> to=<voodiee@yahoo.com.tw> proto=SMTP helo=<85.214.98.72>
Oct 14 10:51:05 h2621265 postfix/smtpd[12328]: NOQUEUE: reject: RCPT from 118-161-242-211.dynamic.hinet.net[118.161.242.211]: 454 4.7.1 <xt11010@yahoo.com.tw>: Relay access denied; from=<tpejwewllxa@hotmail.com> to=<xt11010@yahoo.com.tw> proto=SMTP helo=<85.214.98.72>
[/code]

However, since there were a lot of them (sometimes five per second) my logfiles were growing rapidly and Postfix was being kept quite busy. I had installed Fail2ban, a program that reads logfiles and takes action (mostly via iptables) upon certain repeated entries, for example

I wanted to use Fail2ban to block IPs that kept trying to relay mail from outside.

In /etc/fail2ban/jail.local find the Postfix section:
[code]
[postfix]

enabled = false
port = smtp,ssmtp,submission
filter = postfix
logpath = /var/log/mail.log
[/code]

Change enabled = false to enabled = true.

In /etc/fail2ban/filter.d/postfix.conf find
[code]
failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
            ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
            ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$
[/code]

Directly underneath add a new regex for the 454 "Relay access denied" reply (the continuation lines must stay indented, otherwise Fail2ban's config parser will not read them as part of failregex), so that it reads:
[code]
failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
            ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
            ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 454 4\.7\.1 .*$
[/code]

Now restart Fail2ban:
[code]
# service fail2ban restart
[/code]
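It is worth checking that the new pattern really matches the log lines before trusting the jail; Fail2ban ships fail2ban-regex for exactly that (fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf). The stock filter only matches the permanent 554 reply, while this server answered with the temporary 454 code (Postfix answers 4xx instead of 5xx for instance when soft_bounce = yes), which is why the extra line is needed. The Python below is an added example and not code from the post or from Fail2ban: it applies the same failregex list to sample log lines (four rejects quoted above plus a constructed connect line and a constructed 554 reject from the documentation address 198.51.100.7) and emulates how a jail counts matches per host within findtime and bans after maxretry. The PREFIX_LINE pattern is a simplified stand-in for Fail2ban's %(__prefix_line)s, and the maxretry/findtime defaults are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified stand-in for fail2ban's %(__prefix_line)s ("host daemon[pid]: ").
# fail2ban strips the syslog timestamp before applying failregex; parse_line()
# below does the same and matches the remainder of the line.
PREFIX_LINE = r"^\S+ \S+\[\d+\]: "

# fail2ban's own expansion of the <HOST> placeholder.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex lines from the post, plus the added 454 pattern.
FAILREGEX = [
    r"NOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$",
    r"NOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: "
    r"Host not found; from=<> to=<> proto=ESMTP helo= *$",
    r"NOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$",
    r"improper command pipelining after \S+ from [^[]*\[<HOST>\]:?$",
    r"NOQUEUE: reject: RCPT from \S+\[<HOST>\]: 454 4\.7\.1 .*$",
]
COMPILED = [re.compile(PREFIX_LINE + rx.replace("<HOST>", HOST)) for rx in FAILREGEX]

# Syslog timestamp ("Oct 14 10:51:03") followed by the rest of the line.
TIMESTAMP = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (.*)$")

# Constructed sample input: four of the rejects quoted in the post, one harmless
# connect line and one permanent 554 reject from a documentation address.
SAMPLE_LOG = """\
Oct 14 10:51:02 h2621265 postfix/smtpd[12330]: connect from mail.example.net[192.0.2.10]
Oct 14 10:51:03 h2621265 postfix/smtpd[12328]: NOQUEUE: reject: RCPT from 118-161-242-211.dynamic.hinet.net[118.161.242.211]: 454 4.7.1 <y_hsai@yahoo.com.tw>: Relay access denied; from=<tpejwewllxa@hotmail.com> to=<y_hsai@yahoo.com.tw> proto=SMTP helo=<85.214.98.72>
Oct 14 10:51:04 h2621265 postfix/smtpd[12328]: NOQUEUE: reject: RCPT from 118-161-242-211.dynamic.hinet.net[118.161.242.211]: 454 4.7.1 <yea3388@yahoo.com.tw>: Relay access denied; from=<tpejwewllxa@hotmail.com> to=<yea3388@yahoo.com.tw> proto=SMTP helo=<85.214.98.72>
Oct 14 10:51:04 h2621265 postfix/smtpd[12328]: NOQUEUE: reject: RCPT from 118-161-242-211.dynamic.hinet.net[118.161.242.211]: 454 4.7.1 <svfj@yahoo.com.tw>: Relay access denied; from=<tpejwewllxa@hotmail.com> to=<svfj@yahoo.com.tw> proto=SMTP helo=<85.214.98.72>
Oct 14 10:51:04 h2621265 postfix/smtpd[12328]: NOQUEUE: reject: RCPT from 118-161-242-211.dynamic.hinet.net[118.161.242.211]: 454 4.7.1 <yuki1019@yahoo.com.tw>: Relay access denied; from=<tpejwewllxa@hotmail.com> to=<yuki1019@yahoo.com.tw> proto=SMTP helo=<85.214.98.72>
Oct 14 10:51:09 h2621265 postfix/smtpd[12331]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <spam@example.org>: Relay access denied; from=<x@example.com> to=<spam@example.org> proto=ESMTP helo=<bogus>
"""


def parse_line(line):
    """Return (timestamp, offending host) if a failregex matches, else None."""
    m = TIMESTAMP.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
    for rx in COMPILED:
        hit = rx.search(m.group(2))
        if hit:
            return when, hit.group("host")
    return None


def scan(log_text, maxretry=3, findtime=600):
    """Emulate a jail: ban a host after `maxretry` matches within `findtime`
    seconds (assumed values). Returns (banned hosts in order, matches per host)."""
    recent = defaultdict(deque)    # host -> timestamps of matches in the window
    matches = defaultdict(int)
    banned = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        when, host = parsed
        matches[host] += 1
        if host in banned:
            continue               # already banned, nothing more to decide
        window = recent[host]
        window.append(when)
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()       # drop matches older than findtime
        if len(window) >= maxretry:
            banned.append(host)
    return banned, dict(matches)


if __name__ == "__main__":
    banned, matches = scan(SAMPLE_LOG)
    for host, count in matches.items():
        print(f"{host}: {count} match(es){' -> banned' if host in banned else ''}")
```

Run stand-alone it reports 118.161.242.211 with four matches and banned, and 198.51.100.7 with a single match and not banned; raising maxretry to 5 leaves nobody banned, which is the knob to turn if legitimate senders get caught by a too aggressive jail.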

Watch the offenders being blocked before they even hit Postfix:
[code]
# watch -d -n 10 fail2ban-client status postfix
[/code]

On my server it looks like this:
[code]
Every 10,0s: fail2ban-client status

Status for the jail: postfix
|- filter
|  |- File list: /var/log/mail.log
|  |- Currently failed: 13
|  `- Total failed: 945
`- action
   |- Currently banned: 10
   |  `- IP list: 118.161.240.209 220.137.6.52 118.160.212.70 111.249.36.242 1.164.192.181 220.137.12.173 118.161.244.142 114.37.190.125 118.161.244.247 114.43.248.21
   `- Total banned: 72
[/code]

Those addresses are banned for ten minutes before they are allowed to try again.

Bonus: check out the recidive jail in Fail2ban. If an address keeps getting banned again and again, it is sentenced to a longer jail time, like a week or a month.

No more relay hammering storm on my server!

3 Comments

  1. Yudi Purwanto

    How to regex for it:

    Jul 12 17:35:08 mail postfix/smtp[2411]: 6CF7B9C65: to=, relay=smtpin02.vzw.a.cloudfilter.net[52.11.98.232]:25, delay=114709,delays=114313/375/20/0.23, dsn=4.1.0, status=deferred (host smtpin02.vzw.a.cloudfilter.net[52.11.98.232] said: 452 4.1.0 requested action aborted: try again later (in reply to MAIL FROM command))
    Jul 12 17:35:08 mail postfix/smtp[2676]: 66F605289: to=, relay=mx3b.txt.att.net[166.216.152.132]:25, delay=3687, delays=3292/392/3.8/0.24, dsn=4.1.0, status=deferred (host mx3b.txt.att.net[166.216.152.132] said: 452 4.1.0 requested action aborted: try again later (in reply to MAIL FROM command))