Aug 5, 2024: iRedMail-1.7.1 has been released.

**svoboda77** · 2014-10-24 13:48:51

svoboda77
Member
Offline

Registered: 2014-10-18
Posts: 20

Topic: HOWTO: Protect against postfix AUTH DoS attacks

======== Required information ====
- iRedMail version: any
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): any
- Linux/BSD distribution name and version: any
- Related log if you're reporting an issue:
====

I have tons of

Oct 19 06:30:49 mail postfix/smtpd[14043]: connect from unknown[151.237.190.118]
Oct 19 06:30:49 mail postfix/smtpd[14043]: lost connection after AUTH from unknown[151.237.190.118]
Oct 19 06:30:49 mail postfix/smtpd[14043]: disconnect from unknown[151.237.190.118]
Oct 19 06:30:49 mail postfix/smtpd[14043]: connect from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: lost connection after AUTH from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: disconnect from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: connect from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: lost connection after AUTH from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: disconnect from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: connect from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: lost connection after AUTH from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: disconnect from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: connect from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: lost connection after AUTH from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: disconnect from unknown[151.237.190.118]
Oct 19 06:30:51 mail postfix/smtpd[14043]: connect from unknown[151.237.190.118]
Oct 19 06:30:51 mail postfix/smtpd[14043]: lost connection after AUTH from unknown[151.237.190.118]
Oct 19 06:30:51 mail postfix/smtpd[14043]: disconnect from unknown[151.237.190.118]

in my logs. If you are on the same boat and want to block such attacks, you can use fail2ban:

1/ add following section to the end of your /etc/fail2ban/jail.local

[postfix-auth]
enabled     = true
filter      = postfix.auth
action      = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
#           sendmail[name=Postfix, dest=you@mail.com]
logpath     = /var/log/mail.log

2/ create new file /etc/fail2ban/filter.d/postfix.auth.conf

[Definition]
failregex = lost connection after AUTH from (.*)\[<HOST>\]
ignoreregex =

3/ Restart fail2ban. Attacker will be blocked after five attempts.

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

**ZhangHuangbin** · 2014-10-24 14:38:42

ZhangHuangbin
iRedMail Developers
Offline

Registered: 2009-05-06
Posts: 31,094

Re: HOWTO: Protect against postfix AUTH DoS attacks

Another way is simply adding 'failregex' in file /etc/fail2ban/filter.d/postfix.iredmail.conf.
I added this regular expression in iRedMail by default. Thanks for your contribution.

**Jochie** · 2015-05-15 23:04:20

Jochie
Member
Offline

Registered: 2010-09-23
Posts: 100

Re: HOWTO: Protect against postfix AUTH DoS attacks

I'd suggest to update that line to :

lost connection after (AUTH|UNKNOWN|EHLO) from (.*)\[<HOST>\]
The unknown and EHLO also seem to flood my log files, and aren't filtered out and banned.
After updating my regex it became silent again.

**ZhangHuangbin** · 2015-05-16 08:48:33

ZhangHuangbin
iRedMail Developers
Offline

Registered: 2009-05-06
Posts: 31,094

Re: HOWTO: Protect against postfix AUTH DoS attacks

Hi Jochie,

Thanks for sharing. i added this improved regx in iRedMail, it will be available in next release.

**brainsage** · 2019-09-24 16:19:04

brainsage
Member
Offline

Registered: 2019-09-13
Posts: 3

Re: HOWTO: Protect against postfix AUTH DoS attacks

svoboda77 wrote:

======== Required information ====
- iRedMail version: any
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): any
- Linux/BSD distribution name and version: any
- Related log if you're reporting an issue:
====
I have tons of
Oct 19 06:30:49 mail postfix/smtpd[14043]: connect from unknown[151.237.190.118]
Oct 19 06:30:49 mail postfix/smtpd[14043]: lost connection after AUTH from unknown[151.237.190.118]
Oct 19 06:30:49 mail postfix/smtpd[14043]: disconnect from unknown[151.237.190.118]
Oct 19 06:30:49 mail postfix/smtpd[14043]: connect from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: lost connection after AUTH from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: disconnect from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: connect from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: lost connection after AUTH from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: disconnect from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: connect from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: lost connection after AUTH from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: disconnect from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: connect from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: lost connection after AUTH from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: disconnect from unknown[151.237.190.118]
Oct 19 06:30:51 mail postfix/smtpd[14043]: connect from unknown[151.237.190.118]
Oct 19 06:30:51 mail postfix/smtpd[14043]: lost connection after AUTH from unknown[151.237.190.118]
Oct 19 06:30:51 mail postfix/smtpd[14043]: disconnect from unknown[151.237.190.118]
in my logs. If you are on the same boat and want to block such attacks, you can use essay writing service tools and fail2ban:
1/ add following section to the end of your /etc/fail2ban/jail.local
[postfix-auth]
enabled     = true
filter      = postfix.auth
action      = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
#           sendmail[name=Postfix, dest=you@mail.com]
logpath     = /var/log/mail.log
2/ create new file /etc/fail2ban/filter.d/postfix.auth.conf
[Definition]
failregex = lost connection after AUTH from (.*)\[<HOST>\]
ignoreregex =
3/ Restart fail2ban. Attacker will be blocked after five attempts.

Hi,

I forgot to add a <host> part.
I found this in one of the comments by Dean Willis on Maxoberberger blog:
[INCLUDES]
before = common.conf
[Definition]
_daemon = postfix/smtpd
failregex = lost connection after AUTH from [-._\w]+\[<host>\]
ignoreregex =
[Init]
journalmatch = _SYSTEMD_UNIT=postfix.service

Aug 5, 2024: iRedMail-1.7.1 has been released.

[ Closed ] HOWTO: Protect against postfix AUTH DoS attacks

Posts: 5

1 Topic by svoboda77 2014-10-24 13:48:51

Topic: HOWTO: Protect against postfix AUTH DoS attacks

2 Reply by ZhangHuangbin 2014-10-24 14:38:42

Re: HOWTO: Protect against postfix AUTH DoS attacks

3 Reply by Jochie 2015-05-15 23:04:20 (edited by Jochie 2015-05-19 01:21:21)

Re: HOWTO: Protect against postfix AUTH DoS attacks

4 Reply by ZhangHuangbin 2015-05-16 08:48:33

Re: HOWTO: Protect against postfix AUTH DoS attacks

5 Reply by brainsage 2019-09-24 16:19:04 (edited by brainsage 2019-09-24 16:19:53)

Re: HOWTO: Protect against postfix AUTH DoS attacks

Posts: 5