1

Topic: postscreen filter fail2ban optimization help

- iRedMail 1.1 openldap edition
- downloadable installer
- Debian GNU/Linux 10 (buster)
- backend (LDAP)
- Web server (Nginx)


I have too many postscreen messages (automated bots), see below, please. I do not know how to optimize it better.

I have added this filter to fail2ban jail postfix-iredmail:

failregex = postfix.postscreen.* DNSBL .* for \[<HOST>\]:

here is the log:
--------------------- Postfix Begin ------------------------

       30   Miscellaneous warnings                          30

      260   Rejected                                   100.00%
--------   --------------------------------------------------
      260   Total                                      100.00%
========   ==================================================

      140   5xx Reject relay denied                     53.85%
       63   5xx Reject HELO/EHLO                        24.23%
       56   5xx Reject unknown user                     21.54%
        1   5xx Reject recipient address                 0.38%
--------   --------------------------------------------------
      260   Total 5xx Rejects                          100.00%
========   ==================================================

        3   4xx Reject HELO/EHLO                       100.00%
--------   --------------------------------------------------
        3   Total 4xx Rejects                          100.00%
========   ==================================================

      359   Connections                                    359
      280   Connections lost (inbound)                     280
      359   Disconnections                                 359
    16375   Postscreen                                  16,375

        2   Connection failures (outbound)                   2
       62   Timeouts (inbound)                              62
        8   Hostname verification errors (FCRDNS)            8
        2   TLS connections (server)                         2
        1   TLS connections (client)                         1


2

Re: postscreen filter fail2ban optimization help

iRedMail ships /etc/fail2ban/jail.d/postfix-pregreet.local to catch this.

3

Re: postscreen filter fail2ban optimization help

ZhangHuangbin wrote:

iRedMail ships /etc/fail2ban/jail.d/postfix-pregreet.local to catch this.

Hi Zhang,
thank you very much for the fast reply.

postfix-pregreet is active; can you recommend what I should optimize to ban those bots?

[postfix-pregreet-iredmail]
enabled     = true
filter      = postfix-pregreet.iredmail
logpath     = /var/log/mail.log
maxretry    = 1
action      = nftables-multiport[name=postfix, port="80,443,25,587,465,110,995,143,993,4190", protocol=tcp]

Status
|- Number of jail:      6
`- Jail list:   dovecot-iredmail, nginx-http-auth, postfix-iredmail, postfix-pregreet-iredmail, roundcube-iredmail, sshd

postfix-pregreet.conf:

[Definition]
failregex = postscreen\[\d+\]: PREGREET .* from \[<HOST>\]:\d+:
ignoreregex = postscreen\[\d+\]: PREGREET .* from \[<HOST>\]:\d+: (EHLO|HELO) we-guess.mozilla.org

4

Re: postscreen filter fail2ban optimization help

What are the related original Postfix log lines we are talking about?

5

Re: postscreen filter fail2ban optimization help

ZhangHuangbin wrote:

What are the related original Postfix log lines we are talking about?

Hi Zhang,

this Russian bot, see below, please.

Can I safely add this line to postfix-pregreet.iredmail.conf?

postfix.postscreen.* HANGUP .* from \[<HOST>\]:

This is in mail.log:

Apr 26 00:11:53 mail postfix/postscreen[23925]: CONNECT from [185.50.149.15]:58250 to [192.168.1.5]:25
Apr 26 00:11:58 mail postfix/postscreen[23925]: HANGUP after 4.5 from [185.50.149.15]:58250 in tests before SMTP handshake
Apr 26 00:11:58 mail postfix/postscreen[23925]: DISCONNECT [185.50.149.15]:58250
Apr 26 00:11:58 mail postfix/postscreen[23925]: CONNECT from [185.50.149.15]:11942 to [192.168.1.5]:25
Apr 26 00:12:03 mail postfix/postscreen[23925]: HANGUP after 4.6 from [185.50.149.15]:11942 in tests before SMTP handshake
Apr 26 00:12:03 mail postfix/postscreen[23925]: DISCONNECT [185.50.149.15]:11942
Apr 26 00:12:03 mail postfix/postscreen[23925]: CONNECT from [185.50.149.15]:59540 to [192.168.1.5]:25
Apr 26 00:12:07 mail postfix/postscreen[23925]: HANGUP after 4.6 from [185.50.149.15]:59540 in tests before SMTP handshake
Apr 26 00:12:07 mail postfix/postscreen[23925]: DISCONNECT [185.50.149.15]:59540
Apr 26 00:12:07 mail postfix/postscreen[23925]: CONNECT from [185.50.149.15]:32002 to [192.168.1.5]:25
Apr 26 00:12:12 mail postfix/postscreen[23925]: HANGUP after 4.5 from [185.50.149.15]:32002 in tests before SMTP handshake
Apr 26 00:12:12 mail postfix/postscreen[23925]: DISCONNECT [185.50.149.15]:32002
Apr 26 00:12:13 mail postfix/postscreen[23925]: CONNECT from [185.50.149.15]:25344 to [192.168.1.5]:25
Apr 26 00:12:17 mail postfix/postscreen[23925]: HANGUP after 4.3 from [185.50.149.15]:25344 in tests before SMTP handshake
Apr 26 00:12:17 mail postfix/postscreen[23925]: DISCONNECT [185.50.149.15]:25344
Apr 26 00:12:17 mail postfix/postscreen[23925]: CONNECT from [185.50.149.15]:1504 to [192.168.1.5]:25
Apr 26 00:12:22 mail postfix/postscreen[23925]: HANGUP after 4.7 from [185.50.149.15]:1504 in tests before SMTP handshake
Apr 26 00:12:22 mail postfix/postscreen[23925]: DISCONNECT [185.50.149.15]:1504
Apr 26 00:12:22 mail postfix/postscreen[23925]: CONNECT from [185.50.149.15]:30008 to [192.168.1.5]:25
Apr 26 00:12:26 mail postfix/postscreen[23925]: HANGUP after 4.3 from [185.50.149.15]:30008 in tests before SMTP handshake
Apr 26 00:12:26 mail postfix/postscreen[23925]: DISCONNECT [185.50.149.15]:30008
Apr 26 00:12:26 mail postfix/postscreen[23925]: CONNECT from [185.50.149.15]:7748 to [192.168.1.5]:25
Apr 26 00:12:31 mail postfix/postscreen[23925]: HANGUP after 4.7 from [185.50.149.15]:7748 in tests before SMTP handshake
Apr 26 00:12:31 mail postfix/postscreen[23925]: DISCONNECT [185.50.149.15]:7748
Apr 26 00:12:31 mail postfix/postscreen[23925]: CONNECT from [185.50.149.15]:22790 to [192.168.1.5]:25
Apr 26 00:12:36 mail postfix/postscreen[23925]: HANGUP after 4.5 from [185.50.149.15]:22790 in tests before SMTP handshake
Apr 26 00:12:36 mail postfix/postscreen[23925]: DISCONNECT [185.50.149.15]:22790
Apr 26 00:17:20 mail postfix/postscreen[23984]: CONNECT from [185.50.149.15]:8042 to [192.168.1.5]:25
Apr 26 00:17:25 mail postfix/postscreen[23984]: HANGUP after 4.6 from [185.50.149.15]:8042 in tests before SMTP handshake
Apr 26 00:17:25 mail postfix/postscreen[23984]: DISCONNECT [185.50.149.15]:8042
Apr 26 00:17:25 mail postfix/postscreen[23984]: CONNECT from [185.50.149.15]:62608 to [192.168.1.5]:25
Apr 26 00:17:29 mail postfix/postscreen[23984]: HANGUP after 4.6 from [185.50.149.15]:62608 in tests before SMTP handshake
Apr 26 00:17:29 mail postfix/postscreen[23984]: DISCONNECT [185.50.149.15]:62608
Apr 26 00:17:29 mail postfix/postscreen[23984]: CONNECT from [185.50.149.15]:47874 to [192.168.1.5]:25
Apr 26 00:17:34 mail postfix/postscreen[23984]: HANGUP after 4.5 from [185.50.149.15]:47874 in tests before SMTP handshake
Apr 26 00:17:34 mail postfix/postscreen[23984]: DISCONNECT [185.50.149.15]:47874
Apr 26 00:17:34 mail postfix/postscreen[23984]: CONNECT from [185.50.149.15]:18464 to [192.168.1.5]:25
Apr 26 00:17:39 mail postfix/postscreen[23984]: HANGUP after 4.6 from [185.50.149.15]:18464 in tests before SMTP handshake
Apr 26 00:17:39 mail postfix/postscreen[23984]: DISCONNECT [185.50.149.15]:18464
Apr 26 00:17:39 mail postfix/postscreen[23984]: CONNECT from [185.50.149.15]:22238 to [192.168.1.5]:25
Apr 26 00:17:43 mail postfix/postscreen[23984]: HANGUP after 4.5 from [185.50.149.15]:22238 in tests before SMTP handshake
Apr 26 00:17:43 mail postfix/postscreen[23984]: DISCONNECT [185.50.149.15]:22238
Apr 26 00:17:43 mail postfix/postscreen[23984]: CONNECT from [185.50.149.15]:33994 to [192.168.1.5]:25
Apr 26 00:17:48 mail postfix/postscreen[23984]: HANGUP after 4.4 from [185.50.149.15]:33994 in tests before SMTP handshake
Apr 26 00:17:48 mail postfix/postscreen[23984]: DISCONNECT [185.50.149.15]:33994
Apr 26 00:17:48 mail postfix/postscreen[23984]: CONNECT from [185.50.149.15]:29872 to [192.168.1.5]:25
Apr 26 00:17:52 mail postfix/postscreen[23984]: HANGUP after 4.2 from [185.50.149.15]:29872 in tests before SMTP handshake
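To see what the two filters in this thread actually match before enabling them, here is an added example (not part of the thread, and not iRedMail's own code) that expands fail2ban's <HOST> placeholder with a simplified IPv4-only pattern (an assumption made for the example; fail2ban's real expansion also covers IPv6 and hostnames) and runs both failregexes, plus the pregreet ignoreregex, over the HANGUP lines from the mail.log above and two constructed PREGREET lines. The `evaluate` and `hosts_to_ban` helpers are mine, written to mimic how a jail counts hits against maxretry:

```python
import re
from collections import Counter

# fail2ban replaces <HOST> with its own address/hostname pattern; this IPv4-only
# stand-in is an assumption made for the example, not fail2ban's real expansion.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two filters discussed in the thread, with <HOST> expanded.
PREGREET_FAIL = re.compile(
    r"postscreen\[\d+\]: PREGREET .* from \[" + HOST + r"\]:\d+:")
PREGREET_IGNORE = re.compile(
    r"postscreen\[\d+\]: PREGREET .* from \[" + HOST
    + r"\]:\d+: (EHLO|HELO) we-guess.mozilla.org")
HANGUP_FAIL = re.compile(r"postfix.postscreen.* HANGUP .* from \[" + HOST + r"\]:")

# Constructed sample: the first four lines mirror the mail.log excerpt in the thread;
# the two PREGREET lines are made up (documentation addresses) to exercise ignoreregex.
SAMPLE_LOG = [
    "Apr 26 00:11:53 mail postfix/postscreen[23925]: CONNECT from [185.50.149.15]:58250 to [192.168.1.5]:25",
    "Apr 26 00:11:58 mail postfix/postscreen[23925]: HANGUP after 4.5 from [185.50.149.15]:58250 in tests before SMTP handshake",
    "Apr 26 00:11:58 mail postfix/postscreen[23925]: DISCONNECT [185.50.149.15]:58250",
    "Apr 26 00:12:03 mail postfix/postscreen[23925]: HANGUP after 4.6 from [185.50.149.15]:11942 in tests before SMTP handshake",
    r"Apr 26 00:12:10 mail postfix/postscreen[23925]: PREGREET 11 after 0.1 from [203.0.113.7]:4242: EHLO spam\r\n",
    r"Apr 26 00:12:11 mail postfix/postscreen[23925]: PREGREET 26 after 0.1 from [198.51.100.9]:5151: EHLO we-guess.mozilla.org\r\n",
]


def evaluate(lines, failregex, ignoreregex=None):
    """Count matching lines per host the way a fail2ban filter does:
    a line hitting ignoreregex is skipped before failregex is tried."""
    hits = Counter()
    for line in lines:
        if ignoreregex is not None and ignoreregex.search(line):
            continue
        m = failregex.search(line)
        if m:
            hits[m.group("host")] += 1
    return dict(hits)


def hosts_to_ban(hits, maxretry):
    """Hosts reaching the jail's maxretry (findtime ignored: all sample lines fall in one window)."""
    return sorted(h for h, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    hangup = evaluate(SAMPLE_LOG, HANGUP_FAIL)
    pregreet = evaluate(SAMPLE_LOG, PREGREET_FAIL, PREGREET_IGNORE)
    print("HANGUP hits:", hangup)        # {'185.50.149.15': 2}
    print("PREGREET hits:", pregreet)    # {'203.0.113.7': 1}; the mozilla probe is ignored
    print("banned at maxretry=1:", hosts_to_ban(hangup, 1))
```

Note that with maxretry = 1 a single HANGUP line is enough to ban a host, so any legitimate client that drops the connection during the postscreen tests would be caught too.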

6

Re: postscreen filter fail2ban optimization help

Check Postfix doc here: http://www.postfix.org/POSTSCREEN_READM … ther_error

"There is no punishment for hanging up. A client that hangs up without sending the QUIT command can still pass all postscreen(8) tests."

Technically you can ban clients like this by updating the Fail2ban jail config file, but it doesn't seem harmful.

7

Re: postscreen filter fail2ban optimization help

ZhangHuangbin wrote:

Check Postfix doc here: http://www.postfix.org/POSTSCREEN_READM … ther_error

"There is no punishment for hanging up. A client that hangs up without sending the QUIT command can still pass all postscreen(8) tests."

Technically you can ban clients like this by updating the Fail2ban jail config file, but it doesn't seem harmful.

Hi Zhang,

thanks for the information.

I have added the filter for future bots as above.
I have also added this line to nftables (for the current bot).

nft insert rule inet filter input ip saddr 185.50.149.0/24 counter drop

Thank you also for your great work on the iRedMail project.

Solved