1

Topic: HOWTO: Protect against postfix AUTH DoS attacks

======== Required information ====
- iRedMail version: any
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): any
- Linux/BSD distribution name and version: any
- Related log if you're reporting an issue:
====

I have tons of

Oct 19 06:30:49 mail postfix/smtpd[14043]: connect from unknown[151.237.190.118]
Oct 19 06:30:49 mail postfix/smtpd[14043]: lost connection after AUTH from unknown[151.237.190.118]
Oct 19 06:30:49 mail postfix/smtpd[14043]: disconnect from unknown[151.237.190.118]
Oct 19 06:30:49 mail postfix/smtpd[14043]: connect from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: lost connection after AUTH from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: disconnect from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: connect from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: lost connection after AUTH from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: disconnect from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: connect from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: lost connection after AUTH from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: disconnect from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: connect from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: lost connection after AUTH from unknown[151.237.190.118]
Oct 19 06:30:50 mail postfix/smtpd[14043]: disconnect from unknown[151.237.190.118]
Oct 19 06:30:51 mail postfix/smtpd[14043]: connect from unknown[151.237.190.118]
Oct 19 06:30:51 mail postfix/smtpd[14043]: lost connection after AUTH from unknown[151.237.190.118]
Oct 19 06:30:51 mail postfix/smtpd[14043]: disconnect from unknown[151.237.190.118]

in my logs. If you are in the same boat and want to block such attacks, you can use fail2ban:

1/ add the following section to the end of your /etc/fail2ban/jail.local

[postfix-auth]
enabled     = true
filter      = postfix.auth
action      = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
#           sendmail[name=Postfix, dest=you@mail.com]
logpath     = /var/log/mail.log

2/ create a new file /etc/fail2ban/filter.d/postfix.auth.conf

[Definition]
failregex = lost connection after AUTH from (.*)\[<HOST>\]
ignoreregex =

3/ Restart fail2ban. The attacker will be blocked after five attempts.

2

Re: HOWTO: Protect against postfix AUTH DoS attacks

Another way is simply adding 'failregex' in file /etc/fail2ban/filter.d/postfix.iredmail.conf.
I added this regular expression in iRedMail by default. Thanks for your contribution.

----

Buy me a cup of coffee ($5) to support iRedMail:

buy me a cup of coffee

3 (edited by Jochie 2015-05-19 01:21:21)

Re: HOWTO: Protect against postfix AUTH DoS attacks

I'd suggest updating that line to:

lost connection after (AUTH|UNKNOWN|EHLO) from (.*)\[<HOST>\]
The UNKNOWN and EHLO variants also seem to flood my log files, and aren't filtered out and banned.
After updating my regex it became silent again.
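An added example, not code from the thread or from fail2ban itself: it expands the <HOST> tag the way fail2ban does (the substitution pattern is the one fail2ban's 0.9 series used), applies the HOWTO's failregex and the extended one from this reply to constructed mail.log lines (documentation addresses), and counts hits per host against the default maxretry of five.

```python
import re
from collections import Counter

# fail2ban replaces the literal <HOST> tag with this pattern (0.9-era form),
# capturing the client address into the named group "host".
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The HOWTO's original failregex and the extended one from the reply above.
ORIGINAL = r"lost connection after AUTH from (.*)\[<HOST>\]"
EXTENDED = r"lost connection after (AUTH|UNKNOWN|EHLO) from (.*)\[<HOST>\]"

# Constructed sample lines in the same format as the thread's mail.log excerpt.
SAMPLE_LOG = """\
Oct 19 06:30:49 mail postfix/smtpd[14043]: connect from unknown[192.0.2.10]
Oct 19 06:30:49 mail postfix/smtpd[14043]: lost connection after AUTH from unknown[192.0.2.10]
Oct 19 06:30:49 mail postfix/smtpd[14043]: disconnect from unknown[192.0.2.10]
Oct 19 06:30:50 mail postfix/smtpd[14043]: lost connection after AUTH from unknown[192.0.2.10]
Oct 19 06:30:50 mail postfix/smtpd[14043]: lost connection after AUTH from unknown[192.0.2.10]
Oct 19 06:30:51 mail postfix/smtpd[14043]: lost connection after AUTH from unknown[192.0.2.10]
Oct 19 06:30:51 mail postfix/smtpd[14043]: lost connection after AUTH from unknown[192.0.2.10]
Oct 19 06:31:02 mail postfix/smtpd[14050]: lost connection after EHLO from unknown[198.51.100.7]
Oct 19 06:31:03 mail postfix/smtpd[14050]: lost connection after UNKNOWN from unknown[198.51.100.7]
Oct 19 06:31:04 mail postfix/smtpd[14050]: lost connection after EHLO from unknown[198.51.100.7]
Oct 19 06:31:05 mail postfix/smtpd[14050]: lost connection after UNKNOWN from unknown[198.51.100.7]
Oct 19 06:31:06 mail postfix/smtpd[14050]: lost connection after EHLO from unknown[198.51.100.7]
Oct 19 06:31:09 mail postfix/smtpd[14051]: lost connection after DATA from mx.example.net[203.0.113.5]
"""

def compile_failregex(failregex):
    """Expand the <HOST> tag as fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))

def count_failures(log_text, failregex):
    """Count matching lines per host for one failregex."""
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits

def hosts_to_ban(log_text, failregex, maxretry=5):
    """Hosts that reached fail2ban's default maxretry within the sample."""
    return sorted(h for h, n in count_failures(log_text, failregex).items() if n >= maxretry)

if __name__ == "__main__":
    for name, rx in (("original", ORIGINAL), ("extended", EXTENDED)):
        print(name, dict(count_failures(SAMPLE_LOG, rx)), "ban:", hosts_to_ban(SAMPLE_LOG, rx))
```

The DATA disconnect from the third host matches neither pattern, so a legitimate sender that drops mid-session is not counted.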

4

Re: HOWTO: Protect against postfix AUTH DoS attacks

Hi Jochie,

Thanks for sharing. I added this improved regex to iRedMail; it will be available in the next release. :)


5 (edited by brainsage 2019-09-24 16:19:53)

Re: HOWTO: Protect against postfix AUTH DoS attacks

Hi,

I forgot to add a <host> part.
I found this in one of the comments by Dean Willis on the Maxoberberger blog:

[INCLUDES]
before = common.conf

[Definition]
_daemon = postfix/smtpd
# fail2ban's host tag is case-sensitive and must be written as <HOST>
failregex = lost connection after AUTH from [-._\w]+\[<HOST>\]
ignoreregex =

[Init]
journalmatch = _SYSTEMD_UNIT=postfix.service