huan/docker-simple-mail-forwarder

Block IP from brute force attacks on mail forwarder using CIDR

mike-crawfurd opened this issue · 4 comments

Hi,

One of my dockers based on your great work is being attacked by some people trying to brute force it. The IPs seem limited to two or three, so it should be easy to block them. An article on how to do this is here: https://ethitter.com/2016/03/blocking-sender-ips-in-postfix/

Example of the logs where people try to login:
Jan 24 09:42:36 cafff8e519dd postfix/smtpd[25002]: connect from unknown[212.70.149.85]
Jan 24 09:42:37 cafff8e519dd postfix/smtpd[24875]: warning: unknown[212.70.149.54]: SASL LOGIN authentication failed: authentication failure
Jan 24 09:42:38 cafff8e519dd postfix/smtpd[24875]: disconnect from unknown[212.70.149.54] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jan 24 09:42:45 cafff8e519dd postfix/smtpd[25002]: warning: unknown[212.70.149.85]: SASL LOGIN authentication failed: authentication failure
Jan 24 09:42:47 cafff8e519dd postfix/smtpd[25002]: disconnect from unknown[212.70.149.85] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jan 24 09:42:51 cafff8e519dd postfix/smtpd[24875]: connect from unknown[212.70.149.54]
Jan 24 09:42:57 cafff8e519dd postfix/smtpd[25002]: connect from unknown[212.70.149.85]

However, it seems the postmap in your docker is not able to handle cidr, as I get this error message below:
bash-5.0# postmap cidr:client_checks
postmap: fatal: unsupported dictionary type: cidr. Is the postfix-cidr package installed?
bash-5.0#

Is it possible to upgrade the postfix package to one that includes the cidr capability?
Since my 'attackers' seem limited, I do not feel I need to use other tools to block them.

Thanks,
Mike

huan commented

Hi Mike,

I'd like to upgrade the postfix package so that your CIDR capability can be supported.

Pull Request is welcome.

Hi Huan,
Apologies, I do not really know how to do a pull request. Can you point me to what you need me to do?
Regards,
Mike

@mike-crawfurd meanwhile, you could easily set up fail2ban to block these attempts.

This is my /etc/fail2ban/jail.d/saslmail.conf

[saslmail]
enabled  = true
port     = 25,465,587
filter   = saslmail
logtimezone = UTC
logpath  = /var/lib/docker/containers/*/*-json.log
bantime = 600
findtime = 600
maxretry = 3
action = iptables-allports[chain="FORWARD"]

maxretry = 3 is a bit strict, FYI. You can raise it to a higher value.

This is my /etc/fail2ban/filter.d/saslmail.conf

[Definition]
failregex = ^.*\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed.*$
            ^.*reject: RCPT from \S+\[<HOST>\]:.*Relay access denied.*$
            ^.*lost connection after .*\[<HOST>\].*$
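To see what the jail and filter above actually do with the log lines Mike posted, here is an added example (not part of the issue, and not code from fail2ban or from the docker-simple-mail-forwarder project) that replays Postfix log lines through the three failregex patterns and the findtime/maxretry logic. It substitutes a simplified named group for fail2ban's `<HOST>` placeholder (fail2ban's real expansion is more elaborate), parses the syslog timestamp prefix, and keeps a per-host sliding window of failures. The sample log is the issue's own lines followed by a constructed continuation (the later timestamps and the 203.0.113.7 relay-reject line are invented for the example) so that one host crosses the threshold and the other does not.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Stand-in for fail2ban's <HOST> expansion (assumption: a simplified capture group;
# fail2ban's own expansion also covers hostnames and IPv6 forms in more detail).
HOST = r"(?P<host>[^\]\s]+)"

# The three failregex lines from the saslmail filter, with <HOST> expanded.
FAILREGEX = [
    re.compile(pattern.replace("<HOST>", HOST))
    for pattern in (
        r"^.*\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed.*$",
        r"^.*reject: RCPT from \S+\[<HOST>\]:.*Relay access denied.*$",
        r"^.*lost connection after .*\[<HOST>\].*$",
    )
]

# Constructed sample: lines 0-4 are quoted from the issue, lines 5-9 are invented
# to continue the scenario (.85 keeps hammering, .54 retries only every ~10 minutes).
SAMPLE_LOG = [
    "Jan 24 09:42:36 cafff8e519dd postfix/smtpd[25002]: connect from unknown[212.70.149.85]",
    "Jan 24 09:42:37 cafff8e519dd postfix/smtpd[24875]: warning: unknown[212.70.149.54]: SASL LOGIN authentication failed: authentication failure",
    "Jan 24 09:42:38 cafff8e519dd postfix/smtpd[24875]: disconnect from unknown[212.70.149.54] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4",
    "Jan 24 09:42:45 cafff8e519dd postfix/smtpd[25002]: warning: unknown[212.70.149.85]: SASL LOGIN authentication failed: authentication failure",
    "Jan 24 09:42:47 cafff8e519dd postfix/smtpd[25002]: disconnect from unknown[212.70.149.85] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4",
    "Jan 24 09:45:10 cafff8e519dd postfix/smtpd[25002]: warning: unknown[212.70.149.85]: SASL LOGIN authentication failed: authentication failure",
    "Jan 24 09:47:30 cafff8e519dd postfix/smtpd[25002]: warning: unknown[212.70.149.85]: SASL PLAIN authentication failed: authentication failure",
    "Jan 24 09:50:00 cafff8e519dd postfix/smtpd[25003]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <x@example.com>: Relay access denied; from=<a@example.net> to=<x@example.com> proto=ESMTP helo=<foo>",
    "Jan 24 09:55:00 cafff8e519dd postfix/smtpd[24875]: warning: unknown[212.70.149.54]: SASL LOGIN authentication failed: authentication failure",
    "Jan 24 10:06:00 cafff8e519dd postfix/smtpd[24875]: warning: unknown[212.70.149.54]: SASL LOGIN authentication failed: authentication failure",
]


def match_failure(line):
    """Return the offending host if the line matches any failregex, else None."""
    for rx in FAILREGEX:
        m = rx.match(line)
        if m:
            return m.group("host")
    return None


def syslog_time(line):
    """Parse the 'Mon DD HH:MM:SS' prefix of a Postfix syslog line (no year in syslog)."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


def simulate_jail(lines, findtime=600, maxretry=3):
    """Replay log lines through the jail logic from the saslmail jail above.

    A host is banned once it has accumulated `maxretry` matching failures inside a
    `findtime`-second window; further lines for a banned host are ignored.
    Returns {host: timestamp of the ban decision}.
    """
    recent = defaultdict(deque)  # host -> failure timestamps still inside the window
    banned = {}
    for line in lines:
        host = match_failure(line)
        if host is None or host in banned:
            continue
        ts = syslog_time(line)
        window = recent[host]
        window.append(ts)
        # Drop failures older than findtime relative to the newest one.
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    for host, when in simulate_jail(SAMPLE_LOG).items():
        print(f"ban {host} at {when:%H:%M:%S}")
```

With the jail's values (findtime 600, maxretry 3) only 212.70.149.85 is banned, at 09:47:30, because its three failures fall within 285 seconds; 212.70.149.54 spaces its attempts more than ten minutes apart, so its window never holds more than one failure. Lowering maxretry to 1 bans both hosts on their first failure, which is the trade-off behind the "maxretry = 3 is a bit strict" remark: the stricter the threshold, the more a single mistyped password from a legitimate user costs.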