Problem with mail server: stop flooding with fail2ban?


Hi,

My main mail server is running CentOS 7 with Postfix and Dovecot.

Last week I was surprised to see that Postfix had some trouble on this
machine, according to Icinga. I took a peek at the logs:

# journalctl -p err
Mar 28 04:37:02 sd-151768 postfix/smtpd[2786]: fatal: no SASL authentication mechanisms
Mar 28 04:37:02 sd-151768 postfix/smtpd[2788]: fatal: no SASL authentication mechanisms
Mar 28 04:37:02 sd-151768 postfix/smtpd[2790]: fatal: no SASL authentication mechanisms
Mar 28 04:37:02 sd-151768 postfix/smtpd[2792]: fatal: no SASL authentication mechanisms
Mar 28 04:37:02 sd-151768 postfix/smtpd[2794]: fatal: no SASL authentication mechanisms
...

And in /var/log/maillog I found a tsunami of these:

Mar 28 03:18:33 sd-151768 postfix/smtpd[29589]: warning: unknown[45.227.253.115]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 28 03:18:33 sd-151768 postfix/smtpd[29589]: lost connection after AUTH from unknown[45.227.253.115]
Mar 28 03:18:33 sd-151768 postfix/smtpd[29589]: disconnect from unknown[45.227.253.115]

My first reaction was to manually ban the IP addresses / networks which caused
the flood, using my firewall:

# firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='45.227.253.0/24' reject"
# firewall-cmd --reload

I'm already using fail2ban in conjunction with firewalld to prevent brute force
SSH attacks.

Q: can I use it in a similar configuration to stop Postfix from getting flooded
and brought down to its knees?

Thanks & cheers from the sunny South of France,

Niki

-- 
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : info@xxxxxxxxxxxxx
Tél. : 04 66 63 10 32
Mob. : 06 51 80 12 12
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
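
Added example (not part of the original message): a short Python script that reads maillog lines in the format quoted above and flags sources by failures per time window, the threshold idea fail2ban applies, then groups them by /24. The function names, the default thresholds, the assumed year, the host "mx1" and the sample addresses are all constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Postfix "SASL ... authentication failed" warning, as quoted in the post (IPv4 only here).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>\d+\.\d+\.\d+\.\d+)\]: SASL \S+ authentication failed"
)

def offenders(lines, maxretry=3, findtime=timedelta(minutes=10), year=2024):
    """Map source IP -> total failures, for IPs with >= maxretry failures within findtime."""
    # Syslog timestamps carry no year, so `year` is an assumed value from the caller.
    seen = defaultdict(list)
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            seen[m["ip"]].append(ts)
    flagged = {}
    for ip, stamps in seen.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > findtime:  # slide the window forward
                start += 1
            if end - start + 1 >= maxretry:
                flagged[ip] = len(stamps)
                break
    return flagged

def by_network(flagged, prefix=24):
    """Sum failures per enclosing network, to show when one range is behind the flood."""
    nets = defaultdict(int)
    for ip, count in flagged.items():
        nets[str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))] += count
    return dict(nets)

# Constructed sample lines (documentation addresses, hypothetical host "mx1").
SAMPLE = """\
Mar 28 03:18:31 mx1 postfix/smtpd[29589]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 28 03:18:32 mx1 postfix/smtpd[29589]: lost connection after AUTH from unknown[203.0.113.7]
Mar 28 03:18:33 mx1 postfix/smtpd[29590]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 28 03:18:35 mx1 postfix/smtpd[29591]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 28 03:19:02 mx1 postfix/smtpd[29600]: warning: unknown[203.0.113.9]: SASL PLAIN authentication failed:
Mar 28 03:20:10 mx1 postfix/smtpd[29601]: warning: unknown[198.51.100.4]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
""".splitlines()
```

Calling offenders(SAMPLE) flags only the address with three failures inside ten minutes; by_network(offenders(SAMPLE, maxretry=1)) totals every failing source per /24.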
