MAKING MY POSTFIX CONFIG RACIST
Yesterday I described blocking "Aleksandr" spam in Postfix,
something that's apparently becoming a rite of passage among
internet 'postmasters'. Of course, while doing lots of log reading
for the sake of that, I found myself wading through the constant
stream of IP-address-rich spammers trying to brute force the log-in
so that they could use it as a relay (also a small few trying to
break into POP/IMAP so they could read my emails, but those are
vastly outnumbered by the SMTP attacks).
I'm not afraid of them succeeding, and there's no issue from server
load, but I don't really want to oblige them either. It occurred to
me that they pretty much all come from overseas IP addresses, and
yet I've never even been overseas so I'm definitely only going to
connect to it from an Australian IP address, so why not just block
all non-Australian IP addresses from doing SASL authentication?
This is something that I've never been brave enough to do on SSH
connections because I'm not on a fixed IP myself so one day if it
goes wrong or there's an error in the geo-IP database, I'll get
locked out. But with email it's much less scary - even if I don't
have time to mess with the server configuration when it goes wrong,
I can just switch to using my ISP's SMTP server instead anyway.
Yet the trouble is that I've been using port 25 for sending mail
from remote clients, and of course that's also where the SMTP
server listens for incoming mail to local mailboxes, which I
definitely want to accept from IP addresses outside Australia. So I
can't simply filter port 25 with the firewall, and as such I spent
quite a while looking through the Postfix docs expecting to find a
way to restrict which IP addresses it offers SASL to. I was rather
disappointed to find out that there was nothing of the sort.
But the next day I went back and discovered that I was on the wrong
track entirely. There's actually a standard "submission" port (587)
designated especially for connections from clients looking to relay
their mail into the wider universe. There's also some suggestion
that my configuration using port 25 for this was wrong from the
outset, although things like Sylpheed defaulting to port 25 suggest
that it must be a very common mistake if it is one.
This is configured by disabling SASL globally in
/etc/postfix/main.cf with "smtpd_sasl_auth_enable = no", then
enabling the submission port in /etc/postfix/master.cf with the "-o
smtpd_sasl_auth_enable = yes" parameter. Now port 25 still accepts
connections from any other servers for receiving incoming mail, but
won't accept authentication, which is required for mail relay. Mail
relay is only accepted on port 587.
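Here is an added example (mine, not from the post) of what that split looks like on disk, with a small awk check that SASL really is switched on for "submission" only. The service lines are constructed; the extra "-o" overrides on the submission service (syslog_name and the client restriction) are the usual ones and are my assumption, not something the post lists. One caveat worth knowing: inside master.cf the "-o" overrides must not have whitespace around the "=", so the override is written "-o smtpd_sasl_auth_enable=yes".

```shell
#!/bin/sh
# Added example (not from the original post): a sample master.cf laid out
# the way the post describes, plus an awk check that SASL is offered on
# "submission" only. The fragments are constructed; the extra -o overrides
# are an assumption, not something the post lists.

# Constructed master.cf fragment. master.cf "-o" overrides take no
# whitespace around the "=".
SAMPLE_MASTER_CF='# service type private unpriv chroot wakeup maxproc command
smtp       inet  n       -       y       -       -       smtpd
submission inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject'

# Constructed main.cf fragment with the global switch off.
SAMPLE_MAIN_CF='smtpd_sasl_auth_enable = no'

# main_cf_value FILE NAME: print the value of NAME from a main.cf-style file.
main_cf_value() {
    awk -v name="$2" '$1 == name && $2 == "=" { print $3 }' "$1"
}

# sasl_services FILE: print "service value" for every service entry in a
# master.cf-style file, where value is the smtpd_sasl_auth_enable override
# given with -o, or "unset" when the service carries none.
sasl_services() {
    awk '
        /^[^ \t#]/ {                                  # new service entry
            if (svc != "") print svc, val
            svc = $1; val = "unset"
        }
        /^[ \t]+-o[ \t]+smtpd_sasl_auth_enable=/ {    # -o override line
            split($2, kv, "="); val = kv[2]
        }
        END { if (svc != "") print svc, val }
    ' "$1"
}

# check_sasl_layout MAIN_CF MASTER_CF: succeed only when SASL is off
# globally, on for "submission", and not switched on for "smtp" (port 25).
check_sasl_layout() {
    [ "$(main_cf_value "$1" smtpd_sasl_auth_enable)" = "no" ] || return 1
    [ "$(sasl_services "$2" | awk '$1 == "submission" { print $2 }')" = "yes" ] || return 1
    [ "$(sasl_services "$2" | awk '$1 == "smtp" { print $2 }')" != "yes" ]
}

# Run the check on the constructed fragments.
main_cf=$(mktemp); master_cf=$(mktemp)
printf '%s\n' "$SAMPLE_MAIN_CF" > "$main_cf"
printf '%s\n' "$SAMPLE_MASTER_CF" > "$master_cf"
if check_sasl_layout "$main_cf" "$master_cf"; then
    echo "OK: SASL is offered on submission only"
else
    echo "WARNING: SASL layout is not as intended"
fi
rm -f "$main_cf" "$master_cf"
```

Point check_sasl_layout at the real /etc/postfix/main.cf and master.cf to confirm the same thing on a live box; the awk only looks at the "-o" overrides, so a service that inherits the global setting shows up as "unset".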
Port 587 was blocked before by the firewall (Firehol), so now I've
enabled it only for networks on a list of Australian IP ranges.
This is fetched automatically and converted as described in the
Firehol docs:
http://firehol.org/guides/ipset/
So I set a cron job to automatically fetch and update the Australian
IP set (which I called australian_nets) from the web, then used
this line to allow the submission port in firehol.conf:
server submission accept src ipset:australian_nets
I'm using this as my source of IP ranges:
https://www.ipdeny.com/ipblocks/
But of course it's tricky to test because I don't have access to a
computer that's outside of Australia besides this VPS itself. Many
websites offering nmap functionality don't test the submission
port, but I eventually found https://nmap.online/ (basic functions
work without Javascript). I tested the geo restriction by running
"nmap -F [IP address]" locally and comparing with the web Nmap: the
web Nmap doesn't show the "submission" port open, but the local one
does. Yay!
Sure enough, now there are no more "SASL LOGIN authentication
failed" messages in /var/log/mail.log, yet mail is delivered
successfully from my clients after changing the port setting from
25 to 587.
Interestingly some of the spammers trying to get into port 25 did
keep banging their head against the wall. By the next day there
were over 4700 records of attempted AUTH log-ins there, even though
they were just getting the "authorisation not available" error back.
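Rather than reading mail.log by eye, the before/after comparison can be done with a short tally of failed SASL logins per client address. This is an added example of mine, not the post's own script; the log lines are constructed in the format Postfix smtpd uses for these warnings, with made-up host names and addresses from the 203.0.113.0/24 documentation range.

```shell
#!/bin/sh
# Added example (not from the original post): count "SASL ... authentication
# failed" warnings per client IP in a Postfix mail.log, so the effect of
# moving SASL off port 25 can be checked with one command.

# Constructed sample log lines (addresses from the 203.0.113.0/24
# documentation range, host names made up).
SAMPLE_LOG='Jun  3 02:11:07 vps postfix/smtpd[2142]: connect from unknown[203.0.113.9]
Jun  3 02:11:08 vps postfix/smtpd[2142]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  3 02:11:09 vps postfix/smtpd[2142]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  3 02:11:10 vps postfix/smtpd[2142]: disconnect from unknown[203.0.113.9]
Jun  3 02:12:31 vps postfix/smtpd[2150]: warning: unknown[203.0.113.77]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  3 02:13:02 vps postfix/smtpd[2151]: connect from mail.example.net[203.0.113.20]
Jun  3 02:13:03 vps postfix/smtpd[2151]: warning: unknown[203.0.113.9]: SASL PLAIN authentication failed: authentication failure'

# sasl_failure_total FILE: number of failed SASL logins (any mechanism).
sasl_failure_total() {
    grep -c 'SASL [A-Z-]* authentication failed' "$1" || true
}

# sasl_failures_by_ip FILE: print "count ip" for every client address with
# at least one failed SASL login, most frequent first. The address is the
# one in square brackets directly before ": SASL".
sasl_failures_by_ip() {
    grep 'SASL [A-Z-]* authentication failed' "$1" \
      | sed -n 's/.*\[\([0-9a-fA-F.:]*\)\]: SASL .*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# Use the log file given as the first argument, else the constructed sample.
if [ $# -ge 1 ]; then
    LOGFILE=$1
else
    LOGFILE=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$LOGFILE"
fi
echo "failed SASL logins: $(sasl_failure_total "$LOGFILE")"
sasl_failures_by_ip "$LOGFILE"
```

Run it as "sh tally.sh /var/log/mail.log" before and after the change; once SASL is only offered on the geo-restricted submission port, the total from overseas addresses should drop to zero, and anything left in the top of the list is a client that is still reaching port 587.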
http://firehol.org/guides/ipset/
http://firehol.org/firehol-manual/firehol-services/#service-submission
http://www.postfix.org/postconf.5.html#smtpd_sasl_auth_enable
https://serverfault.com/a/706280
https://www.ipdeny.com/ipblocks/
https://nmap.online/
- The Free Thinker
PS: This is my first attempt at converting some of my personal
server-configuration notes into other-human-readable format; I'm
not sure how well it worked, but somehow it still took me over half
an hour!