Postfix Spam

Discussion in 'General' started by Xtended2404, Feb 13, 2015.

  1. Xtended2404

    Xtended2404 New Member

    I have Ubuntu server 12.04, Ispconfig 3 installed well and a static IP address.
    All is working well.

    But I guess my mail server is under attack.
    If I enter tail -f /var/log/mail.log I get a lot of messages (2 per second):
    NOQUEUE: reject: RCPT from unknown[181.118.132.50]: 554 5.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<50.1-200>

    domain.ro
    is one of my domains hosted on my server (my server has a static IP address).
    f6d6d1609 does not exist.

    I've tried to block 181.118.132.50 with iptables, but suddenly another IP appears making the same operation.
    I think I have more than 100 IPs blocked until now in the list.

    I guess somebody tries to make spam with telnet using random mails from one of my domains.
    What can I do?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    As you see from the message above, postfix rejected the attempt correctly. So there is no need for further actions; they will try this for some time and then they will give up. Just ensure that you have fail2ban installed and configured so that it blocks attempts in case someone does a brute force attack on the smtp logins.
     
  3. Xtended2404

    Xtended2404 New Member

    Thanks Till for your time.

    I added the following to my jail.conf (/etc/fail2ban/jail.conf):

    Code:
    [smtp-auth]
    enabled = true
    filter = smtp-auth
    action = iptables[name=SMTP, port=smtp, protocol=tcp]
    logpath = /var/log/facility/mail
    maxretry = 3

    and put the following in /etc/fail2ban/filter.d/smtp-auth.conf:

    Code:
    [Definition]
    failregex = sendmail.*authentication failure: checkpass failed, relay=\[<HOST>\]$
    ignoreregex =

    Then restart fail2ban. I guess that's all, right?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    This does not seem to be a rule for an Ubuntu server. Try to add just this into the jail.local file:

    Code:
    [sasl]
    enabled = true
    port = smtp
    filter = sasl
    logpath = /var/log/mail.log
    maxretry = 3
    
     
  5. Xtended2404

    Xtended2404 New Member

    OK. It works. Thanks a lot Till.
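The point of the thread is the difference between the two kinds of log line: the NOQUEUE "Relay access denied" entries from the first post are already rejected by Postfix and need no action, while "SASL ... authentication failed" warnings are what the sasl jail in Till's jail.local counts toward maxretry = 3. The script below is an added example, not code from the thread or from fail2ban, that makes that distinction over constructed sample log lines (hostnames, PIDs, addresses and the exact regular expressions are assumptions; fail2ban's own sasl filter is the authority for what it matches). It reports per-host counts and which hosts would cross the maxretry threshold.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of Postfix entries in /var/log/mail.log.
# Hosts are RFC 5737 documentation addresses; only the message shapes are real.
SAMPLE_LOG = """\
Feb 13 10:00:01 srv postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <user@example.invalid>: Relay access denied; from=<x@domain.example> to=<user@example.invalid> proto=ESMTP helo=<50.1-200>
Feb 13 10:00:02 srv postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <user2@example.invalid>: Relay access denied; from=<y@domain.example> to=<user2@example.invalid> proto=ESMTP helo=<50.1-200>
Feb 13 10:00:05 srv postfix/smtpd[1235]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 13 10:00:06 srv postfix/smtpd[1235]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 13 10:00:07 srv postfix/smtpd[1235]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 13 10:00:08 srv postfix/smtpd[1236]: warning: unknown[203.0.113.9]: SASL PLAIN authentication failed:
Feb 13 10:00:09 srv postfix/smtpd[1237]: 1A2B3C4D5E: client=mail.example.net[192.0.2.55]
"""

# Open-relay probe: Postfix refused to relay and queued nothing (harmless noise).
RELAY_DENIED_RE = re.compile(
    r"NOQUEUE: reject: RCPT from \S+\[(?P<host>[0-9a-fA-F.:]+)\]: 554 .*Relay access denied"
)
# SMTP AUTH failure: the kind of line fail2ban's sasl filter keys on (assumed pattern).
SASL_FAILED_RE = re.compile(
    r"warning: \S+\[(?P<host>[0-9a-fA-F.:]+)\]: SASL \w[\w-]* authentication failed"
)


def classify_line(line):
    """Return ('relay_denied', host), ('sasl_failed', host) or None for other lines."""
    m = RELAY_DENIED_RE.search(line)
    if m:
        return "relay_denied", m.group("host")
    m = SASL_FAILED_RE.search(line)
    if m:
        return "sasl_failed", m.group("host")
    return None


def count_events(log_text):
    """Per-category, per-host counts over the whole log text."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        hit = classify_line(line)
        if hit:
            kind, host = hit
            counts[kind][host] += 1
    return counts


def hosts_to_ban(log_text, maxretry=3):
    """Hosts with at least `maxretry` SASL failures, mirroring jail.local's maxretry = 3.

    Relay-denied hits are deliberately not counted: Postfix already rejected them,
    which is Till's point about them needing no further action.
    """
    counts = count_events(log_text)
    return sorted(h for h, n in counts["sasl_failed"].items() if n >= maxretry)


if __name__ == "__main__":
    c = count_events(SAMPLE_LOG)
    for kind in ("relay_denied", "sasl_failed"):
        for host, n in c[kind].most_common():
            print(f"{kind:13s} {host:16s} {n}")
    print("would ban:", hosts_to_ban(SAMPLE_LOG))
```

Run it against a real file by replacing SAMPLE_LOG with the contents of /var/log/mail.log; with the sample above only 198.51.100.7 reaches three SASL failures, while the relay-denied host never qualifies no matter how many rejections it accumulates.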
     