I have Ubuntu server 12.04, ISPConfig 3 installed well and a static IP address. All is working well. But I guess my mail server is under attack. If I enter tail -f /var/log/mail.log I get a lot of messages (2 per second):

NOQUEUE: reject: RCPT from unknown[181.118.132.50]: 554 5.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<50.1-200>

domain.ro is one of my domains hosted on my server (my server has a static IP address); f6d6d1609 does not exist. I've tried to block 181.118.132.50 with iptables, but suddenly another IP appears making the same operation. I think I have more than 100 IPs blocked in the list until now. I guess somebody is trying to send spam with telnet using random mails from one of my domains. What can I do?
As you see from the message above, Postfix rejected the attempt correctly, so there is no need for further action; they will try this for some time and then give up. Just ensure that you have fail2ban installed and configured so that it blocks attempts in case someone does a brute-force attack on the SMTP logins.
Thanks Till for your time. I added the following to my jail.conf (/etc/fail2ban/jail.conf):

Code:
[smtp-auth]
enabled = true
filter = smtp-auth
action = iptables[name=SMTP, port=smtp, protocol=tcp]
logpath = /var/log/facility/mail
maxretry = 3

and put the following in /etc/fail2ban/filter.d/smtp-auth.conf:

Code:
[Definition]
failregex = sendmail.*authentication failure: checkpass failed, relay=\[<HOST>\]$
ignoreregex =

Then restart fail2ban. I guess that's all, right?
This does not seem to be a rule for an Ubuntu server. Try to add just this into the jail.local file:

Code:
[sasl]
enabled = true
port = smtp
filter = sasl
logpath = /var/log/mail.log
maxretry = 3
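Two points worth checking before relying on the jail above. First, the sasl filter matches "SASL ... authentication failed" warnings from smtpd, i.e. password guessing against SMTP AUTH; it does not match the "Relay access denied" rejects quoted in the first post, which need the separate postfix filter shipped with fail2ban (check the filter.d directory of your version). Second, the sendmail-style failregex from the earlier reply will never fire against Postfix log lines, which is why it had no effect. The script below is an added example written for this thread, not code from the thread, from fail2ban or from ISPConfig. It reimplements fail2ban's counting logic (maxretry hits from one host within findtime) in Python and runs it over a constructed sample of mail.log lines modeled on the one in the first post. Assumptions: the two failregex strings are modeled on fail2ban's stock sasl.conf and postfix.conf and may differ from the ones on your system; the <HOST> tag is simplified to an IPv4 matcher; syslog lines carry no year, so 2013 is assumed; the addresses and IPs other than 181.118.132.50 are placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of /var/log/mail.log lines (not captured from a real
# server). The three relay rejects mirror the line quoted in the thread; the
# SASL lines show what password guessing against smtpd looks like.
SAMPLE_LOG = """\
Mar 13 10:00:01 mx postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[181.118.132.50]: 554 5.7.1 <f6d6d1609@domain.ro>: Relay access denied; from=<user@domain.ro> to=<f6d6d1609@domain.ro> proto=ESMTP helo=<50.1-200>
Mar 13 10:00:02 mx postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[181.118.132.50]: 554 5.7.1 <a1b2c3@domain.ro>: Relay access denied; from=<user@domain.ro> to=<a1b2c3@domain.ro> proto=ESMTP helo=<50.1-200>
Mar 13 10:00:02 mx postfix/smtpd[1202]: connect from mail.example.org[192.0.2.10]
Mar 13 10:00:03 mx postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[181.118.132.50]: 554 5.7.1 <d4e5f6@domain.ro>: Relay access denied; from=<user@domain.ro> to=<d4e5f6@domain.ro> proto=ESMTP helo=<50.1-200>
Mar 13 10:01:00 mx postfix/smtpd[1203]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Mar 13 10:01:05 mx postfix/smtpd[1203]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Mar 13 10:01:09 mx postfix/smtpd[1203]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Mar 13 10:01:12 mx postfix/smtpd[1203]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Mar 13 10:05:00 mx postfix/smtpd[1204]: warning: unknown[203.0.113.9]: SASL PLAIN authentication failed: authentication failure
Mar 13 10:25:00 mx postfix/smtpd[1204]: warning: unknown[203.0.113.9]: SASL PLAIN authentication failed: authentication failure
Mar 13 10:45:00 mx postfix/smtpd[1204]: warning: unknown[203.0.113.9]: SASL PLAIN authentication failed: authentication failure
"""

# Simplified stand-in for fail2ban's <HOST> tag (IPv4 only; assumption).
HOST = r"(?P<host>[\d.]+)"
LOG_YEAR = 2013  # syslog timestamps carry no year; assumed for the sample


def compile_failregex(pattern):
    """Turn a fail2ban-style failregex (with a <HOST> tag) into a Python regex."""
    return re.compile(pattern.replace("<HOST>", HOST))


# Modeled on fail2ban's stock sasl.conf and postfix.conf filters; the exact
# expressions shipped with your fail2ban version may differ.
FILTERS = {
    "sasl": compile_failregex(
        r"warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
    ),
    "postfix": compile_failregex(
        r"NOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*Relay access denied"
    ),
}

# The sendmail-oriented failregex from the earlier reply, kept for comparison:
# it never matches Postfix output.
SENDMAIL_FILTER = compile_failregex(
    r"sendmail.*authentication failure: checkpass failed, relay=\[<HOST>\]$"
)


def count_matches(rx, log_text):
    """Number of log lines a filter's failregex matches (what fail2ban-regex reports)."""
    return sum(1 for line in log_text.splitlines() if rx.search(line))


def parse_ts(line):
    """Parse the syslog timestamp ("Mar 13 10:00:01") at the start of a line."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=LOG_YEAR)


def scan(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Replay fail2ban's jail logic: a host is banned when it produces
    `maxretry` matches for one filter within `findtime`. Returns
    {jail: {host: time_of_ban}} for jails that banned at least one host."""
    hits = defaultdict(lambda: defaultdict(list))  # jail -> host -> recent hit times
    banned = defaultdict(dict)                     # jail -> host -> ban time
    for line in log_text.splitlines():
        ts = parse_ts(line)
        for jail, rx in FILTERS.items():
            m = rx.search(line)
            if not m:
                continue
            host = m.group("host")
            if host in banned[jail]:
                continue  # already banned; fail2ban stops counting here
            # Keep only hits inside the sliding findtime window, then add this one.
            recent = [t for t in hits[jail][host] if ts - t <= findtime]
            recent.append(ts)
            hits[jail][host] = recent
            if len(recent) >= maxretry:
                banned[jail][host] = ts
    return {jail: dict(hosts) for jail, hosts in banned.items() if hosts}


def ban_commands(banned, port=25):
    """iptables commands equivalent to the manual blocking done in the thread,
    one per banned host, in a deterministic order."""
    return [
        f"iptables -I INPUT -p tcp --dport {port} -s {host} -j DROP"
        for jail in sorted(banned)
        for host in sorted(banned[jail])
    ]


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for jail, hosts in result.items():
        for host, ts in hosts.items():
            print(f"[{jail}] ban {host} at {ts:%H:%M:%S}")
    print("\n".join(ban_commands(result)))
    print("sendmail-style filter matches:", count_matches(SENDMAIL_FILTER, SAMPLE_LOG))
```

Note what the window does: 203.0.113.9 fails SASL three times but twenty minutes apart, so with findtime = 10 minutes it is never banned, while 198.51.100.7 is banned on its third failure and its fourth is ignored. On a real host the equivalent check is `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/sasl.conf`, which reports how many lines the shipped filter actually matches; run it against postfix.conf as well if you also want the relay rejects banned.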