Hi all,
My mail jail has a private address and my pf.conf(5) has the following:
Code:
mail4="10.10.10.25/32"
# Mail in
rdr pass on $ext_if inet proto tcp from any to $ext_if port smtp -> $mail4 port smtp
rdr pass on $ext_if inet proto tcp from any to $ext_if port smtps -> $mail4 port smtps
rdr pass on $ext_if inet proto tcp from any to $ext_if port submission -> $mail4 port submission
rdr pass on $ext_if inet proto tcp from any to $ext_if port imap -> $mail4 port imap
rdr pass on $ext_if inet proto tcp from any to $ext_if port imaps -> $mail4 port imaps
# block bad machines!
block drop in quick from <bruteforce>
# Mail in
pass in quick log inet6 proto tcp from <local6> to $mail6 port { smtp smtps submission imap imaps }
pass in quick log inet proto tcp from <local4> to $mail4 port { smtp smtps submission imap imaps }
# Protect mail brute force!
pass in quick log inet6 proto tcp to $mail6 port { smtp smtps submission imap imaps } \
flags S/SA keep state \
(max-src-conn 100, max-src-conn-rate 15/3600, \
overload <bruteforce> flush global)
pass in quick log inet proto tcp to $mail4 port { smtp smtps submission imap imaps } \
flags S/SA keep state \
(max-src-conn 100, max-src-conn-rate 15/3600, \
overload <bruteforce> flush global)
The very last line does not work as expected. I can see literally tons of attempts within a few minutes of each other to connect to my mail/postfix. See:
Code:
Nov 12 20:52:47 car dovecot[26097]: auth-worker(94198): Error: pam(althea@...,212.70.149.69): pam_authenticate() failed: Authentication error (/etc/pam.d/dovecot missing?)
Nov 12 20:52:49 car postfix/smtps/smtpd[96058]: warning: unknown[212.70.149.69]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 12 20:52:53 car postfix/smtps/smtpd[96058]: lost connection after AUTH from unknown[212.70.149.69]
Nov 12 20:52:53 car postfix/smtps/smtpd[96058]: disconnect from unknown[212.70.149.69] ehlo=1 auth=0/1 rset=1 commands=2/3
Nov 12 20:54:09 car postfix/smtps/smtpd[96058]: connect from unknown[212.70.149.69]
Nov 12 20:54:09 car postfix/smtps/smtpd[96058]: setting up TLS connection from unknown[212.70.149.69]
Nov 12 20:54:09 car postfix/smtps/smtpd[96058]: unknown[212.70.149.69]: TLS cipher list "aNULL:-aNULL:HIGH:@STRENGTH"
Nov 12 20:54:18 car postfix/smtps/smtpd[96058]: unknown[212.70.149.69]: Issuing session ticket, key expiration: 1605212657
Nov 12 20:54:18 car postfix/smtps/smtpd[96058]: Anonymous TLS connection established from unknown[212.70.149.69]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov 12 20:54:41 car dovecot[26097]: auth-worker(63810): Error: pam(rosalinda@...,212.70.149.69): pam_authenticate() failed: Authentication error (/etc/pam.d/dovecot missing?)
Nov 12 20:54:43 car postfix/smtps/smtpd[96058]: warning: unknown[212.70.149.69]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 12 20:54:47 car postfix/smtps/smtpd[96058]: lost connection after AUTH from unknown[212.70.149.69]
Nov 12 20:54:47 car postfix/smtps/smtpd[96058]: disconnect from unknown[212.70.149.69] ehlo=1 auth=0/1 rset=1 commands=2/3
Nov 12 20:56:01 car postfix/smtps/smtpd[12542]: connect from unknown[212.70.149.69]
Nov 12 20:56:01 car postfix/smtps/smtpd[12542]: setting up TLS connection from unknown[212.70.149.69]
Nov 12 20:56:01 car postfix/smtps/smtpd[12542]: unknown[212.70.149.69]: TLS cipher list "aNULL:-aNULL:HIGH:@STRENGTH"
Nov 12 20:56:10 car postfix/smtps/smtpd[12542]: unknown[212.70.149.69]: Issuing session ticket, key expiration: 1605212769
Nov 12 20:56:10 car postfix/smtps/smtpd[12542]: Anonymous TLS connection established from unknown[212.70.149.69]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov 12 20:56:32 car dovecot[20058]: auth-worker(8477): Error: pam(jordan@...,212.70.149.69): pam_authenticate() failed: Authentication error (/etc/pam.d/dovecot missing?)
Nov 12 20:56:34 car postfix/smtps/smtpd[12542]: warning: unknown[212.70.149.69]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 12 20:56:38 car postfix/smtps/smtpd[12542]: lost connection after AUTH from unknown[212.70.149.69]
Nov 12 20:56:38 car postfix/smtps/smtpd[12542]: disconnect from unknown[212.70.149.69] ehlo=1 auth=0/1 rset=1 commands=2/3
Nov 12 20:59:58 car postfix/anvil[88941]: statistics: max connection rate 1/60s for (smtps:212.70.149.69) at Nov 12 20:56:10
Nov 12 20:59:58 car postfix/anvil[88941]: statistics: max connection count 1 for (smtps:212.70.149.69) at Nov 12 20:56:10
I'd like to keep using PF for this job, as I don't have to track down every single service's setup and I just have one single source of block: the firewall. I do the same for sshd for instance, and don't rely on blacklistd or fail2ban.
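As an added illustration, not part of the post above, here is a small Python script that works the same problem from the log side: it parses the postfix smtpd lines quoted above (reused as a constructed sample, plus one made-up line from 203.0.113.5 standing in for a benign client), counts SASL authentication failures per source inside a sliding window, and builds the pfctl(8) command that would add an offender to the <bruteforce> table. It also models the pf max-src-conn-rate accounting as a sliding count of new connections: 15/3600 counts TCP connections, not failed logins, so a client that reconnects once every two minutes or so, as in the log, has to make more than 15 connections inside an hour before that option would act on it. Two other things worth checking against the rules above: pf.conf(5) states that packets matching an rdr rule with the pass keyword are passed without inspecting the filter rules, and the overload options sit on the filter rules. The window sizes, the failure threshold and the `bruteforce` table name are assumptions; the script only prints pfctl commands and never runs them.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: postfix lines from the post above plus one made-up line
# from a TEST-NET address (203.0.113.5) that never fails authentication.
SAMPLE_LOG = """\
Nov 12 20:52:49 car postfix/smtps/smtpd[96058]: warning: unknown[212.70.149.69]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 12 20:52:53 car postfix/smtps/smtpd[96058]: disconnect from unknown[212.70.149.69] ehlo=1 auth=0/1 rset=1 commands=2/3
Nov 12 20:54:09 car postfix/smtps/smtpd[96058]: connect from unknown[212.70.149.69]
Nov 12 20:54:43 car postfix/smtps/smtpd[96058]: warning: unknown[212.70.149.69]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 12 20:55:00 car postfix/smtps/smtpd[12542]: connect from mail.example.net[203.0.113.5]
Nov 12 20:56:01 car postfix/smtps/smtpd[12542]: connect from unknown[212.70.149.69]
Nov 12 20:56:34 car postfix/smtps/smtpd[12542]: warning: unknown[212.70.149.69]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

# syslog prefix: "Mon DD HH:MM:SS host program: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<prog>\S+): (?P<msg>.*)$"
)
# postfix writes the peer as "name[a.b.c.d]"
IP_RE = re.compile(r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")
FAIL_RE = re.compile(r"SASL \w+ authentication failed")


def parse_line(line):
    """Return (timestamp, ip, kind) for a connect or auth-failure line, else None.
    kind is "connect" or "auth_fail". Syslog carries no year, so strptime
    yields 1900; only the differences between timestamps are used."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip = IP_RE.search(m["msg"])
    if not ip:
        return None
    msg = m["msg"]
    if FAIL_RE.search(msg):
        kind = "auth_fail"
    elif msg.startswith("connect from"):  # "disconnect from" does not match
        kind = "connect"
    else:
        return None
    return datetime.strptime(m["ts"], "%b %d %H:%M:%S"), ip["ip"], kind


def events_by_ip(lines):
    """Group parsed (timestamp, kind) events by source address."""
    out = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            ts, ip, kind = ev
            out[ip].append((ts, kind))
    return out


def exceeds_rate(times, limit, seconds):
    """True if more than `limit` events fall inside any `seconds`-long window.
    A simple sliding-window model of pf's limit/seconds accounting."""
    times = sorted(times)
    for i, start in enumerate(times):
        j = i
        while j < len(times) and (times[j] - start).total_seconds() <= seconds:
            j += 1
        if j - i > limit:
            return True
    return False


def offenders(lines, fail_limit, window_s):
    """Sources with more than fail_limit SASL failures inside window_s seconds."""
    return sorted(
        ip for ip, evs in events_by_ip(lines).items()
        if exceeds_rate([t for t, k in evs if k == "auth_fail"], fail_limit, window_s)
    )


def conn_rate_tripped(lines, limit=15, seconds=3600):
    """Per source: would max-src-conn-rate limit/seconds trip on the connects seen?"""
    return {
        ip: exceeds_rate([t for t, k in evs if k == "connect"], limit, seconds)
        for ip, evs in events_by_ip(lines).items()
    }


def pfctl_commands(ips, table="bruteforce"):
    """pfctl(8) invocations that would add each address to the given table."""
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("conn-rate 15/3600 tripped:", conn_rate_tripped(lines))
    for cmd in pfctl_commands(offenders(lines, fail_limit=2, window_s=600)):
        print(cmd)
```

Running it as a cron job over the real log would make the shell command the only part that touches pf; the thresholds used here (more than 2 failures in 10 minutes) are just for the sample and would be tuned to the site.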