OPNsense Forum

Archive => 19.7 Legacy Series => Topic started by: PotatoCarl on September 06, 2019, 12:13:49 pm

Title: Protect Postfix/IMAP
Post by: PotatoCarl on September 06, 2019, 12:13:49 pm
Hi

I wonder if there is a way to additionally protect the connection to the postfix/imap daemon in my network, like a sanitization proxy or such. I only allow SSL connections, but still get a huge amount of failed auths.

Of course I still need to check email from the outside, but maybe someone has an idea (except VPN, which is what I probably will be using if any other methods turn out to be snake oil).

VPN is however adding a layer of support for the road warriors, so I try to get around that.

Thanks.
Title: Re: Protect Postfix/IMAP
Post by: fabian on September 06, 2019, 12:25:03 pm
nginx can inspect mail protocols (the plugin does not currently implement it, but it exists) and you have the option to use the postfix plugin for (E)SMTP with rspamd as milter, which should avoid some spam as well.
Title: Re: Protect Postfix/IMAP
Post by: ruggerio on September 06, 2019, 01:32:30 pm
Hi,

There is an open ticket on GitHub for this.

Meanwhile I have installed fail2ban on my servers, which blocks IPs with more than 3 failed logins completely on the route.

Unfortunately, I am not that experienced. But since OPNsense with syslogd should now have the possibility to receive logs from a mailserver, I plan (not in the short term) to have my mailservers also log to OPNsense and have OPNsense block the IPs.

I have not tried it yet and cannot confirm if it's working. In my mind, it should :)
Title: Re: Protect Postfix/IMAP
Post by: marcri on September 06, 2019, 01:33:26 pm
fail2ban is perfect for blocking clients with failed auths
Title: Re: Protect Postfix/IMAP
Post by: PotatoCarl on October 30, 2019, 10:20:45 am
Thanks, I will give fail2ban a try.
Title: Re: Protect Postfix/IMAP
Post by: actionhenkt on November 04, 2019, 08:55:01 pm
Maybe you can also set up a URL alias to a blocklist and put that on a "block in" on the WAN of your open ports. I'm using the OTX list:
https://reputation.alienvault.com/reputation.generic

It doesn't block a lot but it helps against known IPs.
Title: Re: Protect Postfix/IMAP
Post by: PotatoCarl on November 06, 2019, 09:51:02 am
I have some block lists enabled, mostly geographically, as the mail server is only used by our staff (we have a different uplink). I basically want to make sure that any known or unknown security flaw of cyrus or postfix is at least partially deflected. I also see that it is kind of difficult, but it looks like fail2ban might be an option. I just have to understand the configuration and how to implement it on our mailserver without locking myself out ;-)
Title: Re: Protect Postfix/IMAP
Post by: actionhenkt on November 06, 2019, 10:24:02 pm
You can whitelist your IP in the jail.conf using the

ignoreip = xxx.xxx.xxx.xxx/24

You can test if an IP would get blocked before using it in a jail:

fail2ban-regex /var/log/<yourlog> /etc/fail2ban/filter.d/<yourjailfilter.conf>

It will show you if it matches with your regex.
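
Added example, not part of the thread and not fail2ban's own code: a Python dry run of the two ideas in the last post, applied to a constructed log, showing which hosts would reach a failure threshold and how an ignoreip range keeps a staff network out of the result. The regexes are simplified assumptions rather than fail2ban's shipped filters, maxretry=3 is an assumed threshold, and the time window (findtime) is ignored.

```python
import ipaddress
import re
from collections import Counter

# Simplified failure patterns: assumptions for this example, not fail2ban's filters.
FAIL_PATTERNS = [
    # Postfix SASL failure: "warning: unknown[203.0.113.5]: SASL LOGIN authentication failed"
    re.compile(r"postfix/\w+\[\d+\]: warning: \S+\[(?P<host>[0-9a-fA-F.:]+)\]: "
               r"SASL \S+ authentication failed"),
    # Cyrus IMAP failure: "badlogin: host.example [198.51.100.7] plaintext ..."
    re.compile(r"imaps?\[\d+\]: badlogin: \S+ \[(?P<host>[0-9a-fA-F.:]+)\]"),
]

def would_ban(log_lines, ignoreip, maxretry=3):
    """Return {ip: failures} for hosts with >= maxretry failures, skipping ignoreip."""
    nets = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    failures = Counter()
    for line in log_lines:
        for pat in FAIL_PATTERNS:
            m = pat.search(line)
            if not m:
                continue
            ip = ipaddress.ip_address(m.group("host"))
            # Whitelisted networks are never counted, so they can never be banned.
            if not any(ip in net for net in nets):
                failures[str(ip)] += 1
            break
    return {ip: n for ip, n in failures.items() if n >= maxretry}

# Constructed sample log (documentation address ranges only).
SASL = ("Nov  6 22:01:0{n} mail postfix/smtpd[811]: warning: unknown[{ip}]: "
        "SASL LOGIN authentication failed: UGFzc3dvcmQ6")
SAMPLE_LOG = (
    [SASL.format(n=n, ip="203.0.113.5") for n in range(3)]    # outside host, 3 failures
    + [SASL.format(n=n, ip="192.0.2.10") for n in range(4)]   # staff host, 4 failures
    + ["Nov  6 22:01:09 mail cyrus/imaps[902]: badlogin: host.example [198.51.100.7] "
       "plaintext alice SASL(-13): authentication failure: checkpass failed",
       "Nov  6 22:02:00 mail postfix/smtpd[811]: connect from unknown[203.0.113.5]"]
)

if __name__ == "__main__":
    # Without a whitelist the staff host with a mistyped password is banned too.
    print("without ignoreip:", would_ban(SAMPLE_LOG, ignoreip=[]))
    print("with ignoreip:   ", would_ban(SAMPLE_LOG, ignoreip=["192.0.2.0/24"]))
```
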