TCP wrappers and Postfix

On 08/02/2021 08:04, Eugene Podshivalov wrote:
> There are a bunch of spiders and spammers nowadays which are knocking
> the service every hour or so every day. Postfix has a really powerful
> access control system to protect itself but it becomes a bit hard to
> read the log file flooded by the connection attempts. I'm currently
> trying to filter those out by UFW but dynamic addresses make it quite
> inefficient.

My 2p (I also use ufw but as a last-resort):

Postscreen of course

Fail2ban 0.10+ with its postfix (and recidive) jails

If you run postfix's dnsblog you could remove it to reduce the number of
log entries

If you allow incoming emails by IPv6 you might turn it off

I'm new to postscreen and it's what I was looking for. Thanks a lot for the answers!

пн, 8 февр. 2021 г. в 11:22, Dominic Raferd <[hidden email]>:

On 08/02/2021 08:04, Eugene Podshivalov wrote:
> There are a bunch of spiders and spammers nowadays which are knocking
> the service every hour or so every day. Postfix has a really powerful
> access control system to protect itself but it becomes a bit hard to
> read the log file flooded by the connection attempts. I'm currently
> trying to filter those out by UFW but dynamic addresses make it quite
> inefficient.

My 2p (I also use ufw but as a last-resort):

Postscreen of course

Fail2ban 0.10+ with its postfix (and recidive) jails

If you run postfix's dnsblog you could remove it to reduce the number of
log entries

If you allow incoming emails by IPv6 you might turn it off

Eugene Podshivalov:
> Have read through the postscreen documentation closely and got it setup and
> running already, but could not find the three major possibilities provided
> by the tcp wrappers:
> 1. block by hostname
> 2. block clients with unknown hostname
> 3. block clients with invalid address<->name mapping

Those are implemented by http://www.postfix.org/smtpd.8.html

Postscreen does not look up or verify the client hostname.
It is the FIRST line of defense; the more expensive checks
are done in other programs. In increasing order of cost, that's
postscreen, smtpd_mumble_restrictions, header/body_checks, and
content inspection with Milter, smtpd_proxy_filter, or FILTER.

        Wietse

On 2/8/2021 11:45 AM, Eugene Podshivalov wrote:
> Thanks for the explanation, Wietse.
>
> Probably the issue is just with the logging levels.
> My current configuration already has
>
>     smtpd_client_restrictions=reject_unknown_client_hostname
>
> and the log file is flooded with message like this
>
>     connect from unknown[ x.x.x.x]
>     NOQUEUE: reject: CONNECT from unknown[ x.x.x.x]: 450 4.7.25
>     Client host rejected: cannot find your hostname

That's a 450 temporary reject, so if it's a (semi-)legit mail server
it will likely try again and again. Bots tend to not come back.

Try changing unknown_client_reject_code=550 to signal a permanent
reject.

Also note that reject_unknown_client_hostname is a very strict test
and is known to reject some legit mail from slightly misconfigured
hosts, sometimes even major providers will fail this test. I'm not
telling you to not use this setting, but be aware that it will
eventually reject something you want.
It's safer to use reject_unknown_reverse_client_hostname.

>
> which makes it hard to analyse.

I fail to see how that makes analysis any harder. If your logs are
for more than a trivial amount of mail use "grep" to find the
interesting bits, and "less" to view. The "interesting bits" will
vary depending on what you're investigating.

Or use a log summary tool such as pflogsumm or one of the others
listed at http://www.postfix.org/addon.html#logfile

Make sure you don't have debug logs turned on, with a -D flag in
master.cf, or debug_peer_list, or [smtp|smtpd]_tls_loglevel greater
than 1 in main.cf.


>
> For comparison, the postscreen_*_action params let you `enforce`
> reject a delivery attempt and log it, or just 'drop' the connection
> silently.

postscreen's drop action _does_not_ eliminate logging. The
connect/drop/disconnect is always logged. Drop does eliminate
logging of the sender and recipient, which is often useful.

I respectfully suggest you don't waste your valuable time trying to
eliminate logging. Postfix logs what is necessary in order to trace
where mail came from and what happened to it.

If you want to get rid of the logging (not recommended) use a log
filter such as rsyslogd or block the client IP in your firewall, or
use fail2ban to automatically block clients that make too many errors.



   -- Noel Jones

Thanks, Noel! Your comments are helpful indeed.

пн, 8 февр. 2021 г. в 22:37, Noel Jones <[hidden email]>:

On 2/8/2021 11:45 AM, Eugene Podshivalov wrote:
> Thanks for the explanation, Wietse.
>
> Probably the issue is just with the logging levels.
> My current configuration already has
>
>     smtpd_client_restrictions=reject_unknown_client_hostname
>
> and the log file is flooded with message like this
>
>     connect from unknown[ x.x.x.x]
>     NOQUEUE: reject: CONNECT from unknown[ x.x.x.x]: 450 4.7.25
>     Client host rejected: cannot find your hostname

That's a 450 temporary reject, so if it's a (semi-)legit mail server
it will likely try again and again. Bots tend to not come back.

Try changing unknown_client_reject_code=550 to signal a permanent
reject.

Also note that reject_unknown_client_hostname is a very strict test
and is known to reject some legit mail from slightly misconfigured
hosts, sometimes even major providers will fail this test. I'm not
telling you to not use this setting, but be aware that it will
eventually reject something you want.
It's safer to use reject_unknown_reverse_client_hostname.

>
> which makes it hard to analyse.

I fail to see how that makes analysis any harder. If your logs are
for more than a trivial amount of mail use "grep" to find the
interesting bits, and "less" to view. The "interesting bits" will
vary depending on what you're investigating.

Or use a log summary tool such as pflogsumm or one of the others
listed at http://www.postfix.org/addon.html#logfile

Make sure you don't have debug logs turned on, with a -D flag in
master.cf, or debug_peer_list, or [smtp|smtpd]_tls_loglevel greater
than 1 in main.cf.


>
> For comparison, the postscreen_*_action params let you `enforce`
> reject a delivery attempt and log it, or just 'drop' the connection
> silently.

postscreen's drop action _does_not_ eliminate logging. The
connect/drop/disconnect is always logged. Drop does eliminate
logging of the sender and recipient, which is often useful.

I respectfully suggest you don't waste your valuable time trying to
eliminate logging. Postfix logs what is necessary in order to trace
where mail came from and what happened to it.

If you want to get rid of the logging (not recommended) use a log
filter such as rsyslogd or block the client IP in your firewall, or
use fail2ban to automatically block clients that make too many errors.



   -- Noel Jones

Eugene Podshivalov wrote:
> Is it by chance possible that tcp wrappers will be supported in future at
> least as an optionally compiled feature?

One can't say something will never happen.  But why would it be
needed?

As others have said Postfix already supports all of the same feature
set but in better ways.  So why would Postfix want to add something
which does less than what it already does?  Therefore the likelihood
is no because that would not be as good as what is already there.

If you really, really, really, want tcp wrappers support then you
would need to give a good reason why the current features are not
working for you.

Bob