MAKING MY POSTFIX CONFIG RACIST

Yesterday I described blocking "Aleksandr" spam in Postfix, 
something that's apparently becoming a rite of passage among 
internet 'postmasters'. Of course while doing lots of log reading 
for the sake of that, I found myself wading through the constant 
stream of IP-address-rich spammers trying to brute force the log-in 
so that they could use it as a relay (also a small few trying to 
break into POP/IMAP so they could read my emails, but those are 
vastly outnumbered by the SMTP attacks).

I'm not afraid of them succeeding, and there's no issue from server 
load, but I don't really want to oblige them either. It occurred to 
me that they pretty much all come from overseas IP addresses, and 
yet I've never even been overseas so I'm definitely only going to 
connect to it from an Australian IP address, so why not just block 
all non-Australian IP addresses from doing SASL authentication?

This is something that I've never been brave enough to do on SSH 
connections because I'm not on a fixed IP myself so one day if it 
goes wrong or there's an error in the geo-IP database, I'll get 
locked out. But with email it's much less scary - even if I don't 
have time to mess with the server configuration when it goes wrong, 
I can just switch to using my ISP's SMTP server instead anyway.

Yet the trouble is that I've been using port 25 for sending mail 
from remote clients, and of course that's also where the SMTP 
server listens for incoming mail to local mailboxes, which I 
definitely want to accept from IP addresses outside Australia. So I 
can't simply filter port 25 with the firewall, and as such I spent 
quite a while looking through the Postfix docs expecting to find a 
way to restrict which IP addresses it offers SASL to. I was rather 
disappointed to find out that there was nothing of the sort.

But the next day I went back and discovered that I was on the wrong 
track entirely. There's actually a standard "submission" port (587) 
designated especially for connections from clients looking to relay 
their mail into the wider universe. There's also some suggestion 
that my configuration using port 25 for this was wrong from the 
outset, although things like Sylpheed defaulting to port 25 suggest 
that it must be a very common mistake if it is one.

This is configured by disabling SASL globally in 
/etc/postfix/main.cf with "smtpd_sasl_auth_enable = no", then 
enabling the submission port in /etc/postfix/master.cf with the "-o 
smtpd_sasl_auth_enable = yes" parameter. Now port 25 still accepts 
connections from any other servers for receiving incoming mail, but 
won't accept authentication, which is required for mail relay. Mail 
relay is only accepted on port 587.

Port 587 was blocked before by the firewall (Firehol), so now I've 
enabled it only for networks on a list of Australian IP ranges. 
This is fetched automatically and converted as described in the 
Firehol docs:
  http://firehol.org/guides/ipset/
So I set a cron job to automatically fetch and update the Australian
IP set (which I called australian_nets) from the web, then used
this line to allow the submission port in firehol.conf:
  server submission accept src ipset:australian_nets

I'm using this as my source of IP ranges:
  https://www.ipdeny.com/ipblocks/
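As an added example (not the post's own cron job, and not code from the FireHOL or ipdeny projects), here is a shell script that refreshes the australian_nets ipset from an ipdeny country zone file, validating the download before it is swapped in so that a bad fetch cannot silently empty the set and lock out legitimate clients. The exact zone file path under ipdeny.com, the download location and the sanity floor are assumptions.

```shell
#!/bin/sh
# Refresh the "australian_nets" ipset that firehol.conf matches with
# "server submission accept src ipset:australian_nets". Meant for cron.
# ASSUMED: the zone file path below (one IPv4 CIDR per line) and the
# scratch file location; the set name comes from the post.
set -eu

ZONE_URL="https://www.ipdeny.com/ipblocks/data/countries/au.zone"  # assumed
SET_NAME="australian_nets"
WORK="${TMPDIR:-/tmp}/${SET_NAME}.zone"

# Turn a zone file into "ipset restore" input for the named set.
# Only IPv4-CIDR-shaped lines are kept (deduplicated), so a corrupt or
# truncated download yields a small set that main() refuses to load.
zone_to_restore() {  # $1 = zone file, $2 = target set name
    printf 'create %s hash:net family inet -exist\n' "$2"
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' "$1" | sort -u |
        awk -v set="$2" '{ print "add " set " " $1 }'
}

# Number of ranges a restore from this zone file would add.
count_entries() {  # $1 = zone file
    zone_to_restore "$1" tmp | grep -c '^add ' || true
}

main() {
    curl -fsS -o "$WORK" "$ZONE_URL"
    n=$(count_entries "$WORK")
    if [ "$n" -lt 100 ]; then   # assumed floor: AU has thousands of ranges
        echo "refusing to load $SET_NAME: only $n ranges parsed" >&2
        exit 1
    fi
    # Build the new list in a scratch set, then swap atomically so the
    # firewall never matches against an empty or half-filled set.
    zone_to_restore "$WORK" "${SET_NAME}_new" | ipset restore
    ipset create "$SET_NAME" hash:net family inet -exist
    ipset swap "${SET_NAME}_new" "$SET_NAME"
    ipset destroy "${SET_NAME}_new"
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as `sh refresh-australian-nets.sh --run` from cron; the sanity floor and atomic swap are what guard against the geo-IP database error the post worries about.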

But of course it's tricky to test because I don't have access to a 
computer that's outside of Australia besides this VPS itself. Many 
websites offering nmap functionality don't test the submission 
port, but I eventually found https://nmap.online/ (basic functions 
work without Javascript). I tested the geo restriction by running 
"nmap -F [IP address]" locally and comparing the result with 
https://nmap.online/: the web Nmap doesn't show the "submission" 
port open, but the local one does. Yay!

Sure enough, now there are no more "SASL LOGIN authentication 
failed" messages in /var/log/mail.log, yet mail is delivered 
successfully from my clients after changing the port setting from 
25 to 587.

Interestingly, some of the spammers trying to get into port 25 did 
keep banging their heads against the wall. By the next day there 
were over 4700 records of attempted AUTH log-ins there, even though 
they were just getting the "authorisation not available" error back.

http://firehol.org/guides/ipset/
http://firehol.org/firehol-manual/firehol-services/#service-submission
http://www.postfix.org/postconf.5.html#smtpd_sasl_auth_enable
https://serverfault.com/a/706280
https://www.ipdeny.com/ipblocks/
https://nmap.online/

 - The Free Thinker

PS: This is my first attempt at converting some of my personal 
server-configuration notes into other-human-readable format; I'm 
not sure how well it worked, but somehow it still took me over half 
an hour!