Protecting servers with fail2ban – Postfix mail server

This next post of the fail2ban series covers the protection of postfix mail servers.

Postfix configuration

I will not handle the configuration of postfix itself in this blog post. Anyway, I would like to share some ideas on what a good / safe configuration of a postfix mail server looks like:

  • Accept email for own domain(s) only – no open mail relay.
  • Accept email only from servers calling with a FQDN.
  • Offer session encryption using strong ciphers only.
  • Disable unencrypted transport wherever possible.
  • Accept email from local users only after they have logged in.
  • Decline email for failed FQDN / host IP address validation.
  • Accept / decline emails based on spam blacklists like zen.spamhaus.org.
  • Scan each email for viruses – incoming and outgoing – and decline emails with viruses.
  • Make use of DNSSEC/DANE – a lot of work…

In my opinion the postfix server is one of the services which needs most of the admin's attention for configuration and maintenance.

Postfix SASL logins

Overview

As per the above configuration, a user has to log in with username / password to be able to send an email. One of the most common attacks on the postfix service is to guess this password: the attacker tries to guess a valid username / password combination to log into the system. A failed login attempt will be shown as

warning: <servername>[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: <passwordBase64Coded>

The base64 encoded password could e.g. be “UGFzc3dvcmQ6” (without quotes). This actually resolves to “password”.

Configuration

[postfix-sasl]
port     = smtp,465,submission,imap3,imaps,pop3,pop3s
logpath  = %(postfix_log)s
enabled  = true

This activates fail2ban on the needed ports. You have to check your configuration / your server to see which ports postfix is actually listening on.
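As an added example, not part of the original post and not fail2ban's own code, the following Python script applies a simplified postfix-sasl failregex to a few constructed log lines and mimics the maxretry / findtime rule fail2ban uses to decide on a ban. The regex, the sample lines and the assumed year are my own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Simplified stand-in for fail2ban's postfix-sasl failregex (an assumption,
# not copied from fail2ban). The "host" group plays the role of <HOST>.
SASL_FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"postfix/(?:[\w-]+/)?smtpd\[\d+\]: warning: [^\[\]]*\[(?P<host>[0-9a-fA-F.:]+)\]: "
    r"SASL (?:LOGIN|PLAIN|CRAM-MD5) authentication failed"
)

# Constructed sample log lines, not taken from a real server.
SAMPLE_LOG = """\
Mar  3 10:00:01 mx1 postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 10:00:05 mx1 postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 10:00:09 mx1 postfix/submission/smtpd[1235]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Mar  3 10:00:12 mx1 postfix/smtpd[1236]: connect from mail.example.org[198.51.100.7]
Mar  3 10:00:20 mx1 postfix/smtpd[1236]: warning: mail.example.org[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 11:30:00 mx1 postfix/smtpd[1240]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

def parse_failures(log_text, year=2024):
    """Return (timestamp, host) per matching line; syslog has no year, so one is assumed."""
    failures = []
    for line in log_text.splitlines():
        m = SASL_FAIL_RE.match(line)
        if not m:
            continue  # connects, successful logins etc. are not failures
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m.group("host")))
    return failures

def hosts_to_ban(log_text, maxretry=5, findtime=600, year=2024):
    """Ban a host once it reaches maxretry failures within findtime seconds (fail2ban defaults: 5 in 10m)."""
    recent = defaultdict(list)
    banned = set()
    for ts, host in sorted(parse_failures(log_text, year)):
        if host in banned:
            continue
        # keep only the failures of this host that are still inside the window
        window = [t for t in recent[host] if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return sorted(banned)
```

With the fail2ban defaults no host in the sample is banned; lowering maxretry to 3 catches 203.0.113.5, whose three failures fall within a few seconds, while its later isolated failure at 11:30 is outside the findtime window.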


Postfix RBL blocked hosts

Overview

As mentioned above, hosts trying to deliver email to the server should be checked against RBL lists like zen.spamhaus.org. The incoming email is blocked as long as the host is listed on the RBL. But each attempt still “spams” the log file. By using the fail2ban-rbl filter, it is easy to get rid of these messages in the log file. A blocked email appears as follows in the log file:

TBD

Configuration

[postfix-rbl]
port     = smtp,465,submission
logpath  = %(syslog_mail)s
maxretry = 1
enabled  = true