Blocking failed smtp relay requests

Every day (around the same time, interestingly) I get a wave of log messages exactly like this:

postfix/smtpd[45049]: warning: 186.60.162.91: hostname 186-60-162-91.speedy.com.ar verification failed: nodename nor servname provided, or not known

It appears to me as if some pinhead is attempting to use my server as a spam relay and all the messages are being rejected. No harm is done, except that I get annoyed about this useless waste of my small and expensive business-class bandwidth (I'm in Australia).


Is there any way to automatically add a rule to the firewall to reject the IP address after, say, 3 failed attempts in less than 10 seconds? Or something like that?


I've been manually adding rules, now and then, but I'm sure this is useless as they change IP addresses every day. When the wave of attempts starts, I've noticed that they tend to come from the same few IP addresses and it seems senseless for the mail server to have to reject them if I could automatically add those IP addresses to the firewall, which would simply drop the request before they even get started.


Any help would be gratefully appreciated.

MacPro, Mac OS X (10.6.2), 2.93 GHz Quad-core, 8GB, 2TB (Snow Leopard Server)

Posted on Sep 26, 2011 8:17 PM


Sep 26, 2011 11:00 PM in response to Simon Paterson

Are you using an RBL? I'd add that first. Also, limit relay to the local net, and use strong passwords, enabling mail only for users that need it.


The other thing I do, is enable the firewall. It has some built in rules which seem to help, but from memory can't recall if any are SMTP specific.


As for your original question: yes, it is possible. I read a how-to for this some time ago, but cannot locate it at the moment; not even sure if it was a postfix config change or an ipfw rule.

Sep 27, 2011 12:47 AM in response to Simon Paterson

Good to hear the basics are covered 🙂 You'd be surprised how often they're overlooked.


Looking up the actual error in your log, it looks to be a warning indicating that the PTR doesn't have a corresponding A record. Basically, a fairly minor DNS issue on the sending MTA. So, might not be actual relay attempts. Relays should be dropped or show failed login attempts elsewise. /var/log/mail.log I think is where you'll see any failures.


What I was thinking of is the adaptive firewall. emond is meant to block IPs after 10 failed attempts, for 15 mins. I imagine it can be adapted, so to speak, to block the IPs for longer, or after fewer attempts. You could trawl through your logs to see if that's actually happening.


The command line tool for the adaptive firewall is afctl. The rule that does the default blocking after 10 failed attempts is in a plist, /etc/emond.d/rules/AdaptiveFirewall.plist.


The postfix config can also be managed to block SMTP specific accesses, blacklisting or greylisting IPs. I'm trying to dig up details for how to do this in the way you'd like.

Sep 27, 2011 7:56 PM in response to Elite Expert of all Knowledge

So, I think what might help in more general terms is fail2ban http://www.fail2ban.org/wiki/index.php/HOWTO_Mac_OS_X_Server_(10.5)


That how-to is for 10.5, but should work for 10.6, too. Basically, it monitors logs and then uses the built-in firewall to ban IPs. The advantage of this for your concern is that it will block all access from that IP, including SSH and POP/IMAP.


You can also roll your own, basically by monitoring logs for failed logins (the syslog command can pull them out, or you can use grep), and then counting the number of failed logins for a particular IP over a set time, and adding that to the postfix blacklist or firewall.
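A minimal version of the roll-your-own approach described in this reply, added here as an example (not code from the thread, from fail2ban or from Apple's adaptive firewall): it parses constructed syslog-format copies of the warning quoted in the question, keeps a per-IP sliding window so that three warnings within ten seconds (the figures from the question) flag the address, and emits ipfw deny commands for an admin to review rather than running them. The year, the ipfw rule numbers and the sample lines are assumptions; as the earlier reply notes, this particular warning can be a plain DNS problem on the sender's side, so the flagged list deserves a look before it goes into the firewall.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in syslog layout: the first IP is the one quoted in the
# question, the other addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Sep 26 20:17:01 mail postfix/smtpd[45049]: warning: 186.60.162.91: hostname 186-60-162-91.speedy.com.ar verification failed: nodename nor servname provided, or not known
Sep 26 20:17:03 mail postfix/smtpd[45049]: warning: 186.60.162.91: hostname 186-60-162-91.speedy.com.ar verification failed: nodename nor servname provided, or not known
Sep 26 20:17:05 mail postfix/smtpd[45051]: warning: 192.0.2.10: hostname mx.example.invalid verification failed: nodename nor servname provided, or not known
Sep 26 20:17:08 mail postfix/smtpd[45049]: warning: 186.60.162.91: hostname 186-60-162-91.speedy.com.ar verification failed: nodename nor servname provided, or not known
Sep 26 20:17:30 mail postfix/smtpd[45052]: warning: 192.0.2.10: hostname mx.example.invalid verification failed: nodename nor servname provided, or not known
Sep 26 20:17:31 mail postfix/smtpd[45053]: connect from unknown[198.51.100.7]
"""

# Matches only the hostname-verification warning quoted in the question.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: (?P<ip>\d+(?:\.\d+){3}): hostname \S+ verification failed"
)

def parse_line(line, year=2011):
    """(timestamp, ip) for a matching line, else None; syslog has no year, so one is assumed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
    return ts, m.group("ip")

def offenders(lines, threshold=3, window_seconds=10):
    """IPs with >= threshold warnings inside any window_seconds span (sliding window per IP)."""
    recent = defaultdict(deque)
    flagged = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unrelated log line
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # expire events that fell out of the window
        if len(q) >= threshold:
            flagged.add(ip)
    return flagged

def ipfw_rules(ips, start_rule=10000):
    """ipfw deny commands for an admin to review before running; rule numbers are assumed."""
    return ["ipfw add %d deny tcp from %s to any 25" % (start_rule + i, ip)
            for i, ip in enumerate(sorted(ips))]
```

Feeding it the sample flags only 186.60.162.91 (three warnings in seven seconds); 192.0.2.10's two warnings are 25 seconds apart and stay below the threshold.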

Sep 27, 2011 8:33 PM in response to Elite Expert of all Knowledge

Totally perfect. Thank you. Your input on this subject has been invaluable.


I will use this to search for a specific entry in the system.log file which occurs every time I receive a failed relay attempt. It is precisely the mechanism I'd hoped for.


Once again, my sincere gratitude. You've made my day. The very last problem with my small business server is now solved. Relief.
