Is it wise if I modify the postfix fail2ban rule:
failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 Client host rejected: cannot find your hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
^%(__prefix_line)sNOQUEUE: reject: EHLO from \S+\[<HOST>\]: 504 5\.5\.2 <\S+>: Helo command rejected: need fully-qualified hostname;
^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.1\.8 <\S*>: Sender address rejected: Domain not found; from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$
by adding the following line:
^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 550 5\.1\.1 .*$
because I'm trying to block attacks like this:
Jan 27 09:42:02 host1 postfix/smtpd[3416]: NOQUEUE: reject: RCPT from unknown[109.107.106.180]: 550 5.1.1 <[email protected]>: Recipient address rejected: User unknown in virtual alias table; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[109.107.106.180]>
Jan 27 09:42:03 host1 postfix/smtpd[3416]: NOQUEUE: reject: RCPT from unknown[109.107.106.180]: 550 5.1.1 <[email protected]>: Recipient address rejected: User unknown in virtual alias table; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[109.107.106.180]>
Jan 27 09:55:32 host1 postfix/smtpd[4914]: NOQUEUE: reject: RCPT from unknown[109.107.106.180]: 550 5.1.1 <[email protected]>: Recipient address rejected: User unknown in virtual alias table; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[109.107.106.180]>
Jan 27 09:55:32 host1 postfix/smtpd[4914]: NOQUEUE: reject: RCPT from unknown[109.107.106.180]: 550 5.1.1 <[email protected]>: Recipient address rejected: User unknown in virtual alias table; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[109.107.106.180]>
I'm worried it would inadvertently lose misaddressed emails that should be bounced back to users who simply got an email address wrong.
What do you suggest?
Answer 1
With this kind of thing you always have to strike a balance. A one-off or occasional failure may well be the sender's mistake. Many failures within a short time may indicate something you want to impose a (temporary) ban for.
That is why fail2ban has parameters you can use to tune its sensitivity. For example, you can set the maximum number of retries and the find time. The maxretry setting is the number of failed attempts tolerated within findtime; if that number is exceeded, the address is banned.
I would look carefully at the log files to understand what is going on and set the parameters accordingly.
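To see how the proposed 550 5.1.1 rule interacts with findtime and maxretry, here is an added example (not code from the question or either answer) that applies the regex to a few constructed log lines and replays fail2ban's counting logic. The syslog prefix pattern stands in for fail2ban's `__prefix_line` and the sample addresses are RFC 5737 documentation addresses, both assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Stand-in for fail2ban's __prefix_line (assumption: a plain syslog prefix, not fail2ban's exact definition)
PREFIX = r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
# The proposed failregex, with <HOST> expanded to a named group the way fail2ban does internally
FAILREGEX = re.compile(PREFIX + r"NOQUEUE: reject: RCPT from \S+\[(?P<host>[^\]]+)\]: 550 5\.1\.1 .*$")

# Constructed sample log (documentation addresses, not real traffic):
# 198.51.100.7 probes four unknown recipients, 203.0.113.9 makes a single typo,
# 192.0.2.5 is rejected with a different code that this rule must not match.
SAMPLE_LOG = [
    "Jan 27 09:42:02 host1 postfix/smtpd[3416]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <aaa@example.com>: Recipient address rejected: User unknown in virtual alias table; from=<x@example.net> to=<aaa@example.com> proto=ESMTP helo=<[198.51.100.7]>",
    "Jan 27 09:42:03 host1 postfix/smtpd[3416]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <bbb@example.com>: Recipient address rejected: User unknown in virtual alias table; from=<x@example.net> to=<bbb@example.com> proto=ESMTP helo=<[198.51.100.7]>",
    "Jan 27 09:55:32 host1 postfix/smtpd[4914]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <ccc@example.com>: Recipient address rejected: User unknown in virtual alias table; from=<x@example.net> to=<ccc@example.com> proto=ESMTP helo=<[198.51.100.7]>",
    "Jan 27 09:55:32 host1 postfix/smtpd[4914]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <ddd@example.com>: Recipient address rejected: User unknown in virtual alias table; from=<x@example.net> to=<ddd@example.com> proto=ESMTP helo=<[198.51.100.7]>",
    "Jan 27 10:10:00 host1 postfix/smtpd[5001]: NOQUEUE: reject: RCPT from mail.example.org[203.0.113.9]: 550 5.1.1 <jhon.doe@example.com>: Recipient address rejected: User unknown in virtual alias table; from=<jane@example.org> to=<jhon.doe@example.com> proto=ESMTP helo=<mail.example.org>",
    "Jan 27 10:11:00 host1 postfix/smtpd[5002]: NOQUEUE: reject: RCPT from unknown[192.0.2.5]: 554 5.7.1 <someone@example.org>: Relay access denied; from=<x@example.net> to=<someone@example.org> proto=ESMTP helo=<[192.0.2.5]>",
]

def parse_ts(ts, year=2024):
    # syslog timestamps carry no year; any fixed year works because only differences are used
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def hosts_to_ban(lines, findtime=600, maxretry=5):
    """Return {host: timestamp of the failure that triggered the ban}.
    A host is banned once it has maxretry matching failures within findtime seconds."""
    recent = defaultdict(list)
    banned = {}
    for line in lines:
        m = FAILREGEX.match(line)
        if not m:
            continue  # not a 550 5.1.1 RCPT reject: this rule ignores it
        host, ts = m.group("host"), parse_ts(m.group("ts"))
        # keep only the failures that fall inside the findtime window ending at this one
        recent[host] = [t for t in recent[host] + [ts] if (ts - t).total_seconds() <= findtime]
        if len(recent[host]) >= maxretry and host not in banned:
            banned[host] = m.group("ts")
    return banned

if __name__ == "__main__":
    # Tight window: the bursts at 09:42 and 09:55 are too far apart, nobody is banned
    print(hosts_to_ban(SAMPLE_LOG, findtime=600, maxretry=3))
    # Half-hour window: the probing host is banned on its third failure, the typo host is left alone
    print(hosts_to_ban(SAMPLE_LOG, findtime=1800, maxretry=3))
```

The single misaddressed message from 203.0.113.9 never reaches maxretry under either setting, which is the balance the answer describes.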
Answer 2
My suggestion to you is to use postscreen; more information here: http://www.postfix.org/POSTSCREEN_README.html
"The Postfix postscreen(8) server provides additional protection against mail server overload. One postscreen(8) process handles multiple inbound SMTP connections, and decides which clients may talk to a Postfix SMTP server process. By keeping spambots away, postscreen(8) leaves more SMTP server processes available for legitimate clients, and delays the onset of server overload conditions."
With a few clever checks, the whole load can be taken off the MTA. The bots never get that far, which is how it should be.
If your setup does not allow installing postscreen, a policy daemon with rate limiting may come in handy.