I've noticed that I keep getting junk connections to postfix/smtpd. In /var/log/mail.log I see a lot of repeated entries like:
May 2 11:09:04 mercury postfix/smtpd[25364]: warning: unknown[164.39.218.210]: SASL LOGIN authentication failed: Invalid authentication mechanism
May 2 11:09:04 mercury postfix/smtpd[25364]: lost connection after AUTH from unknown[164.39.218.210]
May 2 11:09:04 mercury postfix/smtpd[25364]: disconnect from unknown[164.39.218.210]
May 2 11:09:07 mercury postfix/smtpd[25408]: connect from unknown[185.234.216.121]
May 2 11:09:07 mercury postfix/smtpd[25408]: warning: unknown[185.234.216.121]: SASL LOGIN authentication failed: Invalid authentication mechanism
May 2 11:09:07 mercury postfix/smtpd[25408]: lost connection after AUTH from unknown[185.234.216.121]
May 2 11:09:07 mercury postfix/smtpd[25408]: disconnect from unknown[185.234.216.121]
May 2 11:09:09 mercury postfix/smtpd[25364]: connect from ticketmx.kinopark.am[212.34.242.82]
May 2 11:09:09 mercury postfix/smtpd[25408]: connect from unknown[185.234.216.195]
May 2 11:09:10 mercury postfix/smtpd[25408]: warning: unknown[185.234.216.195]: SASL LOGIN authentication failed: Invalid authentication mechanism
May 2 11:09:10 mercury postfix/smtpd[25364]: warning: ticketmx.kinopark.am[212.34.242.82]: SASL LOGIN authentication failed: Invalid authentication mechanism
May 2 11:09:10 mercury postfix/smtpd[25408]: lost connection after AUTH from unknown[185.234.216.195]
May 2 11:09:10 mercury postfix/smtpd[25408]: disconnect from unknown[185.234.216.195]
May 2 11:09:10 mercury postfix/smtpd[25364]: lost connection after AUTH from ticketmx.kinopark.am[212.34.242.82]
May 2 11:09:10 mercury postfix/smtpd[25364]: disconnect from ticketmx.kinopark.am[212.34.242.82]
May 2 11:09:12 mercury postfix/smtpd[25408]: connect from unknown[185.234.216.114]
I thought I would block ticketmx.kinopark.am by adding the following to /etc/postfix/header_checks:
/^Received: .*ticketmx\.kinopark\.am.*$/ REJECT Sorry, too much spam from kinopark.am
I restarted postfix, but I still keep seeing this junk. Any suggestions? Is there something else I should be blocking?
Thanks
Answer 1
Your header check looks for a match in the headers of an e-mail. However, the connections shown in your log never submit an e-mail at all: they connect, attempt to authenticate, fail authentication, and disconnect.
In that situation the best thing you can do is probably to use something like fail2ban. It watches the log file for authentication failures and, once too many failures have been seen from the same IP address, blocks the source IP with a firewall rule.
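To make the fail2ban approach concrete, here is an added example (not code from the question, the answer, or fail2ban itself) that applies the same counting rule to postfix/smtpd log lines: count "SASL ... authentication failed" warnings per source IP and flag an IP the first time it reaches maxretry failures inside a sliding findtime window. The regular expression, the helper names and the year are this example's own assumptions (syslog lines carry no year); the sample log is constructed from the question's lines plus a few extra failures for the same addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches postfix/smtpd SASL authentication-failure warnings. Written for this
# example; it is not fail2ban's own filter definition.
SASL_FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: (?P<host>\S+)\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: "
    r"SASL \w+ authentication failed"
)

# Constructed sample: the question's log lines plus a few more failures from
# the same addresses, so that one of them crosses the threshold.
SAMPLE_LOG = """\
May 2 11:09:04 mercury postfix/smtpd[25364]: warning: unknown[164.39.218.210]: SASL LOGIN authentication failed: Invalid authentication mechanism
May 2 11:09:04 mercury postfix/smtpd[25364]: lost connection after AUTH from unknown[164.39.218.210]
May 2 11:09:07 mercury postfix/smtpd[25408]: warning: unknown[185.234.216.121]: SASL LOGIN authentication failed: Invalid authentication mechanism
May 2 11:09:10 mercury postfix/smtpd[25364]: warning: ticketmx.kinopark.am[212.34.242.82]: SASL LOGIN authentication failed: Invalid authentication mechanism
May 2 11:09:31 mercury postfix/smtpd[25408]: warning: unknown[185.234.216.121]: SASL LOGIN authentication failed: Invalid authentication mechanism
May 2 11:09:55 mercury postfix/smtpd[25408]: warning: unknown[185.234.216.121]: SASL LOGIN authentication failed: Invalid authentication mechanism
May 2 11:20:12 mercury postfix/smtpd[25364]: warning: ticketmx.kinopark.am[212.34.242.82]: SASL LOGIN authentication failed: Invalid authentication mechanism
May 2 11:30:40 mercury postfix/smtpd[25364]: warning: ticketmx.kinopark.am[212.34.242.82]: SASL LOGIN authentication failed: Invalid authentication mechanism
"""


def parse_failures(lines, year=2019):
    """Yield (timestamp, ip) for every SASL authentication failure in `lines`.

    Syslog timestamps carry no year, so one is supplied (an assumed value here).
    Lines that are not SASL failures (connect, disconnect, ...) are ignored.
    """
    for line in lines:
        m = SASL_FAIL_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse the double space before single-digit days
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"]


def offenders(lines, maxretry=3, findtime_s=600, year=2019):
    """Apply fail2ban-style counting to the log.

    An IP is flagged the first time it accumulates `maxretry` failures within a
    sliding window of `findtime_s` seconds. Older failures fall out of the
    window, so slow, spread-out attempts are not counted together.
    Returns {ip: timestamp at which the threshold was crossed}.
    """
    window = timedelta(seconds=findtime_s)
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = {}
    for ts, ip in parse_failures(lines, year):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} reached the failure threshold at {when:%H:%M:%S}")
```

With the defaults, only 185.234.216.121 is flagged (three failures in 48 seconds). 212.34.242.82 also fails three times, but spread over 21 minutes, so each attempt has left the 600-second window before the next one arrives; widening findtime to an hour flags it too. fail2ban expresses the same policy through the maxretry, findtime and bantime settings of a jail, and its stock jail.conf ships a [postfix-sasl] jail aimed at exactly this log line.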