
I have set up a working SMTP relay together with MailScanner. This SMTP relay is not — and will not be — able to relay email from the outside, only local email.

We are providing an SMTP relay for our customers so they can get notifications from, for example, their WordPress site. But sometimes, as you all know, the sites will be hacked and could start spamming emails (10k/hour). I want to use fail2ban to block a server that does so.

For example: a customer's site has been hacked and one of their vhosts is spamming a lot of emails. Fail2Ban detects the flood, blocks all traffic on port 25 from that server, and sends me an email saying "Server B has been blocked due to smtp-flood".

How can this be achieved?

Orphans

2 Answers

As you use postfix, look at the anvil configuration: it allows you to limit the connections (without emailing you). You can then use fail2ban to read the postfix logs, drop the connection and inform you by mail (look at http://www.postfix.org/postconf.5.html#smtpd_client_connection_rate_limit).

Dom

I found out that I can block it with iptables:

# Rule 1: if this source address has already been seen 4 or more times in the
# last 60 seconds, refresh its timestamp and drop the new connection
iptables -A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j DROP
# Rule 2: otherwise record this new connection in the "DEFAULT" recent list
iptables -A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -m recent --set --name DEFAULT --rsource

If a client sends more than 4 emails per minute, it gets blocked.

Orphans
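Putting the two answers together, here is an added example (not code from either answer, nor from fail2ban itself): a small Python detector that applies fail2ban's maxretry/findtime sliding window to constructed postfix "connect from" log lines with the same 4-per-minute threshold as the iptables rules above, bans immediately on anvil's rate-limit warning as the first answer suggests, and produces the block-and-notify commands a fail2ban action would run. Hostnames, 192.0.2.0/24 addresses and the mail recipient are constructed, and the anvil warning wording is assumed from the Postfix documentation.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# "connect from" is normal smtpd output; the warning is what smtpd logs when anvil's
# smtpd_client_connection_rate_limit is hit (assumed wording: check your own mail.log).
CONNECT_RE = re.compile(r"postfix/smtpd\[\d+\]: connect from \S+\[(?P<host>[\d.]+)\]")
ANVIL_RE = re.compile(r"Connection rate limit exceeded: \d+ from \S+\[(?P<host>[\d.]+)\]")

# Constructed mail.log sample: web1 floods, web2 is quiet, web3 trips anvil.
SAMPLE_LOG = [
    "Mar  3 10:00:01 relay postfix/smtpd[1234]: connect from web1.example.invalid[192.0.2.10]",
    "Mar  3 10:00:05 relay postfix/smtpd[1234]: connect from web1.example.invalid[192.0.2.10]",
    "Mar  3 10:00:09 relay postfix/smtpd[1234]: connect from web1.example.invalid[192.0.2.10]",
    "Mar  3 10:00:12 relay postfix/smtpd[1234]: connect from web1.example.invalid[192.0.2.10]",
    "Mar  3 10:00:20 relay postfix/smtpd[1234]: connect from web1.example.invalid[192.0.2.10]",
    "Mar  3 10:00:30 relay postfix/smtpd[1235]: connect from web2.example.invalid[192.0.2.20]",
    "Mar  3 10:05:30 relay postfix/smtpd[1235]: connect from web2.example.invalid[192.0.2.20]",
    "Mar  3 10:06:00 relay postfix/smtpd[1236]: warning: Connection rate limit exceeded: "
    "31 from web3.example.invalid[192.0.2.30] for service smtp",
]
def parse_ts(line, year=2024):  # syslog stamps carry no year; one is assumed here
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def find_flooders(lines, maxretry=4, findtime=60):
    """{ip: reason} for hosts to ban: more than maxretry new connections inside a
    sliding findtime-second window (fail2ban semantics), or an anvil warning."""
    recent, banned = defaultdict(deque), {}
    for line in lines:
        if m := ANVIL_RE.search(line):
            banned.setdefault(m["host"], "anvil connection rate limit exceeded")
            continue
        if not (m := CONNECT_RE.search(line)):
            continue
        ip, ts = m["host"], parse_ts(line)
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:  # expire hits outside the window
            q.popleft()
        if len(q) > maxretry:
            banned.setdefault(ip, f"{len(q)} connections in {findtime}s")
    return banned

def ban_actions(banned, mail_to="postmaster@example.invalid"):
    """Per banned host, the commands a fail2ban action would run (recipient is a placeholder)."""
    cmds = []
    for ip, reason in banned.items():
        cmds.append(f"iptables -I INPUT -p tcp --dport 25 -s {ip} -j DROP")
        cmds.append(f'echo "Server {ip} has been blocked due to smtp-flood ({reason})" | mail -s "smtp-flood: {ip}" {mail_to}')
    return cmds
```

In a real deployment the regexes become a fail2ban filter's failregex (with <HOST> in place of the named group) and the two commands its action's actionban, so fail2ban handles the window, the ban and the mail itself.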