[Resolved] How to Block SMTP AUTH attempts using an RBL

Like I mentioned before, you should be restricting access to outgoing ports 587 and 465 on the firewall anyway.
 
I did the steps mentioned before; it slowed down the attempts, but I still have some.

Thanks anyway for your info; don't get me wrong, I just want an answer to my original question:

My original question is: "Is there any way to use a DNSBL block list before SMTP AUTH attempts?"

Maybe someone has a solution exactly for this.
 
Try changing the order placing reject_rbl_client BEFORE permit_sasl_authenticated

Code:
smtpd_client_restrictions = permit_mynetworks, reject_rbl_client b.barracudacentral.org, reject_rbl_client zen.spamhaus.org, permit_sasl_authenticated
 
> Try changing the order placing reject_rbl_client BEFORE permit_sasl_authenticated
>
> Code:
> smtpd_client_restrictions = permit_mynetworks, reject_rbl_client b.barracudacentral.org, reject_rbl_client zen.spamhaus.org, permit_sasl_authenticated

Just to confirm, yes it's working :)

Log example:
NOQUEUE: reject: RCPT from unknown[XXX.XX.XX.XX]: 554 5.7.1 Service unavailable; Client host [XXX.XX.XX.XX] blocked using (RBL List)

Thanks @danami !
 
Well... bad news: it works only for people trying to send mail, not for SASL AUTH/SMTP AUTH. They can still try to log in without any problem while being listed in the RBL/DNSBL.
 
Are you sure that you didn't just revert your changes by editing the RBLs in the Plesk interface? Plesk used to have the RBLs listed before permit_sasl_authenticated, and people complained that they could not send email when listed, so they changed the order around.
 
If I set smtpd_delay_reject = no, then I can't send mail; I get this in the email client:

5.7.1 Client host rejected: Access denied

Below is a fragment of the maillog showing how the attacker tries the SMTP AUTH every time without problem:
Dec 24 01:14:08 sv postfix/smtps/smtpd[12538]: connect from xxx-xxx-xxxx.xxxxx.xxxx[XXX.XXX.XXX.XXX]
Dec 24 01:14:12 sv plesk_saslauthd[12816]: listen=6, status=5, dbpath='/XXX/XXXXX/XXXXX/XXXXXX/XXXXXXX.db', keypath='/XXX/XXX/XXXXX/XXXX/XXXXXXXkey', chroot=0, unprivileged=1
Dec 24 01:14:12 sv plesk_saslauthd[12816]: privileges set to (89:89) (effective 89:89)
Dec 24 01:14:12 sv plesk_saslauthd[12816]: No such user '[email protected]' in mail authorization database
Dec 24 01:14:12 sv plesk_saslauthd[12816]: failed mail authentication attempt for user '[email protected]' (password len=9)
Dec 24 01:14:12 sv postfix/smtps/smtpd[12538]: warning: xxx-xxx-xxxx.xxxxx.xxxx[XXX.XXX.XXX.XXX]: SASL LOGIN authentication failed: authentication failure
Dec 24 01:14:12 sv postfix/smtps/smtpd[12538]: lost connection after AUTH from xxx-xxx-xxxx.xxxxx.xxxx[XXX.XXX.XXX.XXX]
Dec 24 01:14:12 sv postfix/smtps/smtpd[12538]: disconnect from xxx-xxx-xxxx.xxxxx.xxxx[XXX.XXX.XXX.XXX] ehlo=1 auth=0/1 commands=1/2
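The log excerpt above is exactly what a defender should be counting: one "SASL ... authentication failed" warning per guess, keyed by client IP. The following is an added example (editor's code, not from this thread or from Plesk) that parses such lines and flags clients over a threshold, the same check a fail2ban jail or a quick audit performs. The sample log lines are constructed to match the format shown above; hostnames, the mailbox and the IPs (TEST-NET ranges) are invented.

```python
"""Count failed SASL logins per client IP in a Postfix maillog.

Added example, not code from this thread or from Plesk. It reads the
"SASL ... authentication failed" warnings that postfix/smtpd writes (the
lines shown in the thread) and flags client IPs that exceed a threshold,
which is the kind of check a fail2ban jail or a quick audit would do.
"""
import re
from collections import Counter

# Constructed sample lines modelled on the thread's excerpt. Hostnames,
# mailbox and IPs (TEST-NET ranges) are invented.
SAMPLE_LOG = """\
Dec 24 01:14:08 sv postfix/smtps/smtpd[12538]: connect from host-a.example.net[203.0.113.7]
Dec 24 01:14:12 sv plesk_saslauthd[12816]: No such user 'bob@example.com' in mail authorization database
Dec 24 01:14:12 sv plesk_saslauthd[12816]: failed mail authentication attempt for user 'bob@example.com' (password len=9)
Dec 24 01:14:12 sv postfix/smtps/smtpd[12538]: warning: host-a.example.net[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Dec 24 01:14:12 sv postfix/smtps/smtpd[12538]: lost connection after AUTH from host-a.example.net[203.0.113.7]
Dec 24 01:14:12 sv postfix/smtps/smtpd[12538]: disconnect from host-a.example.net[203.0.113.7] ehlo=1 auth=0/1 commands=1/2
Dec 24 01:14:20 sv postfix/smtps/smtpd[12540]: warning: host-a.example.net[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Dec 24 01:14:31 sv postfix/smtps/smtpd[12541]: warning: host-a.example.net[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Dec 24 01:15:02 sv postfix/submission/smtpd[12550]: warning: mail.example.org[198.51.100.9]: SASL PLAIN authentication failed: authentication failure
"""

# One regex for the smtpd warning line; the service name (smtps/submission)
# and the mechanism (LOGIN/PLAIN) are captured so they can be reported too.
SASL_FAIL = re.compile(
    r"postfix/(?P<service>\w+)/smtpd\[\d+\]: warning: "
    r"(?P<host>\S+)\[(?P<ip>[0-9A-Fa-f.:]+)\]: "
    r"SASL (?P<mech>\w+) authentication failed"
)


def sasl_failures(log_text):
    """Return a Counter of failed SASL logins keyed by client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SASL_FAIL.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def failures_by_mechanism(log_text):
    """Return {ip: Counter(mechanism -> count)} to see which AUTH methods are tried."""
    result = {}
    for line in log_text.splitlines():
        m = SASL_FAIL.search(line)
        if m:
            per_ip = result.setdefault(m.group("ip"), Counter())
            per_ip[m.group("mech")] += 1
    return result


def flag_brute_force(log_text, threshold=3):
    """Return {ip: failures} for clients at or above the threshold."""
    return {ip: n for ip, n in sasl_failures(log_text).items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in sorted(flag_brute_force(SAMPLE_LOG).items()):
        mechs = dict(failures_by_mechanism(SAMPLE_LOG)[ip])
        print(f"{ip}: {n} failed SASL logins -> {mechs}")
```

Run against a real /var/log/maillog the same functions give you the list of client IPs that an RBL check at CONNECT time (as worked out later in this thread) should be turning away before they ever reach AUTH.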
 
Or maybe not ;)

I figured it out: in master.cf I commented out some lines in submission, and now I can send email, and I can confirm 100% that the attacker is being blocked before SASL using the DNSBL.

Nice Christmas gift after months fighting with them.

Thanks @danami and have a Happy Christmas !
 
Yes, I thought it should have worked (that's why I was scratching my head). I'm glad that you have it sorted.
 
Hi ChrisMonder,

just to be sure, isn't it the same to enable it via Plesk -> Tools & Settings -> Mail Server Settings -> Turn on spam protection based on DNS blackhole lists and add your DNSBLs there?

Or is Plesk doing something different here?

When I check the /etc/postfix/main.cf, I can see a different order but don't know if that matters or not:
Code:
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, reject_rbl_client ix.dnsbl.manitu.net, reject_rbl_client bl.spamcop.net, reject_rbl_client b.barracudacentral.org

Best regards
Sebo
 
> Just to be sure, isn't it the same to enable it via Plesk -> Tools & Settings -> Mail Server Settings -> Turn on spam protection based on DNS blackhole lists and add your DNSBLs there?

@Sebo, no. The DNSBLs you configure in Plesk are used to reject email messages from those who are listed on the DNSBLs. The configuration ChrisMonder described is used to reject (SMTP) authentication from those who are listed on the DNSBLs. Those are two different things.

> When I check the /etc/postfix/main.cf, I can see a different order but don't know if that matters or not:
> Code:
> smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, reject_rbl_client ix.dnsbl.manitu.net, reject_rbl_client bl.spamcop.net, reject_rbl_client b.barracudacentral.org

That's the default order for smtpd_client_restrictions and works fine for using a DNSBL to reject email messages.
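To make the difference between the two orders concrete, here is an added example (editor's code, not from this thread, Plesk or Postfix) that models how Postfix walks an smtpd_client_restrictions list: left to right, the first restriction that returns PERMIT or REJECT decides, and an exhausted list permits. It also models the smtpd_delay_reject setting discussed above, since with the default (yes) the client restrictions are only evaluated at RCPT TO, after AUTH has already been attempted. The DNSBL lookup is replaced by a constructed set of "listed" IPs so it runs offline; the two restriction strings are the ones quoted in this thread, and only the three restrictions they use are modelled.

```python
"""Model how Postfix walks smtpd_client_restrictions, to show why the order
of reject_rbl_client and permit_sasl_authenticated matters.

Added example, not code from this thread or from Postfix/Plesk. It applies
the documented first-match rule: restrictions are tried left to right, the
first one returning PERMIT or REJECT decides, and an exhausted list permits.
DNSBL lookups are replaced by a constructed set of "listed" IPs so it runs
offline; only the three restrictions used in the thread are modelled and
anything else is treated as "no decision, continue".
"""
from collections import namedtuple

# Constructed data: pretend these clients are listed on every configured DNSBL.
LISTED_IPS = {"203.0.113.7"}           # TEST-NET-3, invented for the example
MYNETWORKS = {"127.0.0.1", "::1"}

Verdict = namedtuple("Verdict", "action restriction stage")

# The two orders discussed in the thread.
PLESK_DEFAULT = ("permit_mynetworks, permit_sasl_authenticated, "
                 "reject_rbl_client zen.spamhaus.org, "
                 "reject_rbl_client b.barracudacentral.org")
RBL_FIRST = ("permit_mynetworks, reject_rbl_client b.barracudacentral.org, "
             "reject_rbl_client zen.spamhaus.org, permit_sasl_authenticated")


def parse_restrictions(value):
    """'a, b arg, c' -> [('a', None), ('b', 'arg'), ('c', None)]."""
    items = []
    for token in value.split(","):
        parts = token.split()
        if parts:
            items.append((parts[0], parts[1] if len(parts) > 1 else None))
    return items


def evaluate(restrictions, client_ip, sasl_authenticated=False, delay_reject=True):
    """Return the Verdict Postfix would reach for one client.

    smtpd_delay_reject = yes (the default) postpones client restrictions to
    RCPT TO, by which time AUTH has already been attempted, so the SASL state
    is known. With smtpd_delay_reject = no they run at CONNECT, before the
    client can send AUTH, so nobody is authenticated yet.
    """
    stage = "RCPT" if delay_reject else "CONNECT"
    authed = sasl_authenticated if delay_reject else False
    for name, arg in parse_restrictions(restrictions):
        if name == "permit_mynetworks" and client_ip in MYNETWORKS:
            return Verdict("PERMIT", name, stage)
        if name == "permit_sasl_authenticated" and authed:
            return Verdict("PERMIT", name, stage)
        if name == "reject_rbl_client" and client_ip in LISTED_IPS:
            return Verdict("REJECT", f"{name} {arg}", stage)
    # Postfix permits when the list runs out without a decision.
    return Verdict("PERMIT", "end of list", stage)


if __name__ == "__main__":
    attacker = "203.0.113.7"
    # Default order: a listed client that guesses a password is still let in.
    print(evaluate(PLESK_DEFAULT, attacker, sasl_authenticated=True))
    # RBL first: rejected at RCPT even after a successful login ...
    print(evaluate(RBL_FIRST, attacker, sasl_authenticated=True))
    # ... and with smtpd_delay_reject = no, rejected at CONNECT, before AUTH.
    print(evaluate(RBL_FIRST, attacker, sasl_authenticated=True, delay_reject=False))
    # A legitimate, unlisted user still authenticates fine either way.
    print(evaluate(RBL_FIRST, "198.51.100.9", sasl_authenticated=True))
```

The model also shows the caveat Rasp and danami raise: with reject_rbl_client ahead of permit_sasl_authenticated, a legitimate user whose home or mobile IP happens to be listed is refused as well, which is the complaint that led Plesk to move permit_sasl_authenticated to the front by default.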
 
Hi Rasp,

Thanks for your explanation!

So the order makes the difference here.
If I want to reject those who are listed on the DNSBLs from SMTP authentication, I need to move permit_sasl_authenticated to the end of the line.
But where do I have to set the smtpd_delay_reject = no setting?
Also in main.cf or in the master.cf?

Thanks in advance
Sebo
 
> Hi Rasp,
>
> Thanks for your explanation!
>
> So the order makes the difference here.
> If I want to reject those who are listed on the DNSBLs from SMTP authentication, I need to move permit_sasl_authenticated to the end of the line.
> But where do I have to set the smtpd_delay_reject = no setting?
> Also in main.cf or in the master.cf?
>
> Thanks in advance
> Sebo

If you use Postfix, main.cf would be OK.

Normally here:
/etc/postfix/main.cf
 