• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:
    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved How to Block SMTP AUTH attempts using a RBL

Like I mentioned before you should be restricting access to outgoing ports 587 and 465 on the firewall anyway.
 
I did the steps before mentioned, it slow down the attempts, I still have some.

Thanks anyway for your info, don't get me wrong, I just want to know my original question:

My original question, is, "is there anyway to use DNSBL block list before SMTP AUTH attempts?"

Maybe someone have a solution exactly for this.
 
Try changing the order placing reject_rbl_client BEFORE permit_sasl_authenticated

Code: 
smtpd_client_restrictions = permit_mynetworks, reject_rbl_client b.barracudacentral.org, reject_rbl_client zen.spamhaus.org, permit_sasl_authenticated
 
danami said:
Try changing the order placing reject_rbl_client BEFORE permit_sasl_authenticated

Code: 
smtpd_client_restrictions = permit_mynetworks, reject_rbl_client b.barracudacentral.org, reject_rbl_client zen.spamhaus.org, permit_sasl_authenticated
Click to expand...
Just to confirm, yes it's working :)

Log example:
NOQUEUE: reject: RCPT from unknown[XXX.XX.XX.XX]: 554 5.7.1 Service unavailable; Client host [XXX.XX.XX.XX] blocked using (RBL List)

Thanks @danami !
 
Well... bad news, it works only for people trying to send mail, not for SASL AUTH/SMTP AUTH, they can still try to login without any problem being listed in the RBL/DNSBL
 
Are you sure that you didn't just revert your changes by editing the RBL's in the Plesk interface? Plesk used to have the RBLs listed before the permit_sasl_authenticated and people complained that they could not send email when listed so they changed the order around.
 
If I do the smtpd_delay_reject = no , then I can't send mail, got this in email client:

5.7.1 Client host rejected: Access denied

Below a fragment of maillog of how the attacker tries everytime without problem the SMTP AUTH:
Dec 24 01:14:08 sv postfix/smtps/smtpd[12538]: connect from xxx-xxx-xxxx.xxxxx.xxxx[XXX.XXX.XXX.XXX]
Dec 24 01:14:12 sv plesk_saslauthd[12816]: listen=6, status=5, dbpath='/XXX/XXXXX/XXXXX/XXXXXX/XXXXXXX.db', keypath='/XXX/XXX/XXXXX/XXXX/XXXXXXXkey', chroot=0, unprivileged=1
Dec 24 01:14:12 sv plesk_saslauthd[12816]: privileges set to (89:89) (effective 89:89)
Dec 24 01:14:12 sv plesk_saslauthd[12816]: No such user '[email protected]' in mail authorization database
Dec 24 01:14:12 sv plesk_saslauthd[12816]: failed mail authentication attempt for user '[email protected]' (password len=9)
Dec 24 01:14:12 sv postfix/smtps/smtpd[12538]: warning: xxx-xxx-xxxx.xxxxx.xxxx[XXX.XXX.XXX.XXX]: SASL LOGIN authentication failed: authentication failure
Dec 24 01:14:12 sv postfix/smtps/smtpd[12538]: lost connection after AUTH from xxx-xxx-xxxx.xxxxx.xxxx[XXX.XXX.XXX.XXX]
Dec 24 01:14:12 sv postfix/smtps/smtpd[12538]: disconnect from xxx-xxx-xxxx.xxxxx.xxxx[XXX.XXX.XXX.XXX] ehlo=1 auth=0/1 commands=1/2
 
Or maybe not ;)

I figure it our in master.cf commented some lines in submission, and now, I can send email, and I can confirm 100% attacker is being blocked before SASL using the DNSBL

Nice christmas gift after months fighting with them.

Thanks @danami and have a Happy Christmas !
 
Yes I thought it should of worked (that's why I was scratching my head). I'm glad that you have it sorted.
 
Hi ChrisMonder,

just to be sure, isn't it the same to enable it via Plesk -> Tools & Settings -> Mail Server Settings -> Turn on spam protection based on DNS blackhole lists and add your DNSBLs there?
Screenshot-Plesk-Mail-Server-Settings.png

Or is Plesk doing something different here?

When I check the /etc/postfix/main.cf, I can see a different order but don't know if that matters or not:
Code: 
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, reject_rbl_client ix.dnsbl.manitu.net, reject_rbl_client bl.spamcop.net, reject_rbl_client b.barracudacentral.org

Best regards
Sebo
 
Sebo said:
Just to be sure, isn't it the same to enable it via Plesk -> Tools & Settings -> Mail Server Settings -> Turn on spam protection based on DNS blackhole lists and add your DNSBLs there?
Click to expand...
@Sebo, no. The DNSBL you configure in Plesk are used to rejected email messages from those who are listed on the DNSBLs. The configuration ChrisMonder described is used to rejected (smtp) authentication from those who are listed on the DNSBLs. Those are two different things.

Sebo said:
When I check the /etc/postfix/main.cf, I can see a different order but don't know if that matters or not:
Code: 
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, reject_rbl_client ix.dnsbl.manitu.net, reject_rbl_client bl.spamcop.net, reject_rbl_client b.barracudacentral.org
Click to expand...

That's the default order for smtpd_client_restrictions and works fine for using DNSBL to rejected email messages.
 
Hi Rasp,

Thanks for your explanation!

So the order makes the difference here.
If I want to reject those who are listed on the DNSBLs from smtp authentication, I need to move the permit_sasl_authenticated to the end of line.
But where do I have to set the smtpd_delay_reject = no setting?
Also in main.cf or in the master.cf?

Thanks in advance
Sebo
 
Sebo said:
Hi Rasp,

Thanks for your explanation!

So the order makes the difference here.
If I want to reject those who are listed on the DNSBLs from smtp authentication, I need to move the permit_sasl_authenticated to the end of line.
But where do I have to set the smtpd_delay_reject = no setting?
Also in main.cf or in the master.cf?

Thanks in advance
Sebo
Click to expand...

If you use Postfix with main.cf would be OK.

Normally here:
/etc/postfix/main.cf
 
You must log in or register to reply here.

Similar threads

C
Question Analysing Sender IP in Mail Headers
Replies
0
Views
551
Change Maker
C
carlsson
Issue Really strange problem – I can't use my SMTP server intermittently
Replies
2
Views
754
carlsson
carlsson
T
Issue Unbanning some IP addresses causes the server to be unresponsive
Replies
4
Views
388
TurabG
T
J
Resolved 25: Connection timed out - Almalinux 9.4 x86_64 | 18.0.61.1
Replies
2
Views
916
josemanuuxd
J
tramvainqueur
Question Possible to use DNSBLs for moving identified email as spam to spam folder (not blocking)?
Replies
14
Views
829
tramvainqueur
tramvainqueur
Back
Top