• Introducing WebPros Cloud - a fully managed infrastructure platform purpose-built to simplify the deployment of WebPros products !  WebPros Cloud enables you to easily deliver WebPros solutions — without the complexity of managing the infrastructure.
    Join the pilot program today!
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.

Resolved How to Block SMTP AUTH attempts using a RBL

Like I mentioned before you should be restricting access to outgoing ports 587 and 465 on the firewall anyway.
 
I did the steps before mentioned, it slow down the attempts, I still have some.

Thanks anyway for your info, don't get me wrong, I just want to know my original question:

My original question, is, "is there anyway to use DNSBL block list before SMTP AUTH attempts?"

Maybe someone have a solution exactly for this.
 
Try changing the order placing reject_rbl_client BEFORE permit_sasl_authenticated

Code: 
smtpd_client_restrictions = permit_mynetworks, reject_rbl_client b.barracudacentral.org, reject_rbl_client zen.spamhaus.org, permit_sasl_authenticated
 
danami said:
Try changing the order placing reject_rbl_client BEFORE permit_sasl_authenticated

Code: 
smtpd_client_restrictions = permit_mynetworks, reject_rbl_client b.barracudacentral.org, reject_rbl_client zen.spamhaus.org, permit_sasl_authenticated
Click to expand...
Just to confirm, yes it's working :)

Log example:
NOQUEUE: reject: RCPT from unknown[XXX.XX.XX.XX]: 554 5.7.1 Service unavailable; Client host [XXX.XX.XX.XX] blocked using (RBL List)

Thanks @danami !
 
Well... bad news, it works only for people trying to send mail, not for SASL AUTH/SMTP AUTH, they can still try to login without any problem being listed in the RBL/DNSBL
 
Are you sure that you didn't just revert your changes by editing the RBL's in the Plesk interface? Plesk used to have the RBLs listed before the permit_sasl_authenticated and people complained that they could not send email when listed so they changed the order around.
 
If I do the smtpd_delay_reject = no , then I can't send mail, got this in email client:

5.7.1 Client host rejected: Access denied

Below a fragment of maillog of how the attacker tries everytime without problem the SMTP AUTH:
Dec 24 01:14:08 sv postfix/smtps/smtpd[12538]: connect from xxx-xxx-xxxx.xxxxx.xxxx[XXX.XXX.XXX.XXX]
Dec 24 01:14:12 sv plesk_saslauthd[12816]: listen=6, status=5, dbpath='/XXX/XXXXX/XXXXX/XXXXXX/XXXXXXX.db', keypath='/XXX/XXX/XXXXX/XXXX/XXXXXXXkey', chroot=0, unprivileged=1
Dec 24 01:14:12 sv plesk_saslauthd[12816]: privileges set to (89:89) (effective 89:89)
Dec 24 01:14:12 sv plesk_saslauthd[12816]: No such user 'XXXXX@XXXX.com' in mail authorization database
Dec 24 01:14:12 sv plesk_saslauthd[12816]: failed mail authentication attempt for user 'XXXXX@XXXXX.com' (password len=9)
Dec 24 01:14:12 sv postfix/smtps/smtpd[12538]: warning: xxx-xxx-xxxx.xxxxx.xxxx[XXX.XXX.XXX.XXX]: SASL LOGIN authentication failed: authentication failure
Dec 24 01:14:12 sv postfix/smtps/smtpd[12538]: lost connection after AUTH from xxx-xxx-xxxx.xxxxx.xxxx[XXX.XXX.XXX.XXX]
Dec 24 01:14:12 sv postfix/smtps/smtpd[12538]: disconnect from xxx-xxx-xxxx.xxxxx.xxxx[XXX.XXX.XXX.XXX] ehlo=1 auth=0/1 commands=1/2
 
Or maybe not ;)

I figure it our in master.cf commented some lines in submission, and now, I can send email, and I can confirm 100% attacker is being blocked before SASL using the DNSBL

Nice christmas gift after months fighting with them.

Thanks @danami and have a Happy Christmas !
 
Yes I thought it should of worked (that's why I was scratching my head). I'm glad that you have it sorted.
 
Hi ChrisMonder,

just to be sure, isn't it the same to enable it via Plesk -> Tools & Settings -> Mail Server Settings -> Turn on spam protection based on DNS blackhole lists and add your DNSBLs there?
Screenshot-Plesk-Mail-Server-Settings.png

Or is Plesk doing something different here?

When I check the /etc/postfix/main.cf, I can see a different order but don't know if that matters or not:
Code: 
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, reject_rbl_client ix.dnsbl.manitu.net, reject_rbl_client bl.spamcop.net, reject_rbl_client b.barracudacentral.org

Best regards
Sebo
 
Sebo said:
Just to be sure, isn't it the same to enable it via Plesk -> Tools & Settings -> Mail Server Settings -> Turn on spam protection based on DNS blackhole lists and add your DNSBLs there?
Click to expand...
@Sebo, no. The DNSBL you configure in Plesk are used to rejected email messages from those who are listed on the DNSBLs. The configuration ChrisMonder described is used to rejected (smtp) authentication from those who are listed on the DNSBLs. Those are two different things.

Sebo said:
When I check the /etc/postfix/main.cf, I can see a different order but don't know if that matters or not:
Code: 
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, reject_rbl_client ix.dnsbl.manitu.net, reject_rbl_client bl.spamcop.net, reject_rbl_client b.barracudacentral.org
Click to expand...

That's the default order for smtpd_client_restrictions and works fine for using DNSBL to rejected email messages.
 
Hi Rasp,

Thanks for your explanation!

So the order makes the difference here.
If I want to reject those who are listed on the DNSBLs from smtp authentication, I need to move the permit_sasl_authenticated to the end of line.
But where do I have to set the smtpd_delay_reject = no setting?
Also in main.cf or in the master.cf?

Thanks in advance
Sebo
 
Sebo said:
Hi Rasp,

Thanks for your explanation!

So the order makes the difference here.
If I want to reject those who are listed on the DNSBLs from smtp authentication, I need to move the permit_sasl_authenticated to the end of line.
But where do I have to set the smtpd_delay_reject = no setting?
Also in main.cf or in the master.cf?

Thanks in advance
Sebo
Click to expand...

If you use Postfix with main.cf would be OK.

Normally here:
/etc/postfix/main.cf
 
You must log in or register to reply here.

Similar threads

wakabayashi
Resolved Fail2Ban - Postfix not working for SASL (bug?)
Replies
4
Views
2K
mizar
mizar
majdi draouil
Question How to Block Direct IP Access and Ensure All Traffic Routes Through Cloudflare
Replies
1
Views
772
Raul A.
R
C
Question Analysing Sender IP in Mail Headers
Replies
0
Views
2K
Change Maker
C
T
Issue Unbanning some IP addresses causes the server to be unresponsive
Replies
4
Views
1K
TurabG
T
carlsson
Issue Really strange problem – I can't use my SMTP server intermittently
Replies
2
Views
1K
carlsson
carlsson
Back
Top