Post #9, 29th March 2013, 16:28
arraken:

Thanks for the tips, guys!

I'll set up mail for SSL and try to move my clients over ASAP.

Concerning the fail2ban rules: I have some rules, following this tutorial:
http://scottlinux.com/2011/05/26/pre...x-brute-force/

So I have a rule for SASL that looks like this:

[sasl]
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
logpath = /var/log/mail.log
maxretry = 3

When I check the logs with the command suggested by pititis, "fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/sasl.conf", I don't get any results, though.

But in the attack on my server, the user apparently logged in with the correct (hacked) password, so I guess the SASL rule doesn't trigger in that case. Is that right?

@leonheart82: Can you tell me which SASL rule you use? I'm curious about that, as it seems to be working.

Which fail2ban rules would be responsible for blocking a single account from sending huge amounts of mail? Or do I just need a simple Postfix rule for that?

@compugraphix: Do you have any suggestions for courier-pop3(-ssl), courier-imap(-ssl) and SMTP settings for fail2ban, or a good tutorial? I found this one: http://www.howtoforge.de/anleitung/v...f-debian-etch/ but it's from 2007, and there's no SMTP rule.


Thanks again for the help. You never stop learning here.
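As an added illustration of the two questions in the post above (why the sasl jail stays quiet when the attacker knows the password, and how a per-account volume check would differ from it), here is a small Python script. It is my own example, not code from the original post, from fail2ban or from Postfix: the failure regex is my reconstruction modelled on the shape of fail2ban's Postfix SASL filter (fail2ban's real filter substitutes its own host pattern for <HOST>), the log lines are constructed, and the findtime window that fail2ban applies is deliberately left out to keep the logic short. It runs the failure pattern over a constructed mail.log, shows that a successful authenticated submission never matches it, and counts successful submissions per sasl_username instead, which is the signal a "one account sending huge amounts of mail" check actually needs.

```python
import re
from collections import Counter

# Hypothetical reconstruction of a fail2ban-style SASL failregex for Postfix smtpd.
# fail2ban substitutes its own host pattern for <HOST>; a named group stands in here.
SASL_FAIL_RE = re.compile(
    r"warning: [-._\w]+\[(?P<host>[^\]]+)\]: "
    r"SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
)

# A successful SASL login produces no "authentication failed" line at all. Postfix
# records the authenticated user on the queue-id line instead, so that is where
# per-account sending volume becomes visible.
SASL_OK_RE = re.compile(
    r"client=[-._\w]+\[(?P<host>[^\]]+)\],.*sasl_username=(?P<user>\S+)"
)

# Constructed sample of /var/log/mail.log (not real traffic): four failed logins from
# 203.0.113.5, two from 198.51.100.7, then one compromised account pushing five
# messages through with the correct password, and one normal user sending once.
SAMPLE_LOG = """\
Mar 29 16:20:01 mail postfix/smtpd[4101]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 29 16:20:02 mail postfix/smtpd[4101]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 29 16:20:03 mail postfix/smtpd[4101]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Mar 29 16:20:04 mail postfix/smtpd[4101]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Mar 29 16:21:10 mail postfix/smtpd[4102]: warning: host7.example.net[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 29 16:21:11 mail postfix/smtpd[4102]: warning: host7.example.net[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 29 16:25:00 mail postfix/smtpd[4103]: 3A1B2C3D4E: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=victim@example.com
Mar 29 16:25:01 mail postfix/smtpd[4103]: 3A1B2C3D4F: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=victim@example.com
Mar 29 16:25:02 mail postfix/smtpd[4103]: 3A1B2C3D50: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=victim@example.com
Mar 29 16:25:03 mail postfix/smtpd[4103]: 3A1B2C3D51: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=victim@example.com
Mar 29 16:25:04 mail postfix/smtpd[4103]: 3A1B2C3D52: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=victim@example.com
Mar 29 16:26:00 mail postfix/smtpd[4104]: 3A1B2C3D60: client=laptop.example.org[192.0.2.20], sasl_method=PLAIN, sasl_username=alice@example.com
"""


def matches_sasl_filter(line):
    """True if a single log line would count as a failure for the sasl jail."""
    return SASL_FAIL_RE.search(line) is not None


def failed_auth_counts(log_text):
    """SASL authentication failures per client IP: what the sasl jail actually sees."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SASL_FAIL_RE.search(line)
        if m:
            counts[m.group("host")] += 1
    return counts


def hosts_to_ban(log_text, maxretry=3):
    """IPs the jail would ban: at least maxretry failures (findtime window ignored here)."""
    return sorted(host for host, n in failed_auth_counts(log_text).items() if n >= maxretry)


def successful_submissions(log_text):
    """Authenticated submissions per SASL username, taken from the queue-id lines."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SASL_OK_RE.search(line)
        if m:
            counts[m.group("user")] += 1
    return counts


def users_over_limit(log_text, limit):
    """Accounts that sent more than `limit` messages; a per-account check, not a per-IP one."""
    return sorted(user for user, n in successful_submissions(log_text).items() if n > limit)


if __name__ == "__main__":
    print("failures per IP:", dict(failed_auth_counts(SAMPLE_LOG)))
    print("banned with maxretry=3:", hosts_to_ban(SAMPLE_LOG))
    print("submissions per account:", dict(successful_submissions(SAMPLE_LOG)))
    print("accounts over 3 messages:", users_over_limit(SAMPLE_LOG, limit=3))
```

Run against the constructed log, only 203.0.113.5 reaches maxretry = 3; the compromised account's five successful submissions from 203.0.113.9 never touch the failure pattern, which is why a jail built on authentication failures cannot see an attacker who already has the password. Volume per authenticated account has to be counted from the sasl_username lines (or limited in Postfix itself), which is a different check from the sasl jail.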