Submission behaviour

20 Jun 2023

      Hi,
I have used fail2ban for a while, to block brute force attacks on ssh, imap(s) or submission(s) ports.
More because I wanted to reduce the noise in the logs rather than a fear of a broken password.
Then, with nftables, I realised you can achieve the same thing, as long as a TCP connection isn't close. This works very
well for SSH, but I then realised it works for a modern IMAP server that supports IDLE, since the connection is kept
open, for instance the excellent Dovecot mail server.
Here an example, of nftable ruleset, for dovecot imap(s):

table inet filter {
set banned_imap_ipv4 {
    type ipv4_addr
    flags dynamic,timeout
    timeout 1d
}

set banned_imap_ipv6 {
    type ipv6_addr
    size 65535
    flags dynamic,timeout
    timeout 1d
}

chain input {

    # Limit new imap connections ala fail2ban
    meta nfproto ipv4 tcp dport imaps ct state new,untracked \
    limit rate over 10/minute add @banned_imap_ipv4 { ip saddr }

    meta nfproto ipv6 tcp dport imaps ct state new,untracked \
    limit rate over 10/minute add @banned_imap_ipv6 { ip6 saddr }

    # Reject the traffic explicitly
    ip saddr @banned_imap_ipv4 tcp dport imaps reject with icmp type admin-prohibited
    ip6 saddr @banned_imap_ipv6 tcp dport imaps reject with icmpv6 type admin-prohibited

    tcp dport { imap, imaps } ct state new counter accept \
    comment "Accept imap/imaps connections"

}
}
Surprisingly, this is working very well with Dovecot, and various modern clients like Evolution or Thunderbird, as well
as K9 on Android.
There is also a way to save the rules before restarting the firewall, which works very well as well:

# nft list set inet filter banned_imap_ipv4
table inet filter {
set banned_imap_ipv4 {
type ipv4_addr
size 65535
flags dynamic,timeout
timeout 1d
elements = { 162.142.125.214 timeout 1d expires 23h44m16s600ms }
}
}
Now, the question I have is this.
I can limit new TCP connections to a reasonable amount, like 10 per minute, because I know I will not try to send that
amount of emails from a single IP.
However, is there an option, in Postfix, to keep the TCP connection opened for submission(s) protocols (ports 465 or
587)
Thanks for your insights.

André Rodier

}

# nft list set inet filter banned_imap_ipv4 table inet filter { set banned_imap_ipv4 { type ipv4_addr size 65535 flags dynamic,timeout timeout 1d elements = { 162.142.125.214 timeout 1d expires 23h44m16s600ms } } }

tags

participants (1)