NetBSD-Users archive
blacklistd not reacting to postfix/smtpd AUTH failures
Hi,
On this machine:
NetBSD senate.imil.net 9.0 NetBSD 9.0 (GENERIC) #0: Fri Feb 14 00:06:28 UTC 2020 mkrepro%mkrepro.NetBSD.org@localhost:/usr/src/sys/arch/amd64/compile/GENERIC amd64
I have the following setup:
$ cat /etc/blacklistd.conf
[local]
domain dgram * * * 3 24h
smtp stream * * * 3 24h
submission stream * * * 3 24h
imaps stream * * * 3 24h
ssh stream * * * 3 24h
$ cat /etc/npf.conf
$ext = vioif0
set bpf.jit on;
alg "icmp"
table <blacklist> type ipset file "/etc/npf_blacklist"
group "external" on $ext {
	ruleset "blacklistd"
	block in final from <blacklist>
	pass final all
}
group default {
	pass final all
}
This works, i.e. blocks brute-force attempts on ports 53 and 22, but
authentication failures on port 25 are not caught and thus no blacklisting
takes place:
$ sudo grep AUTH /var/log/maillog|tail -6
Aug 7 14:17:08 senate postfix/smtpd[16590]: lost connection after AUTH from unknown[78.128.113.116]
Aug 7 14:25:11 senate postfix/smtpd[3931]: lost connection after AUTH from unknown[78.128.113.116]
Aug 7 14:25:16 senate postfix/smtpd[3931]: lost connection after AUTH from unknown[78.128.113.116]
Aug 7 14:25:21 senate postfix/smtpd[7936]: lost connection after AUTH from unknown[78.128.113.116]
Aug 7 14:25:25 senate postfix/smtpd[3931]: lost connection after AUTH from unknown[78.128.113.116]
Aug 7 14:25:29 senate postfix/smtpd[7936]: lost connection after AUTH from unknown[78.128.113.116]
$ sudo grep blacklist /var/log/messages
Aug 7 12:38:04 senate blacklistd[1955]: released 1.192.90.183/32:53 after 86400 seconds
Aug 7 13:53:47 senate blacklistd[1955]: released 3.237.190.49/32:53 after 86400 seconds
Aug 7 14:05:09 senate blacklistd[1955]: blocked 3.235.107.224/32:53 for 86400 seconds
$ sudo blacklistctl dump -ab
address/ma:port         id  nfail  last access
89.248.167.135/32:53        1/3    2020/08/07 02:23:22
195.144.21.56/32:53         1/3    2020/08/07 06:57:38
146.88.240.15/32:53         1/3    2020/08/06 16:39:09
3.235.107.224/32:53     3   3/3    2020/08/07 14:05:09
146.88.240.128/32:53        2/3    2020/08/06 21:51:36
2001:bc8:234c:1/128:22      1/3    2020/08/06 16:21:34
71.6.232.7/32:53            1/3    2020/08/07 05:42:50
80.82.65.90/32:53           2/3    2020/08/06 18:25:48
74.82.47.2/32:53            1/3    2020/08/07 02:42:22
146.88.240.4/32:53          1/3    2020/08/06 16:22:46
193.29.15.169/32:53         2/3    2020/08/06 18:54:24
185.232.65.36/32:53         1/3    2020/08/06 22:06:34
192.35.168.251/32:53        1/3    2020/08/07 01:58:55
185.50.66.1/32:53           1/3    2020/08/07 12:52:59
smtpd is indeed linked against libblacklist:
$ ldd /usr/libexec/postfix/smtpd |grep black
-lblacklist.0 => /usr/lib/libblacklist.so.0
Anything I am missing here?
Thanks,
------------------------------------------------------------------------
Emile `iMil' Heitor <imil@{home.imil.net,NetBSD.org}> | https://imil.net
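
A cross-check for the symptom described in the message above, as an added example that is not part of the original post: it counts "lost connection after AUTH" lines per client in a maillog and lists clients at or above the configured nfail that have no entry for the port in saved `blacklistctl dump -ab` output. The function names are hypothetical, and treating each such log line as one failed attempt is an assumption of this check, not a statement of how blacklistd counts.

```shell
# Added example, not from the original post.
# usage: auth_offenders_missing MAILLOG DUMP NFAIL PORT
# Prints "address count" for each client with at least NFAIL AUTH-loss lines
# in MAILLOG and no PORT entry in DUMP (saved `blacklistctl dump -ab` output).
auth_offenders_missing() {
    awk -v dump="$2" -v nfail="$3" -v port="$4" '
        FILENAME == dump {
            # Column 1 is address/mask:port; the port follows the last colon.
            if ($1 ~ /\/[0-9]+:[0-9]+$/) {
                n = split($1, part, ":")
                addr = $1
                sub(/\/[0-9]+:[0-9]+$/, "", addr)
                if (part[n] == port) known[addr] = 1
            }
            next
        }
        /postfix\/smtpd\[[0-9]+\]: lost connection after AUTH from / {
            # The client address sits inside the final [...] of the line.
            addr = $NF
            sub(/^.*\[/, "", addr); sub(/\].*$/, "", addr)
            count[addr]++
        }
        END {
            for (a in count)
                if (count[a] >= nfail && !(a in known)) print a, count[a]
        }
    ' "$2" "$1" | sort
}
# Sample input copied from the post (both listings trimmed).
sample_maillog() { cat <<'EOF'
Aug 7 14:17:08 senate postfix/smtpd[16590]: lost connection after AUTH from unknown[78.128.113.116]
Aug 7 14:25:11 senate postfix/smtpd[3931]: lost connection after AUTH from unknown[78.128.113.116]
Aug 7 14:25:16 senate postfix/smtpd[3931]: lost connection after AUTH from unknown[78.128.113.116]
Aug 7 14:25:21 senate postfix/smtpd[7936]: lost connection after AUTH from unknown[78.128.113.116]
EOF
}
sample_dump() { cat <<'EOF'
address/ma:port id nfail last access
3.235.107.224/32:53 3 3/3 2020/08/07 14:05:09
2001:bc8:234c:1/128:22 1/3 2020/08/06 16:21:34
EOF
}
demo() {  # nfail 3 as in the posted blacklistd.conf, port 25 for smtp
    t=$(mktemp -d) && sample_maillog >"$t/m" && sample_dump >"$t/d" &&
        auth_offenders_missing "$t/m" "$t/d" 3 25
    rm -rf "$t"
}
demo
```

An address printed here has reached the threshold in the mail log without blacklistd holding any state for it on that port.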