NetBSD-Users archive
Re: blacklistd not reacting to postfix/smtpd AUTH failures
In article <alpine.NEB.2.21.2008071503400.19803%senate.imil.net@localhost>,
Emile `iMil' Heitor <imil%home.imil.net@localhost> wrote:
>
>Hi,
>
>On this machine:
>
>NetBSD senate.imil.net 9.0 NetBSD 9.0 (GENERIC) #0: Fri Feb 14 00:06:28 UTC 2020 mkrepro%mkrepro.NetBSD.org@localhost:/usr/src/sys/arch/amd64/compile/GENERIC amd64
>
>I have the following setup:
>
>$ cat /etc/blacklistd.conf
>[local]
>domain dgram * * * 3 24h
>smtp stream * * * 3 24h
>submission stream * * * 3 24h
>imaps stream * * * 3 24h
>ssh stream * * * 3 24h
>
>$ cat /etc/npf.conf
>
>$ext = vioif0
>
>set bpf.jit on;
>alg "icmp"
>
>table <blacklist> type ipset file "/etc/npf_blacklist"
>
>group "external" on $ext {
> ruleset "blacklistd"
> block in final from <blacklist>
> pass final all
>}
>
>group default {
> pass final all
>}
>
>This works, i.e. blocks brute-force attempts on ports 53 and 22, but
>authentication failures on port 25 are not caught and thus no blacklisting
>takes place:
>
>$ sudo grep AUTH /var/log/maillog|tail -6
>Aug 7 14:17:08 senate postfix/smtpd[16590]: lost connection after AUTH from unknown[78.128.113.116]
>Aug 7 14:25:11 senate postfix/smtpd[3931]: lost connection after AUTH from unknown[78.128.113.116]
>Aug 7 14:25:16 senate postfix/smtpd[3931]: lost connection after AUTH from unknown[78.128.113.116]
>Aug 7 14:25:21 senate postfix/smtpd[7936]: lost connection after AUTH from unknown[78.128.113.116]
>Aug 7 14:25:25 senate postfix/smtpd[3931]: lost connection after AUTH from unknown[78.128.113.116]
>Aug 7 14:25:29 senate postfix/smtpd[7936]: lost connection after AUTH from unknown[78.128.113.116]
>
>$ sudo grep blacklist /var/log/messages
>Aug 7 12:38:04 senate blacklistd[1955]: released 1.192.90.183/32:53 after 86400 seconds
>Aug 7 13:53:47 senate blacklistd[1955]: released 3.237.190.49/32:53 after 86400 seconds
>Aug 7 14:05:09 senate blacklistd[1955]: blocked 3.235.107.224/32:53 for 86400 seconds
>
>$ sudo blacklistctl dump -ab
>  address/ma:port         id  nfail  last access
>  89.248.167.135/32:53        1/3    2020/08/07 02:23:22
>  195.144.21.56/32:53         1/3    2020/08/07 06:57:38
>  146.88.240.15/32:53         1/3    2020/08/06 16:39:09
>  3.235.107.224/32:53     3   3/3    2020/08/07 14:05:09
>  146.88.240.128/32:53        2/3    2020/08/06 21:51:36
>  2001:bc8:234c:1/128:22      1/3    2020/08/06 16:21:34
>  71.6.232.7/32:53            1/3    2020/08/07 05:42:50
>  80.82.65.90/32:53           2/3    2020/08/06 18:25:48
>  74.82.47.2/32:53            1/3    2020/08/07 02:42:22
>  146.88.240.4/32:53          1/3    2020/08/06 16:22:46
>  193.29.15.169/32:53         2/3    2020/08/06 18:54:24
>  185.232.65.36/32:53         1/3    2020/08/06 22:06:34
>  192.35.168.251/32:53        1/3    2020/08/07 01:58:55
>  185.50.66.1/32:53           1/3    2020/08/07 12:52:59
>
>smtpd is indeed linked over libblacklist:
>
>$ ldd /usr/libexec/postfix/smtpd |grep black
> -lblacklist.0 => /usr/lib/libblacklist.so.0
>
>Anything I am missing here?
Can you try this?
christos
Index: smtpd.c
===================================================================
RCS file: /cvsroot/src/external/ibm-public/postfix/dist/src/smtpd/smtpd.c,v
retrieving revision 1.17
diff -u -u -r1.17 smtpd.c
--- smtpd.c 18 Mar 2020 19:05:20 -0000 1.17
+++ smtpd.c 10 Aug 2020 14:21:48 -0000
@@ -5795,6 +5795,8 @@
|| strcmp(state->reason, REASON_LOST_CONNECTION)) {
msg_info("%s after %s from %s",
state->reason, state->where, state->namaddr);
+ if (strcmp(state->where, SMTPD_CMD_AUTH) == 0)
+ pfilter_notify(1, vstream_fileno(state->client));
}
}
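Review bot: the two added lines report to the packet filter every connection that is lost while state->where is AUTH, whether or not the SASL exchange actually rejected credentials, so a legitimate client that drops mid-AUTH because of a network problem is counted as one failure too. That is what the quoted maillog needs (the msg_info() format in the context lines is exactly what produced the "lost connection after AUTH from ..." lines above, and postfix logged the attempts no other way), and the effect is bounded by the nfail/duration settings in blacklistd.conf (3 failures in 24h for smtp and submission), but a short comment above the new `if` stating that a lost connection during AUTH is deliberately treated as a failed authentication would spare the next reader the same question.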
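A cross-check for the gap the quoted message describes, added here as an example and not code from the thread, from NetBSD or from Postfix: it counts postfix/smtpd "lost connection after AUTH" events per client in a maillog and reports clients that reached the blacklistd threshold (3 failures for smtp in the quoted blacklistd.conf) but have no entry on that port in "blacklistctl dump -ab" output. The sample maillog and dump text are constructed, modelled on the output in the thread; the function names are mine.

```shell
#!/bin/sh
# Added example: compare smtpd's view of failed AUTH attempts (maillog) with
# blacklistd's view (blacklistctl dump -ab). Sample data below is constructed.
set -eu

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
MAILLOG="$workdir/maillog"
DUMP="$workdir/blacklistctl.dump"

# Constructed maillog: six lost-connection-after-AUTH events from one client,
# one such event from another client, and an unrelated disconnect line.
cat > "$MAILLOG" <<'EOF'
Aug 7 14:17:08 senate postfix/smtpd[16590]: lost connection after AUTH from unknown[78.128.113.116]
Aug 7 14:25:11 senate postfix/smtpd[3931]: lost connection after AUTH from unknown[78.128.113.116]
Aug 7 14:25:16 senate postfix/smtpd[3931]: lost connection after AUTH from unknown[78.128.113.116]
Aug 7 14:25:21 senate postfix/smtpd[7936]: lost connection after AUTH from unknown[78.128.113.116]
Aug 7 14:25:25 senate postfix/smtpd[3931]: lost connection after AUTH from unknown[78.128.113.116]
Aug 7 14:25:29 senate postfix/smtpd[7936]: lost connection after AUTH from unknown[78.128.113.116]
Aug 7 14:30:02 senate postfix/smtpd[8120]: lost connection after AUTH from mail.example.net[192.0.2.10]
Aug 7 14:31:40 senate postfix/smtpd[8120]: disconnect from mail.example.net[192.0.2.10]
EOF

# Constructed "blacklistctl dump -ab" output: entries only on ports 53 and 22,
# nothing on port 25 for 78.128.113.116 (the situation shown in the thread).
cat > "$DUMP" <<'EOF'
        address/ma:port                         id      nfail   last access
     3.235.107.224/32:53                        3       3/3     2020/08/07 14:05:09
  2001:bc8:234c:1/128:22                                1/3     2020/08/06 16:21:34
       185.50.66.1/32:53                                1/3     2020/08/07 12:52:59
EOF

# auth_lost_by_ip FILE: count "lost connection after AUTH" events per client
# address. Output lines are "<count> <ip>", sorted by address for stable output.
auth_lost_by_ip() {
    awk '/postfix\/smtpd\[[0-9]+\]: lost connection after AUTH from / &&
         match($0, /\[[0-9A-Fa-f.:]+\]$/) {
             ip = substr($0, RSTART + 1, RLENGTH - 2)   # strip the brackets
             n[ip]++
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -k2
}

# blacklistd_has_entry FILE IP PORT: succeed if the dump has a row for IP on
# PORT. Rows look like "addr/mask:port [id] nfail/limit date"; the header row
# is skipped. Exact string comparison avoids treating dots as regex wildcards.
blacklistd_has_entry() {
    awk -v want="$2" -v port="$3" '
        NR > 1 && split($1, f, "/") == 2 {
            split(f[2], m, ":")              # m[1] = mask, m[2] = port
            if (f[1] == want && m[2] == port) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# unreported_clients MAILLOG DUMP THRESHOLD PORT: print "<ip> <count>" for
# clients whose maillog failure count reached THRESHOLD but that blacklistd
# has no record of on PORT, i.e. failures smtpd logged but never reported.
unreported_clients() {
    auth_lost_by_ip "$1" | while read -r count ip; do
        [ "$count" -ge "$3" ] || continue
        blacklistd_has_entry "$2" "$ip" "$4" || echo "$ip $count"
    done
}

# Threshold 3 and port 25 match the "smtp stream * * * 3 24h" line quoted above.
unreported_clients "$MAILLOG" "$DUMP" 3 25
```

On a live system, point the functions at /var/log/maillog and at a file holding the output of "blacklistctl dump -ab"; any line printed is a client that smtpd logged at or above the threshold without blacklistd ever hearing about it, which is exactly what the patch above addresses. After applying the patch, the same check should print nothing for port 25 once a client crosses the threshold.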