Last edited by rain6966 (2018-01-26 19:17:22)

Topic: Improving postfix.iredmail.conf

1).
Using this config:

https://bitbucket.org/zhb/iredmail/raw/default/iRedMail/samples/fail2ban/filter.d/postfix.iredmail.conf

# diff 1 2

13c13
< Failregex: 120 total
---
> Failregex: 133 total
68c68
< |   3) [69] postscreen\[\d+\]: PREGREET .* from \[<HOST>\]:\d+: (EHLO|HELO)
---
> |   3) [82] PREGREET ([0-9]{1,3}) .* from \[<HOST>\]:([0-9]{4,5}:)?(.*) .*$
73a74,77
> |      123.59.60.110  Tue Dec 19 23:15:18 2017
> |      123.59.60.110  Tue Dec 19 23:15:21 2017
> |      112.117.17.42  Thu Dec 21 01:18:48 2017
> |      139.162.99.243  Thu Dec 21 02:06:06 2017
88a93,94
> |      210.201.136.13  Tue Dec 26 14:57:33 2017
> |      110.185.170.146  Tue Dec 26 19:16:05 2017
101a108,109
> |      123.59.60.110  Wed Jan 03 14:17:25 2018
> |      123.59.60.110  Wed Jan 03 14:17:28 2018
104a113
> |      220.175.61.17  Thu Jan 04 10:12:48 2018
106a116
> |      124.235.138.249  Tue Jan 09 06:18:48 2018
131a142,143
> |      123.59.60.110  Thu Jan 18 03:17:33 2018
> |      123.59.60.110  Thu Jan 18 03:17:36 2018
137a150
> |      210.201.136.13  Fri Jan 26 14:55:44 2018
161,162c174,175
< Lines: 149143 lines, 0 ignored, 120 matched, 149023 missed
< [processed in 8.55 sec]
---
> Lines: 149143 lines, 0 ignored, 133 matched, 149010 missed
> [processed in 8.89 sec]
164c177
< Missed line(s): too many to print.  Use --print-all-missed to print all 149023 lines
---
> Missed line(s): too many to print.  Use --print-all-missed to print all 149010 lines

File 1 is the iRedMail config from bitbucket.
File 2 is my own earlier config.

Looking at the log for 123.59.60.110:

Jan 18 03:17:33 mail postfix/postscreen[12606]: CONNECT from [123.59.60.110]:39922 to [10.10.10.10]:25
Jan 18 03:17:33 mail postfix/postscreen[12606]: BLACKLISTED [123.59.60.110]:39922
Jan 18 03:17:33 mail postfix/postscreen[12606]: PREGREET 295 after 0.01 from [123.59.60.110]:39922: \22\3\1\1"\1\0\1\30\3\3\1343\238b\23\174\238\223\28^VYf\22\253r\19?\226v1\188\189\184\245H\175\145r\
Jan 18 03:17:33 mail postfix/postscreen[12606]: CONNECT from [123.59.60.110]:34059 to [10.192.176.16]:25
Jan 18 03:17:33 mail postfix/postscreen[12606]: BLACKLISTED [123.59.60.110]:34059
Jan 18 03:17:33 mail postfix/postscreen[12606]: BARE NEWLINE from [123.59.60.110]:39922 after \22\3\1\1"\1\0\1\30\3\3\1343\238b\23\174\238\223\28^VYf\22\253r\19?\226v1\188\189\184\245H\175\145r\226\235\135\0\0\136\1920\192,\192(\192$\192\20\192
Jan 18 03:17:33 mail postfix/postscreen[12606]: COMMAND PIPELINING from [123.59.60.110]:39922 after ????"?: \0\163\0\159\0k\0j\0009\0008\0\136\0\135\1922\192.\192*\192&\192\15\192\5\0\157\0=\0005\0\132\192\18\192\b\0\22\0\19\192\r\192\3\0\n\192/\192+\192'\192#\192\19\192\t\0\162\0\158\0g\0@\0003\0002\0\154\0\153\0E\0D\1921\192-\192)\192%\192\14\192\4\0\156\0<\0/
Jan 18 03:17:33 mail postfix/postscreen[12606]: HANGUP after 0 from [123.59.60.110]:39922 in tests after SMTP handshake
Jan 18 03:17:33 mail postfix/postscreen[12606]: DISCONNECT [123.59.60.110]:39922
Jan 18 03:17:36 mail postfix/postscreen[12606]: PREGREET 3 after 3.1 from [123.59.60.110]:34059: \255\253\1
Jan 18 03:17:40 mail postfix/postscreen[12606]: HANGUP after 3.2 from [123.59.60.110]:34059 in tests after SMTP handshake
Jan 18 03:17:40 mail postfix/postscreen[12606]: DISCONNECT [123.59.60.110]:34059

It indeed cannot be blocked; if (EHLO|HELO) is removed, the two rules catch exactly the same results.

But I think there is still a problem:
when a user outside the company creates a new account on a laptop (or remote computer), they get blocked.

Jan 25 18:04:32 mail postfix/postscreen[13246]: CONNECT from [219.80.xx.yy]:15135 to [10.10.10.10]:25
Jan 25 18:04:32 mail postfix/postscreen[13246]: CONNECT from [219.80.xx.yy]:64281 to [10.10.10.10]:25
Jan 25 18:04:32 mail postfix/submission/smtpd[13245]: connect from 219-80-xx-yy.static.tfn.net.tw[219.80.xx.yy]
Jan 25 18:04:32 mail postfix/submission/smtpd[13252]: connect from 219-80-xx-yy.static.tfn.net.tw[219.80.xx.yy]
Jan 25 18:04:32 mail postfix/submission/smtpd[13245]: improper command pipelining after EHLO from 219-80-xx-yy.static.tfn.net.tw[219.80.xx.yy]: QUIT\r\n
Jan 25 18:04:32 mail postfix/submission/smtpd[13245]: disconnect from 219-80-xx-yy.static.tfn.net.tw[219.80.xx.yy]
Jan 25 18:04:32 mail postfix/postscreen[13246]: PREGREET 33 after 0.11 from [219.80.xx.yy]:15135: EHLO we-guess.mozilla.org\r\nQUIT\r\n
Jan 25 18:04:32 mail postfix/submission/smtpd[13252]: improper command pipelining after EHLO from 219-80-xx-yy.static.tfn.net.tw[219.80.xx.yy]: QUIT\r\n
Jan 25 18:04:32 mail postfix/submission/smtpd[13252]: disconnect from 219-80-xx-yy.static.tfn.net.tw[219.80.xx.yy]
Jan 25 18:04:32 mail postfix/postscreen[13246]: PREGREET 33 after 0.11 from [219.80.xx.yy]:64281: EHLO we-guess.mozilla.org\r\nQUIT\r\n
Jan 25 18:04:32 mail postfix/postscreen[13246]: COMMAND PIPELINING from [219.80.xx.yy]:15135 after EHLO: QUIT\r\n
Jan 25 18:04:32 mail postfix/postscreen[13246]: DISCONNECT [219.80.xx.yy]:15135
Jan 25 18:04:32 mail postfix/postscreen[13246]: COMMAND PIPELINING from [219.80.xx.yy]:64281 after EHLO: QUIT\r\n
Jan 25 18:04:32 mail postfix/postscreen[13246]: DISCONNECT [219.80.xx.yy]:64281

The above is the log of creating a new account with TB (Thunderbird) on a remote computer.
Jan 25 18:04:32 mail postfix/postscreen[13246]: PREGREET 33 after 0.11 from [219.80.xx.yy]:64281: EHLO we-guess.mozilla.org\r\nQUIT\r\n
Both rules catch it.


2).
Now I have added this rule:

"HANGUP after [0-9]\.[0-9]* from \[<HOST>]:\d+ ?in tests (after|before)"

It catches 52 IPs, fewer than the 69 IPs caught by postfix.iredmail.conf.

The log of a missed IP is below; it connects and disconnects without doing anything, so perhaps it can be ignored.

# grep -1 '103.255.177.76' /var/log/maillog

Jan 13 18:11:46 mail clamd[1635]: SelfCheck: Database status OK.
Jan 13 18:17:17 mail postfix/postscreen[12382]: CONNECT from [103.255.177.76]:49299 to [10.10.10.10]:25
Jan 13 18:17:17 mail postfix/postscreen[12382]: PREGREET 13 after 0 from [103.255.177.76]:49299: EHLO ubuntu\r\n
Jan 13 18:17:17 mail postfix/postscreen[12382]: DISCONNECT [103.255.177.76]:49299
Jan 13 18:21:46 mail clamd[1635]: SelfCheck: Database status OK.
--
Jan 13 19:41:46 mail clamd[1635]: SelfCheck: Database status OK.
Jan 13 19:48:00 mail postfix/postscreen[12571]: CONNECT from [103.255.177.76]:50211 to [10.10.10.10]:25
Jan 13 19:48:00 mail postfix/postscreen[12571]: PREGREET 13 after 0 from [103.255.177.76]:50211: EHLO ubuntu\r\n
Jan 13 19:48:01 mail postfix/postscreen[12571]: DISCONNECT [103.255.177.76]:50211
Jan 13 19:51:46 mail clamd[1635]: SelfCheck: Database status OK.
--
Jan 13 21:28:33 mail postfix/anvil[12915]: statistics: max cache size 1 at Jan 13 21:25:13
Jan 13 21:28:46 mail postfix/postscreen[12929]: CONNECT from [103.255.177.76]:42388 to [10.10.10.10]:25
Jan 13 21:28:46 mail postfix/postscreen[12929]: PREGREET 13 after 0 from [103.255.177.76]:42388: EHLO ubuntu\r\n
Jan 13 21:28:47 mail postfix/postscreen[12929]: DISCONNECT [103.255.177.76]:42388

At the moment I also add it to ignoreip manually. Does the admin have a better method?

Re: Improving postfix.iredmail.conf

Could you paste your complete modified postfix.iredmail.conf?

I am currently using the bitbucket version of postfix.iredmail.conf on a customer's iRedMail load-balance cluster. It effectively blocks a very large number of zombie machines from mainland China (mostly using ylmf-pc as the EHLO), but I really did not anticipate Thunderbird being blocked.

One possible solution: add Thunderbird's log line as an exception in the "ignoreregex =" parameter of postfix.iredmail.conf.

Re: Improving postfix.iredmail.conf

I found that a Thunderbird issue related to this was reported 7 years ago:
https://bugzilla.mozilla.org/show_bug.cgi?id=538809

Quoted below:

3. Thunderbird is NOT waiting for the banner before sending EHLO. My server says 'SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "EHLO we-guess.mozilla.org"'

This is the cause of the fail2ban problem. According to the RFC, an MUA/MTA must wait for the peer's greeting/banner before sending the next SMTP command, but Thunderbird does not wait. The PREGREET (pre-greeting) tag in the Postfix postscreen log is the record of exactly this problem.

Judging from the latest replies at the link above, the newest TB version still seems to have this problem. Please update that bug to remind the Mozilla team to fix it.
Fixing it at the source is always more thorough than patching downstream.

Re: Improving postfix.iredmail.conf

ZhangHuangbin wrote:

Please update that bug to remind the Mozilla team to fix it.

I added a comment to the original bug report; hopefully the Mozilla team fixes it soon:
https://bugzilla.mozilla.org/show_bug.cgi?id=538809#c41

Re: Improving postfix.iredmail.conf

ZhangHuangbin wrote:

One possible solution: add Thunderbird's log line as an exception in the "ignoreregex =" parameter of postfix.iredmail.conf.

Could you add the following ignoreregex to your postfix.iredmail.conf to ignore TB?

ignoreregex = postscreen\[\d+\]: PREGREET .* from \[<HOST>\]:\d+: (EHLO|HELO) we-guess.mozilla.org

Last edited by rain6966 (2018-01-29 10:10:22)

Re: Improving postfix.iredmail.conf

Sorry, admin, for only replying now:

1).

ZhangHuangbin wrote:

One possible solution: add Thunderbird's log line as an exception in the "ignoreregex =" parameter of postfix.iredmail.conf.

Could you add the following ignoreregex to your postfix.iredmail.conf to ignore TB?

ignoreregex = postscreen\[\d+\]: PREGREET .* from \[<HOST>\]:\d+: (EHLO|HELO) we-guess.mozilla.org

Test results:
"ignoreregex = postscreen\[\d+\]: PREGREET .* from \[<HOST>\]:\d+: (EHLO|HELO) we-guess.mozilla.org"

Putting this parameter under "ignoreregex =" has no effect; the lines are still caught (not ignored);
but putting it under "failregex =", with only this rule, works and catches them:

Failregex: 6 total
|-  #) [# of hits] regular expression
|   1) [6] postscreen\[\d+\]: PREGREET .* from \[<HOST>\]:\d+: (EHLO|HELO) we-guess\.mozilla\.org.*$
|      219.80.xx.yy  Sun Jan 14 21:07:13 2018
|      219.80.xx.yy  Sun Jan 14 21:07:13 2018
|      219.80.xx.yy  Thu Jan 25 18:00:14 2018
|      219.80.xx.yy  Thu Jan 25 18:00:14 2018
|      219.80.xx.yy  Thu Jan 25 18:04:32 2018
|      219.80.xx.yy  Thu Jan 25 18:04:32 2018
`-

Ignoreregex: 0 total

Could it be a fail2ban bug?

2).

rain6966 wrote:

1).

Looking at the log for 123.59.60.110:

Jan 18 03:17:33 mail postfix/postscreen[12606]: PREGREET 295 after 0.01 from [123.59.60.110]:39922: \22\3\1\1"\1\0\1\30\3\3\1343\238b\23\174\238\223\28^VYf\22\253r\19?\226v1\188\189\184\245H\175\145r\

Jan 18 03:17:36 mail postfix/postscreen[12606]: PREGREET 3 after 3.1 from [123.59.60.110]:34059: \255\253\1

The log lines above contain no (EHLO|HELO), so
" postscreen\[\d+\]: PREGREET .* from \[<HOST>\]:\d+: (EHLO|HELO)"
still cannot catch them.

So is there another method, or should we let them pass? Or use my rule? Please decide, admin.

If the rule I mentioned above is used, after checking the log this morning it still needs a further fix, to:

HANGUP after [0-9](\.[0-9]|\d+)* from \[<HOST>]:\d+ ?in tests (after|before)

Because "HANGUP after 0 from", where the value is "0", is not caught;
and catching it with "postscreen\[\d+\]: PREGREET .* from \[<HOST>\]:\d+: (EHLO|HELO)"
does not work either, because its helo is lowercase.

Jan 28 19:44:25 mail postfix/postscreen[7371]: CONNECT from [114.221.126.195]:24729 to [10.10.10.10]:25
Jan 28 19:44:25 mail postfix/postscreen[7371]: PREGREET 12 after 0 from [114.221.126.195]:24729: ehlo hello\r\n
Jan 28 19:44:26 mail postfix/dnsblog[7378]: addr 114.221.126.195 listed by domain zen.spamhaus.org as 127.0.0.11
Jan 28 19:44:26 mail postfix/dnsblog[7378]: addr 114.221.126.195 listed by domain zen.spamhaus.org as 127.0.0.4
Jan 28 19:44:26 mail postfix/postscreen[7371]: DNSBL rank 13 for [114.221.126.195]:24729
Jan 28 19:44:26 mail postfix/postscreen[7371]: COMMAND PIPELINING from [114.221.126.195]:24729 after ehlo: help\r\n\r\n
Jan 28 19:44:26 mail postfix/postscreen[7371]: HANGUP after 0 from [114.221.126.195]:24729 in tests after SMTP handshake
Jan 28 19:44:26 mail postfix/postscreen[7371]: DISCONNECT [114.221.126.195]:24729

3).
I split postfix.iredmail.conf into 2 files, because previously iRedMail had no filtering for postscreen and I added it myself. (I will probably merge them.)
postfix-ired.conf:

[INCLUDES]
before = common.conf

[Definition]
failregex = reject: RCPT from \S+\[<HOST>\]: 450 4.1.8 <\S*>: Sender address rejected: Domain not found; from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
            reject: RCPT from \S+\[<HOST>\]: 450 4.7.1 Client host rejected: cannot find your hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
            reject: RCPT from \S+\[<HOST>\]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
            reject: RCPT from \S+\[<HOST>\]: 450 4.7.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
            reject: RCPT from (.*)\[<HOST>\]: 454 4.7.1 Service unavailable.*$
            reject: RCPT from (.*)\[<HOST>\]: 454 4.7.1 (.*): Relay access denied.*$
            reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname.*$
            reject: VRFY from (.*)\[<HOST>\]: 550 5.1.1 .*$
            reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1 .*$
            warning: Illegal address syntax from (.*)\[<HOST>\] in (RCPT|MAIL) command.*$
            lost connection after (AUTH|UNKNOWN|EHLO) from (.*)\[<HOST>\].*$
            ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$
            ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$


ignoreregex =

[Init]
#backend = polling
##journalmatch = _SYSTEMD_UNIT=postfix.service
#journalmatch =

postfix-poscr.conf: "#" marks a comment; previously two rules were used: "HANGUP" and "PREGREET"

[INCLUDES]
before = common.conf
[Definition]

failregex =
#previous setting         HANGUP after [0-9]\.[0-9]* from \[<HOST>]:\d+ ?in tests after SMTP handshake$
#previous setting         HANGUP after [0-9]\.[0-9]* from \[<HOST>]:\d+ ?in tests before SMTP handshake$
#          HANGUP after [0-9]\.[0-9]* from \[<HOST>]:\d+ ?in tests (after|before)
           HANGUP after [0-9](\.[0-9]|\d+)* from \[<HOST>]:\d+ ?in tests (after|before)

#          postscreen\[\d+\]: PREGREET .* from \[<HOST>\]:\d+: (EHLO|HELO)
#
#admin's setting; placed here it is caught          postscreen\[\d+\]: PREGREET .* from \[<HOST>\]:\d+: (EHLO|HELO) we-guess\.mozilla\.org.*$

#previous setting          PREGREET ([0-9]{1,3}) .* from \[<HOST>\]:([0-9]{4,5}:)?(.*) .*$
#previous setting          PREGREET ([0-9]{1,3})* after (0\.[0-9]{1,2}) from \[<HOST>\]:([0-9]{4,5}:)?(.*) .*$


ignoreregex =
#admin's setting; not caught here
#ignoreregex = postscreen\[\d+\]: PREGREET .* from \[<HOST>\]:\d+: (EHLO|HELO) we-guess.mozilla.org

PS: Admin, will the CentOS Nginx rule be updated in the next iRedMail release (stronger controls)? Below is my current config, for reference only:
nginx-http-auth.conf

[INCLUDES]

# Load regexes for filtering
before = botsearch-common.conf


[Definition]
badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider
badbots = Atomic_Email_Hunter/4\.0|atSpider/1\.0|autoemailspider|bwh3_user_agent|China Local Browse 2\.6|ContactBot/0\.2|ContentSmartz|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailSpider|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Guestbook Auto Submitter|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 \+http\://letscrawl\.com/|Lincoln State Web Browser|LMQueueBot/0\.2|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|MVAClient|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/3\.0 \(compatible; scan4mail \(advanced version\) http\://www\.peterspages\.net/?scan4mail\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|NameOfAgent \(CMS Spider\)|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|ShablastBot 1\.0|snap\.com beta crawler v0|Snapbot/1\.0|Snapbot/1\.0 \(Snap Shots&#44; \+http\://www\.snap\.com\)|sogou develop spider|Sogou Orion spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sogou spider|Sogou web spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|VadixBot|WebVulnCrawl\.unknown/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00

failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$
            ^<HOST> -.*GET http.*
            ^<HOST> .*\"(\\\S|\\)x\d\d\\.*\" 400 .+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .*\" 404 .+$
            ^<HOST> .*\"POST .*\" 405 .+$
            ^<HOST> -.*GET.*(\.asp|\.aspx|\.aspix|\.exe|\.cgi|\scgi)

            ^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$
            ^ \[error\] \d+#\d+: \*\d+ (\S+ )?\"\S+\" (failed|is not found) \(2\: No such file or directory\), client\: <HOST>\, server\: \S*\, request: \"(GET|POST|HEAD) .*?$

             ^ \[error\] \d+#\d+: \*\d+ .*?forbidden(\,| .*) client: <HOST>

             ^ \[error\] \d+#\d+: \*\d+ ?FastCGI sent in stderr: .*?client: <HOST>

ignoreregex =

[Init]
backend = polling
journalmatch =

For the jail config, I switched back to using the jail.local file:

[nginx-http-auth]
enabled         = true
port            = http,https
#logpath        = %(nginx_error_log)s
logpath         = %(nginx_log)s 

paths-common.conf

nginx_log = %(syslog_nginx)s
nginx_backend = %(default_backend)s

paths-fedora.conf

syslog_nginx = /var/log/nginx/*.log

Thanks for the admin's reply.

Re: Improving postfix.iredmail.conf

Too much is being discussed in one thread; it needs to be broken down and split into separate forum threads. You have already given me a headache...

The postfix.iredmail.conf I originally planned looks like this:

[Definition]
# *) '554 5.7.1' is 'Helo command rejected: ACCESS DENIED'
#
#   'ACCESS DENIED' is a string defined in the postfix restriction rule `check_helo_access`.
#   Not all rules contain 'ACCESS DENIED', so we use the status code instead.
#
# *) 'postscreen[\d+]: PREGREET .* from \[<HOST>\]:\d+: EHLO .*\r\n'
#
#    remote SMTP client speaks before its turn within the time specified with
#    the `postscreen_greet_wait` parameter in Postfix main.cf.

failregex = \[<HOST>\]: SASL (PLAIN|LOGIN) authentication failed
            lost connection after (AUTH|UNKNOWN|EHLO) from (.*)\[<HOST>\]
            reject: RCPT from .*\[<HOST>\]: .*: Relay access denied
            reject: RCPT from .*\[<HOST>\]: .*: Sender address rejected: Domain not found
            reject: RCPT from .*\[<HOST>\]: .*: Helo command rejected: Host not found
            reject: RCPT from .*\[<HOST>\]: .*: Helo command rejected: need fully-qualified hostname
            reject: RCPT from .*\[<HOST>\]: 554 5.7.1
            reject: RCPT from .*\[<HOST>\]:\d+: 550 5.5.1 Protocol error
            warning: Illegal address syntax from (.*)\[<HOST>\] in RCPT command
            postscreen\[\d+\]: PREGREET .* from \[<HOST>\]:\d+:

# While setting up a new account, Thunderbird doesn't wait for the server's
# greeting/banner, so it fails the Postfix pregreet test and is caught by the
# `failregex` rules listed above (the one containing 'PREGREET').
# https://bugzilla.mozilla.org/show_bug.cgi?id=538809#c41
ignoreregex = postscreen\[\d+\]: PREGREET .* from \[<HOST>\]:\d+: (EHLO|HELO) we-guess.mozilla.org

In failregex we catch every kind of PREGREET log line, but in ignoreregex we exclude Thunderbird.

Note: I suspect you ran the fail2ban-regex test command like this:

fail2ban-regex <log-file> <filter-file>

To test ignoreregex at the same time, you must also pass a 3rd argument as the ignoreregex:

fail2ban-regex <log-file> <filter-file> <ignoreregex-file>

That is:

fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix.iredmail.conf /etc/fail2ban/filter.d/postfix.iredmail.conf

Could you confirm whether your test was correct? If not, could you test again? Thanks.

Last edited by rain6966 (2018-01-30 23:22:26)

Re: Improving postfix.iredmail.conf

ZhangHuangbin wrote:

Too much is being discussed in one thread; it needs to be broken down and split into separate forum threads. You have already given me a headache...

fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix.iredmail.conf /etc/fail2ban/filter.d/postfix.iredmail.conf

Could you confirm whether your test was correct? If not, could you test again? Thanks.

Thanks for the admin's guidance:
I forgot that when testing ignoreregex with fail2ban-regex, the filter argument has to be given twice.
It is indeed skipped now.

Lines: 162118 lines, 8 ignored, 256 matched, 161854 missed
[processed in 17.75 sec]

|- Ignored line(s):
|  Jan 14 21:07:13 mail postfix/postscreen[18432]: PREGREET 33 after 0.21 from [219.80.xx.yy]:13685: EHLO we-guess.mozilla.org\r\nQUIT\r\n
|  Jan 14 21:07:13 mail postfix/postscreen[18432]: PREGREET 33 after 0.21 from [219.80.xx.yy]:13687: EHLO we-guess.mozilla.org\r\nQUIT\r\n
|  Jan 25 18:00:14 mail postfix/postscreen[13076]: PREGREET 33 after 0.04 from [219.80.xx.yy]:55933: EHLO we-guess.mozilla.org\r\nQUIT\r\n
|  Jan 25 18:00:14 mail postfix/postscreen[13076]: PREGREET 27 after 0.04 from [219.80.xx.yy]:35427: EHLO we-guess.mozilla.org\r\n
|  Jan 25 18:04:32 mail postfix/postscreen[13246]: PREGREET 33 after 0.11 from [219.80.xx.yy]:15135: EHLO we-guess.mozilla.org\r\nQUIT\r\n
|  Jan 25 18:04:32 mail postfix/postscreen[13246]: PREGREET 33 after 0.11 from [219.80.xx.yy]:64281: EHLO we-guess.mozilla.org\r\nQUIT\r\n
|  Jan 29 10:35:17 mail postfix/postscreen[22871]: PREGREET 33 after 0.03 from [192.168.1.10]:1885: EHLO we-guess.mozilla.org\r\nQUIT\r\n
|  Jan 29 10:35:17 mail postfix/postscreen[22871]: PREGREET 33 after 0.02 from [192.168.1.10]:1887: EHLO we-guess.mozilla.org\r\nQUIT\r\n
`-

So I will fix the postfix rule settings above.

Thanks.

Re: Improving postfix.iredmail.conf

Thanks for helping test. The following will be the final postfix.iredmail.conf:

[Definition]
# *) '554 5.7.1' is 'Helo command rejected: ACCESS DENIED'
#
#   'ACCESS DENIED' is a string defined in the postfix restriction rule `check_helo_access`.
#   Not all rules contain 'ACCESS DENIED', so we use the status code instead.
#
# *) 'postscreen[\d+]: PREGREET .* from \[<HOST>\]:\d+: EHLO .*\r\n'
#
#    remote SMTP client speaks before its turn within the time specified with
#    the `postscreen_greet_wait` parameter in Postfix main.cf.

failregex = \[<HOST>\]: SASL (PLAIN|LOGIN) authentication failed
            lost connection after (AUTH|UNKNOWN|EHLO) from (.*)\[<HOST>\]
            reject: RCPT from .*\[<HOST>\]: .*: Relay access denied
            reject: RCPT from .*\[<HOST>\]: .*: Sender address rejected: Domain not found
            reject: RCPT from .*\[<HOST>\]: .*: Helo command rejected: Host not found
            reject: RCPT from .*\[<HOST>\]: .*: Helo command rejected: need fully-qualified hostname
            reject: RCPT from .*\[<HOST>\]: 554 5.7.1
            reject: RCPT from .*\[<HOST>\]:\d+: 550 5.5.1 Protocol error
            warning: Illegal address syntax from (.*)\[<HOST>\] in RCPT command
            postscreen\[\d+\]: PREGREET .* from \[<HOST>\]:\d+:

# While setting up a new account, Thunderbird doesn't wait for the server's
# greeting/banner, so it fails the Postfix pregreet test and is caught by the
# `failregex` rules listed above (the one containing 'PREGREET').
# FYI: https://bugzilla.mozilla.org/show_bug.cgi?id=538809#c41
ignoreregex = postscreen\[\d+\]: PREGREET .* from \[<HOST>\]:\d+: (EHLO|HELO) we-guess.mozilla.org
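As an added example (not code from iRedMail or from anyone in this thread), here is a small Python stand-in for what fail2ban-regex does with the final filter above: `<HOST>` is expanded to a capture group, ignoreregex is checked before failregex, and the constructed sample lines are the ones quoted in this thread (the Thunderbird we-guess.mozilla.org line, the binary and lowercase "ehlo hello" pregreets, and a "HANGUP after 0" line to compare the two HANGUP rule variants from the earlier reply). The IPv4-only `<HOST>` pattern and the made-up octets replacing the masked xx.yy are assumptions.

```python
import re

# The failregex / ignoreregex lists of the final postfix.iredmail.conf above.
FAILREGEX = [
    r"\[<HOST>\]: SASL (PLAIN|LOGIN) authentication failed",
    r"lost connection after (AUTH|UNKNOWN|EHLO) from (.*)\[<HOST>\]",
    r"reject: RCPT from .*\[<HOST>\]: .*: Relay access denied",
    r"reject: RCPT from .*\[<HOST>\]: .*: Sender address rejected: Domain not found",
    r"reject: RCPT from .*\[<HOST>\]: .*: Helo command rejected: Host not found",
    r"reject: RCPT from .*\[<HOST>\]: .*: Helo command rejected: need fully-qualified hostname",
    r"reject: RCPT from .*\[<HOST>\]: 554 5.7.1",
    r"reject: RCPT from .*\[<HOST>\]:\d+: 550 5.5.1 Protocol error",
    r"warning: Illegal address syntax from (.*)\[<HOST>\] in RCPT command",
    r"postscreen\[\d+\]: PREGREET .* from \[<HOST>\]:\d+:",
]
IGNOREREGEX = [
    r"postscreen\[\d+\]: PREGREET .* from \[<HOST>\]:\d+: (EHLO|HELO) we-guess.mozilla.org",
]
# The two HANGUP rule variants from the earlier reply: the first insists on a
# decimal point after the digit, so "HANGUP after 0 from" can never match it.
HANGUP_OLD = r"HANGUP after [0-9]\.[0-9]* from \[<HOST>]:\d+ ?in tests (after|before)"
HANGUP_NEW = r"HANGUP after [0-9](\.[0-9]|\d+)* from \[<HOST>]:\d+ ?in tests (after|before)"

# fail2ban substitutes a named group for <HOST> that also accepts IPv6 and
# hostnames; this IPv4-only stand-in is an assumption for the example.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def compile_rule(rule):
    return re.compile(rule.replace("<HOST>", HOST))


def classify(line, failregex=FAILREGEX, ignoreregex=IGNOREREGEX):
    """Like fail2ban: a line hitting ignoreregex is dropped before failregex
    is tried; otherwise the first failregex hit yields the offending host."""
    if any(compile_rule(r).search(line) for r in ignoreregex):
        return "ignored", None
    for rule in failregex:
        m = compile_rule(rule).search(line)
        if m:
            return "matched", m.group("host")
    return "missed", None


# Constructed sample: lines quoted in this thread (the masked xx.yy octets are
# replaced with made-up 1.2).
SAMPLE_LOG = [
    "Jan 25 18:04:32 mail postfix/postscreen[13246]: PREGREET 33 after 0.11 from [219.80.1.2]:15135: EHLO we-guess.mozilla.org\\r\\nQUIT\\r\\n",
    "Jan 18 03:17:36 mail postfix/postscreen[12606]: PREGREET 3 after 3.1 from [123.59.60.110]:34059: \\255\\253\\1",
    "Jan 28 19:44:25 mail postfix/postscreen[7371]: PREGREET 12 after 0 from [114.221.126.195]:24729: ehlo hello\\r\\n",
    "Jan 28 19:44:26 mail postfix/postscreen[7371]: HANGUP after 0 from [114.221.126.195]:24729 in tests after SMTP handshake",
    "Jan 13 18:11:46 mail clamd[1635]: SelfCheck: Database status OK.",
]


def summarize(lines=SAMPLE_LOG):
    """Return fail2ban-regex style counts and the hosts that would be banned."""
    counts = {"matched": 0, "ignored": 0, "missed": 0}
    hosts = []
    for line in lines:
        verdict, host = classify(line)
        counts[verdict] += 1
        if host:
            hosts.append(host)
    return counts, hosts


def hangup_rule_matches(line):
    """(old rule matched?, new rule matched?) for one HANGUP log line."""
    return (bool(compile_rule(HANGUP_OLD).search(line)),
            bool(compile_rule(HANGUP_NEW).search(line)))
```

With the final filter, the Thunderbird line is ignored, the two non-Thunderbird pregreets are matched regardless of EHLO case or binary garbage, and the HANGUP line is missed because the final filter no longer contains a HANGUP rule.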

Re: Improving postfix.iredmail.conf

A small suggestion: it is best to put the two PREGREET-related rules (failregex + ignoreregex) into a separate jail, and set maxretry to 1 (or 2 or 3, depending on your needs). That way these bad clients get banned as quickly as possible.
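One way to lay out that suggestion, as an added example rather than iRedMail's shipped configuration: the PREGREET failregex and its Thunderbird ignoreregex move into their own filter file and jail with maxretry = 1. The filter name postscreen-pregreet and the findtime/bantime values are assumptions; the PREGREET line should then be removed from postfix.iredmail.conf so one hit is not counted by both jails.

```ini
# /etc/fail2ban/filter.d/postscreen-pregreet.conf (assumed file name)
[INCLUDES]
before = common.conf

[Definition]
# Any client that speaks before postscreen's banner (see postscreen_greet_wait).
failregex = postscreen\[\d+\]: PREGREET .* from \[<HOST>\]:\d+:

# Thunderbird sends EHLO before the banner during account setup
# (https://bugzilla.mozilla.org/show_bug.cgi?id=538809); skip those lines.
ignoreregex = postscreen\[\d+\]: PREGREET .* from \[<HOST>\]:\d+: (EHLO|HELO) we-guess.mozilla.org

# /etc/fail2ban/jail.local: a dedicated jail so a single pregreet already bans.
[postscreen-pregreet]
enabled  = true
filter   = postscreen-pregreet
port     = smtp
logpath  = /var/log/maillog
maxretry = 1
findtime = 600
bantime  = 3600
```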

Re: Improving postfix.iredmail.conf

Understood.

Thanks.