Difference between revisions of "Coping With Postfix Mail Server Attacks"
Revision as of 14:59, 8 April 2015
There are a number of different attacks possible. You might encounter a Brute Force Dictionary Attack on Dovecot or a basic mail relay attack. Those are only two common examples out of many possibilities. This article deals with relay attacks.
Related / See Also:
- Postfix Tips and Tricks
- Postfix Help
- Brute Force Dictionary Attack on Dovecot
- Block SMTP Authentication Attacks With Fail2Ban
- Fail2Ban
Mail Relay Attack
Assuming you are _not_ running an open relay, there are attacks which may seek to verify the relay or to attempt delivery to local users.
Too many "smtp -t unix -u" processes
1005 ?        S      0:00 smtp -t unix -u
1006 ?        S      0:00 smtp -t unix -u
1007 ?        S      0:00 smtp -t unix -u
1008 ?        S      0:00 smtp -t unix -u
1009 ?        S      0:00 smtp -t unix -u
1010 ?        S      0:00 smtp -t unix -u
1011 ?        S      0:00 smtp -t unix -u
1012 ?        S      0:00 smtp -t unix -u
1013 ?        S      0:00 smtp -t unix -u
1014 ?        S      0:00 smtp -t unix -u
1015 ?        S      0:00 smtp -t unix -u
1016 ?        S      0:00 smtp -t unix -u
1017 ?        S      0:00 smtp -t unix -u
1018 ?        S      0:00 smtp -t unix -u
1019 ?        S      0:00 smtp -t unix -u
1020 ?        S      0:00 smtp -t unix -u
1021 ?        S      0:00 smtp -t unix -u
1022 ?        S      0:00 bounce -z -n defer -t unix -u
1023 ?        S      0:00 smtp -t unix -u
1024 ?        S      0:00 smtp -t unix -u
1025 ?        S      0:00 smtp -t unix -u
1026 ?        S      0:00 smtp -t unix -u
1027 ?        S      0:00 smtp -t unix -u
1028 ?        S      0:00 smtp -t unix -u
1030 ?        S      0:00 smtp -t unix -u
1031 ?        S      0:00 smtp -t unix -u
1032 ?        S      0:00 smtp -t unix -u
1033 ?        S      0:00 smtp -t unix -u
1034 ?        S      0:00 smtp -t unix -u
1035 ?        S      0:00 smtp -t unix -u
1036 ?        S      0:00 smtp -t unix -u
1038 ?        S      0:00 dovecot/pop3-login
Someone is attacking your email server. The server is spawning too many smtp processes and is slow or nearly not responsive.
Let's verify. Check the mail queue using either the 'postqueue -p' or the 'mailq' command.
mailq
You can find a lot of useful commands like mailq in our Postfix Tips and Tricks page.
You might see lots of entries that look similar to this:
4790F2C0DD7 2898 Mon Apr 6 13:08:07 MAILER-DAEMON (connect to bny234.rayinsuranceclearly.ninja[94.228.216.234]:25: Connection timed out) Angela.Sloan@bny234.rayinsuranceclearly.ninja
They might say "Connection timed out" or "Connection refused".
437AC2C07BB 9359 Tue Apr 7 18:05:33 MAILER-DAEMON (connect to 1fxxn8s.eiroeir.eu[8.39.223.104]:25: Connection refused) HawaiiVacationDeals@eiroeir.eu
You're going to see a lot of forged addresses. In this example, HawaiiVacationDeals@eiroeir.eu is clearly forged.
The IMMEDIATE plan:
(1.) REGAIN CONTROL
If the mail server is nearly unresponsive, you can 'killall smtp' or purge the mail queue:
postsuper -d ALL
This is just to get control over your system back.
(2.) BLOCK THE OFFENDING NETWORK or NETWORKS
Use iptables to block the offending network or networks.
(3.) TAKE PREVENTATIVE MEASURES
You can prevent future attacks by using some common-sense mail server settings for Postfix and implementing a tool like fail2ban.
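The queue check and the "regain control" step above can be scripted. This is an added example, not from the original wiki page: it reads 'mailq' / 'postqueue -p' output, summarises which remote hosts the deferred deliveries are stuck on, and lists the queue IDs of MAILER-DAEMON bounces so they can be dropped selectively with 'postsuper -d -' rather than purging legitimate mail along with them via 'postsuper -d ALL'. The sample queue listing, hosts and IPs are constructed (RFC 5737 documentation addresses).

```shell
#!/bin/sh
# Added example, not from the original wiki page: triage 'mailq' /
# 'postqueue -p' output during a relay/backscatter flood and list the
# MAILER-DAEMON bounce queue IDs for a selective 'postsuper -d -' purge.

# Constructed sample of 'mailq' output. Hosts and IPs are RFC 5737
# documentation values, not real indicators.
SAMPLE_MAILQ='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
4790F2C0DD7     2898 Mon Apr  6 13:08:07  MAILER-DAEMON
(connect to mx1.example.net[192.0.2.10]:25: Connection timed out)
                                         user1@example.net

437AC2C07BB     9359 Tue Apr  7 18:05:33  MAILER-DAEMON
(connect to mx2.example.org[198.51.100.7]:25: Connection refused)
                                         deals@example.org

5A11E2C0F01*    3120 Tue Apr  7 18:06:02  MAILER-DAEMON
(connect to mx1.example.net[192.0.2.10]:25: Connection timed out)
                                         user2@example.net

6B2C32C0A44     1200 Tue Apr  7 18:07:15  alice@example.com
(connect to mail.example.edu[203.0.113.5]:25: Connection timed out)
                                         bob@example.edu

-- 16 Kbytes in 4 Requests.'

# Read mailq output on stdin; print "count ip host", most frequent first.
summarize_deferred() {
    awk '
        /^\(connect to / {
            sub(/^\(connect to /, "")      # leaves host[ip]:port: reason
            host = $1; sub(/\[.*$/, "", host)
            ip = $1;   sub(/^[^[]*\[/, "", ip); sub(/].*$/, "", ip)
            count[ip " " host]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Read mailq output on stdin; print queue IDs whose sender is MAILER-DAEMON
# (bounces to forged addresses). A trailing * (active) or ! (held) marker on
# the ID is stripped. Pipe the result to 'postsuper -d -' to drop only those.
daemon_queue_ids() {
    awk '$NF == "MAILER-DAEMON" && $1 ~ /^[0-9A-Za-z]+[*!]?$/ {
        sub(/[*!]$/, "", $1); print $1
    }'
}
```

On a live server replace the sample with `mailq | summarize_deferred` and `mailq | daemon_queue_ids | postsuper -d -`; the source addresses to firewall are in the mail log's client= entries, not in the queue's destination hosts.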