[CentOS] Problem with mail server: stop flooding with fail2ban ?

Wed Mar 31 08:19:09 UTC 2021
Jamie Burchell <mail at jamieburchell.com>

I'm pretty sure I encountered this and needed to yum install cyrus-sasl-plain to resolve it.

> On 29 Mar 2021, at 20:31, Nicolas Kovacs <info at microlinux.fr> wrote:
> 
> Hi,
> 
> My main mail server is running CentOS 7 with Postfix and Dovecot.
> 
> Last week I was surprised to see that Postfix had some troubles on this
> machine, according to Icinga. I took a peek at the logs:
> 
> # journalctl -p err
> Mar 28 04:37:02 sd-151768 postfix/smtpd[2786]: fatal: no SASL authentication mechanisms
> Mar 28 04:37:02 sd-151768 postfix/smtpd[2788]: fatal: no SASL authentication mechanisms
> Mar 28 04:37:02 sd-151768 postfix/smtpd[2790]: fatal: no SASL authentication mechanisms
> Mar 28 04:37:02 sd-151768 postfix/smtpd[2792]: fatal: no SASL authentication mechanisms
> Mar 28 04:37:02 sd-151768 postfix/smtpd[2794]: fatal: no SASL authentication mechanisms
> ...
> 
> And in /var/log/maillog I found a tsunami of these:
> 
> Mar 28 03:18:33 sd-151768 postfix/smtpd[29589]: warning: unknown[45.227.253.115]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> Mar 28 03:18:33 sd-151768 postfix/smtpd[29589]: lost connection after AUTH from unknown[45.227.253.115]
> Mar 28 03:18:33 sd-151768 postfix/smtpd[29589]: disconnect from unknown[45.227.253.115]
> 
> My first reaction was to manually ban the IP addresses / networks which caused
> the flood, using my firewall:
> 
> # firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='45.227.253.0/24' reject"
> # firewall-cmd --reload
> 
> I'm already using fail2ban in conjunction with firewalld to prevent brute force
> SSH attacks.
> 
> Q: can I use it in a similar configuration to stop Postfix from getting flooded
> and brought down to its knees?
> 
> Thanks & cheers from the sunny South of France,
> 
> Niki
> 
> -- 
> Microlinux - Solutions informatiques durables
> 7, place de l'église - 30730 Montpezat
> Site : https://www.microlinux.fr
> Blog : https://blog.microlinux.fr
> Mail : info at microlinux.fr
> Tél. : 04 66 63 10 32
> Mob. : 06 51 80 12 12
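
An added example, not part of either message: the failure-counting logic behind the question, applied to maillog lines in the format quoted above. It flags a source IP once it logs a set number of SASL failures inside a time window. The names maxretry and findtime are borrowed from fail2ban's options, but the values, the host name mx1, the year and the sample lines are constructed for illustration, and this is not fail2ban's own code.

```python
import base64
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the Postfix warning quoted in the thread (one log record per line).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: warning: "
    r"\S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL (?P<mech>\S+) authentication failed"
    r"(?:: (?P<detail>\S+))?"
)

def decode_detail(detail):
    """Trailing token is the base64 SASL challenge; UGFzc3dvcmQ6 is 'Password:'."""
    try:
        return base64.b64decode(detail, validate=True).decode("ascii")
    except (ValueError, TypeError):
        return detail  # not base64 (or absent): hand it back unchanged

def find_offenders(lines, maxretry=3, findtime=600, year=2021):
    """Return {ip: peak failures in window} for IPs with >= maxretry
    failures inside any findtime-second window. Syslog omits the year,
    so the caller supplies it (assumed 2021 here)."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue              # "lost connection", "disconnect", etc.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window: # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            offenders[m["ip"]] = max(offenders.get(m["ip"], 0), len(q))
    return offenders

def _line(ts, ip):
    """Build one constructed sample record in the quoted maillog format."""
    return (f"{ts} mx1 postfix/smtpd[101]: warning: unknown[{ip}]: "
            "SASL LOGIN authentication failed: UGFzc3dvcmQ6")

# Constructed sample: a burst from one IP, slow retries from another.
SAMPLE = [
    _line("Mar 28 03:00:00", "198.51.100.99"), _line("Mar 28 03:15:00", "198.51.100.99"),
    _line("Mar 28 03:18:33", "203.0.113.7"),
    "Mar 28 03:18:33 mx1 postfix/smtpd[101]: lost connection after AUTH from unknown[203.0.113.7]",
    _line("Mar 28 03:18:40", "203.0.113.7"), _line("Mar 28 03:18:52", "203.0.113.7"),
    _line("Mar 28 03:18:58", "203.0.113.7"), _line("Mar 28 03:30:00", "198.51.100.99"),
]
```

Only the burst from 203.0.113.7 is flagged; the three failures from 198.51.100.99 are 15 minutes apart and never share a 600-second window.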