How to protect Zimbra against postfix AUTH DoS attacks

Postby L. Mark Stone » Fri Oct 21, 2016 9:17 pm

Xardas999 wrote: If I just add to jail.local
[zimbra]
enabled=true

and put this content to zimbra.conf

then fail2ban-client reload tells:
ERROR NOK: ("No 'host' group in '\\[ip=;\\] account \xe2\x80\x94 authentication failed for .* \\(no such account\\)$'",)


Sure, no problem!

The Zimbra portions of my jail.conf file look like this:

Code:

# Zimbra
# Continuation lines of a multi-line "action" must be indented,
# otherwise fail2ban does not read them as part of the action.
[sasl-iptables]
enabled = false
filter = sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
         sendmail-whois[name=sasl, dest=hiddenemailaddress.com]
logpath = /var/log/zimbra.log

# bantime and findtime are in seconds (600 = 10 minutes)
[zimbra-account]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-account]
         sendmail[name=zimbra-account, dest=hiddenemailaddress.com]
logpath = /opt/zimbra/log/mailbox.log
bantime = 600
maxretry = 10

[zimbra-audit]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-audit]
         sendmail[name=Zimbra-audit, dest=hiddenemailaddress.com]
logpath = /opt/zimbra/log/audit.log
bantime = 600
maxretry = 10

# 172800 seconds = 2 days
[zimbra-recipient]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-recipient]
         sendmail[name=Zimbra-recipient, dest=hiddenemailaddress.com]
logpath = /var/log/zimbra.log
#findtime = 604800
bantime = 172800
maxretry = 5

# A negative bantime makes the ban permanent
[postfix]
enabled = true
filter = postfix
action = iptables-multiport[name=postfix, port=smtp, protocol=tcp]
         sendmail-buffered[name=Postfix, dest=hiddenemailaddress.com]
logpath = /var/log/zimbra.log
bantime = -1
maxretry = 5



Hope that helps,
Mark


___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/
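
The reload error quoted above is what fail2ban reports when a failregex has no <HOST> tag; the quoted pattern reads "ip=;" and contains a typographic dash, which suggests the tag and a plain hyphen were lost when the filter was copied. As an added example (not from the original posts), here is a small Python lint for a filter line before reloading; the corrected pattern, the IPv4-only stand-in for <HOST>, and the log lines are assumptions constructed for illustration.

```python
import re

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> expansion
# (the real one also accepts IPv6 addresses and hostnames).
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Pattern as it appears in the reload error: "ip=;" and a U+2014 dash.
BROKEN = (r"\[ip=;\] account " + "\u2014"
          + r" authentication failed for .* \(no such account\)$")
# Assumed correction: <HOST> tag restored, plain ASCII hyphen.
FIXED = r"\[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$"

# Constructed log lines in the style of mailbox.log (not real traffic).
SAMPLE_LOG = [
    "2016-10-21 21:00:01,123 INFO  [qtp-1] [ip=203.0.113.7;] account - "
    "authentication failed for nobody@example.com (no such account)",
    "2016-10-21 21:00:02,456 INFO  [qtp-2] [name=user@example.com;ip=198.51.100.9;] "
    "account - authentication successful",
]

def lint_failregex(failregex):
    """Return a list of problems that would break or silently disable the filter."""
    problems = []
    if "<HOST>" not in failregex and "(?P<host>" not in failregex:
        problems.append("no <HOST> tag: fail2ban reports \"No 'host' group\"")
    odd = sorted({c for c in failregex if ord(c) > 127})
    if odd:
        problems.append("non-ASCII characters %r: will not match ASCII logs" % odd)
    try:
        re.compile(failregex.replace("<HOST>", HOST_GROUP))
    except re.error as exc:
        problems.append("does not compile: %s" % exc)
    return problems

def matched_hosts(failregex, log_lines):
    """Addresses the filter would extract from the given log lines."""
    rx = re.compile(failregex.replace("<HOST>", HOST_GROUP))
    return [m.group("host") for m in map(rx.search, log_lines) if m]

if __name__ == "__main__":
    for name, pattern in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint_failregex(pattern), matched_hosts(pattern, SAMPLE_LOG))
```

Against a live install, fail2ban's own fail2ban-regex tool run with the log file and the filter file gives the authoritative answer on whether a filter matches.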

Postby Xardas999 » Fri Oct 21, 2016 10:15 pm

Oh, that's amazing, that helps a lot!

REMARK for people who are using firewalld instead of iptables:
you should change "iptables-allports" to "firewallcmd-allports" and
"iptables-multiport" to "firewallcmd-multiport" in the jail.local config file

Postby L. Mark Stone » Mon Oct 24, 2016 12:31 pm

Xardas999 wrote: Oh, that's amazing, that helps a lot!

REMARK for people who are using firewalld instead of iptables:
you should change "iptables-allports" to "firewallcmd-allports" and
"iptables-multiport" to "firewallcmd-multiport" in the jail.local config file


Glad we could help, and thanks for documenting the syntax change required when using firewalld instead of iptables!

With best regards,
Mark