I have installed postfix with dovecot and after a while I found tons of authentication failures from the internet. I have installed and configured fail2ban and every not authenticated IP is banned, but maybe there is another solution or maybe I'm doing something wrong.
Log example:
Mar 8 08:48:01 somehostname auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=news rhost=45.88.90.208 user=news
Are there any other solutions to disable login/connection for clients from the internet and enable it only from the local net? There is no need to retrieve emails from the internet for clients in my case. Maybe there is another solution?
Dovecot sample configuration in postfix main.cf:
smtpd_sasl_type = dovecot
Thank you in advance, AD
You could disable SASL authentication on SMTP port 25 altogether, as authenticated users should be using submissions a.k.a. Implicit TLS for SMTP Submission (RFC 8314, 3.3), instead.
In main.cf: smtpd_sasl_auth_enable = no (default)
Override the SASL authentication related settings in master.cf for smtpd instance smtps/465, e.g.,
After that you could limit the port 465 for local networks in a firewall.

You may restrict imap ports 143,465,587,993 with iptables to LAN only.
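
Added example, not part of the question or of either answer: the two suggestions above (SASL off on port 25 and on only for smtps/465, then the listed ports limited to the LAN) written as one dry-run script. The function names, the `APPLY` switch and the LAN range 192.168.1.0/24 are assumptions made for illustration; it also assumes the `smtps` service is already enabled in master.cf and a Postfix version that supports `postconf -P` (2.11 or later).

```shell
#!/bin/sh
# Added example, not from the thread. Dry run by default: commands are only
# printed. Run as root with APPLY=1 to execute them.

PORTS="${PORTS:-143,465,587,993}"   # port list quoted in the second answer

run() {
    # Print the command; execute it only when APPLY=1.
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

valid_cidr() {
    # IPv4 address/prefix only, so a typo cannot turn into a wider rule.
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

harden_mail_auth() {
    lan="$1"
    if ! valid_cidr "$lan"; then
        echo "refusing: '$lan' is not an IPv4 CIDR" >&2
        return 1
    fi
    # Postfix: no SASL on port 25 (main.cf), SASL only on smtps/465 (master.cf).
    # Firewall: loopback and the LAN may reach the auth ports, the rest is dropped.
    # The chain stops at the first command that fails.
    run postconf -e "smtpd_sasl_auth_enable=no" &&
    run postconf -P "smtps/inet/smtpd_sasl_auth_enable=yes" &&
    run iptables -A INPUT -i lo -p tcp -m multiport --dports "$PORTS" -j ACCEPT &&
    run iptables -A INPUT -s "$lan" -p tcp -m multiport --dports "$PORTS" -j ACCEPT &&
    run iptables -A INPUT -p tcp -m multiport --dports "$PORTS" -j DROP &&
    run postfix reload
}

# Constructed sample LAN; replace it with your own network.
harden_mail_auth "${LAN_CIDR:-192.168.1.0/24}"
```

The `-A` rules are appended, so an earlier ACCEPT rule for these ports in the INPUT chain would still match first. If the host is reachable over IPv6, the same rules are needed in `ip6tables`, and neither rule set survives a reboot unless it is saved.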