I have a very low volume postfix install on my mail server. In fact, I am the only person receiving mails from it, albeit from a few different domains and mailboxes.

Yesterday alone there were 811 warnings (52 unique host/IP) following this pattern:

[...]warning: hostname <HOSTNAME> does not resolve to address <IP>: Name or service not known

Looking at the hostnames, they seem to be all spam related. For yesterday at least.

My question is, is there any reason why I shouldn't add a regex to my fail2ban postfix.local to ban the IP addresses reported in these lines?

Is it fair to expect all my client hostnames to resolve to the correct client IP addresses?

Tiksi

1 Answer

Found this years later via google, since I wanted the same thing. It seems the error is a bit misleading, and this is actually due to a failed reverse lookup; at least in my case:

I was seeing a hacker attempting to bruteforce postfix logins (visible via tshark -Y smtp), and they would always open the SMTP session with EHLO User rather than an identifying hostname. This warning was being spammed to my logs because postfix found a reverse PTR DNS lookup from the source IP of the attacker to a hostname which pointed to another IP. So the error is actually saying that the forward lookup doesn't match the reverse lookup, and the hostname listed in the message is not the client which connected.

I created a new jail in fail2ban to deal with this and automatically ban any such attackers by dropping all packets from them. Unfortunately I found the fail2ban developers docs and website pretty unhelpful, but I managed to figure it out by looking at existing examples (especially the built-in postfix jail).

The following instructions are for Debian 10, so YMMV.

First I set up the filter in /etc/fail2ban/filter.d/postfix-dns.conf:

# Fail2Ban filter for postfix hostname resolution failures

[INCLUDES]

before = common.conf

[Definition]

_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]

failregex = ^%(__prefix_line)swarning: hostname \S+ does not resolve to address <HOST>$

ignoreregex =

[Init]

journalmatch = _SYSTEMD_UNIT=postfix.service

and checked that the regex is right:

fail2ban-regex -v 'Jul  8 18:35:32 coral postfix/smtpd[22514]: warning: hostname evil.attacker.com does not resolve to address 1.2.3.4' postfix-dns

The option -v makes fail2ban-regex show which IP was extracted by the <HOST> expression.

Setting up the local jail requires creating /etc/fail2ban/jail.d/postfix-dns.conf:

[postfix-dns]
logpath = %(postfix_log)s
backend = %(postfix_backend)s

enabled = true

To submit this upstream, this would have to go in /etc/fail2ban/jail.conf except for the enabled = true line, and then users would put

[postfix-dns]
enabled = true

in /etc/fail2ban/jail.d/postfix-dns.conf to enable the jail.

Finally, I created /etc/fail2ban/jail.d/bantime.conf containing:

[DEFAULT]
bantime = 1day

because the default ban time of 10 minutes was way too short for my tastes.

8bc3 457f
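The filter from the answer above, run offline against constructed log lines, as an added example that is not part of the original post. It emulates fail2ban's expansion of __prefix_line and <HOST> (both simplified here and assumed, not copied from common.conf), extracts the IP a jail would ban, and shows that the posted failregex, anchored right after the address, does not match the variant from the question that ends in ": Name or service not known", while a loosened pattern does.

```python
import re
from collections import Counter

# Approximation (assumed here) of fail2ban's common.conf __prefix_line:
# "<syslog timestamp> <host> <daemon>[pid]: ". The <HOST> expansion is
# simplified to IPv4 only; fail2ban's real one also covers IPv6/hostnames.
DAEMON = r"postfix(?:-\w+)?/(?:submission/|smtps/)?smtp[ds]"
PREFIX_LINE = (
    r"\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} "  # syslog timestamp
    r"\S+ "                                # reporting host
    + DAEMON + r"\[\d+\]: "                # daemon[pid]:
)
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"  # stands in for <HOST>
BODY = r"warning: hostname \S+ does not resolve to address " + HOST

# The answer's failregex: anchored right after the address.
STRICT = re.compile("^" + PREFIX_LINE + BODY + "$")
# Variant that also accepts the trailing reason shown in the question's log
# line ("...: Name or service not known"), which STRICT does not match.
LOOSE = re.compile("^" + PREFIX_LINE + BODY + r"(?:: .*)?$")

def extract_hosts(lines, pattern=STRICT):
    """Return the <HOST> value of every line the pattern matches."""
    return [m.group("host") for m in map(pattern.match, lines) if m]

def offenders(lines, pattern=STRICT, maxretry=3):
    """Emulate a jail: IPs matched at least maxretry times (findtime ignored)."""
    counts = Counter(extract_hosts(lines, pattern))
    return sorted(ip for ip, n in counts.items() if n >= maxretry)

# Constructed sample lines (RFC 5737 addresses), not real log data.
SAMPLE_LOG = [
    "Jul  8 18:35:32 coral postfix/smtpd[22514]: warning: hostname "
    "mail.example.net does not resolve to address 203.0.113.10",
    "Jul  8 18:35:40 coral postfix/submission/smtpd[22519]: warning: hostname "
    "mx.example.org does not resolve to address 203.0.113.10",
    "Jul  8 18:35:47 coral postfix/smtps/smtpd[22520]: warning: hostname "
    "relay.example.com does not resolve to address 203.0.113.10",
    "Jul  8 18:36:01 coral postfix/smtpd[22514]: connect from unknown[203.0.113.10]",
    "Jul  8 18:36:15 coral postfix/smtpd[22530]: warning: hostname "
    "host.example.invalid does not resolve to address 198.51.100.7: "
    "Name or service not known",
]

if __name__ == "__main__":
    print("strict:", extract_hosts(SAMPLE_LOG, STRICT))
    print("loose: ", extract_hosts(SAMPLE_LOG, LOOSE))
    print("banned:", offenders(SAMPLE_LOG, LOOSE))
```

The "connect from" line is never matched, and the third hit for 203.0.113.10 comes through the submission/ and smtps/ service names that the _daemon pattern allows.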