• Slavko via Exim-users [2022-06-24 06:08]:
[...]
> That is pretty simple, just add this IP to the firewall's DROP. To automate
> its banning, use fail2ban. But be aware that they will often try from
> other IPs soon. I have 100 - 800 different IPs per day, most of them
> have only one attempt allowed here; it is some thousands of IPs in the last
> 24 days (maximum ipset timeout) from the whole world.
I've found AuthBL from Spamhaus and Abusix to be very useful. Any
blocked attempts from anything listed there get added to the host's
firewall within 5 mins (to avoid logspam):
acl_check_auth:
  deny
    !encrypted  = *
    message     = Server policy requires encrypted connection

  accept
    hosts       = +relay_hosts : +permit_hosts

  deny
    message     = Sender host blocked (source: DNS)
    log_message = Sender host blocked (source: AuthBL)
    dnslists    = +exclude_unknown : XYZ.authbl.dq.spamhaus.net
    delay       = 60s

  deny
    message     = Sender host blocked (source: DNS)
    log_message = Sender host blocked (source: Abusix)
    dnslists    = +exclude_unknown : XYZ.authbl.mail.abusix.zone
    delay       = 60s

  accept
> I am happy that I decided a long time ago to separate MX & MSA roles
> even for my small email system, which allows me to simply reject
> "EHLO User" (and other strict rules) on MX port 25, which are common
> on MSA.
I tend to make my MUAs say "EHLO there" or "EHLO world" :)
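The "blocked attempts get added to the host's firewall" step from the post above, as an added example that is not part of the original message: it picks the AuthBL/Abusix denials out of Exim mainlog lines by their distinct log_message and emits one ipset entry per offending IP. The log line format, the set name "authbl" and the 24-day timeout are assumptions; the log lines themselves are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample Exim mainlog lines in the approximate format Exim uses
# for AUTH ACL denials (assumed, not copied from a real mainlog); the IPs are
# documentation addresses.
SAMPLE_LOG = """\
2022-06-24 06:10:01 H=(User) [192.0.2.10] rejected AUTH LOGIN: Sender host blocked (source: AuthBL)
2022-06-24 06:10:07 H=(User) [192.0.2.10] rejected AUTH LOGIN: Sender host blocked (source: AuthBL)
2022-06-24 06:11:15 H=(mail) [198.51.100.7] rejected AUTH PLAIN: Sender host blocked (source: Abusix)
2022-06-24 06:12:40 H=(there) [203.0.113.5] rejected AUTH LOGIN: Server policy requires encrypted connection
2022-06-24 06:13:02 1o4bJq-0001Ab-Cd <= user@example.org H=(there) [203.0.113.9] P=esmtpsa A=plain:user
"""

# Only the two dnslist denials count: the plaintext-AUTH policy denial and
# the successful submission must never end up in the firewall set.
BLOCK_RE = re.compile(
    r"^\S+ \S+ H=.*?\[(?P<ip>[0-9a-fA-F.:]+)\] rejected AUTH \S+: "
    r"Sender host blocked \(source: (?P<src>AuthBL|Abusix)\)$"
)


def parse_blocked(log_text):
    """Return ({ip: attempt count}, {ip: set of list names}) for dnslist denials."""
    counts = Counter()
    sources = defaultdict(set)
    for line in log_text.splitlines():
        m = BLOCK_RE.match(line)
        if m:
            counts[m.group("ip")] += 1
            sources[m.group("ip")].add(m.group("src"))
    return counts, dict(sources)


def ipset_commands(log_text, setname="authbl", timeout=2073600):
    """One deduplicated 'ipset add' per offending IP, expiring after `timeout`
    seconds (24 days here, matching the ipset timeout mentioned in the thread).
    Set name and timeout are assumptions, not taken from the post's setup."""
    counts, _ = parse_blocked(log_text)
    return [f"ipset -exist add {setname} {ip} timeout {timeout}" for ip in sorted(counts)]


if __name__ == "__main__":
    for cmd in ipset_commands(SAMPLE_LOG):
        print(cmd)
```

Fed by a cron job every few minutes (or wired into a fail2ban filter on the same regex), this reproduces the 5-minute firewall update described in the post.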