【Question title】: Postfix block IP via restrictions and iptables do not block spammer IP
【Posted】: 2020-11-10 23:40:38
【Question】:

It seems I'm getting a lot of connection attempts from Russia trying to reach my Postfix server. Now I'm trying to block this IP address both on the Postfix side and via iptables.

Here are the log entries:

Jul 21 16:31:46 netcup postfix/smtps/smtpd[3347]: warning: unknown[193.35.48.18]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 21 16:31:46 netcup postfix/smtps/smtpd[3349]: warning: unknown[193.35.48.18]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 21 16:31:46 netcup postfix/smtps/smtpd[3347]: lost connection after AUTH from unknown[193.35.48.18]
Jul 21 16:31:46 netcup postfix/smtps/smtpd[3347]: disconnect from unknown[193.35.48.18] ehlo=1 auth=0/1 commands=1/2
Jul 21 16:31:46 netcup postfix/smtps/smtpd[3349]: lost connection after AUTH from unknown[193.35.48.18]
Jul 21 16:31:46 netcup postfix/smtps/smtpd[3349]: disconnect from unknown[193.35.48.18] ehlo=1 auth=0/1 commands=1/2
Jul 21 16:31:46 netcup postfix/smtps/smtpd[3347]: connect from unknown[193.35.48.18]
Jul 21 16:31:46 netcup postfix/smtps/smtpd[3349]: connect from unknown[193.35.48.18]
Jul 21 16:31:48 netcup postfix/smtps/smtpd[3347]: Anonymous TLS connection established from unknown[193.35.48.18]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jul 21 16:31:48 netcup postfix/smtps/smtpd[3349]: Anonymous TLS connection established from unknown[193.35.48.18]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jul 21 16:31:54 netcup postfix/smtps/smtpd[3349]: warning: unknown[193.35.48.18]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 21 16:31:54 netcup postfix/smtps/smtpd[3347]: warning: unknown[193.35.48.18]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 21 16:31:54 netcup postfix/smtps/smtpd[3349]: lost connection after AUTH from unknown[193.35.48.18]
Jul 21 16:31:54 netcup postfix/smtps/smtpd[3347]: lost connection after AUTH from unknown[193.35.48.18]
Jul 21 16:31:54 netcup postfix/smtps/smtpd[3349]: disconnect from unknown[193.35.48.18] ehlo=1 auth=0/1 commands=1/2
Jul 21 16:31:54 netcup postfix/smtps/smtpd[3347]: disconnect from unknown[193.35.48.18] ehlo=1 auth=0/1 commands=1/2

iptables rules:

Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:urd
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submission
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     icmp --  anywhere             my.domain.com        icmp echo-request ctstate NEW,RELATED,ESTABLISHED
DROP       all  --  193.35.48.18         anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Restrictions in Postfix main.cf:

# HELO restrictions:
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
    reject_unknown_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    permit_mynetworks,
    permit_sasl_authenticated,
    permit

# Sender restrictions:
smtpd_sender_restrictions =
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unknown_reverse_client_hostname,
    permit_mynetworks,
    permit_sasl_authenticated,
    permit
# Client restrictions
smtpd_client_restrictions =
  check_client_access hash:/etc/postfix/client_checks,
  permit

# Recipient restrictions:
smtpd_recipient_restrictions =
   check_sender_access hash:/etc/postfix/sender_access,
   reject_invalid_hostname,
   reject_unauth_pipelining,
   reject_non_fqdn_recipient,
   reject_unknown_recipient_domain,
   reject_unauth_destination,
   check_policy_service unix:private/policy-spf,
   reject_rhsbl_client blackhole.securitysage.com,
   reject_rhsbl_sender blackhole.securitysage.com,
   reject_rbl_client relays.ordb.org,
   reject_rbl_client blackholes.easynet.nl,
   reject_rbl_client cbl.abuseat.org,
   reject_rbl_client proxies.blackholes.wirehub.net,
   reject_rbl_client bl.spamcop.net,
   reject_rbl_client sbl.spamhaus.org,
   reject_rbl_client opm.blitzed.org,
   reject_rbl_client dnsbl.njabl.org,
   reject_rbl_client list.dsbl.org,
   reject_rbl_client multihop.dsbl.org,
   reject_rbl_client zen.spamhaus.org,
   permit_mynetworks,
   permit_sasl_authenticated,
   permit

Contents of the client_checks file:

193.35.48.18    REJECT Your IP is spam

None of these rules stop that IP address from reaching Postfix. What am I doing wrong here?
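Two facts explain the question's symptoms and are worth checking before adding more tooling. First, iptables evaluates a chain top to bottom and the first matching rule decides; `iptables -A` appends, so the DROP for 193.35.48.18 sits below `ACCEPT tcp dpt:urd` (port 465, the smtps port the log lines come from) and is never reached for those connections, whereas `iptables -I INPUT 1 ...` puts it ahead of every ACCEPT. Second, with `smtpd_delay_reject = yes` (the Postfix default) `smtpd_client_restrictions` is only evaluated at RCPT TO, and a client that sends EHLO, fails AUTH and disconnects never gets there, so `check_client_access` cannot fire (the `hash:` map also needs `postmap /etc/postfix/client_checks` run after each edit). The script below is an added example, not code from the question or from iptables: a tiny first-match evaluator over two constructed chains mirroring the one in the question, with port names replaced by numbers so it runs offline without root. The IP 203.0.113.7 is a constructed documentation address.

```shell
#!/bin/sh
# Added example, not code from the original question: a minimal first-match
# evaluator for an iptables INPUT chain. The kernel walks the chain top to
# bottom and the first rule that matches decides the verdict; rules below it
# are never consulted. The two chains are constructed here to mirror the one
# in the question, with port names replaced by numbers (imap=143, imaps=993,
# pop3=110, pop3s=995, smtp=25, urd=465 i.e. smtps, submission=587, http=80,
# https=443) so that nothing needs /etc/services or root.

# Rule format: "TARGET SOURCE DPORT", where SOURCE or DPORT may be "any".
# This is the chain from the question: the DROP was appended (-A) and sits last.
CHAIN_APPENDED='ACCEPT any 143
ACCEPT any 993
ACCEPT any 110
ACCEPT any 995
ACCEPT any 25
ACCEPT any 465
ACCEPT any 587
ACCEPT any 80
ACCEPT any 443
DROP 193.35.48.18 any'

# The same chain after "iptables -I INPUT 1 -s 193.35.48.18 -j DROP":
# the DROP now precedes every ACCEPT.
CHAIN_INSERTED='DROP 193.35.48.18 any
ACCEPT any 143
ACCEPT any 993
ACCEPT any 110
ACCEPT any 995
ACCEPT any 25
ACCEPT any 465
ACCEPT any 587
ACCEPT any 80
ACCEPT any 443'

# first_match CHAIN SRC DPORT POLICY: print the verdict for one TCP packet.
first_match() {
    chain=$1; src=$2; dport=$3; policy=$4
    verdict=$(printf '%s\n' "$chain" | while read -r target rsrc rport; do
        [ -z "$target" ] && continue
        if [ "$rsrc" = any ] || [ "$rsrc" = "$src" ]; then
            if [ "$rport" = any ] || [ "$rport" = "$dport" ]; then
                printf '%s' "$target"   # first matching rule decides
                break
            fi
        fi
    done)
    # no rule matched: the chain policy applies (policy DROP in the question)
    printf '%s\n' "${verdict:-$policy}"
}

# The spammer connecting to smtps (465) against the chain as listed in the
# question: "ACCEPT tcp dpt:urd" is reached first, so the packet is accepted.
printf 'appended DROP, 193.35.48.18 -> 465: %s\n' "$(first_match "$CHAIN_APPENDED" 193.35.48.18 465 DROP)"
# With the DROP inserted at position 1 the same packet is dropped.
printf 'inserted DROP, 193.35.48.18 -> 465: %s\n' "$(first_match "$CHAIN_INSERTED" 193.35.48.18 465 DROP)"
# Any other client (constructed documentation address) is unaffected.
printf 'inserted DROP, 203.0.113.7  -> 465: %s\n' "$(first_match "$CHAIN_INSERTED" 203.0.113.7 465 DROP)"
```

The evaluator ignores protocol and conntrack state, which the real chain also carries, because neither changes the ordering point: whatever else a rule matches on, a rule that is never reached cannot drop anything.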

【Question comments】:

    Tags: iptables postfix-mta


    【Answer 1】:

    Have you tried fail2ban? I bet you'll be surprised. I tried it on CentOS 7 and it works great.

    • Install the fail2ban package on your server
    • Start and enable the service
    • Copy jail.conf to jail.local
    • Set bantime and findtime to your liking.
    • Activate/enable the services (postfix-sasl, postfix, postfix-rbl, sshd) you want to use with fail2ban. And you're done.

    If you're running on CentOS 7 you can visit this site, or for Debian go to this link, or you can google and visit whichever site best fits your needs for installing fail2ban.
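What the jail described in this answer actually does is worth seeing in the open, because it is exactly the check the question's configuration lacks: fail2ban's Postfix SASL filter keys on the same "SASL LOGIN authentication failed" warning lines shown in the question, counts them per client IP, and once an IP reaches maxretry failures inside findtime seconds its firewall action inserts a rule at the top of the INPUT chain (ahead of the ACCEPT rules for the mail ports) for bantime seconds. The script below is an added example, not code from the answer or from the fail2ban project: the same counting logic in plain sh/awk, run over a sample log constructed from the lines quoted in the question, printing the ban command rather than executing it.

```shell
#!/bin/sh
# Added example, not code from the original answer or from the fail2ban
# project: the core of what a fail2ban jail does for Postfix SASL abuse,
# written as plain sh/awk so it runs offline. It counts "SASL LOGIN
# authentication failed" warnings per client IP, reports any IP that reaches
# maxretry failures inside a findtime window, and prints the ban command a
# firewall action would run. The sample log is constructed from the lines
# quoted in the question.

SAMPLE_LOG='Jul 21 16:31:46 netcup postfix/smtps/smtpd[3347]: warning: unknown[193.35.48.18]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 21 16:31:46 netcup postfix/smtps/smtpd[3349]: warning: unknown[193.35.48.18]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 21 16:31:46 netcup postfix/smtps/smtpd[3347]: lost connection after AUTH from unknown[193.35.48.18]
Jul 21 16:31:48 netcup postfix/smtps/smtpd[3347]: Anonymous TLS connection established from unknown[193.35.48.18]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jul 21 16:31:54 netcup postfix/smtps/smtpd[3349]: warning: unknown[193.35.48.18]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 21 16:31:54 netcup postfix/smtps/smtpd[3347]: warning: unknown[193.35.48.18]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 21 16:31:54 netcup postfix/smtps/smtpd[3349]: lost connection after AUTH from unknown[193.35.48.18]'

# offenders LOG MAXRETRY FINDTIME: print each IP once, at the moment its
# failure count reaches MAXRETRY within FINDTIME seconds of the first
# failure counted in the current window.
offenders() {
    printf '%s\n' "$1" | awk -v max="$2" -v win="$3" '
        /SASL LOGIN authentication failed/ {
            # field 3 is HH:MM:SS; enough for a sample that stays within one day
            split($3, t, ":"); sec = t[1] * 3600 + t[2] * 60 + t[3]
            # the client IP is the bracketed dotted quad right before ": SASL"
            # (the smtpd[3347] pid bracket has no dots, so it cannot match)
            if (!match($0, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+]: SASL/)) next
            ip = substr($0, RSTART + 1, RLENGTH - 8)   # strip "[" and "]: SASL"
            # start a fresh window when the previous one has expired
            if (!(ip in first) || sec - first[ip] > win) { first[ip] = sec; n[ip] = 0 }
            n[ip]++
            if (n[ip] == max) print ip
        }'
}

# ban_command IP: the firewall action. -I INPUT 1 places the rule at the top
# of the chain, ahead of the ACCEPT rules for the mail ports, which is where
# an appended (-A) DROP would never be reached.
ban_command() {
    printf 'iptables -I INPUT 1 -s %s -j DROP\n' "$1"
}

# With maxretry=3 and findtime=600 the four failures in the sample trip the ban.
for ip in $(offenders "$SAMPLE_LOG" 3 600); do
    echo "banning $ip: $(ban_command "$ip")"
done
```

Tuning note: the sample's four failures span eight seconds, so a findtime of 5 seconds would let the window reset between the two bursts and never reach maxretry=3, which is the kind of miss to check for when choosing the values the answer leaves to taste.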

    【Comments】:
