I need assistance with configuring the following:

  1. Add a second smtp port that only allows connections from authenticated users.
  2. Disable authentication on port 25 but only allow emails for local delivery.

The idea is added security through obscurity. I get too many brute force authentication attacks on port 25.

I had this working on my old server but am unsure how to implement it with mailcow.

Thanks,
Duane

  • Never mind, I figured it out.
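What the two requirements in the question look like in plain Postfix terms, as an added example (not the configuration the poster ended up with, which the thread does not show). The port number 2525 and the syslog_name label are assumptions, SASL is assumed to be already set up in main.cf, and where mailcow keeps this file and how the extra port is published from the Docker container are not covered here.

```conf
# master.cf fragment (added example; port 2525 and the syslog_name value are assumed)
# service type  private unpriv  chroot  wakeup  maxproc command + args

# Port 25: server-to-server mail only. No AUTH is offered, so password
# guessing against this port has nothing to talk to. Mail is accepted only
# for domains this server accepts mail for; everything else is rejected.
smtp      inet  n       -       -       -       -       smtpd
  -o smtpd_sasl_auth_enable=no
  -o smtpd_relay_restrictions=reject_unauth_destination

# Alternate port: authenticated clients only. TLS is mandatory before AUTH,
# and any session that does not authenticate is rejected outright.
2525      inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/altsubmit
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
```

The separate syslog_name gives the alternate port its own log prefix, so authentication failures there can be counted and alerted on separately from port 25 traffic.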


esackbauer

Here are my reasons for doing it this way:

  1. Most automated hacking tools aren’t going to scan for alternate ports.
  2. Reduces number of logged attempts making it easier to spot patterns.
  3. With a large enough IP pool, fail2ban is a minor inconvenience.
  4. Ability to permanently firewall an offending IP yet still allow normal traffic to port 25 (not all IPs are static).
  5. 2FA doesn’t work in all cases (web sites or applications needing to relay).

Obscurity doesn’t work by itself but combined with other tools it does greatly reduce the number of attacks.

I’ve had my server running this way for years and have yet to see any disadvantage. Having to change all my web site and client configurations would be a pita.

I was Hostmaster for a large (at the time) ISP in the 90’s and have run my own mail servers since (primarily Sendmail). I’m just not very familiar with dovecot/postfix or changes due to how they are incorporated into mailcow/docker.

Duane

esackbauer

It also makes it easier to block the more serious hackers. They have to scan the system to discover the port. This would be detected by an IDS which can then reroute them to a honey pot.

    Never mind, I figured it out.

    duaned Reduces number of logged attempts making it easier to spot patterns.

    I am using Wazuh for that.
