Bot tries to hack Postfix “soft bruteforce”

MK796

Hello 👋,

For 3-4 weeks now a bot tries to guess valid smtp users and their passwords. So far nothing happened with one exclusion where it got really close. Fortunately all tries failed because of failed authentication.

But I wonder how to protect against attacks that are forged to bypass fail2ban?

I’m not talking about randomized 32 character alphanumeric and special character passwords.

Thank you ☺️

esackbauer

Welcome to the internet 😉

There is no remedy to cure weak passwords.
Please enable 2FA and use App passwords for each client.

I have disabled all protocols and direct SOGo login in mailcow for each user, that means each user must sign in into mailcows UI first with 2FA and then clicks on Webmail. Then SOGo opens without the need to sign in again.
All other client software must then be configured with safe app passwords. The good thing is you do not need to store those, if you need to reconfigure a client simply create a new password.

maybl8

Let’s say they do get in. What is the worst they could do?
One other thing you could do and no one here would probably recommend it is block the ip or ip range with iptables. Just a suggestion.
Thanks

MK796

maybl8 they could send legit mails using my domain…

As you said there are some downsides of doing it like that…

[unknown] 2FA is already enabled for all users.

The part with the app passwords is really interesting! That means I essentially creating OTP’s?

[unknown] 2FA is already enabled for all users.

The part with the app passwords is really interesting! That means I essentially creating OTP’s?

esackbauer

This is where you could try to add blocklists like abuseipdb.com
https://community.mailcow.email/d/4527-massive-bruteforce-attacke-seit-wochen/24

esackbauer

MK796 The part with the app passwords is really interesting! That means I essentially creating OTP’s?

No, its the opposite of OTPs (which are used for 2FAs). Hence they must be complex and are only used during setup of the clients. and never saved somewhere else like password manager.

maybl8

MK796 they could send legit mails using my domain…

Wouldn’t this mean they would be using you as a relay and doesn’t mailcow prevent this?

MK796

maybl8
No. When they are high jacking any legit account they can send legit mails directly from my Mailserver and therefor are not using it as an open relay.

[unknown] okey got it!

Easy to remember password for the UI and securing it via 2FA

and then using complex app passwords for mail clients.

maybl8 in other words when they are guessing the correct user/pw combination then they are able to log into this legit account like you/I do via a client and can use it like me. That’s the potential thread here.

Also when they are correct with guessing they are also able to read all you have sent/recieved

MK796

Hello!

I thought I link a post thats solves this exact problem:
https://community.mailcow.email/d/4527-massive-bruteforce-attacke-seit-wochen/26

Its in German but I think a translator will do it 😉

Cheers!