Date: Mon, 7 Oct 2019 18:56:52 +0200
From: Per Hedeland <per@hedeland.org>
To: Tim Daneliuk <tundra@tundraware.com>, FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: Re: sendmail/saslauthd Domain Blocking
Message-ID: <eea0fbc1-dd04-966d-d41b-8a29f39604e0@hedeland.org>
In-Reply-To: <2fc80d5e-0092-77b3-e6c1-f5bbb38e72fe@tundraware.com>
References: <2fc80d5e-0092-77b3-e6c1-f5bbb38e72fe@tundraware.com>

On 2019-10-07 16:48, Tim Daneliuk wrote:
> I block unwanted domains from sending mail to one of our servers by
> putting it on the reject list in /etc/mail/access.
>
> I am seeing distributed brute force attempts to use that same
> server as a relay. These are coming from a few domains.
> So far, these attempts have failed but I'd like to be proactive in
> preventing future such intrusions.
>
> Is there an equivalent way to block entire domains and/or subdomains
> from ever even connecting to saslauthd?

I'm not sure exactly what you're asking, since you seem to already
have the answer... At least in the context of sendmail (and I believe
it is the same in other contexts), no external entities connect
directly to saslauthd, only sendmail does that. So you need to reject
connections from those domains to sendmail - which you can do with
e.g. access_db a.k.a. /etc/mail/access. E.g. an entry

    Connect:example.com     REJECT

will reject connections from hosts that have an IP address that
reverse-resolves to anything in the example.com domain. See
/usr/share/sendmail/cf/README for the details.

Of course using a firewall of your choice (ipf/pf/ipfw) may be an
alternative, to block the connections before they even reach sendmail
- they can't work with "domains", but IP address ranges may be equally
useful.

--Per Hedeland
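
A simplified model of the Connect: matching described in the message above, as an added example that is not part of the original message and is not sendmail's own code. The sample map, host names, documentation-range addresses and function names are constructed, and the order in which keys are tried is an assumption of the model. It shows which clients a domain entry catches and why a client with no reverse DNS is only caught by an address entry.

```python
# Simplified model of sendmail access_db "Connect:" matching (added example).
# Constructed sample map: example.com and the 198.51.100.0/24 documentation
# range stand in for the unwanted senders.
ACCESS = """\
# /etc/mail/access style entries (constructed sample)
Connect:example.com     REJECT
Connect:198.51.100      REJECT
"""

def parse_access(text):
    """Return {lowercased key: action} for the Connect: entries in text."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower().startswith("connect:"):
            table[parts[0][len("connect:"):].lower()] = parts[1].strip()
    return table

def candidates(client_name, client_addr):
    """Keys tried for one connection: host name, parent domains, IPv4 prefixes."""
    keys = []
    if client_name:  # None models an address that has no PTR record
        labels = client_name.lower().rstrip(".").split(".")
        keys += [".".join(labels[i:]) for i in range(len(labels))]
    octets = client_addr.split(".")
    keys += [".".join(octets[:n]) for n in range(len(octets), 0, -1)]
    return keys

def connect_action(table, client_name, client_addr):
    """First matching action, or None when no Connect: entry applies."""
    for key in candidates(client_name, client_addr):
        if key in table:
            return table[key]
    return None

TABLE = parse_access(ACCESS)

if __name__ == "__main__":
    for name, addr in [("mail.example.com", "203.0.113.5"),
                       ("badexample.com", "203.0.113.5"),
                       (None, "203.0.113.5"),
                       (None, "198.51.100.77")]:
        print(name, addr, "->", connect_action(TABLE, name, addr))
```
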
