I am running zcs opensource version 8.8.10 on Ubuntu 16.04lts
In my /var/log/zimbra.log I am getting connections from unknown IPs to port 25
Here is an example
Code: Select all
Apr 30 06:04:21 mx1 postfix/anvil[25407]: statistics: max connection rate 1/60s for (smtpd:85.234.126.92) at Apr 30 05:54:30
Apr 30 06:04:21 mx1 postfix/anvil[25407]: statistics: max connection count 1 for (smtpd:85.234.126.92) at Apr 30 05:54:30
Apr 30 06:04:21 mx1 postfix/anvil[25407]: statistics: max cache size 4 at Apr 30 05:58:17
.......
Apr 30 06:04:48 mx1 postfix/postscreen[25405]: CONNECT from [213.221.224.122]:58241 to [MyInternalIP]:25
Apr 30 06:04:48 mx1 postfix/postscreen[25405]: PREGREET 11 after 0.06 from [213.221.224.122]:58241: EHLO User\r\n
Apr 30 06:04:48 mx1 postfix/smtpd[4021]: connect from 213-221-224-122.static.ftth.fcom.ch[213.221.224.122]
Apr 30 06:04:48 mx1 postfix/smtpd[4021]: disconnect from 213-221-224-122.static.ftth.fcom.ch[213.221.224.122] ehlo=1 quit=1 commands=2
Apr 30 06:04:55 mx1 postfix/postscreen[25405]: CONNECT from [85.234.126.92]:59355 to [MyInternalIP]:25
Apr 30 06:04:56 mx1 postfix/postscreen[25405]: PREGREET 11 after 0.15 from [85.234.126.92]:59355: EHLO User\r\n
Apr 30 06:04:56 mx1 postfix/smtpd[4021]: warning: hostname empty.stranzit.ru does not resolve to address 85.234.126.92: Name or service not known
Apr 30 06:04:56 mx1 postfix/smtpd[4021]: connect from unknown[85.234.126.92]
Apr 30 06:04:56 mx1 postfix/smtpd[4021]: disconnect from unknown[85.234.126.92] ehlo=1 quit=1 commands=2
I have also setup DosFilter using https://www.missioncriticalemail.com/20 ... -together/.
Here is my Fail2Ban filter. Is it correct?
Code: Select all
# Fail2Ban configuration file
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
\[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
\[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:
# .*\[ip=<HOST>;\] .* - authentication failed for .* \(invalid password\)
#
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
Thanks