[Users] [ Zimbra / Postfix ] limit connexion per smtp connection authentified

Justin Petermann jp at exoca.fr
Fri Dec 9 17:14:54 CET 2022


Hello, 

We have a recurring problem with accounts whose passwords have been compromised being used over SMTP (twice after a f..king phishing last week; our IPs' reputation took a big hit).

Postfix permits sending multiple messages over one connection after authentication (the same is true without it, but the real problem is with authentication).

For example:

send: 'ehlo dante.exoca.fr\r\n' 
reply: b'250-lab-zimbra-spam.exoca.fr\r\n' 
reply: b'250-PIPELINING\r\n' 
reply: b'250-SIZE 10240000\r\n' 
reply: b'250-VRFY\r\n' 
reply: b'250-ETRN\r\n' 
reply: b'250-STARTTLS\r\n' 
reply: b'250-AUTH LOGIN PLAIN\r\n' 
reply: b'250-AUTH=LOGIN PLAIN\r\n' 
reply: b'250-ENHANCEDSTATUSCODES\r\n' 
reply: b'250-8BITMIME\r\n' 
reply: b'250-DSN\r\n' 
reply: b'250 CHUNKING\r\n' 
reply: retcode (250); Msg: b'lab-zimbra-spam.exoca.fr\nPIPELINING\nSIZE 10240000\nVRFY\nETRN\nSTARTTLS\nAUTH LOGIN PLAIN\nAUTH=LOGIN PLAIN\nENHANCEDSTATUSCODES\n8BITMIME\nDSN\nCHUNKING' 
send: 'AUTH PLAIN xxxXXXXXxxxx\r\n' 
reply: b'235 2.7.0 Authentication successful\r\n' 
reply: retcode (235); Msg: b'2.7.0 Authentication successful' 
send: 'mail FROM:<jp at lab-zimbra-spam.exoca.fr> size=81\r\n' 
reply: b'250 2.1.0 Ok\r\n' 
reply: retcode (250); Msg: b'2.1.0 Ok' 
send: 'rcpt TO:<jp at lab-zimbra-spam.exoca.fr>\r\n' 
reply: b'250 2.1.5 Ok\r\n' 
reply: retcode (250); Msg: b'2.1.5 Ok' 
send: 'data\r\n' 
reply: b'354 End data with <CR><LF>.<CR><LF>\r\n' 
reply: retcode (354); Msg: b'End data with <CR><LF>.<CR><LF>' 
data: (354, b'End data with <CR><LF>.<CR><LF>') 
send: b'Subject: Envoi 2022-12-09T16:33:40.031235 0\r\n\r\nEnvoi 2022-12-09T16:33:40.031235 0\r\n.\r\n' 
reply: b'250 2.0.0 Ok: queued as 15EBE83C54\r\n' 
reply: retcode (250); Msg: b'2.0.0 Ok: queued as 15EBE83C54' 
data: (250, b'2.0.0 Ok: queued as 15EBE83C54') 
send: 'mail FROM:<jp at lab-zimbra-spam.exoca.fr> size=81\r\n' 
reply: b'250 2.1.0 Ok\r\n' 
reply: retcode (250); Msg: b'2.1.0 Ok' 
send: 'rcpt TO:<jp at lab-zimbra-spam.exoca.fr>\r\n' 
reply: b'250 2.1.5 Ok\r\n' 
reply: retcode (250); Msg: b'2.1.5 Ok' 
send: 'data\r\n' 
reply: b'354 End data with <CR><LF>.<CR><LF>\r\n' 
reply: retcode (354); Msg: b'End data with <CR><LF>.<CR><LF>' 
data: (354, b'End data with <CR><LF>.<CR><LF>') 
send: b'Subject: Envoi 2022-12-09T16:33:40.031235 1\r\n\r\nEnvoi 2022-12-09T16:33:40.031235 1\r\n.\r\n' 
reply: b'250 2.0.0 Ok: queued as 18A7A83C59\r\n' 
reply: retcode (250); Msg: b'2.0.0 Ok: queued as 18A7A83C59' 
data: (250, b'2.0.0 Ok: queued as 18A7A83C59') 
send: 'mail FROM:<jp at lab-zimbra-spam.exoca.fr> size=81\r\n' 
reply: b'250 2.1.0 Ok\r\n' 
reply: retcode (250); Msg: b'2.1.0 Ok' 
send: 'rcpt TO:<jp at lab-zimbra-spam.exoca.fr>\r\n' 
reply: b'250 2.1.5 Ok\r\n' 
reply: retcode (250); Msg: b'2.1.5 Ok' 
send: 'data\r\n' 
reply: b'354 End data with <CR><LF>.<CR><LF>\r\n' 
reply: retcode (354); Msg: b'End data with <CR><LF>.<CR><LF>' 
data: (354, b'End data with <CR><LF>.<CR><LF>') 
send: b'Subject: Envoi 2022-12-09T16:33:40.031235 2\r\n\r\nEnvoi 2022-12-09T16:33:40.031235 2\r\n.\r\n' 
reply: b'250 2.0.0 Ok: queued as 1B22E83C60\r\n' 
reply: retcode (250); Msg: b'2.0.0 Ok: queued as 1B22E83C60' 
data: (250, b'2.0.0 Ok: queued as 1B22E83C60') 
send: 'quit\r\n' 
reply: b'221 2.0.0 Bye\r\n' 
reply: retcode (221); Msg: b'2.0.0 Bye' 

You can try this Python code:

#!/usr/bin/env python3

import datetime
import smtplib

host = 'lab-zimbra-spam.exoca.fr'
username = 'jp at lab-zimbra-spam.exoca.fr'
password = 'xxxXXXXxxxx'

fromaddr = username
toaddrs = [username]

# Submission on port 587; the alternatives are left commented out
server = smtplib.SMTP(f"{host}:587")
#server.starttls()
#server = smtplib.SMTP_SSL(f"{host}:465")

server.set_debuglevel(1)          # print the SMTP dialogue
server.login(username, password)  # authenticate once

count = 3
pool = datetime.datetime.now().isoformat()

# Every message goes over the same authenticated connection
for i in range(count):
    subject = content = f"Sended message {pool} {i}"
    msg = f"Subject: {subject}\n\n{content}"
    server.sendmail(fromaddr, toaddrs, msg)

server.quit()


Locally, no problem sending 500 emails in 3 seconds...


As it is only one connection, once the connection and auth are done, auth is not needed again. Locking the account does nothing. The TCP connection is established, so blacklisting the IP at the firewall does nothing. We must do a "zmmtactl stop" and "zmmtactl start" (zmmtactl reload doesn't kill the connection). We could certainly do a postfix stop / start.

It seems that this should be the SMTP connection cache:

https://www.postfix.org/CONNECTION_CACHE_README.html


But disabling these options does nothing:

- smtp_connection_cache_on_demand = no
- smtp_connection_cache_destinations = hotmail.com (to limit the destination domain)

but also:

- smtpd_client_connection_rate_limit=2
- smtpd_client_message_rate_limit=2

The problem is that it should be in the connection cache, but the solution seems to be elsewhere.


Has anybody already had this problem? Found a solution?


Best regards,

Justin PETERMANN
Web development & hosted services
8/10, rue Jean XXIII, 80000 AMIENS
+33(0)3 22 22 05 85 / +33(0)6 61 25 76 06
jp at exoca.fr
www.exoca.fr


Any e-mails I may send during rest periods or holidays do not require an immediate reply.
This message and all attachments are intended exclusively for their recipients and are confidential.
If you receive this message in error, please destroy it and notify the sender immediately.
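
An added example, not part of the original post: a per-sender limit that still applies inside one long-lived authenticated session has to be keyed on the SASL login rather than on the TCP connection. Postfix's policy delegation protocol (check_policy_service, consulted at each RCPT TO when listed in smtpd_recipient_restrictions) passes sasl_username for this; the decision logic below assumes it is called once per request by whatever listens on the policy socket, and the limits, class and function names and the sample request are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque

# Constructed sample request in Postfix policy-delegation format
# (name=value lines, terminated by an empty line). Values are made up.
SAMPLE = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
          "client_address=192.0.2.10\nsasl_username=user@example.test\n"
          "recipient=someone@example.test\n\n")

def parse_request(text):
    """Turn one policy request into a dict of attributes."""
    attrs = {}
    for line in text.splitlines():
        if not line:            # empty line ends the request
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

class SaslRateLimiter:
    """Sliding-window RCPT counter keyed on sasl_username, so the limit
    holds no matter how many messages share one authenticated connection."""

    def __init__(self, max_rcpt=20, window=60.0):   # assumed limits
        self.max_rcpt, self.window = max_rcpt, window
        self.seen = defaultdict(deque)              # login -> timestamps

    def decide(self, attrs, now=None):
        now = time.time() if now is None else now
        user = attrs.get("sasl_username", "")
        # Only authenticated senders at the RCPT stage are counted.
        if not user or attrs.get("protocol_state") != "RCPT":
            return "DUNNO"
        stamps = self.seen[user]
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()                        # drop expired entries
        if len(stamps) >= self.max_rcpt:
            return "DEFER_IF_PERMIT 4.7.1 Sending rate exceeded"
        stamps.append(now)
        return "DUNNO"

def respond(limiter, request_text, now=None):
    """Build the reply Postfix expects: 'action=...' plus an empty line."""
    return f"action={limiter.decide(parse_request(request_text), now)}\n\n"

if __name__ == "__main__":
    limiter = SaslRateLimiter(max_rcpt=3, window=60.0)
    for t in range(5):          # five RCPTs in five seconds, one login
        print(t, respond(limiter, SAMPLE, now=float(t)).strip())
```

Because the counter lives in the policy service and not in the smtpd session, recipients beyond the limit are deferred while the TCP connection stays open, without restarting the MTA.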