Postfwd plugin for blocking international spam botnets based on geographical location of IP addresses used to login to postfix via sasl.
Vnet-as/postfwd-anti-geoip-spam-plugin


Postfwd GeoIP Botnet Block Plugin

This is a plugin for the postfix firewall postfwd (also located on GitHub) intended to block international spam botnets. International spam botnets log into hacked mail accounts via SASL login from multiple IP addresses, usually based in more than 30 unique countries. After a successful login, the attackers send spam from a huge number of unique IP addresses, which circumvents traditional per-IP-address rate limits.

If you are interested in the theory of how botnet spam works and the motivation for creating this plugin, look at the blog on Medium.

If you are interested in how your users got their mail accounts hacked, check out the bsdly blog about the slow distributed brute force attack on SSH passwords, which also applies to pop3/imap logins: Hail Mary Cloud.

Plugin Compatibility Matrix

| Plugin Version | Postfwd Version | GeoIP Version | IP version |
|---|---|---|---|
| v2.0.0 | postfwd3 v2.xx | GeoIP 2 | IPv4, IPv6 |
| v1.50.0 | postfwd3 v2.xx | GeoIP 1, 2 | IPv4 |
| v1.40 | postfwd3 v2.xx | GeoIP 1 | IPv4 |
| v1.30 | postfwd3 v2.xx | GeoIP 1 | IPv4 |
| v1.21 | postfwd1, postfwd2 v1.xx | GeoIP 1 | IPv4 |

  • Supported database backends are MySQL and PostgreSQL.

To list changes between versions, check the release notes or look into the Changelog.

Running with Docker

A pre-built, ready-to-use Docker image is located on DockerHub and can be pulled with:

```sh
# postfwd3 tags
docker pull lirt/postfwd-anti-geoip-spam-plugin:v2.0.0
# postfwd1, postfwd2 tags
docker pull lirt/postfwd-anti-geoip-spam-plugin:v1.21
```

To run postfwd with the geoip plugin, run docker with the configuration files mounted as volumes:

```sh
docker run \
    -v </absolute/path/to/anti-spam.conf>:/etc/postfwd/anti-spam.conf \
    -v </absolute/path/to/postfwd.cf>:/etc/postfwd/postfwd.cf \
    lirt/postfwd-anti-geoip-spam-plugin:v2.0.0
```

This will run postfwd2 or postfwd3 (based on the docker tag) with default arguments, reading the postfwd rules file from your mounted volume file postfwd.cf and using the anti-spam configuration from your file anti-spam.conf.

Installation

To install this plugin follow these steps:

  • Clone this repository.
  • Install dependencies according to the chapter Dependencies.
  • Run the script install.sh to install the plugin into /etc/postfix/.
  • To load the plugin you must add the argument --plugins <PATH TO PLUGIN> to the postfwd command (or update it in /etc/default/postfwd).
  • Configure postfwd rules according to the chapter Postfwd configuration.
  • Create the database table with indexes using the following SQL statements (the table is created on plugin startup, but the indexes cannot be).

```sql
CREATE TABLE IF NOT EXISTS postfwd_logins (
   sasl_username varchar(100),
   ip_address varchar(45),
   state_code varchar(4),
   login_count int,
   last_login timestamp
);
CREATE INDEX postfwd_sasl_client_state_index ON postfwd_logins (sasl_username, ip_address, state_code);
CREATE INDEX postfwd_sasl_username ON postfwd_logins (sasl_username);
```

Dependencies

  • Postfwd2 or Postfwd3.
  • Database (MySQL or PostgreSQL).
  • Perl modules: Geo::IP, DBI, Time::Piece, Config::Any, Net::Subnet, DBD::mysql or DBD::Pg.
  • GeoIP database (GeoIP version 1 in releases before 2.0.0, GeoIP version 2 since release 2.0.0).

Cpanm

You can install all dependencies using cpanm with the single command `cpanm --installdeps .`

Dependencies on RedHat based distributions

Install the GeoIP, Time, Config, DBI and database modules with the following command:

```sh
yum install -y 'perl(Geo::IP)' \
    'perl(Time::Piece)' \
    'perl(Config::Any)' \
    'perl(DBI)' \
    'perl(DBD::mysql)' \
    'perl(DBD::Pg)' \
    'perl(Net::Subnet)' \
    'perl(GeoIP2::Database::Reader)' \
    'perl(Net::SSLeay)' \
    'perl(IO::Socket::SSL)' \
    'perl(LWP::Protocol::https)' \
    'perl(Class::XSAccessor)' \
    'perl(MaxMind::DB::Reader::XS)' \
    'perl(Readonly)' \
    'perl(Data::Validate::IP)'
```

Dependencies on Debian based distributions

Install the GeoIP, Time, Config, DBI and database modules with the following command:

```sh
apt-get install -y libgeo-ip-perl \
                   libtime-piece-perl \
                   libconfig-any-perl \
                   libdbi-perl \
                   libdbd-mysql-perl \
                   libdbd-pg-perl \
                   libnet-subnet-perl \
                   geoip-database \
                   libnet-ssleay-perl \
                   libio-socket-ssl-perl \
                   liblwp-protocol-https-perl \
                   libclass-xsaccessor-perl \
                   libmaxmind-db-reader-xs-perl \
                   libgeoip2-perl \
                   libreadonly-perl \
                   libdata-validate-ip-perl
```

Configuration

The plugin configuration file anti-spam.conf is an INI-style configuration file in which values must NOT be quoted!

Postfwd configuration

Add the following rules to the postfwd configuration file postfwd.cf. You can use your own message and parameter values:

  • client_uniq_country_login_count: Sets the maximum number of unique countries from which a user is allowed to log in using SASL.
  • client_uniq_ip_login_count: Sets the maximum number of unique IP addresses from which a user is allowed to log in using SASL.

```
# Anti spam botnet rule:
#   This example shows how to limit e-mail address defined by `sasl_username`
#   to be able to login from max. 5 different countries or 20 different IP
#   addresses, otherwise it will be blocked from sending messages.
id=BAN_BOTNET_COUNTRY;
   sasl_username=~^(.+)$;
   client_uniq_country_login_count > 5;
   action=rate(sasl_username/1/3600/554 Your mail account ($$sasl_username) was compromised. Please change your password immediately after next login.);
id=BAN_BOTNET_IP;
   sasl_username=~^(.+)$;
   client_uniq_ip_login_count > 20;
   action=rate(sasl_username/1/3600/554 Your mail account ($$sasl_username) was compromised. Please change your password immediately after next login.);
```

Database backend configuration

Update the configuration file /etc/postfix/anti-spam.conf with the credentials for your selected database backend. Don't forget to use the proper driver and port.

If you use paths other than /etc/postfix/anti-spam.conf and /etc/postfix/anti-spam-sql-st.conf for the main configuration files, export the environment variables POSTFWD_ANTISPAM_MAIN_CONFIG_PATH and POSTFWD_ANTISPAM_SQL_STATEMENTS_CONFIG_PATH with your custom paths.

```ini
[database]
# driver = Pg
driver = mysql
database = test
host = localhost
# port = 5432
port = 3306
userid = testuser
password = password
```

Application configuration

The plugin is by default configured to remove records for users whose last login date is older than 24 hours. This interval can be changed with the configuration setting app.db_flush_interval.

The plugin looks by default for the GeoIP database file in the path /usr/local/share/GeoIP/GeoLite2-Country.mmdb. You can override this path with the configuration setting app.geoip_db_path.

You can whitelist a set of IP addresses or subnets in CIDR format using the configuration setting app.ip_whitelist. Whitelisting means that if a client logs into an email account from an IP address which IS in the whitelist, it will NOT increment the login count for this sasl_username|client_address pair.

```ini
[app]
# flush database records with last login older than 1 day
db_flush_interval = 86400
geoip_db_path = /usr/local/share/GeoIP/GeoLite2-Country.mmdb
# IP whitelist must be valid comma separated strings in CIDR format without whitespaces.
# it specifies IP addresses which will NOT be counted into user logins database.
ip_whitelist = 198.51.100.0/24,203.0.113.123/32
# ip_whitelist_path = /etc/postfwd/ip_whitelist.txt
```
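Added example (not the plugin's own Perl code): the bookkeeping described in this section and in the Installation and Postfwd configuration chapters, replayed in Python against the README's postfwd_logins schema on in-memory SQLite. The GeoIP lookup is a constructed dictionary standing in for GeoLite2-Country.mmdb, the whitelist is the sample app.ip_whitelist above, and the login data is constructed.

```python
import ipaddress
import sqlite3

# Same table as the README's CREATE TABLE, here on in-memory SQLite (demo only, not the plugin's code).
DDL = """CREATE TABLE IF NOT EXISTS postfwd_logins (sasl_username varchar(100), ip_address varchar(45),
   state_code varchar(4), login_count int, last_login timestamp);
CREATE INDEX IF NOT EXISTS postfwd_sasl_username ON postfwd_logins (sasl_username);"""
# Constructed stand-in for the GeoIP country lookup (the plugin reads GeoLite2-Country.mmdb).
FAKE_GEOIP = {"198.51.100.7": "US", "203.0.113.9": "DE", "192.0.2.10": "BR", "192.0.2.11": "BR"}
# The README's sample app.ip_whitelist, parsed as comma separated CIDRs without whitespace.
WHITELIST = [ipaddress.ip_network(c) for c in "198.51.100.0/24,203.0.113.123/32".split(",")]

def record_login(db, user, ip, now, geoip=FAKE_GEOIP):
    """One successful SASL login: upsert the (user, ip, country) row; whitelisted clients are not counted."""
    if any(ipaddress.ip_address(ip) in net for net in WHITELIST):
        return False
    country = geoip.get(ip, "--")  # "--" is a placeholder for an unknown country
    cur = db.execute("UPDATE postfwd_logins SET login_count = login_count + 1, last_login = ? "
                     "WHERE sasl_username = ? AND ip_address = ? AND state_code = ?", (now, user, ip, country))
    if cur.rowcount == 0:
        db.execute("INSERT INTO postfwd_logins VALUES (?, ?, ?, 1, ?)", (user, ip, country, now))
    return True

def uniq_counts(db, user):
    """The two values the plugin exposes to postfwd rules for this sasl_username."""
    row = db.execute("SELECT COUNT(DISTINCT state_code), COUNT(DISTINCT ip_address) "
                     "FROM postfwd_logins WHERE sasl_username = ?", (user,)).fetchone()
    return {"client_uniq_country_login_count": row[0], "client_uniq_ip_login_count": row[1]}

def rule_matches(counts, country_limit=5, ip_limit=20):
    """Evaluate the README's BAN_BOTNET_COUNTRY / BAN_BOTNET_IP conditions; returns the rule id or None."""
    if counts["client_uniq_country_login_count"] > country_limit:
        return "BAN_BOTNET_COUNTRY"
    if counts["client_uniq_ip_login_count"] > ip_limit:
        return "BAN_BOTNET_IP"
    return None

def flush_stale(db, now, db_flush_interval=86400):
    """Drop rows whose last_login is older than app.db_flush_interval seconds; returns rows removed."""
    return db.execute("DELETE FROM postfwd_logins WHERE last_login < ?", (now - db_flush_interval,)).rowcount

def demo(logins, geoip=FAKE_GEOIP, now=1_700_000_000):
    """Replay constructed logins for one account: counts, rule verdict, and rows a flush two days later drops."""
    db = sqlite3.connect(":memory:")
    db.executescript(DDL)
    for ip in logins:
        record_login(db, "victim@example.com", ip, now, geoip)
    counts = uniq_counts(db, "victim@example.com")
    return counts, rule_matches(counts), flush_stale(db, now + 2 * 86400)
```

The first login in the sample sequence comes from the whitelisted 198.51.100.0/24 and is never written to the table, so only the remaining countries and addresses count against the rule thresholds.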

Logging

The plugin logs to standard output by default. This can be changed in the configuration file by setting a value for logging.logfile.

You can disable logging completely by setting logging.enable to 0.

```ini
[logging]
# enable(1) or disable(0) logging
enable = 1
# remove statement `logfile`, or set it to empty `logfile = ` to log into STDOUT
logfile = /var/log/postfwd_plugin.log
autoflush = 0
# make log after exceeding unique country count limit
country_limit = 5
# make log after exceeding unique ip count limit
ip_limit = 20
```

If you use logrotate to rotate the anti-spam logs, use the option copytruncate, which prevents logging errors when the log file is rotated.

Useful database queries

The plugin stores interesting statistical information in the database. To query those statistics you can use the predefined SELECTs located in the separate file DB-Queries.md.

Development and testing

Prototyping with Docker

A complete development environment with postfwd, the anti-spam plugin and a mysql/postgresql database configured together can be run with a single command from the directory tests/:

  • PostgreSQL: `export POSTFWD_ANTISPAM_MAIN_CONFIG_PATH=/etc/postfwd/01-dev-anti-spam-postgres-geoip2.conf; docker-compose -f compose-dev-postgresql.yml up`
  • MySQL: `export POSTFWD_ANTISPAM_MAIN_CONFIG_PATH=/etc/postfwd/02-dev-anti-spam-mysql-geoip2.conf; docker-compose -f compose-dev-mysql.yml up`

Note for overriding postfwd arguments:

  • The most important arguments for running postfwd in Docker are --stdout and --nodaemon. These arguments configure postfwd to log to standard output and stay in the foreground.
  • For running the postfwd plugin, you also need to set the argument --plugins <path-to-plugin> to the correct location of the plugin.

The MaxMind test database tests/GeoLite2-Country-Test.mmdb was downloaded from the MaxMind-DB repository.

Running tests

Check for proper linting with `perlcritic postfwd-anti-spam.plugin`.

Run the plugin as described in Prototyping with Docker and send SMTP requests to the postfwd policy server, or use the testing script to check functionality:

```sh
# manually send postfwd request
export CLIENT_ADDRESS='1.2.3.4'
export SASL_USERNAME='testuser@example.com'
nc 127.0.0.1 10040 < <(envsubst < dev-request)
```
