IP reputation measures the behavioral quality of an IP address and how many unwanted requests it sends.
This is another very simple plugin for the Postfix SMTP server that blocks access from IPs with a bad reputation. We live in very dangerous times, and even a small and simple script like this one can make you and your server more secure.
The script uses data and the API provided by the AbuseIPDB project. The API is free for up to 3000 checks per day, so if your SMTP server is quite busy you will have to look for paid access.
Clone the repository:

```
git clone https://github.com/monsoft/abichecker.git
```

Install the dependencies. Debian/Ubuntu:

```
sudo apt install -y curl jq
```

Red Hat/CentOS/Rocky Linux/AlmaLinux:

```
sudo dnf install -y curl jq
```
Log in to AbuseIPDB, go to User Account -> API and click Create Key. Put the generated key into the `.TOKEN` file used by `abichecker.sh`.
Add the following service to your `master.cf` file:

```
abichecker unix - n n - 0 spawn
  user=abichecker argv=/opt/abichecker/abichecker.sh
```

Then add the policy check to `main.cf` under `smtpd_client_restrictions`:

```
smtpd_client_restrictions =
    ...
    check_policy_service unix:private/abichecker
```
Create the unprivileged system user that the policy service runs as:

```
sudo adduser --quiet --system --group --no-create-home --home /nonexistent abichecker
```
After some time you can check the logs for lines like this one:

```
NOQUEUE: reject: RCPT from unknown[x.x.x.x]: 521 5.7.1 <unknown[x.x.x.x]>: Client host rejected: Bad host reputation.; from=<spameri@tiscali.it> to=<spameri@tiscali.it> proto=ESMTP helo=<xxxxxxxx>
```

This means the check found an IP that already exists in the AbuseIPDB database with an abuse confidence score of 50% or higher (you can change this threshold by tweaking the `ABUSE_SCORE` variable in the script), so the connection from that IP was rejected.
Sometimes IPs of legitimate services such as MS Outlook get reported to AbuseIPDB by automatic reports. To keep receiving email from these domains, you can whitelist them by adding them to the `whitelist.txt` file located in `/opt/abichecker/`, one domain/subdomain per line:

```
phx.paypal.com
outbound.protection.outlook.com
```
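To show how the reject threshold and the whitelist fit together, here is an added example (not the abichecker project's own script) of the decision logic of a Postfix policy service: it parses one policy request, matches the verified client hostname against the whitelist, and compares a constructed AbuseIPDB score against `ABUSE_SCORE`. The sample request, sample AbuseIPDB reply and whitelist are constructed for the example; a real script would fetch the score from the AbuseIPDB API with the key from `.TOKEN`.

```python
# Added example, not the abichecker project's own script: the decision logic
# of a Postfix check_policy_service that rejects clients by AbuseIPDB score.
# The AbuseIPDB reply below is a constructed sample; a real script would call
# the AbuseIPDB check endpoint with the key stored in .TOKEN.
ABUSE_SCORE = 50  # reject when abuseConfidenceScore is this high or higher

# Constructed Postfix policy request, as Postfix sends it over the unix socket.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.10\n"
    "client_name=unknown\n"
    "sender=spameri@tiscali.it\n"
    "\n"
)
# Constructed AbuseIPDB reply, reduced to the field the check needs.
SAMPLE_ABUSE_REPLY = {"data": {"ipAddress": "192.0.2.10", "abuseConfidenceScore": 87}}
# Constructed whitelist, one domain/subdomain per line as in whitelist.txt.
WHITELIST = ["phx.paypal.com", "outbound.protection.outlook.com"]

def parse_policy_request(raw: str) -> dict:
    """Parse 'name=value' lines; an empty line terminates one request."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def is_whitelisted(client_name: str, whitelist: list) -> bool:
    """True if the client hostname is a listed domain or a subdomain of one.
    client_name is the hostname Postfix verified (forward and reverse DNS agree);
    unverified clients arrive as 'unknown' and therefore never match."""
    host = client_name.lower().rstrip(".")
    domains = [e.strip().lower() for e in whitelist if e.strip()]
    return any(host == d or host.endswith("." + d) for d in domains)

def decide(attrs: dict, abuse_reply: dict, whitelist: list) -> str:
    """Build the 'action=' reply that Postfix expects from a policy service."""
    if is_whitelisted(attrs.get("client_name", ""), whitelist):
        return "action=DUNNO"
    score = int(abuse_reply.get("data", {}).get("abuseConfidenceScore", 0))
    if score >= ABUSE_SCORE:
        # Postfix logs this as "<client>: Client host rejected: Bad host reputation."
        return "action=521 5.7.1 Bad host reputation."
    return "action=DUNNO"  # let the remaining smtpd_client_restrictions decide

if __name__ == "__main__":
    print(decide(parse_policy_request(SAMPLE_REQUEST), SAMPLE_ABUSE_REPLY, WHITELIST))
```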
Sometimes you may find yourself in a situation that requires seeing what Postfix is doing at a lower level (this happened to me multiple times while writing check policy service scripts). To do this, edit the `master.cf` file and add the `-v` option to the `smtp` line so it looks like this:

```
smtp unix - - n - - smtp -v
```

After saving this file, restart the Postfix service. Try sending a few emails to your mail server and check your Postfix log file. It will be much bigger than usual and it will grow fast.
When you finish your investigation, remove the added `-v` from the `smtp` line.
This of course is optional, but if you for example use Fail2ban, you can help the AbuseIPDB project by configuring Fail2ban to report IPs that show signs of malicious behaviour. This benefits you and everyone else using the project.