This is another very simple plugin for Postfix SMTP server to block access from IPs which have bad reputation. We are living in very danger times and even small and simple script like this one, can make you and your server more secure.
This script use data and API provided by AbuseIPDB project. API is free up to 3000 checks per day so if your SMTP server is quite busy, you will have to look for paid access.
- Clone repository to /opt directory
git clone https://github.com/monsoft/abichecker.git
- Setup executable bit on
abichecker.sh
script:
cd /opt/abichecker
chmod 755 abichecker.sh
- Instal curl and jq application on your system
Debian/Ubuntu:
sudo apt install -y curl jq
Red Hat/CentOs/Rocky Linux/AlmaLinux:
sudo dnf install -y curl jq
- Create account on AbuseIPDB project and create API Key by going to
AbuseIPDB->User Account->API
and clickCreate Key
. - Copy API Key and modify variable
TOKEN
inabichecker.sh
script. - Add below lines to the end of Postfix master.cf file:
abichecker unix - n n - 0 spawn
user=abichecker argv=/opt/abichecker/abichecker.sh
- Add below line to Postfix
main.cf
file undersmtpd_client_restrictions
:
smtpd_client_restrictions =
...
check_policy_service unix:private/abichecker
- Crete system user & group:
sudo adduser --quiet --system --group --no-create-home --home /nonexistent abichecker
- Restart Postfix service
- Check your Postfix logs
After some times you can check logs for lines like this one:
Feb 9 11:12:47 mail1 abichecker[6761]: Email from host unknown[x.x.x.x] denied. Abuse Score 71%.
NOQUEUE: reject: RCPT from unknown[x.x.x.x]: 521 5.7.1 <unknown[x.x.x.x]>: Client host rejected: Bad host reputation.; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<xxxxxxxx>
This mean that check found IP which already exist in AbuseIPDB database and its reputation is equal or higher than 70% (this can be changed in script by tweaking variable ABUSE_SCORE
) then reject connection from that IP.
Sometimes IPs of legitimate services like MS Outlook are reported to AbuseIPDB by automatic reports. To allow receiving emails from these domains, you can whitelist them by adding them to file hostname domain whitelist.txt
located in /opt/abichecker/
. One domain/subdomain per line:
phx.paypal.com
outbound.protection.outlook.com
To reduce the number of queries to the AbuseIPDB API, caching has been introduced. I haven't think about this initially, but I got request from Matsmcp (Thanks !!!) to add this option to the script and I think that it was good idea.
To clear cached IPs, cron job have to be created for abichecker user:
0 0 * * * find /tmp/abichecker/cache/ -type f -mtime +0 -delete
This runs once a day at midnight and remove all files older than 24 hours from cache location /tmp/abichecker/cache/
. You can adjust it to suits your needs.
Sometimes you may find yourself in situation that require to see what Postfix is doing on lower level (happen to me multiple times during writing check policy service scripts). To do this, edit master.cf file and add option -v
to smtp line so it will looks like this:
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
smtp inet n - y - - smtpd -v
After saving this file, restart postfix service. Try to send few emails to your mail server and check your Postfix log file. It will be much bigger than usual and it will be growing fast.
When you finish your investigation, remove added -v
from smtp line.
This ofcouse is optional, but if you for example use Fail2ban software, you can help in AbuseIPDB Project by configuring Fail2ban to report IPs that show the malicious signs. This will benefit you and all of us using this project.