Blog | G5 Cyber Security

Block Failed Postfix Login Attempts with CSF

TL;DR

This guide shows you how to use ConfigServer Security & Firewall (CSF) to automatically block IP addresses that repeatedly fail to authenticate when trying to log in to your Postfix mail server. This helps protect against brute-force attacks.

Prerequisites

Steps

  1. Identify Failed Authentication Logs

    Postfix typically logs failed authentication attempts in its mail log file. The location varies depending on your distribution, but common locations include:

    • /var/log/mail.log
    • /var/log/maillog
    • /var/log/syslog

    Use grep to find the relevant log entries. Postfix (smtpd) records a failed SASL login with the phrase "authentication failed", so grep for that rather than for the sshd-style "Failed password for" message. For example:

    grep "authentication failed" /var/log/mail.log

  2. Configure CSF to Monitor Postfix Logs

    Edit the CSF configuration file, /etc/csf/csf.conf.

    Find the line starting with LOGFILE = and ensure it includes your mail log file. If not, add it:

    LOGFILE = /var/log/mail.log /var/log/maillog /var/log/syslog

  3. Enable Postfix Login Failure Detection

    Edit the csf.conf file again.

    Find the section related to login failure detection (usually near the bottom). Uncomment and configure these options:

    • LOGIN_FAILURE_THRESHOLD = 5: This sets the number of failed attempts before an IP is blocked. Adjust this value as needed.
    • LOGIN_LOCKDOWN_TIME = 600: This sets how long (in seconds) an IP address will be locked down for after exceeding the threshold.
    • LOGIN_FAILURE_LOGFILE = mail.log: This specifies which log file to monitor for login failures. Ensure this matches your actual log filename (without the full path).

    Example configuration:

    LOGIN_FAILURE_THRESHOLD = 5
    LOGIN_LOCKDOWN_TIME = 600
    LOGIN_FAILURE_LOGFILE = mail.log

  4. Restart CSF

    Restart CSF to apply the changes:

    csf -r

    Check for errors during restart.

  5. Test the Configuration

    Make several failed login attempts from a test IP address. Once the count exceeds LOGIN_FAILURE_THRESHOLD, verify that CSF has blocked the IP:

    • Use csf -g <test_ip_address> to search CSF's firewall rules and block lists for the IP (csf -h only prints the command's help text).
    • Try connecting from the blocked IP address – the connection should be refused.

  6. Optional: Whitelisting

    If you have static IPs that might occasionally trigger false positives, add them to CSF’s whitelist in /etc/csf/allowlist.conf.
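    The counting logic behind the procedure above, as an added example that is not part of the original post and not code from the CSF project: a small POSIX shell script that reads a Postfix mail log, counts SASL authentication failures per client IP, and lists the IPs that have reached a threshold such as the LOGIN_FAILURE_THRESHOLD = 5 used in step 3. The log lines are constructed samples in the format Postfix smtpd writes for SASL failures; the function names (failures_per_ip, ips_over_threshold) are this example's own.

```shell
#!/bin/sh
# Added example (not from the G5 Cyber Security post or the CSF project).
# Counts Postfix SASL authentication failures per client IP in a mail log
# and reports the IPs that have reached a block threshold, which is the
# same decision CSF makes when it watches the mail log for you.

# Constructed sample mail log. Client addresses use the RFC 5737
# documentation ranges; hostnames are invented. Only the "SASL ...
# authentication failed" lines represent failed logins.
SAMPLE_MAILLOG='Mar  1 10:00:01 mx postfix/smtpd[1201]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Mar  1 10:00:04 mx postfix/smtpd[1201]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Mar  1 10:00:09 mx postfix/smtpd[1202]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Mar  1 10:00:15 mx postfix/smtpd[1202]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Mar  1 10:00:21 mx postfix/smtpd[1203]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Mar  1 10:01:02 mx postfix/smtpd[1204]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure
Mar  1 10:01:30 mx postfix/smtpd[1204]: connect from mail.example.net[192.0.2.10]
Mar  1 10:01:31 mx postfix/smtpd[1204]: client=mail.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice'

# failures_per_ip: read a mail log on stdin and print "COUNT IP" for each
# client that failed SASL authentication, highest count first. Successful
# logins and plain connects are not counted. IPv4 only: the sed pattern
# extracts the dotted address in the [brackets] just before ": SASL".
failures_per_ip() {
  grep 'SASL [A-Z0-9-]* authentication failed' \
    | sed -n 's/.*\[\([0-9.]*\)\]: SASL.*/\1/p' \
    | sort | uniq -c \
    | sort -rn \
    | awk '{print $1, $2}'
}

# ips_over_threshold THRESHOLD: read a mail log on stdin and print, one per
# line, the client IPs whose failure count has reached THRESHOLD. This is
# the set an IP-blocking tool would act on.
ips_over_threshold() {
  threshold="$1"
  failures_per_ip | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Usage: run with --demo to see the per-IP counts and the IPs that would be
# blocked at a threshold of 5 (only 203.0.113.7; 198.51.100.23 has a single
# failure and is left alone). In production, feed the real log instead:
#   ips_over_threshold 5 < /var/log/mail.log
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_MAILLOG" | failures_per_ip
  printf '%s\n' "$SAMPLE_MAILLOG" | ips_over_threshold 5
fi
```

    Running the script against the sample gives "5 203.0.113.7" and "1 198.51.100.23", and a threshold of 5 selects only the first address. Before lowering the threshold on a live server, run this over a day of real logs first: the second list shows exactly which clients would be locked out, which is the quickest way to spot a legitimate user with a stale password that belongs on the whitelist from step 6.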
