After upgrading to SME 9.2 I was getting about 1000 "Failed Authentication" connections to qpsmtpd daily according to holck's mailstats.pl script - emails denied by qpsmtpd's "auth_cvm" plugin.
After a bit less than a month I installed Fail2ban, which reduced the count from 1000 per day to a bit over 100 per day.
Oddly, Fail2ban was showing lots of repeated 'Found' entries within seconds of each other in blocks of 8, 9 or more - despite having "MaxRetry" set at 3. The qpsmtpd logs showed up to 11 auth_cvm failures per second from these hosts.
Digging into this, I found that the offending IPs had all been flagged as 'naughty' by the helo plugin -- meaning that the connection was destined to fail, but would be allowed to attempt authentication first, in case it was a valid user connecting from an offending network.
In my case (2 users on my home SME), I felt that I didn't need to let failed helo hosts try to login.
I have done this:
1) Create a custom template fragment for the helo plugin that uses 'HeloReject' from the qpsmtpd settings instead of the literal 'naughty' **
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0
echo "helo policy { \$qpsmtpd{HeloPolicy} || 'lenient' } reject { \$qpsmtpd{HeloReject} || 'naughty' }" > 15helo
2) set 'HeloReject' to '1' to reject offending hosts during connection and 'HeloPolicy' to 'rfc' to catch offending hosts that would not be caught by 'lenient' ("helo User" was quite common, which passes the plugin's 'lenient' checks but fails the 'rfc' checks)
config setprop qpsmtpd HeloReject '1'
config setprop qpsmtpd HeloPolicy 'rfc'
3) activate the changes
signal-event email-update
4) prepared myself to deal with any difficulties my wife users encounter
Since making this change (~ 24 hours ago) I have not had any new auth_cvm failures in the qpsmtpd logs.
To remove:
rm -f /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/15helo
config delprop qpsmtpd HeloPolicy
config delprop qpsmtpd HeloReject
signal-event email-update
** here's what /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/15helo should look like when you're done:
helo policy { $qpsmtpd{HeloPolicy} || 'lenient' } reject { $qpsmtpd{HeloReject} || 'naughty' }
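
Before setting 'HeloReject' to '1', it helps to check whether any host that fails the helo check goes on to authenticate successfully, since those are the users this change locks out. The Python sketch below is an added example, not part of the original post; the log layout (time, pid, message) and the three patterns are constructed assumptions, not qpsmtpd's real log format, and need adjusting to your own logs.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified layout: "<time> <pid> <message>".
# Real qpsmtpd log lines differ; adjust the three patterns below to match them.
SAMPLE_LOG = """\
10:00:01 4101 Accepted connection from 203.0.113.7
10:00:01 4101 helo: fail, invalid localhost
10:00:01 4101 auth_cvm: fail, user admin
10:00:01 4101 auth_cvm: fail, user test
10:00:02 4102 Accepted connection from 198.51.100.20
10:00:03 4102 auth_cvm: pass, user alice
10:00:05 4103 Accepted connection from 192.0.2.44
10:00:05 4103 helo: fail, not fqdn
10:00:06 4103 auth_cvm: pass, user bob
10:00:09 4104 Accepted connection from 198.51.100.99
10:00:09 4104 auth_cvm: fail, user root
"""

CONNECT = re.compile(r"^\S+ (\d+) Accepted connection from (\S+)")
HELO_FAIL = re.compile(r"^\S+ (\d+) helo: fail")
AUTH = re.compile(r"^\S+ (\d+) auth_cvm: (pass|fail)")

def helo_reject_impact(log_text):
    """Split auth attempts by whether the same connection failed helo first."""
    ip_of = {}                      # pid -> client IP of its current connection
    helo_failed = set()             # pids whose current connection failed helo
    blocked = defaultdict(int)      # IP -> auth failures a helo reject would stop
    locked_out = set()              # IPs that failed helo but then authenticated
    remaining = defaultdict(int)    # IP -> auth failures from hosts passing helo
    for line in log_text.splitlines():
        if m := CONNECT.match(line):
            ip_of[m.group(1)] = m.group(2)
            helo_failed.discard(m.group(1))   # pid reuse means a new connection
        elif m := HELO_FAIL.match(line):
            helo_failed.add(m.group(1))
        elif m := AUTH.match(line):
            pid, result = m.groups()
            ip = ip_of.get(pid, "unknown")
            if pid in helo_failed and result == "fail":
                blocked[ip] += 1
            elif pid in helo_failed:
                locked_out.add(ip)
            elif result == "fail":
                remaining[ip] += 1
    return dict(blocked), sorted(locked_out), dict(remaining)

if __name__ == "__main__":
    print(helo_reject_impact(SAMPLE_LOG))
```

An empty second element means no host that failed helo authenticated successfully in the sampled period; any address listed there belongs to a client that would need its HELO name fixed before the change.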