I run my own email server, and a friend received a compromised laptop from work which resulted in a spam attack from Russia yesterday. Turtle settings saved the days with thousands of emails still in the queue when I saw the problem, however it made me realize that everyone with accounts on my server are local, do not travel, and have no requirement to send emails from outside the country.

I found how to use the smtpd_discard_ehlo_keyword_address_maps setting in postfix to block a CIDR list of IPs, then found a maintained list of IPs by country codes on github. Cool so far, and a script to keep my local list updated was easy enough.

Now the question is, what countries should I be blocking? There are plenty of lists of the top hacking sources, but it’s hard to block #2 (the US) when that’s where I am located. But otherwise, does anyone have a list of countries they outright block from logging on to their servers? From the above google searches I have 17 countries blocked so far, and in the first 30 minutes already stopped login attempts from three of those countries, so it appears to be working.

Of course I could write a script to parse my logs to see who has already made attempts, but that’s what services like fail2ban are for, and I’m just wondering if there are any countries in particular I should directly block? My list so far includes the following: ae bg br cn de hk id in ir iq il kp ng ru sa th vn

The question itself may not be that interesting, but I thought at the very least some folks might be interested in my experience and think about doing something similar themselves. I can post more details of what I did if there is any interest.

  • sf1tzp@programming.dev
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    Oof yeah. You’re well into admin territory here.

    I mean I’m just some layman on the internet, but I would look at tying in some authentication layer to get your 2FA, although it would inconvenience your users users.

    Do your users use this service for srs business?

    I don’t know if I have anything else to add to this discussion. It’s gotten more complex than what “just an email server” can provide imo

    • ShdwdrgnOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      No worries and thanks for the comments. I’ll figure out something, I always do, I just thought it would be nice to see what route others have taken with their own servers. I’m really annoyed but it seems like more people are just turning their email over to big corporations. Hell the place I work turned their email over to Microsoft and we’ve had nothing but non-stop spam, phishing attacks, outages, and the constant push of “oh if you’re not going to use a Microsoft product (on my linux machine) then we’re won’t even talk to you” in the years since then, and literally everybody in my department complains about it.

      • sf1tzp@programming.dev
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        1 year ago

        I’ll figure out something, I always do, I just thought it would be nice to see what route others have taken with their own servers.

        Yeah for sure. Sorry I don’t have a good answer

        turned their email over to Microsoft and we’ve had nothing but non-stop spam, phishing attacks, outages, and the constant push of "oh if you’re not going to use a Microsoft product.

        Just wanna share that my experience does not mirror this. I pay them $6/ user per month (which is just me, for me personally, to be fair), which gets me that hosted exchange server 365 thing. I only rarely, if ever, need to use the other office products, and I do so in my browser. In the 2ish years so far I’ve had no complaints. I don’t require any of the features that are locked behind full-installation variants of their products - and besides that I’ve had no problem with spam email especially.

        Im not sure I would recommend that you tell your friends to authenticate with your own Active directory instance necessarily, but ultimately at the end of the day if you’re dealing with users you’ll need some kind of authentication layer (imo)