
feat: add Postfix slow brute-force and HELO rejection scenarios #1695

Open
Etilem wants to merge 3 commits into crowdsecurity:master from Etilem:feat/postfix-slow-bf

Conversation

@Etilem (Contributor) commented Feb 21, 2026

Summary

Add slow brute-force detection scenarios for Postfix SMTP authentication (port 25 and port 587) and evasive HELO rejection attacks.
Extends the existing crowdsecurity/postfix-logs parser for submission port auth failures that are invisible to standard parsers.

Developed and tested on a production mail server handling 17 domains, where these scenarios detected persistent evasive attacks that standard Postfix scenarios missed entirely.

Problem

Standard CrowdSec Postfix detection has two major gaps:

  1. Slow SASL brute-force on port 25: crowdsecurity/postfix-bf has a short detection window. Attackers spacing attempts 15+ minutes apart evade it completely.

  2. Port 587 (submission) auth failures are invisible: When using STARTTLS on port 587, Postfix does NOT log explicit "SASL authentication failed" messages. Auth failures only appear as auth=0/N in disconnect summary lines — no standard parser extracts this information.

  3. Slow HELO rejection attacks: crowdsecurity/postfix-helo-rejected has a ~10 minute window. Evasive spammers sending invalid HELO commands ~70 minutes apart go undetected.

Scenarios

| Scenario | Leakspeed | Capacity | Window | Use case |
|---|---|---|---|---|
| melite/postfix-slow-bf | 900s | 7 | 2h | Distributed SASL attacks (port 25) |
| melite/postfix-very-slow-bf | 4h | 5 | 24h | Evasive SASL attacks (port 25) |
| melite/postfix-submission-very-slow-bf | 4h | 5 | 24h | Evasive attacks on port 587 |
| melite/postfix-helo-very-slow | 4h | 5 | 24h | Evasive invalid HELO spammers |

The first two scenarios include _user-enum variants (using distinct on sasl_username).

Parser change

crowdsecurity/postfix-logs (s01-parse): Extended with a new grok pattern that extracts auth=0/N from Postfix disconnect lines. Tags matching lines with log_type_enh: submission-auth-failed.

Example log that was previously invisible:
postfix/submission/smtpd[1234]: disconnect from unknown[IP] ehlo=1 auth=0/1 quit=1 commands=2/3

Note: Following reviewer feedback, this extends the existing crowdsecurity/postfix-logs parser instead of adding a separate parser.

Testing

cscli hubtest run postfix-slow-bf --save-results
cscli hubtest run postfix-very-slow-bf --save-results
cscli hubtest run postfix-submission-very-slow-bf --save-results
cscli hubtest run postfix-helo-very-slow --save-results
cscli hubtest run postfix-submission-auth --save-results

Dependencies

- crowdsecurity/syslog-logs
- crowdsecurity/postfix-logs
- crowdsecurity/dateparse-enrich
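
Added here as a worked example (not code from the PR or from the CrowdSec hub): a stand-alone Python model of the two things the description above changes. The first half mirrors the parser change by extracting auth=0/N from smtpd disconnect summaries, covering the port-25 form without a service name, sessions that eventually authenticated (auth=1/N, which the pattern must not flag), and Postfix's IPv6: bracket prefix. The second half is a leaky bucket fed with attempts at a fixed cadence, so the leakspeed/capacity pairs from the scenario table can be checked against the 15-minute and 70-minute spacings the Problem section describes. The log lines are constructed, the bucket is a simplified continuous-drain model rather than CrowdSec's implementation, and the short-window bucket (600 s, capacity 5) is a made-up stand-in, not crowdsecurity/postfix-bf's actual values.

```python
"""Stand-alone model of (1) extracting SASL auth failures from Postfix smtpd
"disconnect" summary lines (the auth=0/N case the extended parser tags) and
(2) a leaky bucket to check which attack cadences given leakspeed/capacity
pairs catch. Sample logs and SHORT_WINDOW are constructed for this example."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# "postfix/smtpd" (port 25) or "postfix/<service>/smtpd", e.g.
# postfix/submission/smtpd when master.cf names the port-587 service "submission".
# Postfix logs IPv6 clients as host[IPv6:addr], hence the optional prefix.
DISCONNECT_RE = re.compile(
    r"postfix/(?:(?P<service>\w+)/)?smtpd\[(?P<pid>\d+)\]: disconnect from "
    r"(?P<host>\S+)\[(?:IPv6:)?(?P<ip>[0-9a-fA-F.:]+)\](?P<summary>.*)$"
)
# auth=S/T: S successful SASL authentications out of T attempts in the session.
AUTH_RE = re.compile(r"\bauth=(?P<ok>\d+)/(?P<tries>\d+)")


@dataclass(frozen=True)
class AuthFailure:
    ip: str
    service: str   # "smtp" for plain postfix/smtpd, else the master.cf service name
    attempts: int  # failed AUTH attempts in the session


def parse_disconnect_auth_failure(line: str) -> Optional[AuthFailure]:
    """Return an AuthFailure when the disconnect summary shows auth=0/N, N > 0.

    Sessions with at least one success (auth=1/3) or with no AUTH at all (no
    auth= counter in the summary) return None, like the PR's auth=0/N pattern."""
    m = DISCONNECT_RE.search(line)
    if not m:
        return None
    a = AUTH_RE.search(m.group("summary"))
    if not a:
        return None
    ok, tries = int(a.group("ok")), int(a.group("tries"))
    if ok > 0 or tries == 0:
        return None
    return AuthFailure(ip=m.group("ip"), service=m.group("service") or "smtp", attempts=tries)


@dataclass
class LeakyBucket:
    """Leaky bucket with continuous drain. Assumption: CrowdSec's real bucket
    leaks whole events on a timer; this fractional model is only an approximation
    for reasoning about cadences and is not the project's implementation."""
    leakspeed: float            # seconds to drain one event
    capacity: int               # overflow when the level exceeds this
    level: float = 0.0
    last_ts: Optional[float] = None

    def push(self, ts: float) -> bool:
        """Add one event at time ts (seconds); True if the bucket overflowed."""
        if self.last_ts is not None:
            self.level = max(0.0, self.level - (ts - self.last_ts) / self.leakspeed)
        self.last_ts = ts
        self.level += 1.0
        if self.level > self.capacity:
            self.level = 0.0    # bucket is emptied once it has fired
            return True
        return False


def first_overflow(timestamps: list[float], leakspeed: float, capacity: int) -> Optional[int]:
    """1-based index of the event that makes the bucket overflow, or None."""
    bucket = LeakyBucket(leakspeed, capacity)
    for i, ts in enumerate(timestamps, start=1):
        if bucket.push(ts):
            return i
    return None


def cadence(count: int, spacing_s: float) -> list[float]:
    """Timestamps of `count` events from one source, `spacing_s` seconds apart."""
    return [i * spacing_s for i in range(count)]


# Leakspeed/capacity pairs from the PR's scenario table.
SCENARIOS = {
    "melite/postfix-slow-bf": (900, 7),
    "melite/postfix-very-slow-bf": (4 * 3600, 5),
    "melite/postfix-submission-very-slow-bf": (4 * 3600, 5),
    "melite/postfix-helo-very-slow": (4 * 3600, 5),
}
# Constructed short-window bucket standing in for a fast brute-force scenario;
# these are NOT crowdsecurity/postfix-bf's real parameters.
SHORT_WINDOW = (600, 5)

# Constructed log lines (RFC 5737/3849 addresses), not taken from a real server.
SAMPLE_LOGS = [
    "Feb 21 10:00:00 mx postfix/submission/smtpd[1234]: disconnect from unknown[203.0.113.7] ehlo=1 auth=0/1 quit=1 commands=2/3",
    "Feb 21 10:00:05 mx postfix/submission/smtpd[1235]: disconnect from mail.example.net[198.51.100.4] ehlo=2 starttls=1 auth=1/1 mail=1 rcpt=1 data=1 quit=1 commands=8",
    "Feb 21 10:00:09 mx postfix/smtpd[1236]: disconnect from unknown[203.0.113.7] ehlo=1 auth=0/3 rset=1 quit=1 commands=3/6",
    "Feb 21 10:00:12 mx postfix/smtpd[1237]: disconnect from unknown[192.0.2.9] ehlo=1 quit=1 commands=2",
    "Feb 21 10:00:20 mx postfix/submission/smtpd[1238]: disconnect from unknown[IPv6:2001:db8::1] ehlo=2 starttls=1 auth=0/2 quit=1 commands=4/6",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(parse_disconnect_auth_failure(line))
    every_15min, every_70min = cadence(12, 15 * 60), cadence(12, 70 * 60)
    for name, (leak, cap) in SCENARIOS.items():
        print(f"{name}: 15-min cadence fires at event {first_overflow(every_15min, leak, cap)}")
    print("short window (constructed), 15-min cadence:", first_overflow(every_15min, *SHORT_WINDOW))
    print("helo-very-slow, 70-min cadence:",
          first_overflow(every_70min, *SCENARIOS["melite/postfix-helo-very-slow"]))
```

Running it shows the property behind the two tiers: a bucket whose leakspeed is L seconds can never accumulate events from a source that spaces them L or more seconds apart, so the 900 s tier is for cadences under 15 minutes, while under this model the 4 h tier catches the 15-minute cadence on the 6th attempt and the 70-minute cadence on the 7th. The parser half also makes a caveat visible: a client that fails twice and then succeeds logs auth=1/3 and is correctly left alone.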

@Etilem Etilem force-pushed the feat/postfix-slow-bf branch from 8dabf51 to 11bd514 Compare February 22, 2026 02:06
@sabban (Contributor) commented Mar 2, 2026

Hi,
Your PR redefines a postfix parser that can parse slightly different logs than the already existing one. Can you improve the original to understand the logs you want to parse and use it in this PR?

Thanks for your contribution!

Étienne LEMÉE and others added 2 commits March 27, 2026 07:44
Add slow brute-force detection scenarios for Postfix SMTP authentication
and evasive HELO rejection attacks:
- melite/postfix-slow-bf (leakspeed 900s, capacity 7)
- melite/postfix-very-slow-bf (leakspeed 4h, capacity 5)
- melite/postfix-submission-very-slow-bf (leakspeed 4h, capacity 5)
- melite/postfix-helo-very-slow (leakspeed 4h, capacity 5)

Includes parser melite/postfix-submission-auth (s01-parse) for port 587
auth failures invisible to standard parsers, and hub tests.
Address reviewer feedback: add disconnect auth failure detection
directly to crowdsecurity/postfix-logs instead of a separate
melite/postfix-submission-auth parser.

 - Add grok node for 'disconnect from ... auth=0/N' pattern
 - Remove melite/postfix-submission-auth parser and markdown
 - Update test configs to reference modified parser
 - Rewrite parser assertions for new pipeline structure

All 5 hubtest tests pass (parser + 4 scenarios).
@Etilem Etilem force-pushed the feat/postfix-slow-bf branch from 11bd514 to 5e1ed83 Compare March 27, 2026 07:25
Remove stale reference to deleted melite/postfix-submission-auth parser.
The submission auth pattern is now part of crowdsecurity/postfix-logs.
@Etilem (Contributor, Author) commented Mar 27, 2026

Hi @sabban, thanks for the feedback!

I've removed the custom melite/postfix-submission-auth parser and extended crowdsecurity/postfix-logs instead.

The new grok pattern extracts auth=0/N from Postfix disconnect lines and tags them with log_type_enh: submission-auth-failed.

Changes in commits 5e1ed83 and 1a0f909.

The submission scenarios now reference crowdsecurity/postfix-logs as their dependency.

Let me know if anything else needs adjusting!
