Created May 18, 2016 22:52
Fail2Ban - SMTP filters that help me resolve attacked mail server with Postfix and Dovecot
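## content of: /etc/fail2ban/jail.local
# Jail section header; the name matches the filter and action names below
[mail-smtp]
enabled = true
logpath = /var/log/mail.log
filter = mail-smtp
# Ban on the first matching log line
maxretry = 1
action = iptables-multiport[name=mail-smtp, port="25,587", protocol=tcp]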
## content of: /etc/fail2ban/filter.d/mail-smtp.conf
# Sample log lines these patterns target:
# May 15 07:19:07 mail postfix/smtpd[10583]: warning: unknown[]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
# May 18 12:53:45 mail postfix/smtpd[10926]: warning: address not listed for hostname
# May 15 06:26:01 mail postfix/smtp[29807]: B79961A8C29F: ***, relay=none, delay=0.02, delays=0.01/0/0.01/0, dsn=4.4.1, status=deferred (connect to ***.******.**[***.***.***.***]:25: Connection refused)
# May 15 06:26:34 mail postfix/smtp[30395]: 403CB1A8C751: *** status=deferred (host ******[***.***.***.***] said: 454 4.7.1 ***: Relay access denied (in reply to RCPT TO command))
# May 18 23:09:50 mail postfix/smtp[5844]: 808EB1A8C2B7: lost connection with[] while sending RCPT TO
# May 18 23:53:16 mail postfix/error[32147]: 6E6431A8C2CE: to=<> *** status=deferred (delivery temporarily suspended: connect to[]:25: Connection timed out)
# May 14 23:26:50 mail postfix/smtpd[31643]: warning: non-SMTP command from unknown[]: From: sftjh@*******
[Definition]
# One pattern per line; continuation lines of a multi-line value must be indented
failregex = warning: (?:.*\[<HOST>\]\:.*) SASL (PLAIN|LOGIN) authentication failed: .*$
            warning: <HOST>: address not listed for hostname .*$
            status=deferred \(connect to (?:.*\[<HOST>\]\:.*)(?:\d.\:.*) Connection refused\)$
            status=deferred \(host (?:.*\[<HOST>\] said\:.*\:) Relay access denied \(.*RCPT TO.*\)\)$
            lost connection with (?:.*\[<HOST>\].*) while sending RCPT TO$
            status=deferred \(delivery temporarily suspended\: connect to (?:.*\[<HOST>\]\:.*)(?:\d.\:.*) Connection timed out\)$
            warning: non-SMTP command from (?:.*\[<HOST>\]\:.*) From: .*$
ignoreregex =
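
An added example, not part of the original gist: a small Python harness that runs the seven failregex lines above over constructed log lines and reports which pattern fires and which address it would ban. `HOST` is a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag, and the function names and sample log lines are assumptions made for this example.

```python
import re

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag,
# which in fail2ban itself also accepts IPv6 addresses and hostnames.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The seven failregex lines from mail-smtp.conf, copied unchanged.
FAILREGEX = [
    r"warning: (?:.*\[<HOST>\]\:.*) SASL (PLAIN|LOGIN) authentication failed: .*$",
    r"warning: <HOST>: address not listed for hostname .*$",
    r"status=deferred \(connect to (?:.*\[<HOST>\]\:.*)(?:\d.\:.*) Connection refused\)$",
    r"status=deferred \(host (?:.*\[<HOST>\] said\:.*\:) Relay access denied \(.*RCPT TO.*\)\)$",
    r"lost connection with (?:.*\[<HOST>\].*) while sending RCPT TO$",
    r"status=deferred \(delivery temporarily suspended\: connect to (?:.*\[<HOST>\]\:.*)(?:\d.\:.*) Connection timed out\)$",
    r"warning: non-SMTP command from (?:.*\[<HOST>\]\:.*) From: .*$",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

# Constructed log lines (not from the gist); addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    # inbound: failed SASL login against this server (postfix/smtpd)
    "May 15 07:19:07 mail postfix/smtpd[10583]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    # inbound: client whose reverse DNS does not resolve back to its address
    "May 18 12:53:45 mail postfix/smtpd[10926]: warning: 198.51.100.7: address not listed for hostname mail.example.net",
    # outbound: this server failed to reach a remote MX (postfix/smtp)
    "May 15 06:26:01 mail postfix/smtp[29807]: B79961A8C29F: to=<user@example.org>, relay=none, delay=0.02, delays=0.01/0/0.01/0, dsn=4.4.1, status=deferred (connect to mx.example.org[203.0.113.25]:25: Connection refused)",
    # benign: ordinary inbound connection, must not match anything
    "May 15 06:30:00 mail postfix/smtpd[10600]: connect from mail.example.com[192.0.2.77]",
]

def match_line(line):
    """Return (pattern_index, host) for the first failregex that matches, else None."""
    for index, regex in enumerate(COMPILED):
        found = regex.search(line)  # search, not match: the syslog prefix is skipped
        if found:
            return index, found.group("host")
    return None

def hosts_to_ban(lines):
    """With maxretry = 1, every host captured at least once gets banned."""
    return {hit[1] for hit in map(match_line, lines) if hit}

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(match_line(line), "<-", line[:60])
    print("would ban:", sorted(hosts_to_ban(SAMPLE_LOG)))
```

The third sample is an outbound `postfix/smtp` delivery failure, so with `maxretry = 1` a remote MX that refuses one connection is itself blocked from reaching ports 25 and 587 on this server. Against a real log, `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/mail-smtp.conf` reports how many lines each pattern matches.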
pida42 commented Oct 23, 2020

thanks for sharing, this worked so much better than the other crap i'd tried before. after years(!) finally it does what it should.

You are welcome...
