@solariz
Created March 27, 2019 19:51
Fail2Ban filter for postfix authentication failures, SASL Strict
# Fail2Ban filter for postfix authentication failures
# more strict version of SASL Filter
# EXAMPLE:
# Mar 27 20:16:40 cc postfix/smtpd[959]: warning: unknown[123.123.123.123]: SASL PLAIN authentication failed:
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = postfix/(submission/)?smtp(d|s)
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:?(\s?[A-Za-z0-9+/:]*={0,4})?\s*$
ignoreregex = authentication failed: Connection lost to authentication server$
[Init]
journalmatch = _SYSTEMD_UNIT=postfix.service
# Author: Yaroslav Halchenko
# +Marco Goetze (fix, more accurate for postfix 3.1)
solariz (author) commented Mar 27, 2019:

Before (original filter):
Lines: 126338 lines, 0 ignored, 1692 matched, 124646 missed [processed in 5.17 sec]

After (new filter):
Lines: 126338 lines, 0 ignored, 8578 matched, 117760 missed [processed in 5.13 sec]

stan23 commented Mar 9, 2022:

postfix/(submission/)?smtp(d|s) does not catch these kinds of logs:
Mar 9 07:48:30 vps2053415 postfix/smtps/smtpd[7271]: warning: unknown[212.70.149.72]: SASL LOGIN authentication failed: authentication failure

I simply changed it to _daemon = postfix(/smtp(d|s)){1,2} while dropping the optional submission port, but I bet there is a nicer and cleaner variant.

solariz (author) commented Mar 30, 2022:

Should be fine with e.g. _daemon = (?:postfix/smtp(d|s){1,2}|postfix/submission/smtp(d|s){1,2})
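To see which of the `_daemon` candidates in this thread actually accept the process names quoted above, and whether the gist's failregex body accepts the rest of each message, here is an added Python script. It is not part of the gist and not fail2ban's own code: it rebuilds the filter with a simplified syslog prefix that stands in for `__prefix_line` from common.conf, expands `<HOST>` to a plain named group (fail2ban's own expansion is wider), rewrites the mid-pattern `(?i)` as the scoped `(?i:...)` form because Python 3.11 and later reject a global flag that is not at the start of the expression, and runs everything over constructed sample lines. The `proposed` pattern is my own assumption, not one suggested in the thread. The daemon check and the body check are reported separately so the two failure modes can be told apart.

```python
import re

# Constructed sample lines (not from a real server): the first two are shaped like
# the lines quoted in the gist and in stan23's comment, the others cover the
# submission service, the ignoreregex case and an unrelated message.
SAMPLE_LINES = [
    "Mar 27 20:16:40 cc postfix/smtpd[959]: warning: unknown[123.123.123.123]: "
    "SASL PLAIN authentication failed:",
    "Mar 9 07:48:30 vps2053415 postfix/smtps/smtpd[7271]: warning: unknown[212.70.149.72]: "
    "SASL LOGIN authentication failed: authentication failure",
    "Mar 9 07:49:01 vps2053415 postfix/submission/smtpd[7280]: warning: unknown[203.0.113.5]: "
    "SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Mar 9 07:50:12 vps2053415 postfix/smtpd[7290]: warning: unknown[198.51.100.7]: "
    "SASL LOGIN authentication failed: Connection lost to authentication server",
    "Mar 9 07:51:00 vps2053415 postfix/smtpd[7300]: connect from unknown[198.51.100.8]",
]

# The _daemon candidates discussed in the thread, plus one assumed alternative
# ("proposed") that is mine and not from the gist or its comments.
DAEMON_PATTERNS = {
    "gist": r"postfix/(submission/)?smtp(d|s)",
    "stan23": r"postfix(/smtp(d|s)){1,2}",
    "solariz": r"(?:postfix/smtp(d|s){1,2}|postfix/submission/smtp(d|s){1,2})",
    "proposed": r"postfix/(?:[\w-]+/)?smtp(d|s)",  # one optional master.cf service name
}

# Simplified stand-in for fail2ban's __prefix_line (assumption: classic syslog layout
# "Mon DD HH:MM:SS host daemon[pid]: "; common.conf handles more layouts than this).
_PREFIX_HEAD = r"^\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ (?:"
_PREFIX_TAIL = r")\[\d+\]: "

# Body of the gist's failregex. <HOST> becomes a plain named group, and the
# mid-pattern (?i) is written as the scoped (?i:...) group, which Python 3.11+ requires.
_BODY = (
    r"warning: [-._\w]+\[(?P<host>[\w\-.]+)\]: "
    r"SASL (?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:?"
    r"(\s?[A-Za-z0-9+/:]*={0,4})?\s*$"
)
_IGNORE = re.compile(r"authentication failed: Connection lost to authentication server$")
_ANY_DAEMON = r"[^\s\[]+"  # accept any process name, to test the body on its own


def check(daemon_pattern, line):
    """Evaluate one log line the way fail2ban would, with the pieces reported separately."""
    daemon_re = re.compile(_PREFIX_HEAD + daemon_pattern + _PREFIX_TAIL)
    body_re = re.compile(_PREFIX_HEAD + _ANY_DAEMON + _PREFIX_TAIL + _BODY)
    full_re = re.compile(_PREFIX_HEAD + daemon_pattern + _PREFIX_TAIL + _BODY)
    full = full_re.search(line)
    ignored = _IGNORE.search(line) is not None
    return {
        "daemon": daemon_re.search(line) is not None,  # does _daemon accept the process name?
        "body": body_re.search(line) is not None,      # does the failregex body accept the message?
        "ignored": ignored,
        "host": full.group("host") if full else None,
        "hit": full is not None and not ignored,       # what fail2ban would actually count
    }


def hits(name, lines=SAMPLE_LINES):
    """Per-line verdict (counted as a failure or not) for the named _daemon candidate."""
    return [check(DAEMON_PATTERNS[name], ln)["hit"] for ln in lines]


def daemon_ok(name, lines=SAMPLE_LINES):
    """Per-line result for the _daemon part alone."""
    return [check(DAEMON_PATTERNS[name], ln)["daemon"] for ln in lines]


def body_ok(lines=SAMPLE_LINES):
    """Per-line result for the failregex body alone (process name ignored)."""
    return [check(_ANY_DAEMON, ln)["body"] for ln in lines]


if __name__ == "__main__":
    for i, ln in enumerate(SAMPLE_LINES):
        print(f"line {i}: {ln[:70]}...")
        print(f"  failregex body matches: {body_ok([ln])[0]}")
        for name, pattern in DAEMON_PATTERNS.items():
            r = check(pattern, ln)
            print(f"  {name:<9} daemon={r['daemon']!s:<5} hit={r['hit']!s:<5} host={r['host']}")
```

Run it directly for a per-line table. On a real host the same kind of check is done with fail2ban's own tool, `fail2ban-regex <logfile> <filter.conf>`, which prints the "Lines: ... matched ... missed" summary quoted earlier in this thread; the script above is only useful for reasoning about the pieces of the regex in isolation.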
