Fail2Ban filter for postfix authentication failures, SASL Strict
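# Fail2Ban filter for postfix authentication failures
# more strict version of SASL Filter
# EXAMPLE:
# Mar 27 20:16:40 cc postfix/smtpd[959]: warning: unknown[123.123.123.123]: SASL PLAIN authentication failed:
#

[INCLUDES]
# common.conf supplies __prefix_line, which failregex uses below
before = common.conf

[Definition]
# Matches postfix/smtpd, postfix/smtps and their submission/ variants
_daemon = postfix/(submission/)?smtp(d|s)
# Case-insensitivity is scoped to the mechanism names with (?i:...);
# a bare (?i) in the middle of a pattern is rejected by Python 3.11 and later.
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:?(\s?[A-Za-z0-9+/:]*={0,4})?\s*$
# Lines reporting a lost connection to the authentication server are not counted
ignoreregex = authentication failed: Connection lost to authentication server$

[Init]
journalmatch = _SYSTEMD_UNIT=postfix.service

# Author: Yaroslav Halchenko
# +Marco Goetze (Fix more accurate for postfix 3.1 )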
@solariz (Owner, Author) commented Mar 27, 2019

Before (original filter):
Lines: 126338 lines, 0 ignored, 1692 matched, 124646 missed [processed in 5.17 sec]

After (new filter):
Lines: 126338 lines, 0 ignored, 8578 matched, 117760 missed [processed in 5.13 sec]
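
What the filter's failregex and ignoreregex do to individual log lines, as an added Python example that is not part of the gist. It expands the pattern with simplified stand-ins for fail2ban's `__prefix_line` and `<HOST>` (assumptions), writes the mechanism group as a scoped `(?i:...)`, and runs over constructed log lines.

```python
import re

# Simplified stand-ins (assumptions): fail2ban's real __prefix_line from
# common.conf and its <HOST> expansion are more elaborate than these.
DAEMON = r"postfix/(submission/)?smtp(d|s)"
PREFIX_LINE = r"\s*(?:\S+\s+)?(?:" + DAEMON + r")(?:\[\d+\])?:\s+"
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[0-9A-Fa-f:]{3,39})"

# failregex / ignoreregex from the filter, with the mechanism group written as
# a scoped (?i:...) because Python 3.11+ rejects a bare (?i) in mid-pattern.
FAILREGEX = (r"^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: "
             r"SASL (?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
             r":?(\s?[A-Za-z0-9+/:]*={0,4})?\s*$")
IGNOREREGEX = r"authentication failed: Connection lost to authentication server$"

FAIL = re.compile((FAILREGEX % {"__prefix_line": PREFIX_LINE}).replace("<HOST>", HOST))
IGNORE = re.compile(IGNOREREGEX)
# fail2ban removes the matched timestamp before applying failregex; mimic that.
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}\s+")

def classify(line):
    """Return ('ban', host), ('ignored', None) or ('miss', None) for one log line."""
    body = TIMESTAMP.sub("", line.rstrip())
    if IGNORE.search(body):
        return ("ignored", None)
    m = FAIL.match(body)
    return ("ban", m.group("host")) if m else ("miss", None)

def offenders(lines):
    """Count matched failures per host, the tally fail2ban holds against maxretry."""
    counts = {}
    for line in lines:
        verdict, host = classify(line)
        if verdict == "ban":
            counts[host] = counts.get(host, 0) + 1
    return counts

# Constructed sample log (the first line is the EXAMPLE from the filter header).
SAMPLE = [
    "Mar 27 20:16:40 cc postfix/smtpd[959]: warning: unknown[123.123.123.123]: SASL PLAIN authentication failed:",
    "Mar 27 20:16:41 cc postfix/smtpd[959]: warning: unknown[123.123.123.123]: SASL login authentication failed: UGFzc3dvcmQ6",
    "Mar 27 20:17:02 cc postfix/submission/smtpd[1044]: warning: unknown[203.0.113.7]: SASL CRAM-MD5 authentication failed: PDEyMzQ1Njc4OT4=",
    "Mar 27 20:17:30 cc postfix/smtpd[959]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: Connection lost to authentication server",
    "Mar 27 20:18:00 cc postfix/smtpd[959]: connect from unknown[192.0.2.55]",
]

if __name__ == "__main__":
    for host, n in sorted(offenders(SAMPLE).items()):
        print(host, n)
```

The authoritative check against a real log remains `fail2ban-regex`, which uses the full `common.conf` prefix and host patterns.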
