Hi, I can't seem to get the postfix jail to work in fail2ban. sshd and recidive work fine. Here's my config

Code: /etc/fail2ban/jail.local

[postfix]
enabled = true
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log
maxretry = 3
bantime = 3600

The filter is the original from Ubuntu

Code: /etc/fail2ban/filter.d/postfix.conf

# Fail2Ban filter for selected Postfix SMTP rejections
#
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = postfix(-\w+)?/\w+(?:/smtp[ds])?
_port = (?::\d+)?
_pref = [A-Z]{4}

prefregex = ^%(__prefix_line)s<mdpr-<mode>> <F-CONTENT>.+</F-CONTENT>$

# Extended RE for normal mode to match reject by unknown users or undeliverable address, can be set to empty to avoid this:
exre-user = |[Uu](?:ser unknown|ndeliverable address)

mdpr-normal = (?:\w+: (?:milter-)?reject:|(?:improper command pipelining|too many errors) after \S+)
mdre-normal=^%(_pref)s from [^[]*\[<HOST>\]%(_port)s: [45][50][04] [45]\.\d\.\d+ (?:(?:<[^>]*>)?: )?(?:(?:Helo command|(?:Sender|Recipient) address) rejected: )?(?:Service unavailable|(?:Client host|Command|Data command) rejected|Relay access denied|(?:Host|Domain) not found|need fully-qualified hostname|match%(exre-user)s)\b
            ^from [^[]*\[<HOST>\]%(_port)s:?

mdpr-auth = warning:
mdre-auth = ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server| Invalid authentication mechanism)
mdre-auth2= ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server)
# todo: check/remove "Invalid authentication mechanism" from ignore list, if gh-1243 will get finished (see gh-1297).

# Mode "rbl" currently included in mode "normal", but if needed for jail "postfix-rbl" only:
mdpr-rbl = %(mdpr-normal)s
mdre-rbl = ^%(_pref)s from [^[]*\[<HOST>\]%(_port)s: [45]54 [45]\.7\.1 Service unavailable; Client host \[\S+\] blocked\b

# Mode "rbl" currently included in mode "normal" (within 1st rule)
mdpr-more = %(mdpr-normal)s
mdre-more = %(mdre-normal)s

# Includes some of the log messages described in
# <http://www.postfix.org/POSTSCREEN_README.html>.
mdpr-ddos = (?:lost connection after(?! DATA) [A-Z]+|disconnect(?= from \S+(?: \S+=\d+)* auth=0/(?:[1-9]|\d\d+))|(?:PREGREET \d+|HANGUP) after \S+|COMMAND (?:TIME|COUNT|LENGTH) LIMIT)
mdre-ddos = ^from [^[]*\[<HOST>\]%(_port)s:?

mdpr-extra = (?:%(mdpr-auth)s|%(mdpr-normal)s)
mdre-extra = %(mdre-auth)s
             %(mdre-normal)s

mdpr-aggressive = (?:%(mdpr-auth)s|%(mdpr-normal)s|%(mdpr-ddos)s)
mdre-aggressive = %(mdre-auth2)s
                  %(mdre-normal)s

mdpr-errors = too many errors after \S+
mdre-errors = ^from [^[]*\[<HOST>\]%(_port)s$

failregex = <mdre-<mode>>

# Parameter "mode": more (default combines normal and rbl), auth, normal, rbl, ddos, extra or aggressive (combines all)
# Usage example (for jail.local):
#   [postfix]
#   mode = aggressive
#
#   # or another jail (rewrite filter parameters of jail):
#   [postfix-rbl]
#   filter = postfix[mode=rbl]
#
#   # jail to match "too many errors", related postconf `smtpd_hard_error_limit`:
#   # (normally included in other modes (normal, more, extra, aggressive), but this jail'd allow to ban on the first message)
#   [postfix-many-errors]
#   filter = postfix[mode=errors]
#   maxretry = 1
#
mode = more

ignoreregex =

[Init]

journalmatch = _SYSTEMD_UNIT=postfix.service


# Author: Cyril Jaquier

My mail log has authentication failed messages about every 30 seconds

Code:

2025-03-20T15:23:43.142299+00:00 mail postfix/smtpd[3064187]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), [email protected]
2025-03-20T15:24:13.159379+00:00 mail postfix/smtpd[3064209]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), [email protected]
2025-03-20T15:24:43.468233+00:00 mail postfix/smtpd[3064189]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), [email protected]
2025-03-20T15:25:14.362771+00:00 mail postfix/smtpd[3064187]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), [email protected]
2025-03-20T15:25:45.393180+00:00 mail postfix/smtpd[3064189]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), [email protected]
2025-03-20T15:26:18.494925+00:00 mail postfix/smtpd[3064209]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), [email protected]
2025-03-20T15:26:50.104172+00:00 mail postfix/smtpd[3064187]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), [email protected]
2025-03-20T15:27:16.070106+00:00 mail postfix/smtpd[3064189]: warning: unknown[194.0.234.11]: SASL LOGIN authentication failed: (reason unavailable), [email protected]
2025-03-20T15:27:23.076484+00:00 mail postfix/smtpd[3064209]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), [email protected]
2025-03-20T15:27:54.486966+00:00 mail postfix/smtpd[3064189]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), [email protected]
2025-03-20T15:28:26.377843+00:00 mail postfix/smtpd[3064209]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), [email protected]
2025-03-20T15:28:58.460629+00:00 mail postfix/smtpd[3064187]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), [email protected]
2025-03-20T15:29:25.095773+00:00 mail postfix/smtpd[3064189]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), [email protected]
2025-03-20T15:29:59.094099+00:00 mail postfix/smtpd[3064209]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), [email protected]
2025-03-20T15:30:32.256719+00:00 mail postfix/smtpd[3064189]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), [email protected]
2025-03-20T15:31:02.458496+00:00 mail postfix/smtpd[3064209]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), [email protected]
2025-03-20T15:31:32.481669+00:00 mail postfix/smtpd[3064187]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), [email protected]
2025-03-20T15:32:00.071539+00:00 mail postfix/smtpd[3064189]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), [email protected]
2025-03-20T15:32:32.154448+00:00 mail postfix/smtpd[3064209]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), [email protected]
2025-03-20T15:33:06.500713+00:00 mail postfix/smtpd[3064189]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), [email protected]
2025-03-20T15:33:37.040642+00:00 mail postfix/smtpd[3064209]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), [email protected]
2025-03-20T15:34:08.429929+00:00 mail postfix/smtpd[3064187]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), [email protected]
2025-03-20T15:34:39.015037+00:00 mail postfix/smtpd[3064189]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), [email protected]
2025-03-20T15:35:11.377150+00:00 mail postfix/smtpd[3064209]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), [email protected]
2025-03-20T15:35:42.356346+00:00 mail postfix/smtpd[3064189]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), [email protected]
2025-03-20T15:36:13.337390+00:00 mail postfix/smtpd[3064187]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), [email protected]
2025-03-20T15:36:44.414333+00:00 mail postfix/smtpd[3064209]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), [email protected]
2025-03-20T15:37:15.358014+00:00 mail postfix/smtpd[3064189]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), [email protected]
2025-03-20T15:37:46.350823+00:00 mail postfix/smtpd[3064187]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), [email protected]
2025-03-20T15:38:16.121219+00:00 mail postfix/smtpd[3064189]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), [email protected]
2025-03-20T15:38:48.480710+00:00 mail postfix/smtpd[3064209]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), [email protected]
2025-03-20T15:39:10.422178+00:00 mail postfix/smtpd[3064187]: warning: unknown[194.0.234.11]: SASL LOGIN authentication failed: (reason unavailable), [email protected]
2025-03-20T15:39:19.345780+00:00 mail postfix/smtpd[3064189]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), [email protected]
2025-03-20T15:39:47.344916+00:00 mail postfix/smtpd[3064209]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), [email protected]
2025-03-20T15:40:19.487482+00:00 mail postfix/smtpd[3064189]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), [email protected]
2025-03-20T15:40:50.457370+00:00 mail postfix/smtpd[3064209]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), [email protected]
2025-03-20T15:41:23.358780+00:00 mail postfix/smtpd[3064187]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), [email protected]
2025-03-20T15:41:51.334574+00:00 mail postfix/smtpd[3064189]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), [email protected]
2025-03-20T15:42:22.079239+00:00 mail postfix/smtpd[3064209]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), [email protected]
2025-03-20T15:42:54.221657+00:00 mail postfix/smtpd[3064189]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), [email protected]
2025-03-20T15:43:24.375709+00:00 mail postfix/smtpd[3064209]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), [email protected]
2025-03-20T15:44:00.341328+00:00 mail postfix/smtpd[3064187]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), [email protected]
2025-03-20T15:44:31.454384+00:00 mail postfix/smtpd[3064189]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), [email protected]

When I test the regex in the filter I get a lot of matches

Code:

fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf

Running tests
=============

Use   failregex filter file : postfix, basedir: /etc/fail2ban
Use      datepattern : {^LN-BEG} : Default Detectors
Use         log file : /var/log/mail.log
Use         encoding : UTF-8


Results
=======

Prefregex: 122 total
|  ^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel:\s?\[ *\d+\.\d+\]:?\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?postfix(-\w+)?/\w+(?:/smtp[ds])?(?:\(\S+\))?[\]\)]?:?|[\[\(]?postfix(-\w+)?/\w+(?:/smtp[ds])?(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(?:\w+: (?:milter-)?reject:|(?:improper command pipelining|too many errors) after \S+) (?P<content>.+)$
`-

Failregex: 122 total
|-  #) [# of hits] regular expression
|   1) [4] ^[A-Z]{4} from [^[]*\[<HOST>\](?::\d+)?: [45][50][04] [45]\.\d\.\d+ (?:(?:<[^>]*>)?: )?(?:(?:Helo command|(?:Sender|Recipient) address) rejected: )?(?:Service unavailable|(?:Client host|Command|Data command) rejected|Relay access denied|(?:Host|Domain) not found|need fully-qualified hostname|match|[Uu](?:ser unknown|ndeliverable address))\b
|   2) [118] ^from [^[]*\[<HOST>\](?::\d+)?:?
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [42904] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T| ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-

Lines: 42904 lines, 0 ignored, 122 matched, 42782 missed
[processed in 3.86 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 42782 lines

Code:

fail2ban-client status postfix
Status for the jail: postfix
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:  _SYSTEMD_UNIT=postfix.service
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

What am I overlooking?
I would try with only

Code:

[postfix]
enabled = true

in /etc/fail2ban/jail.local for the postfix jail. Have you examined the Fail2Ban tutorial, link in my signature?
For future reference, in your postfix filter the mode is set to more. You need to set it to aggressive or extra to include auth:

Code:

mode = aggressive
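To see why the default mode misses the SASL lines while the rejects are counted, here is an added model (not from the thread and not fail2ban's own code) of how the filter assembles its prefregex and failregex from the mode parameter and runs them in two stages. The prefix pattern and the <HOST> tag are simplified stand-ins for fail2ban's %(__prefix_line)s and <HOST> (IPv4 only, date already stripped), the ddos/rbl fragments are left out, and the two log lines are constructed samples.

```python
import re
from typing import Optional

# Simplified stand-ins (assumptions, not fail2ban's real definitions).
PREFIX = r"^\S+ postfix(?:-\w+)?/\w+(?:/smtp[ds])?\[\d+\]: "   # host + daemon[pid]:
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"                   # IPv4-only <HOST>
PORT = r"(?::\d+)?"

# mdpr-<mode>: which message classes pass the prefregex gate in each mode.
MDPR = {
    "normal": r"(?:\w+: (?:milter-)?reject:|(?:improper command pipelining|too many errors) after \S+)",
    "auth": r"warning:",
}
MDPR["more"] = MDPR["normal"]                                   # the filter's default
MDPR["aggressive"] = rf"(?:{MDPR['auth']}|{MDPR['normal']})"    # ddos alternative omitted here

# mdre-<mode>: failregex applied to the content captured after the prefix.
MDRE_NORMAL = [
    rf"^[A-Z]{{4}} from [^[]*\[{HOST}\]{PORT}: [45][50][04] [45]\.\d\.\d+ (?:(?:<[^>]*>)?: )?"
    r"(?:(?:Helo command|(?:Sender|Recipient) address) rejected: )?(?:Service unavailable|"
    r"(?:Client host|Command|Data command) rejected|Relay access denied|(?:Host|Domain) not found|"
    r"need fully-qualified hostname|match|[Uu](?:ser unknown|ndeliverable address))\b",
    rf"^from [^[]*\[{HOST}\]{PORT}:?",
]
# Scoped (?i:...) replaces the filter's (?i) so the pattern compiles on Python >= 3.11.
MDRE_AUTH2 = (rf"^[^[]*\[{HOST}\]{PORT}: SASL (?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) "
              r"authentication failed:(?! Connection lost to authentication server)")
MDRE = {"normal": MDRE_NORMAL, "more": MDRE_NORMAL, "aggressive": [MDRE_AUTH2] + MDRE_NORMAL}

def match_host(line: str, mode: str = "more") -> Optional[str]:
    """Return the offending IP if `line` (date already stripped) hits the filter in `mode`."""
    prefregex = re.compile(PREFIX + MDPR[mode] + r" (?P<content>.+)$")
    m = prefregex.match(line)
    if not m:
        return None            # stage 1: message class not enabled in this mode
    for pattern in MDRE[mode]:
        hit = re.match(pattern, m.group("content"))
        if hit:
            return hit.group("host")   # stage 2: failregex extracted <HOST>
    return None

# Constructed sample lines (username and addresses are placeholders).
SASL_LINE = ("mail postfix/smtpd[3064187]: warning: unknown[193.46.255.184]: SASL LOGIN "
             "authentication failed: (reason unavailable), sasl_username=user@example.invalid")
REJECT_LINE = ("mail postfix/smtpd[3064190]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: "
               "554 5.7.1 Service unavailable; Client host [203.0.113.7] blocked; from=<a@example.invalid>")

if __name__ == "__main__":
    for mode in ("more", "aggressive"):
        print(mode, "SASL ->", match_host(SASL_LINE, mode), "| reject ->", match_host(REJECT_LINE, mode))
```

With mode=more the SASL warning never gets past the prefregex, which is exactly the pattern in the fail2ban-regex output above: 122 reject lines matched and tens of thousands of warning lines missed.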