Hi, I can't seem to get the postfix jail to work in fail2ban. sshd and recidive work fine. Here's my config

Code: /etc/fail2ban/jail.local
[postfix]
enabled = true
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log
maxretry = 3
bantime = 3600

The filter is the original from Ubuntu

Code: /etc/fail2ban/filter.d/postfix.conf
# Fail2Ban filter for selected Postfix SMTP rejections
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = postfix(-\w+)?/\w+(?:/smtp[ds])?
_port = (?::\d+)?
_pref = [A-Z]{4}

prefregex = ^%(__prefix_line)s<mdpr-<mode>> <F-CONTENT>.+</F-CONTENT>$

# Extended RE for normal mode to match reject by unknown users or undeliverable address, can be set to empty to avoid this:
exre-user = |[Uu](?:ser unknown|ndeliverable address)

mdpr-normal = (?:\w+: (?:milter-)?reject:|(?:improper command pipelining|too many errors) after \S+)
mdre-normal=^%(_pref)s from [^[]*\[<HOST>\]%(_port)s: [45][50][04] [45]\.\d\.\d+ (?:(?:<[^>]*>)?: )?(?:(?:Helo command|(?:Sender|Recipient) address) rejected: )?(?:Service unavailable|(?:Client host|Command|Data command) rejected|Relay access denied|(?:Host|Domain) not found|need fully-qualified hostname|match%(exre-user)s)\b
            ^from [^[]*\[<HOST>\]%(_port)s:?

mdpr-auth = warning:
mdre-auth = ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server| Invalid authentication mechanism)
mdre-auth2= ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server)
# todo: check/remove "Invalid authentication mechanism" from ignore list, if gh-1243 will get finished (see gh-1297).
# Mode "rbl" currently included in mode "normal", but if needed for jail "postfix-rbl" only:
mdpr-rbl = %(mdpr-normal)s
mdre-rbl = ^%(_pref)s from [^[]*\[<HOST>\]%(_port)s: [45]54 [45]\.7\.1 Service unavailable; Client host \[\S+\] blocked\b

# Mode "rbl" currently included in mode "normal" (within 1st rule)
mdpr-more = %(mdpr-normal)s
mdre-more = %(mdre-normal)s

# Includes some of the log messages described in
# <http://www.postfix.org/POSTSCREEN_README.html>.
mdpr-ddos = (?:lost connection after(?! DATA) [A-Z]+|disconnect(?= from \S+(?: \S+=\d+)* auth=0/(?:[1-9]|\d\d+))|(?:PREGREET \d+|HANGUP) after \S+|COMMAND (?:TIME|COUNT|LENGTH) LIMIT)
mdre-ddos = ^from [^[]*\[<HOST>\]%(_port)s:?

mdpr-extra = (?:%(mdpr-auth)s|%(mdpr-normal)s)
mdre-extra = %(mdre-auth)s
             %(mdre-normal)s

mdpr-aggressive = (?:%(mdpr-auth)s|%(mdpr-normal)s|%(mdpr-ddos)s)
mdre-aggressive = %(mdre-auth2)s
                  %(mdre-normal)s

mdpr-errors = too many errors after \S+
mdre-errors = ^from [^[]*\[<HOST>\]%(_port)s$

failregex = <mdre-<mode>>

# Parameter "mode": more (default combines normal and rbl), auth, normal, rbl, ddos, extra or aggressive (combines all)
# Usage example (for jail.local):
#   [postfix]
#   mode = aggressive
#
#   # or another jail (rewrite filter parameters of jail):
#   [postfix-rbl]
#   filter = postfix[mode=rbl]
#
#   # jail to match "too many errors", related postconf `smtpd_hard_error_limit`:
#   # (normally included in other modes (normal, more, extra, aggressive), but this jail'd allow to ban on the first message)
#   [postfix-many-errors]
#   filter = postfix[mode=errors]
#   maxretry = 1
#
mode = more

ignoreregex =

[Init]

journalmatch = _SYSTEMD_UNIT=postfix.service

# Author: Cyril Jaquier

My mail log has authentication failed messages about every 30 seconds

Code:
2025-03-20T15:23:43.142299+00:00 mail postfix/smtpd[3064187]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=ralph@domain.tld
2025-03-20T15:24:13.159379+00:00 mail postfix/smtpd[3064209]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=ramon@domain.tld
2025-03-20T15:24:43.468233+00:00 mail postfix/smtpd[3064189]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=randy@domain.tld
2025-03-20T15:25:14.362771+00:00 mail postfix/smtpd[3064187]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=raquel@domain.tld
2025-03-20T15:25:45.393180+00:00 mail postfix/smtpd[3064189]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=raul@domain.tld
2025-03-20T15:26:18.494925+00:00 mail postfix/smtpd[3064209]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=ray@domain.tld
2025-03-20T15:26:50.104172+00:00 mail postfix/smtpd[3064187]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=rayman@domain.tld
2025-03-20T15:27:16.070106+00:00 mail postfix/smtpd[3064189]: warning: unknown[194.0.234.11]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=fax@domain.tld
2025-03-20T15:27:23.076484+00:00 mail postfix/smtpd[3064209]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=raymond@domain.tld
2025-03-20T15:27:54.486966+00:00 mail postfix/smtpd[3064189]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=reagan@domain.tld
2025-03-20T15:28:26.377843+00:00 mail postfix/smtpd[3064209]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=rebecca@domain.tld
2025-03-20T15:28:58.460629+00:00 mail postfix/smtpd[3064187]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=records@domain.tld
2025-03-20T15:29:25.095773+00:00 mail postfix/smtpd[3064189]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=reed@domain.tld
2025-03-20T15:29:59.094099+00:00 mail postfix/smtpd[3064209]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=ricardo@domain.tld
2025-03-20T15:30:32.256719+00:00 mail postfix/smtpd[3064189]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=richard@domain.tld
2025-03-20T15:31:02.458496+00:00 mail postfix/smtpd[3064209]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=ricky@domain.tld
2025-03-20T15:31:32.481669+00:00 mail postfix/smtpd[3064187]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=riley@domain.tld
2025-03-20T15:32:00.071539+00:00 mail postfix/smtpd[3064189]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=robbie@domain.tld
2025-03-20T15:32:32.154448+00:00 mail postfix/smtpd[3064209]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=roberto@domain.tld
2025-03-20T15:33:06.500713+00:00 mail postfix/smtpd[3064189]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=roberts@domain.tld
2025-03-20T15:33:37.040642+00:00 mail postfix/smtpd[3064209]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=robin@domain.tld
2025-03-20T15:34:08.429929+00:00 mail postfix/smtpd[3064187]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=rodney@domain.tld
2025-03-20T15:34:39.015037+00:00 mail postfix/smtpd[3064189]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=roger@domain.tld
2025-03-20T15:35:11.377150+00:00 mail postfix/smtpd[3064209]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=roman@domain.tld
2025-03-20T15:35:42.356346+00:00 mail postfix/smtpd[3064189]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=romeo@domain.tld
2025-03-20T15:36:13.337390+00:00 mail postfix/smtpd[3064187]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=ronald@domain.tld
2025-03-20T15:36:44.414333+00:00 mail postfix/smtpd[3064209]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=ronaldo@domain.tld
2025-03-20T15:37:15.358014+00:00 mail postfix/smtpd[3064189]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=ronnie@domain.tld
2025-03-20T15:37:46.350823+00:00 mail postfix/smtpd[3064187]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=roob@domain.tld
2025-03-20T15:38:16.121219+00:00 mail postfix/smtpd[3064189]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=root2@domain.tld
2025-03-20T15:38:48.480710+00:00 mail postfix/smtpd[3064209]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=rosa@domain.tld
2025-03-20T15:39:10.422178+00:00 mail postfix/smtpd[3064187]: warning: unknown[194.0.234.11]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=info1@domain.tld
2025-03-20T15:39:19.345780+00:00 mail postfix/smtpd[3064189]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=rosalie@domain.tld
2025-03-20T15:39:47.344916+00:00 mail postfix/smtpd[3064209]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=rose@domain.tld
2025-03-20T15:40:19.487482+00:00 mail postfix/smtpd[3064189]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=rosemarie@domain.tld
2025-03-20T15:40:50.457370+00:00 mail postfix/smtpd[3064209]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=rosemary@domain.tld
2025-03-20T15:41:23.358780+00:00 mail postfix/smtpd[3064187]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=rosie@domain.tld
2025-03-20T15:41:51.334574+00:00 mail postfix/smtpd[3064189]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=ross@domain.tld
2025-03-20T15:42:22.079239+00:00 mail postfix/smtpd[3064209]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=rossi@domain.tld
2025-03-20T15:42:54.221657+00:00 mail postfix/smtpd[3064189]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=roy@domain.tld
2025-03-20T15:43:24.375709+00:00 mail postfix/smtpd[3064209]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=ruby@domain.tld
2025-03-20T15:44:00.341328+00:00 mail postfix/smtpd[3064187]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=rudolf@domain.tld
2025-03-20T15:44:31.454384+00:00 mail postfix/smtpd[3064189]: warning: unknown[193.46.255.184]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=rudy@domain.tld

When I test the regex in the filter I get a lot of matches

Code:
fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf

Running tests
=============

Use   failregex filter file : postfix, basedir: /etc/fail2ban
Use         datepattern : {^LN-BEG} : Default Detectors
Use         log file : /var/log/mail.log
Use         encoding : UTF-8


Results
=======

Prefregex: 122 total
|  ^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel:\s?\[ *\d+\.\d+\]:?\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?postfix(-\w+)?/\w+(?:/smtp[ds])?(?:\(\S+\))?[\]\)]?:?|[\[\(]?postfix(-\w+)?/\w+(?:/smtp[ds])?(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(?:\w+: (?:milter-)?reject:|(?:improper command pipelining|too many errors) after \S+) (?P<content>.+)$
`-

Failregex: 122 total
|-  #) [# of hits] regular expression
|   1) [4] ^[A-Z]{4} from [^[]*\[<HOST>\](?::\d+)?: [45][50][04] [45]\.\d\.\d+ (?:(?:<[^>]*>)?: )?(?:(?:Helo command|(?:Sender|Recipient) address) rejected: )?(?:Service unavailable|(?:Client host|Command|Data command) rejected|Relay access denied|(?:Host|Domain) not found|need fully-qualified hostname|match|[Uu](?:ser unknown|ndeliverable address))\b
|   2) [118] ^from [^[]*\[<HOST>\](?::\d+)?:?
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [42904] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T| ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-

Lines: 42904 lines, 0 ignored, 122 matched, 42782 missed
[processed in 3.86 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 42782 lines

Code:
fail2ban-client status postfix
Status for the jail: postfix
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:  _SYSTEMD_UNIT=postfix.service
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

What am I overlooking?
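The script below is an added example, not code from the original post and not part of fail2ban. It replays the mdpr-/mdre- pairs from the filter quoted above in Python, fail2ban's own regex engine, over a few constructed log lines in the same shape as the post's mail.log, and tallies hits per host for three of the filter's modes: "more" (the default, which the filter's own comment says combines normal and rbl), "auth", and "extra" (auth plus normal). Two things fail2ban supplies at runtime are replaced by simplified stand-ins and are assumptions of this example: the `<HOST>` tag becomes a plain address capture group, and `__prefix_line` from common.conf becomes the exact `<timestamp> <host> postfix/smtpd[<pid>]:` prefix seen in the post's log. The filter's `((?i)LOGIN|...)` is written as the scoped group `(?i:LOGIN|...)`, which is what Python 3.11+ requires for an inline flag that is not at the start of the pattern; the "aggressive" mode, which additionally folds in the ddos patterns, is not reproduced here.

```python
import re

# Stand-ins (assumptions of this example) for two things fail2ban fills in at runtime:
#   <HOST>        -> a capture group for the client address (simplified to IPv4/IPv6 characters)
#   __prefix_line -> the syslog prefix, here the exact shape seen in the post's mail.log:
#                    "<ISO timestamp> <hostname> postfix/smtpd[<pid>]: "
HOST = r"(?P<host>[0-9A-Fa-f.:]+)"
PORT = r"(?::\d+)?"
PREFIX = r"^\S+ \S+ postfix(?:-\w+)?/\w+(?:/smtp[ds])?\[\d+\]: "

# mdpr-*/mdre-* pairs copied from the filter quoted in the post. The filter's
# "((?i)LOGIN|...)" is written as the scoped group "(?i:LOGIN|...)" so it compiles
# on Python 3.11+, which rejects a global inline flag in mid-pattern.
MDPR_NORMAL = r"(?:\w+: (?:milter-)?reject:|(?:improper command pipelining|too many errors) after \S+)"
MDRE_NORMAL = [
    r"^[A-Z]{4} from [^[]*\[" + HOST + r"\]" + PORT + r": [45][50][04] [45]\.\d\.\d+ "
    r"(?:(?:<[^>]*>)?: )?(?:(?:Helo command|(?:Sender|Recipient) address) rejected: )?"
    r"(?:Service unavailable|(?:Client host|Command|Data command) rejected|Relay access denied|"
    r"(?:Host|Domain) not found|need fully-qualified hostname|match|[Uu](?:ser unknown|ndeliverable address))\b",
    r"^from [^[]*\[" + HOST + r"\]" + PORT + r":?",
]
MDPR_AUTH = r"warning:"
MDRE_AUTH = [
    r"^[^[]*\[" + HOST + r"\]" + PORT + r": SASL (?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:"
    r"(?! Connection lost to authentication server| Invalid authentication mechanism)",
]

# mode -> (prefregex tail, failregex list), composed the way the filter composes them
MODES = {
    "more": (MDPR_NORMAL, MDRE_NORMAL),  # the filter's default: mdre-more = mdre-normal
    "auth": (MDPR_AUTH, MDRE_AUTH),
    "extra": ("(?:" + MDPR_AUTH + "|" + MDPR_NORMAL + ")", MDRE_AUTH + MDRE_NORMAL),
}


def match_line(line, mode):
    """Apply the filter the way fail2ban does: prefregex first, then each failregex
    against the captured <F-CONTENT>. Returns the host that would count as a failure, or None."""
    mdpr, mdres = MODES[mode]
    pre = re.match(PREFIX + mdpr + r" (?P<content>.+)$", line)
    if not pre:
        return None  # prefregex did not match, so failregex is never even tried
    content = pre.group("content")
    for rx in mdres:
        hit = re.match(rx, content)
        if hit:
            return hit.group("host")
    return None


def count_hits(log_text, mode):
    """Tally failures per host for one mode, like fail2ban-regex's per-host counts."""
    hits = {}
    for line in log_text.splitlines():
        host = match_line(line, mode)
        if host:
            hits[host] = hits.get(host, 0) + 1
    return hits


# Constructed sample log: same shape as the post's mail.log, but with documentation
# addresses (RFC 5737) and one relay reject, one auth-backend failure, one plain connect.
SAMPLE_LOG = """\
2025-03-20T15:23:43.142299+00:00 mail postfix/smtpd[3064187]: warning: unknown[192.0.2.184]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=ralph@domain.tld
2025-03-20T15:24:13.159379+00:00 mail postfix/smtpd[3064209]: warning: unknown[192.0.2.184]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=ramon@domain.tld
2025-03-20T15:24:43.468233+00:00 mail postfix/smtpd[3064189]: warning: unknown[192.0.2.184]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=randy@domain.tld
2025-03-20T15:25:00.000000+00:00 mail postfix/smtpd[3064190]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <victim@domain.tld>: Relay access denied; from=<x@example.net> to=<victim@domain.tld> proto=ESMTP helo=<example.net>
2025-03-20T15:25:10.000000+00:00 mail postfix/smtpd[3064190]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: Connection lost to authentication server
2025-03-20T15:25:20.000000+00:00 mail postfix/smtpd[3064191]: connect from unknown[203.0.113.9]
"""

if __name__ == "__main__":
    for mode in MODES:
        print(f"mode={mode:<6} hits per host: {count_hits(SAMPLE_LOG, mode)}")
```

Run stand-alone it prints one line per mode: in "more" only the relay reject from 198.51.100.7 counts, the three SASL LOGIN failures from 192.0.2.184 count only in "auth" and "extra", and the "Connection lost to authentication server" line is counted in no mode because mdre-auth's negative lookahead deliberately skips it (that is an auth backend outage, not a bad password). The same comparison on a real log is `fail2ban-regex /var/log/mail.log 'postfix[mode=auth]'` against the default, which makes the mode the first thing to check when a jail shows zero failures for lines that clearly look like attacks.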
I would try with only

Code:
[postfix]
enabled = true

in /etc/fail2ban/jail.local for the postfix jail. Have you examined the Fail2Ban tutorial, link in my signature?