If you have a huge number of entries like

Code:
118028 Oct 5 13:48:19 host postfix/smtpd[12048]: NOQUEUE: reject: RCPT from mail.olestage.dk[81.19.abc.xyz]: 450 4.7.1 <exch01.olestage.local>: Helo command rejected: Host not found; from=<> to=<Larisaotf@somelocaldomain> proto=ESMTP helo=<exch01.olestage.local>

in your mail.info and wonder why fail2ban doesn't ban them... it's because the rule is not made for "Host not found" having actual data in it. There are improved rulesets for version 0.10/0.11 though. Also, this might save you some requests / volume on RBL services, which usually permit only a limited free usage.

Create a custom file /etc/fail2ban/filter.d/postfix-hnf.conf

Code:
# Fail2Ban filter for selected Postfix SMTP rejections
#
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]

failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 Client host rejected: cannot find your hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 <\S*>: Helo command rejected: Host not found;.*$
            ^%(__prefix_line)sNOQUEUE: reject: EHLO from \S+\[<HOST>\]: 504 5\.5\.2 <\S+>: Helo command rejected: need fully-qualified hostname;
            ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.1\.8 <\S*>: Sender address rejected: Domain not found; from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
            ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$

# Author: Cyril Jaquier

which is basically a copy of the Debian-shipped version, except for the improved Host-Not-Found rule.

Add this to your /etc/fail2ban/jail.local

Code:
[postfix-hnf]
enabled = true
port = smtp
filter = postfix-hnf
logpath = /var/log/mail.log
maxretry = 2
bantime = 10800

[postfix-rbl]
enabled = true
port = smtp
filter = postfix-rbl
logpath = /var/log/mail.log
maxretry = 2
bantime = 10800

You might want to adjust bantime; the default of 600 is pretty low.

Gently reload fail2ban

Code:
service fail2ban reload

and check your logfile for growing bans and reduced DNS lookups from your server

Code:
tail -f /var/log/fail2ban.log
To get rid of "Relay access denied" spamming, add this failregex line:

Code:
^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 454 4\.7\.1 <\S*>: Relay access denied;.*$
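Before enabling a filter like the one above, it is worth checking what its failregex lines actually catch, the way fail2ban-regex does. The following is an added example (not code from the post or from fail2ban) that expands the two fail2ban placeholders and runs the postfix-hnf rules, plus the "Relay access denied" line from the follow-up, over constructed log lines. The %(__prefix_line)s and <HOST> stand-ins are simplified assumptions rather than fail2ban's own definitions, and STRICT_HNF is a reconstruction of the stricter shipped rule the post complains about (one that only accepts empty from=<> and to=<>), also an assumption. The sample log uses documentation IP ranges and example domains.

```python
import re
from collections import Counter

# Simplified stand-ins for fail2ban's substitutions (assumption: fail2ban builds
# %(__prefix_line)s from common.conf and has its own, richer <HOST> pattern).
_DAEMON = r"postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]"
PREFIX_LINE = (
    r"(?:\d+ )?"                                      # optional leading line number, as in the post's paste
    r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ "  # syslog "Oct  5 13:48:19 host "
    + _DAEMON + r"\[\d+\]: "                          # "postfix/smtpd[12048]: "
)
HOST_TAG = r"(?P<host>[0-9a-fA-F.:]+|[\w.-]+)"        # IPv4/IPv6 literal or hostname

# failregex lines copied from the postfix-hnf filter in the post, plus the
# "Relay access denied" rule from the follow-up (index 7).
FAILREGEX = [
    r"^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$",
    r"^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 Client host rejected: cannot find your hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$",
    r"^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 <\S*>: Helo command rejected: Host not found;.*$",
    r"^%(__prefix_line)sNOQUEUE: reject: EHLO from \S+\[<HOST>\]: 504 5\.5\.2 <\S+>: Helo command rejected: need fully-qualified hostname;",
    r"^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$",
    r"^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.1\.8 <\S*>: Sender address rejected: Domain not found; from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$",
    r"^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$",
    r"^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 454 4\.7\.1 <\S*>: Relay access denied;.*$",
]

# Reconstruction (assumption) of the stricter shipped "Host not found" rule:
# it only matches when both from=<> and to=<> are empty, so real rejections
# that carry a recipient are never counted.
STRICT_HNF = (
    r"^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 <\S*>: "
    r"Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo=<\S*>$"
)

# Constructed sample mail log: two "Host not found" rejects from one client,
# one "cannot find your hostname", one "Relay access denied", two clean lines.
SAMPLE_LOG = """\
Oct  5 13:48:19 mx postfix/smtpd[12048]: NOQUEUE: reject: RCPT from mail.example.net[192.0.2.10]: 450 4.7.1 <exch01.example.local>: Helo command rejected: Host not found; from=<> to=<user@example.org> proto=ESMTP helo=<exch01.example.local>
Oct  5 13:48:25 mx postfix/smtpd[12048]: NOQUEUE: reject: RCPT from mail.example.net[192.0.2.10]: 450 4.7.1 <exch01.example.local>: Helo command rejected: Host not found; from=<bob@example.net> to=<user@example.org> proto=ESMTP helo=<exch01.example.local>
Oct  5 13:49:01 mx postfix/smtpd[12050]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.7.1 Client host rejected: cannot find your hostname, [198.51.100.7]; from=<spam@example.com> to=<user@example.org> proto=ESMTP helo=<ylmf-pc>
Oct  5 13:49:30 mx postfix/smtpd[12051]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 454 4.7.1 <victim@example.com>: Relay access denied; from=<x@example.com> to=<victim@example.com> proto=ESMTP helo=<WIN-PC>
Oct  5 13:50:00 mx postfix/smtpd[12052]: connect from mail.example.org[192.0.2.50]
Oct  5 13:50:01 mx postfix/smtpd[12052]: 3A1B2C3D4E: client=mail.example.org[192.0.2.50]
"""


def compile_filter(patterns):
    """Expand the fail2ban placeholders and compile each failregex line."""
    return [
        re.compile(p.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST_TAG))
        for p in patterns
    ]


def match_hosts(log_text, patterns):
    """Return (host, rule_index) for every log line caught by a rule.

    Like fail2ban, the first matching rule wins; lines no rule catches are skipped.
    """
    compiled = compile_filter(patterns)
    hits = []
    for line in log_text.splitlines():
        for idx, rx in enumerate(compiled):
            m = rx.search(line)
            if m:
                hits.append((m.group("host"), idx))
                break
    return hits


def ban_candidates(log_text, patterns, maxretry=2):
    """Hosts whose failure count reaches maxretry (the jail's maxretry = 2).

    findtime is ignored here: every sample line is treated as inside the window.
    """
    counts = Counter(host for host, _ in match_hosts(log_text, patterns))
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for host, idx in match_hosts(SAMPLE_LOG, FAILREGEX):
        print(f"rule {idx} caught {host}")
    print("would ban:", ban_candidates(SAMPLE_LOG, FAILREGEX))
    print("strict rule catches:", match_hosts(SAMPLE_LOG, [STRICT_HNF]))
```

Running it shows the improved rule counting both "Host not found" rejects from 192.0.2.10 (which alone reaches maxretry = 2), the "cannot find your hostname" and 454 relay rejects each counted once, and the strict reconstruction catching nothing, because the recipient field is never empty in real rejections.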