fail2ban block ip

Discussion in 'ISPConfig 3 Priority Support' started by Tom John, Apr 18, 2022.

  1. Tom John

    Tom John Active Member HowtoForge Supporter

    Hi guys,
    I am using Ubuntu 20.04 and the perfect server with ISPConfig.
    In the syslog I get the following entry:
    Code:
    Apr 18 20:05:20 mx1 postfix/smtpd[1364646]: connect from unknown[5.34.207.107]
    Apr 18 20:05:21 mx1 postfix/smtpd[1364772]: warning: unknown[5.34.207.107]: SASL LOGIN authentication failed: Connection lost to authentication server
    
    
    I would like fail2ban to block the IP that uses too many connections, like the example above.
    So I set an entry in /etc/fail2ban/jail.local:
    Code:
    [postfix-sasl]
    enabled = true
    port = smtp
    filter = postfix
    logpath = /var/log/mail.log
    maxretry = 3
    
    [sendmail]
    
    enabled  = true
    port     = smtp,ssmtp
    filter   = sendmail
    logpath  = /var/log/mail.log
    bantime  = 28800
    action   = iptables-multiport[name=sendmail-auth, port="submission,465,smtp", protocol=tcp]
    maxretry = 3
    
    
    However, the IP is not blocked.
    Did I miss something, or how could I find a better solution?
    Thanks a lot for your kind help.
     
  2. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    The postfix-sasl jail likely matches the SASL login failure, but not anything based on the number of connections. The sendmail jail I would expect to match lines logged by sendmail, which is not running. In a quick look (at a Debian machine, not Ubuntu) I don't see any filter that matches 'connect from ....' lines, so you may have to create one. Alternatively, if you set postfix connection limits lower you would probably get a different log message when the limit is exceeded, which might have a matching filter already (I don't know the exact message logged offhand, but it's easy to set up a test to find out).
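
Added example, not part of either post and not fail2ban's own code: a Python prototype for the "create one" option in the reply above, which checks a candidate failregex for `connect from` lines against constructed log lines and counts hits per IP inside a time window. The regex, the IPv4-only `<HOST>` expansion, the `FINDTIME` value and the helper names are assumptions; `maxretry = 3` is taken from the posted jails.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Hypothetical failregex in fail2ban syntax for postfix "connect from" lines.
FAILREGEX = r"postfix/smtpd\[\d+\]: connect from \S+\[<HOST>\]$"
MAXRETRY = 3     # same threshold as the jails posted in the thread
FINDTIME = 600   # seconds; assumed counting window

# Constructed sample in the format of the log lines quoted in the thread.
SAMPLE_LOG = """\
Apr 18 20:05:20 mx1 postfix/smtpd[1364646]: connect from unknown[5.34.207.107]
Apr 18 20:05:21 mx1 postfix/smtpd[1364772]: warning: unknown[5.34.207.107]: SASL LOGIN authentication failed: Connection lost to authentication server
Apr 18 20:05:25 mx1 postfix/smtpd[1364773]: connect from unknown[5.34.207.107]
Apr 18 20:05:31 mx1 postfix/smtpd[1364774]: connect from unknown[5.34.207.107]
Apr 18 20:06:02 mx1 postfix/smtpd[1364780]: connect from mail.example.org[192.0.2.10]
Apr 18 20:40:00 mx1 postfix/smtpd[1364900]: connect from mail.example.org[192.0.2.10]
"""

def compile_failregex(expr):
    """Expand the <HOST> tag to a simplified IPv4-only capture group."""
    return re.compile(expr.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"))

def hosts_to_ban(log_text, expr=FAILREGEX, maxretry=MAXRETRY, findtime=FINDTIME, year=2022):
    """Return hosts with at least maxretry matching lines inside findtime seconds."""
    rx = compile_failregex(expr)
    recent = defaultdict(deque)   # host -> timestamps of recent matches
    banned = []
    for line in log_text.splitlines():
        m = rx.search(line)
        if not m:
            continue
        # Syslog timestamps omit the year, so one is supplied.
        ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        hits = recent[m["host"]]
        hits.append(ts)
        # Drop matches that have aged out of the counting window.
        while (ts - hits[0]).total_seconds() > findtime:
            hits.popleft()
        if len(hits) >= maxretry and m["host"] not in banned:
            banned.append(m["host"])
    return banned

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))
```

A filter keyed on `connect from` lines also counts legitimate mail servers, so the threshold and window need checking against real traffic (for instance with `fail2ban-regex`) before such a jail is enabled.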
     
