I recently moved a domain that I mainly used for email from a shared server to my own server. I didn't have great log access on the shared server. Now on my server I see there are non-stop brute force attempts to log in to and relay off of the email on this domain.

I set up the following in fail2ban to try and discourage them. A new IP is banned every minute or two all day and night. Most are using similarly formed but non-existent email addresses to try to log in. Seems obviously to be a bot network with thousands of IP addresses available to it.

The question is if any of the following fail2ban configurations are banning legitimate emails?

In /etc/fail2ban/jail.local

Code:
[postfix]
enabled = true
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail/mail.info
bantime = 86400
maxretry = 1

[postfix-warnings]
enabled = true
port = smtp,ssmtp
filter = postfix-warnings
logpath = /var/log/mail/mail.warn
bantime = 86400
maxretry = 1

/etc/fail2ban/conf.d/postfix.conf

Code:
[Definition]
failregex = reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
            reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
            reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
ignoreregex =

/etc/fail2ban/conf.d/postfix-warnings.conf

Code:
[Definition]
failregex = warning: <HOST>(.*)address not listed for hostname.*
            warning: <HOST>(.*)verification failed\: Name or service not known.*
ignoreregex =

Thanks in advance for any insight.
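
Added example, not part of the original post: a small Python harness that runs the post's five failregex lines over Postfix-style log lines and reports which client IPs would reach a ban at a given maxretry. It assumes a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag and ignores findtime; every log line, hostname and address in it is constructed.

```python
import re
from collections import Counter

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex lines copied from the two filter files in the post.
FAILREGEX = [
    r"reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1",
    r"reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1",
    r"reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1",
    r"warning: <HOST>(.*)address not listed for hostname.*",
    r"warning: <HOST>(.*)verification failed\: Name or service not known.*",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

# Constructed sample lines (not from the poster's logs).
SAMPLE_LOG = [
    # A sender who mistyped one recipient address, once.
    "postfix/smtpd[1001]: NOQUEUE: reject: RCPT from mail.partner.example[203.0.113.5]: "
    "550 5.1.1 <jon@example.org>: Recipient address rejected: User unknown",
    # A temporary (4xx) rejection that a normal MTA would simply retry later.
    "postfix/smtpd[1002]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: "
    "450 4.7.1 Client host rejected: cannot find your hostname, [198.51.100.7]",
    # A mail server whose forward and reverse DNS do not agree.
    "postfix/smtpd[1003]: warning: 192.0.2.44: address not listed for hostname mail.smallbiz.example",
    # A client that delivered nothing rejectable.
    "postfix/smtpd[1004]: connect from mail.ok.example[192.0.2.10]",
] + [
    # Repeated relay attempts from one address.
    "postfix/smtpd[1005]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: "
    "554 5.7.1 <victim@other.example>: Relay access denied"
] * 3

def count_failures(lines):
    """Count failregex hits per client IP (at most one hit per log line)."""
    hits = Counter()
    for line in lines:
        for rx in COMPILED:
            m = rx.search(line)
            if m:
                hits[m.group("host")] += 1
                break
    return hits

def banned(lines, maxretry=1):
    """IPs whose hit count reaches maxretry (findtime is not modelled)."""
    return sorted(ip for ip, n in count_failures(lines).items() if n >= maxretry)

if __name__ == "__main__":
    for retry in (1, 3):
        print(f"maxretry={retry}: {banned(SAMPLE_LOG, retry)}")
```

Feeding it lines from the real mail.info and mail.warn files shows how many of the banned addresses produced only a single matching line.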