I'm getting a lot of connection errors in logs from certain hosts like this:

Code:
Jul 1 14:53:46 www postfix/smtpd[5589]: NOQUEUE: reject: RCPT from unknown[188.138.123.183]: 454 4.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mta2.1edut.com>
Jul 1 14:53:47 www postfix/smtpd[27726]: warning: hostname thanatos.ocalhost.de does not resolve to address 188.138.123.183
Jul 1 14:53:47 www postfix/smtpd[27726]: connect from unknown[188.138.123.183]
Jul 1 14:53:47 www postfix/smtpd[27726]: NOQUEUE: filter: RCPT from unknown[188.138.123.183]: <[email protected]>: Sender address triggers FILTER amavis:[127.0.0.1]:10026; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mta2.1edut.com>
Jul 1 14:53:47 www postfix/smtpd[27726]: NOQUEUE: filter: RCPT from unknown[188.138.123.183]: <[email protected]>: Sender address triggers FILTER amavis:[127.0.0.1]:10024; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mta2.1edut.com>
Jul 1 14:53:47 www postfix/smtpd[27726]: NOQUEUE: reject: RCPT from unknown[188.138.123.183]: 454 4.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mta2.1edut.com>
Jul 1 14:53:48 www postfix/smtpd[27726]: NOQUEUE: filter: RCPT from unknown[188.138.123.183]: <[email protected]>: Sender address triggers FILTER amavis:[127.0.0.1]:10026; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mta2.1edut.com>
Jul 1 14:53:48 www postfix/smtpd[27726]: NOQUEUE: filter: RCPT from unknown[188.138.123.183]: <[email protected]>: Sender address triggers FILTER amavis:[127.0.0.1]:10024; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mta2.1edut.com>
Jul 1 14:53:48 www postfix/smtpd[27726]: NOQUEUE: reject: RCPT from unknown[188.138.123.183]: 454 4.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mta2.1edut.com>

Does anyone know how to get fail2ban to block those? I tried to add "RCPT from unknown" to /etc/fail2ban/filter.d/postfix.conf, but that did not help.

Code:
failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
#           ^%(__prefix_line)sNOQUEUE: filter: RCPT from unknown \S+\[<HOST>\]: .*$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
            ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
            ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$

Code:
^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 454 4\.7\.1 <\S*>: Relay access denied;.*$

should do the trick
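
Added example (not part of the original posts): a Python check of the suggested failregex against constructed log lines, showing that the existing `554 5\.7\.1` pattern misses the `454 4.7.1` relay rejects while the suggested one catches them. `PREFIX` and `HOST` are simplified stand-ins for fail2ban's `%(__prefix_line)s` and `<HOST>` substitutions, and all addresses in the sample are constructed.

```python
import re

# Assumptions: simplified stand-ins for fail2ban's %(__prefix_line)s and <HOST>
# substitutions. PREFIX also consumes the syslog timestamp, which fail2ban
# itself strips before applying a failregex.
PREFIX = r"\w{3}\s+\d+ [\d:]+ \S+ postfix/smtpd\[\d+\]: "
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# First pattern from the question's filter, and the pattern from the answer.
EXISTING = r"^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$"
SUGGESTED = (r"^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: "
             r"454 4\.7\.1 <\S*>: Relay access denied;.*$")

# Constructed log lines (documentation IP ranges and example domains).
SAMPLE_LOG = [
    "Jul  1 14:53:46 www postfix/smtpd[5589]: NOQUEUE: reject: RCPT from "
    "unknown[203.0.113.7]: 454 4.7.1 <user@example.net>: Relay access denied; "
    "from=<a@example.org> to=<user@example.net> proto=ESMTP helo=<mta.example.org>",
    "Jul  1 14:53:47 www postfix/smtpd[27726]: warning: hostname host.example.org "
    "does not resolve to address 203.0.113.7",
    "Jul  1 14:53:47 www postfix/smtpd[27726]: NOQUEUE: filter: RCPT from "
    "unknown[203.0.113.7]: <a@example.org>: Sender address triggers FILTER "
    "amavis:[127.0.0.1]:10026; from=<a@example.org> to=<user@example.net> "
    "proto=ESMTP helo=<mta.example.org>",
    "Jul  1 14:54:02 www postfix/smtpd[27730]: NOQUEUE: reject: RCPT from "
    "mail.example.com[198.51.100.9]: 554 5.7.1 <user@example.net>: Relay access "
    "denied; from=<b@example.com> to=<user@example.net> proto=ESMTP "
    "helo=<mail.example.com>",
]


def compile_failregex(pattern):
    """Expand the fail2ban placeholders into a plain Python regex."""
    expanded = pattern.replace("%(__prefix_line)s", PREFIX).replace("<HOST>", HOST)
    return re.compile(expanded)


def matched_hosts(pattern, lines):
    """Return the host captured on each line the failregex matches."""
    rx = compile_failregex(pattern)
    return [m.group("host") for m in map(rx.match, lines) if m]


if __name__ == "__main__":
    for name, pattern in (("existing", EXISTING), ("suggested", SUGGESTED)):
        print(name, matched_hosts(pattern, SAMPLE_LOG))
```

On a live system, `fail2ban-regex` run with the mail log and the filter file as arguments performs the same check using fail2ban's real substitutions.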