Hi. I noticed so many messages on my server like this:

warning: unknown[37.139.128.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

I've been searching for a way to block these logins through fail2ban and I've found that I should modify the file located at /etc/fail2ban/filter.d/postfix-sasl.conf, but it doesn't exist. If I do a "fail2ban-client status", I get:

- Number of jail: 4
Jail list: dovecot, postfix-sasl, pure-ftpd, sshd

If I do a "fail2ban-client status postfix-sasl", I get:

Status for the jail: postfix-sasl
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- File list: /var/log/mail.log
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:

In my jail.local file I have this:

[postfix-sasl]
enabled = true
port = smtp
filter = postfix
logpath = /var/log/mail.log
maxretry = 3

Then, following this old post https://forum.howtoforge.com/threads/fail2ban-postfix-sasl-does-not-exist.83720/ I believe I have to create postfix-sasl.conf and add the code posted there, and modify jail.local, changing the line filter = postfix to filter = postfix[mode=auth]. Is this correct??? Thanks!
You will see this on any public mailserver in the logs; these are stupid bots that try to authenticate, but improperly. "UGFzc3dvcmQ6" is BASE64 and translates to "Password:". In a default ISPConfig 3 installation the jail.local postfix-sasl part reads:

Code:
[postfix-sasl]
enabled = true
port = smtp
filter = postfix[mode=auth]
logpath = /var/log/mail.log
maxretry = 3

This seems fine to me.
Hi! I haven't made any change in my jail.local file, but if you check my post there's a difference at the line filter = postfix. I don't have [mode=auth]. Do I need to add this? Do I have to create the postfix-sasl.conf file?? Thanks.
Put only

Code:
[postfix-sasl]
enabled = true

in jail.local. Then it gets the rest from the distribution provided settings.
Hi. If I erase from the port line to maxretry and only leave enabled = true, then after restarting fail2ban and doing fail2ban-client status postfix-sasl I receive this:

|- Filter
|  |- Currently failed: 1
|  |- Total failed: 1
|  `- File list: /var/log/mail.log
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:

Then I believe leaving only this line isn't the solution. I repeat: do I have to create the postfix-sasl.conf file??
The postfix-sasl.conf comes with the fail2ban distribution. If your fail2ban is missing that file, then you have to create it or re-install fail2ban to get all the files.

Code:
root@posti:/etc/fail2ban# ls -lh filter.d/postfix-sasl.conf
-rw-r--r-- 1 root root 482 maalis 17  2021 filter.d/postfix-sasl.conf
root@posti:/etc/fail2ban#

Code:
root@posti:/etc/fail2ban# cat filter.d/postfix-sasl.conf
# Fail2Ban filter for postfix authentication failures
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$

ignoreregex = authentication failed: Connection lost to authentication server$

[Init]

journalmatch = _SYSTEMD_UNIT=postfix.service

# Author: Yaroslav Halchenko
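As an added example (not from the thread or from fail2ban itself), this Python script applies the failregex and ignoreregex from the postfix-sasl.conf above to a few constructed mail.log lines, decodes the base64 tail the way the reply explains, and counts failures per host against the maxretry value from jail.local. The PREFIX pattern is a simplified assumption standing in for fail2ban's %(__prefix_line)s, and the filter's (?i) flag is written in the scoped form (?i:...) that Python's re module accepts.

```python
import base64
import re

# Constructed sample of /var/log/mail.log lines (not real server output).
SAMPLE_LOG = """\
Mar 17 10:00:01 posti postfix/smtpd[12345]: warning: unknown[37.139.128.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 17 10:00:05 posti postfix/submission/smtpd[12346]: warning: unknown[37.139.128.9]: SASL PLAIN authentication failed:
Mar 17 10:00:09 posti postfix/smtpd[12347]: warning: unknown[37.139.128.9]: SASL LOGIN authentication failed: Connection lost to authentication server
Mar 17 10:00:10 posti postfix/smtps/smtpd[12348]: warning: unknown[37.139.128.9]: SASL CRAM-MD5 authentication failed:
Mar 17 10:00:12 posti postfix/smtpd[12349]: connect from unknown[37.139.128.9]
"""

# Assumption: a simplified stand-in for fail2ban's %(__prefix_line)s (syslog timestamp,
# hostname, then the _daemon pattern from postfix-sasl.conf followed by its pid).
PREFIX = r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ postfix(?:-\w+)?/(?:submission/|smtps/)?smtp[ds]\[\d+\]: "
# failregex from postfix-sasl.conf: <HOST> becomes a named group and (?i) is scoped.
FAILREGEX = re.compile(
    PREFIX
    + r"warning: [-._\w]+\[(?P<host>[^\]]+)\]: SASL (?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5)"
    r" authentication failed(?P<suffix>:[ A-Za-z0-9+/:]*={0,2})?\s*$"
)
IGNOREREGEX = re.compile(r"authentication failed: Connection lost to authentication server$")

def decode_suffix(suffix):
    """Decode the base64 tail Postfix logs after 'failed:' (UGFzc3dvcmQ6 -> 'Password:')."""
    token = (suffix or "").lstrip(": ").strip()
    if not token:
        return ""
    try:
        return base64.b64decode(token, validate=True).decode("ascii", "replace")
    except ValueError:  # not base64, e.g. a plain-text error message
        return ""

def sasl_failures(log_text):
    """(host, decoded tail) for each line the filter counts: failregex hit, ignoreregex miss."""
    hits = []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m and not IGNOREREGEX.search(line):
            hits.append((m.group("host"), decode_suffix(m.group("suffix"))))
    return hits

def hosts_to_ban(log_text, maxretry=3):
    """Hosts whose counted failures reach maxretry, the value set in jail.local above."""
    counts = {}
    for host, _ in sasl_failures(log_text):
        counts[host] = counts.get(host, 0) + 1
    return sorted(host for host, n in counts.items() if n >= maxretry)
```

The "Connection lost" line matches the failregex but is dropped by the ignoreregex, so only three of the five sample lines count and the host reaches maxretry = 3.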