Postfix bruteforce attack via pam - Fail2ban doesn't block

Discussion in 'Server Operation' started by josephF, Aug 10, 2017.

    josephF (New Member)

    Hi all!

    I'm coming to you because I've got these repeated attempts on my Postfix server.
    Content of auth.log:
    Code:
    Aug 10 06:18:41 www saslauthd[28671]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Aug 10 06:18:43 www saslauthd[28671]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
    Aug 10 06:18:43 www saslauthd[28671]: do_auth         : auth failure: [user=changeseachtime] [service=smtp] [realm=mail.mydomain.com] [mech=pam] [reason=PAM auth error]
    I've got Postfix on Debian 8 with Cyrus SASL, DKIM, DMARC, Postgrey, and SpamAssassin.
    I do not use postscreen, nor ClamAV or Amavis.
    I use these lines in main.cf to prevent spamming:
    Code:
    smtpd_sender_restrictions = reject_unknown_address
    smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_invalid_hostname,
        reject_unauth_pipelining,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        reject_rbl_client blackholes.easynet.nl,
        reject_rbl_client cbl.abuseat.org,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client sbl.spamhaus.org,
        check_policy_service inet:127.0.0.1:10023,
        permit
    smtpd_error_sleep_time = 1s
    smtpd_soft_error_limit = 10
    smtpd_hard_error_limit = 20
    
    and I do use fail2ban; I've enabled the postfix and postfix-sasl regexes in jail.local (a copy of the original jail.conf), but it doesn't block these attempts.
    I've also added iptables rules to block auth failures on SMTP, but that doesn't block them either.
    I use UFW for the firewall.

    If I'm correct, the problem is that there is no regex for PAM (saslauthd) authentication in fail2ban.
    Could someone help me make a regex for fail2ban?

    I've spent a lot of time trying to find a solution; I didn't find anything except an old PAM plugin named pam_abl, but it's outdated.
    Postscreen seems to avoid some connections from undesired people (blacklists), but it makes delivery really long (5-20 min).

    Sorry for my approximate English.

    Thanks in advance.

    Joseph
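An added example, not from the original post and not fail2ban's own code: the saslauthd/pam_unix line quoted above ends in an empty rhost=, so it carries no client address for a fail2ban filter to extract, whereas the Postfix smtpd warning logged for each failed SASL attempt puts the address in brackets and is the line the stock postfix-sasl filter keys on. This Python script parses constructed samples of both formats (all log lines, IPs and names are made up), shows that the saslauthd line yields no host, and counts failures per IP the way a jail with maxretry would.

```python
import re
from collections import Counter

# Constructed sample lines (not from the original post), modelled on the two formats
# involved: saslauthd/pam_unix logs an empty rhost=, while Postfix's smtpd logs the
# client address on every failed SASL attempt. Addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
Aug 10 06:18:41 www saslauthd[28671]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 10 06:18:43 www saslauthd[28671]: do_auth         : auth failure: [user=alice] [service=smtp] [realm=mail.example.com] [mech=pam] [reason=PAM auth error]
Aug 10 06:18:43 www postfix/smtpd[28690]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Aug 10 06:18:45 www postfix/smtpd[28690]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Aug 10 06:18:47 www postfix/smtpd[28690]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
Aug 10 06:19:01 www postfix/smtpd[28701]: warning: host.example.net[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
"""

# saslauthd/pam_unix line: capture whatever follows "rhost=" (often nothing at all).
SASLAUTHD_RE = re.compile(
    r"saslauthd\[\d+\]: pam_unix\(\w+:auth\): authentication failure;.*\brhost=(?P<rhost>\S*)"
)
# Postfix smtpd line: the shape the stock fail2ban postfix-sasl filter keys on,
# because it is the one that carries the client IP in brackets.
POSTFIX_SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: [-._\w]+\[(?P<host>[0-9A-Fa-f.:]+)\]: "
    r"SASL (?:LOGIN|PLAIN|CRAM-MD5|DIGEST-MD5) authentication failed"
)


def saslauthd_rhost(line):
    """Return the rhost from a pam_unix failure line, or None if absent or empty."""
    m = SASLAUTHD_RE.search(line.rstrip("\n"))
    if m is None or not m.group("rhost"):
        return None
    return m.group("rhost")


def postfix_sasl_failures(log_text):
    """Count failed SASL logins per client IP from Postfix smtpd warnings."""
    counts = Counter()
    for line in log_text.splitlines():
        m = POSTFIX_SASL_RE.search(line)
        if m:
            counts[m.group("host")] += 1
    return counts


def hosts_over_threshold(counts, maxretry):
    """IPs a jail with maxretry=N would ban (findtime window ignored here)."""
    return sorted(ip for ip, n in counts.items() if n >= maxretry)
```

Run against real logs, the point to check is whether the Postfix smtpd warnings actually appear in the file the postfix-sasl jail watches (mail.log, not auth.log), since the saslauthd lines alone give fail2ban nothing to ban.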