Hi Guys, I have set up the mail server as written in the Perfect Setup (multiserver configuration). I have set up fail2ban in this way:

/etc/fail2ban/filter.d/dovecot-pop3imap.conf
Code:

    [Definition]
    failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Discon$
    ignoreregex =

/etc/fail2ban/filter.d/postfix.conf
Code:

    # Fail2Ban configuration file
    #
    # Author: Cyril Jaquier
    #
    # $Revision: 728 $
    #

    [Definition]

    # Option: failregex
    # Notes.: regex to match the password failures messages in the logfile. The
    #         host must be matched by a group named "host". The tag "<HOST>" can
    #         be used for standard IP/hostname matching and is only an alias for
    #         (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
    # Values: TEXT
    #
    failregex = reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
                reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
                reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1

    # Option: ignoreregex
    # Notes.: regex to ignore. If this regex matches, the line is ignored.
    # Values: TEXT
    #
    ignoreregex =

/etc/fail2ban/filter.d/sasl.conf
Code:

    # Fail2Ban configuration file
    #
    # Author: Yaroslav Halchenko
    #
    # $Revision: 728 $
    #

    [Definition]

    # Option: failregex
    # Notes.: regex to match the password failures messages in the logfile. The
    #         host must be matched by a group named "host". The tag "<HOST>" can
    #         be used for standard IP/hostname matching and is only an alias for
    #         (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
    # Values: TEXT
    #
    #failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$
    failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed

    # Option: ignoreregex
    # Notes.: regex to ignore. If this regex matches, the line is ignored.
    # Values: TEXT
    #
    ignoreregex =

I have received thousands of DEFERRED emails from various IP addresses with different email addresses.
I would like to share the SMTP only for the registered user as mentioned in your Perfect Setup Server, but I don't understand why it doesn't work as well. Thanks
You mix up several things here. Fail2ban is software to block brute force password attacks, e.g. on SMTP accounts; deferred emails are not brute force password attacks. That's what your setup is doing at the moment: only users that are logged in with SMTP can send emails through your server. So you are looking in the wrong direction at the moment. To find out what is really happening, you have to explain where you see the deferred emails: are they listed in the mail queue (please post an excerpt of "postqueue -p"), or do you get these emails in a mailbox?
Hi Till, both. I can see some emails in the deferred folders on the mail server and other emails in the Outlook inbox folder. The emails have a domain like [number].com. Screenshot
If you see these deferred emails just coming into your server, then someone is misusing an email address that has its mailbox on your server as the sender address for spam emails. So it's not your server that sends the emails; your server just receives the undelivered messages. In such a case there is not much that you can do against it when the emails are not sent through your server; it will most likely stop after a day or two. You can verify that by inspecting the headers of the undelivered messages; they should contain the delivery path. If the original server that sent the emails is not your server, then it is the scenario that I explained above.
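Added example, not part of the thread: a Python script for the header check described in the reply above, which extracts the Received lines of the original message embedded in a bounce and tests whether your own server appears in the delivery path. The hostname mail.example.com, the sample bounce and the function names are assumptions made for illustration.

```python
import email
import re
from email import policy
MY_SERVERS = {"mail.example.com"}  # assumption: your own mail server hostnames
BY_HOST = re.compile(r"\bby\s+([\w.-]+)", re.I)

# Constructed bounce for illustration; all hosts and addresses are made up.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.remote.example
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B"

--B
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.remote.example

Final-Recipient: rfc822; nobody@remote.example
Action: failed
Status: 5.1.1

--B
Content-Type: message/rfc822

Received: from unknown (HELO 12345.example) ([203.0.113.7])
 by mx.remote.example with SMTP; Mon, 1 Jan 2024 10:00:00 +0000
From: user@example.com

body
--B--
"""

def original_received(bounce_text):
    """Received headers of the original message embedded in a bounce."""
    msg = email.message_from_string(bounce_text, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0).get_all("Received", [])
        if part.get_content_type() == "text/rfc822-headers":
            hdrs = email.message_from_string(part.get_content(), policy=policy.default)
            return hdrs.get_all("Received", [])
    return []

def sent_through_my_server(bounce_text, my_servers=MY_SERVERS):
    # True if any "by <host>" hop in the original delivery path is one of my_servers.
    hops = {m.group(1).lower() for r in original_received(bounce_text)
            for m in BY_HOST.finditer(str(r))}
    return bool(hops & {h.lower() for h in my_servers})
```

A result of False for a bounce means the original message never passed through the listed servers, which is the forged-sender scenario; Received lines written before the first server you trust can be forged, so rely only on hops recorded by trusted hosts.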