fail2ban postfix config question...

Discussion in 'Installation/Configuration' started by BorderAmigos, May 12, 2010.

  1. BorderAmigos

    BorderAmigos New Member

    I recently moved a domain that I mainly used for email from a shared server to my own server. I didn't have great log access on the shared server. Now on my server I see there are non-stop brute force attempts to log in to and relay off of the email on this domain. I set up the following in fail2ban to try and discourage them. A new IP is banned every minute or two all day and night. Most are using similarly formed but non-existent email addresses to try to log in. It seems obvious that this is a bot network with thousands of IP addresses available to it.

    The question is whether any of the following fail2ban configurations are banning legitimate emails?

    In /etc/fail2ban/jail.local
    Code:
    [postfix]
    enabled  = true
    port	 = smtp,ssmtp
    filter   = postfix
    logpath  = /var/log/mail/mail.info
    bantime  = 86400
    maxretry = 1
    
    [postfix-warnings]
    enabled  = true
    port	 = smtp,ssmtp
    filter   = postfix-warnings
    logpath  = /var/log/mail/mail.warn
    bantime  = 86400
    maxretry = 1
    
    /etc/fail2ban/conf.d/postfix.conf
    Code:
    [Definition]
    failregex = reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
                reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
                reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
    ignoreregex = 
    
    /etc/fail2ban/conf.d/postfix-warnings.conf
    Code:
    [Definition]
    failregex = warning: <HOST>(.*)address not listed for hostname.*
                warning: <HOST>(.*)verification failed\: Name or service not known.*
    ignoreregex = 
    
    Thanks in advance for any insight.
     
  2. falko

    falko Super Moderator ISPConfig Developer

    I think that maxretry = 1 is a little bit low - I'd set it to 3 or so.
     
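To see what the posted filters actually match, and why maxretry = 1 is risky, here is an added example (not from the thread) that applies the failregex lines from the two filters above to a few constructed log lines, using fail2ban's default <HOST> expansion, and lists which hosts would be banned at maxretry = 1 versus 3. The IPs, hostnames and addresses are made up; findtime is ignored, so all lines are assumed to fall in one window.

```python
import re
from collections import Counter

# fail2ban's default expansion of the <HOST> placeholder (IPv4, IPv6 or hostname).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# failregex lines copied from the two filters posted in the thread.
POSTFIX_FAILREGEX = [
    r"reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1",
    r"reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1",
    r"reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1",
]
WARNINGS_FAILREGEX = [
    r"warning: <HOST>(.*)address not listed for hostname.*",
    r"warning: <HOST>(.*)verification failed\: Name or service not known.*",
]

def matching_hosts(lines, failregex):
    """Count, per host, the log lines a filter's failregex would match."""
    patterns = [re.compile(r.replace("<HOST>", HOST)) for r in failregex]
    hits = Counter()
    for line in lines:
        for pat in patterns:
            m = pat.search(line)
            if m:
                hits[m.group("host")] += 1
                break  # a line counts once, on the first regex that matches it
    return hits

def banned_hosts(lines, failregex, maxretry):
    """Hosts that reach maxretry matches (findtime ignored: one window assumed)."""
    return sorted(h for h, n in matching_hosts(lines, failregex).items() if n >= maxretry)

# Constructed sample log lines; IPs are documentation ranges, names are invented.
BOT, PARTNER = "203.0.113.7", "198.51.100.9"
REJECT = ("May 12 10:0%d:00 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from %s[%s]: "
          "550 5.1.1 <%s@example.com>: Recipient address rejected: User unknown in local "
          "recipient table; from=<%s> to=<%s@example.com> proto=ESMTP helo=<%s>")
SAMPLE_LOG = [
    # a bot probing three invented mailboxes from one IP
    REJECT % (1, "unknown", BOT, "dave1", "x@spam.invalid", "dave1", "bot"),
    REJECT % (2, "unknown", BOT, "dave2", "x@spam.invalid", "dave2", "bot"),
    REJECT % (3, "unknown", BOT, "dave3", "x@spam.invalid", "dave3", "bot"),
    # a real partner MX whose user mistyped a recipient once
    REJECT % (5, "mail.partner.example", PARTNER, "jhon", "alice@partner.example", "jhon", "mail.partner.example"),
    # the same partner MX hit by a transient DNS failure on our side
    "May 12 10:06:00 mx postfix/smtpd[1235]: warning: %s: hostname mail.partner.example "
    "verification failed: Name or service not known" % PARTNER,
    "May 12 10:07:00 mx postfix/smtpd[1235]: connect from mail.partner.example[%s]" % PARTNER,
]
```

With maxretry = 1 the partner MX is banned for a day by both filters after a single typo or a single DNS hiccup; at maxretry = 3 only the bot IP is banned.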
