Fail2ban postfix host not found rule

Discussion in 'Server Operation' started by lano, Sep 5, 2019.

  1. lano

    lano Member

    ISPC3, Buster, perfect setup.
    I have a problem with one of the IP hammering my server every second or less.
    Sep  5 14:39:13 panda postfix/smtpd[20373]: NOQUEUE: reject: RCPT from unknown[]: 450 4.7.1 <Edco-Edge.edco.local>: Helo command rejected: Host not found; from=<> to=<[email protected]_of_my_client> proto=ESMTP helo=<Edco-Edge.edco.local>
    I would like to set up Fail2ban to block these attacks. I tried several rules, regxp and so on, but no success (from examples from Google search).
    Does anybody have suggestion, how to do it properly? :)
  2. Steini86

    Steini86 Active Member

    You have to give more information to help you.

    The general approach is:
    1. Enable postfix (or postfix-sasl) in fail2ban in file /etc/fail2ban/jail.local
    2. Add or adjust your rule to /etc/fail2ban/filter.d/postfix.conf (or postfix-sasl.conf
    3. Restart fail2ban
    4. Watch your success: watch -d -n 10 fail2ban-client status postfix

    You can test your regex online with some tools like:
  3. lano

    lano Member

    Thanks, it's working now. If anyone has the same problem, here is how it's done:

    /etc/fail2ban/jail.local, added:
    enabled  = true
    port     = smtp,ssmtp,submission
    filter   = postfix
    logpath  = /var/log/mail.log
    maxretry = 50
    /etc/fail2ban/filter.d/postfix.conf added:
    failregex = <mdre-<mode>>
                ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
                ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
                ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
                ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$
                ^%(__prefix_line)sNOQUEUE: reject: RCPT from (.*)\[<HOST>\]: 454 4\.7\.1\.*
    till likes this.

Share This Page