fail2ban Postfix tuning...

Discussion in 'Server Operation' started by SamTzu, Jul 1, 2017.

  1. SamTzu

    SamTzu Member HowtoForge Supporter

    I'm getting a lot of connection errors in logs from certain hosts like this:
    Code:
    Jul  1 14:53:46 www postfix/smtpd[5589]: NOQUEUE: reject: RCPT from unknown[188.138.123.183]: 454 4.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mta2.1edut.com>
    Jul  1 14:53:47 www postfix/smtpd[27726]: warning: hostname thanatos.ocalhost.de does not resolve to address 188.138.123.183
    Jul  1 14:53:47 www postfix/smtpd[27726]: connect from unknown[188.138.123.183]
    Jul  1 14:53:47 www postfix/smtpd[27726]: NOQUEUE: filter: RCPT from unknown[188.138.123.183]: <[email protected]>: Sender address triggers FILTER amavis:[127.0.0.1]:10026; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mta2.1edut.com>
    Jul  1 14:53:47 www postfix/smtpd[27726]: NOQUEUE: filter: RCPT from unknown[188.138.123.183]: <[email protected]>: Sender address triggers FILTER amavis:[127.0.0.1]:10024; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mta2.1edut.com>
    Jul  1 14:53:47 www postfix/smtpd[27726]: NOQUEUE: reject: RCPT from unknown[188.138.123.183]: 454 4.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mta2.1edut.com>
    Jul  1 14:53:48 www postfix/smtpd[27726]: NOQUEUE: filter: RCPT from unknown[188.138.123.183]: <[email protected]>: Sender address triggers FILTER amavis:[127.0.0.1]:10026; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mta2.1edut.com>
    Jul  1 14:53:48 www postfix/smtpd[27726]: NOQUEUE: filter: RCPT from unknown[188.138.123.183]: <[email protected]>: Sender address triggers FILTER amavis:[127.0.0.1]:10024; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mta2.1edut.com>
    Jul  1 14:53:48 www postfix/smtpd[27726]: NOQUEUE: reject: RCPT from unknown[188.138.123.183]: 454 4.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mta2.1edut.com>
    
    Does anyone know how to get fail2ban to block those?
    I tried to add "RCPT from unknown" to /etc/fail2ban/filter.d/postfix.conf, but that did not help.

    Code:
    failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
    #            ^%(__prefix_line)sNOQUEUE: filter: RCPT from unknown \S+\[<HOST>\]: .*$
                ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
                ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
                ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$
    
     
  2. ztk.me

    ztk.me ISPConfig Developer

    Code:
    ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 454 4\.7\.1 <\S*>: Relay access denied;.*$
    
    
    should do the trick
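To see why the stock 554 rule quoted in the question never fires on these lines while the 454 rule in the reply does, the following added example (not code from the thread or from fail2ban) replays both failregex patterns over constructed log lines modelled on the ones above. It uses a simplified stand-in for fail2ban's `__prefix_line` and `<HOST>` placeholders (the real ones in filter.d/common.conf are broader), strips the syslog timestamp the way fail2ban does before matching, and tallies hits per IP so a `maxretry`-style threshold can be applied; the IPs and addresses are RFC 5737 documentation values, not the ones from the thread.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the thread's log excerpt (placeholder IPs and addresses).
SAMPLE_LOG = """\
Jul  1 14:53:46 www postfix/smtpd[5589]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 454 4.7.1 <user@example.net>: Relay access denied; from=<sender@example.org> to=<user@example.net> proto=ESMTP helo=<mta.example.org>
Jul  1 14:53:47 www postfix/smtpd[27726]: connect from unknown[192.0.2.10]
Jul  1 14:53:47 www postfix/smtpd[27726]: NOQUEUE: filter: RCPT from unknown[192.0.2.10]: <user@example.net>: Sender address triggers FILTER amavis:[127.0.0.1]:10026; from=<sender@example.org> to=<user@example.net> proto=ESMTP helo=<mta.example.org>
Jul  1 14:53:47 www postfix/smtpd[27726]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 454 4.7.1 <user@example.net>: Relay access denied; from=<sender@example.org> to=<user@example.net> proto=ESMTP helo=<mta.example.org>
Jul  1 14:53:48 www postfix/smtpd[27726]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 454 4.7.1 <user@example.net>: Relay access denied; from=<sender@example.org> to=<user@example.net> proto=ESMTP helo=<mta.example.org>
Jul  1 14:53:50 www postfix/smtpd[27726]: NOQUEUE: reject: RCPT from mail.example.com[198.51.100.7]: 554 5.7.1 <user@example.net>: Relay access denied; from=<a@example.com> to=<user@example.net> proto=ESMTP helo=<mail.example.com>
"""

# Simplified stand-ins (assumptions): fail2ban's real __prefix_line and <HOST> definitions are more general.
PREFIX_LINE = r"\S+\s+postfix/\S+\[\d+\]:\s+"          # "host postfix/smtpd[pid]: "
HOST_GROUP = r"(?P<host>[\w\-.:]+)"                     # IPv4, IPv6 or hostname inside [...]
TIMESTAMP = re.compile(r"^\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+")  # "Jul  1 14:53:46 "

# The 554 rule from the stock filter quoted in the question, and the 454 rule proposed in the reply.
FILTER_554 = r"^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$"
FILTER_454 = r"^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 454 4\.7\.1 <\S*>: Relay access denied;.*$"


def compile_failregex(failregex):
    """Expand the two fail2ban placeholders into a plain Python regex."""
    pattern = failregex.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST_GROUP)
    return re.compile(pattern)


def count_failures(log_text, failregex):
    """Return a Counter of host -> number of matching lines (fail2ban's per-IP failure tally)."""
    rx = compile_failregex(failregex)
    hits = Counter()
    for line in log_text.splitlines():
        line = TIMESTAMP.sub("", line, count=1)   # the date prefix is consumed before failregex is applied
        match = rx.match(line)
        if match:
            hits[match.group("host")] += 1
    return hits


def would_ban(log_text, failregex, maxretry=3):
    """Hosts whose failure count reaches maxretry (findtime is ignored: all sample lines are seconds apart)."""
    return sorted(host for host, n in count_failures(log_text, failregex).items() if n >= maxretry)


if __name__ == "__main__":
    for name, rx in (("stock 554 rule", FILTER_554), ("454 rule from the reply", FILTER_454)):
        print(f"{name}: {dict(count_failures(SAMPLE_LOG, rx))} -> ban {would_ban(SAMPLE_LOG, rx)}")
```

The 554 rule only catches the permanent-rejection line from the second host, so the three 454 temporary rejections from 192.0.2.10 are never counted; the 454 rule counts all three and reaches the default `maxretry` of 3. Once a new rule is in place, `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf` performs the same check against the real log.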
     
