fail2ban Postfix tuning...

Discussion in 'Server Operation' started by SamTzu, Jul 1, 2017.

  1. SamTzu

    SamTzu Member HowtoForge Supporter

    I'm getting a lot of connection errors in logs from certain hosts like this:
    Code:
    Jul  1 14:53:46 www postfix/smtpd[5589]: NOQUEUE: reject: RCPT from unknown[188.138.123.183]: 454 4.7.1 <i@go4.fi>: Relay access denied; from=<bounce@1edut.com> to=<i@go4.fi> proto=ESMTP helo=<mta2.1edut.com>
    Jul  1 14:53:47 www postfix/smtpd[27726]: warning: hostname thanatos.ocalhost.de does not resolve to address 188.138.123.183
    Jul  1 14:53:47 www postfix/smtpd[27726]: connect from unknown[188.138.123.183]
    Jul  1 14:53:47 www postfix/smtpd[27726]: NOQUEUE: filter: RCPT from unknown[188.138.123.183]: <bounce@1edut.com>: Sender address triggers FILTER amavis:[127.0.0.1]:10026; from=<bounce@1edut.com> to=<i@go4.fi> proto=ESMTP helo=<mta2.1edut.com>
    Jul  1 14:53:47 www postfix/smtpd[27726]: NOQUEUE: filter: RCPT from unknown[188.138.123.183]: <bounce@1edut.com>: Sender address triggers FILTER amavis:[127.0.0.1]:10024; from=<bounce@1edut.com> to=<i@go4.fi> proto=ESMTP helo=<mta2.1edut.com>
    Jul  1 14:53:47 www postfix/smtpd[27726]: NOQUEUE: reject: RCPT from unknown[188.138.123.183]: 454 4.7.1 <i@go4.fi>: Relay access denied; from=<bounce@1edut.com> to=<i@go4.fi> proto=ESMTP helo=<mta2.1edut.com>
    Jul  1 14:53:48 www postfix/smtpd[27726]: NOQUEUE: filter: RCPT from unknown[188.138.123.183]: <bounce@1edut.com>: Sender address triggers FILTER amavis:[127.0.0.1]:10026; from=<bounce@1edut.com> to=<i@go4.fi> proto=ESMTP helo=<mta2.1edut.com>
    Jul  1 14:53:48 www postfix/smtpd[27726]: NOQUEUE: filter: RCPT from unknown[188.138.123.183]: <bounce@1edut.com>: Sender address triggers FILTER amavis:[127.0.0.1]:10024; from=<bounce@1edut.com> to=<i@go4.fi> proto=ESMTP helo=<mta2.1edut.com>
    Jul  1 14:53:48 www postfix/smtpd[27726]: NOQUEUE: reject: RCPT from unknown[188.138.123.183]: 454 4.7.1 <i@go4.fi>: Relay access denied; from=<bounce@1edut.com> to=<i@go4.fi> proto=ESMTP helo=<mta2.1edut.com>
    
    Does anyone know how to get fail2ban to block those?
    I tried to add "RCPT from unknown" to /etc/fail2ban/filter.d/postfix.conf, but that did not help.

    Code:
    failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
    #            ^%(__prefix_line)sNOQUEUE: filter: RCPT from unknown \S+\[<HOST>\]: .*$
                ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
                ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
                ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$
    
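The reason the filter above never fires on the quoted log lines can be checked offline: the post's first `failregex` only accepts a `554 5.7.1` reply, while every "Relay access denied" line in the excerpt carries the temporary `454 4.7.1` code. The script below is an added example, not code from the thread or from the fail2ban project; it expands the two placeholders the post uses (`%(__prefix_line)s` and `<HOST>`) with simplified stand-ins (an assumption: fail2ban's real definitions live in `common.conf` and are broader), runs the post's pattern and a widened one over a constructed log sample, and counts hits per host the way a jail's `maxretry` would (ignoring `findtime`, another simplification).

```python
import re
from collections import Counter

# Constructed sample in the shape of the post's excerpt (not real traffic).
# 188.138.123.183 is the host from the post; 203.0.113.7 (documentation range)
# is added here with a permanent 554 reject for contrast.
SAMPLE_LOG = """\
Jul  1 14:53:46 www postfix/smtpd[5589]: NOQUEUE: reject: RCPT from unknown[188.138.123.183]: 454 4.7.1 <i@go4.fi>: Relay access denied; from=<bounce@1edut.com> to=<i@go4.fi> proto=ESMTP helo=<mta2.1edut.com>
Jul  1 14:53:47 www postfix/smtpd[27726]: connect from unknown[188.138.123.183]
Jul  1 14:53:47 www postfix/smtpd[27726]: NOQUEUE: filter: RCPT from unknown[188.138.123.183]: <bounce@1edut.com>: Sender address triggers FILTER amavis:[127.0.0.1]:10026; from=<bounce@1edut.com> to=<i@go4.fi> proto=ESMTP helo=<mta2.1edut.com>
Jul  1 14:53:47 www postfix/smtpd[27726]: NOQUEUE: reject: RCPT from unknown[188.138.123.183]: 454 4.7.1 <i@go4.fi>: Relay access denied; from=<bounce@1edut.com> to=<i@go4.fi> proto=ESMTP helo=<mta2.1edut.com>
Jul  1 14:53:48 www postfix/smtpd[27726]: NOQUEUE: reject: RCPT from unknown[188.138.123.183]: 454 4.7.1 <i@go4.fi>: Relay access denied; from=<bounce@1edut.com> to=<i@go4.fi> proto=ESMTP helo=<mta2.1edut.com>
Jul  1 14:55:02 www postfix/smtpd[27730]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <x@go4.fi>: Relay access denied; from=<a@example.com> to=<x@go4.fi> proto=ESMTP helo=<mail.example.com>
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

# Simplified stand-ins (assumption) for fail2ban's %(__prefix_line)s and <HOST>:
# syslog timestamp, hostname, then "postfix/smtpd[pid]: ".
PREFIX_LINE = r"\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ postfix/smtpd\[\d+\]: "
HOST = r"(?P<host>[\w\-.^_]*\w)"

# The pattern from the post: it only accepts the permanent 554 5.7.1 reply.
ORIGINAL = r"^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$"

# Widened pattern: accepts both the temporary (454 4.7.1) and permanent (554 5.7.1)
# relay-access rejects, and anchors on the "Relay access denied" text so that
# unrelated rejects with the same code are not counted.
WIDENED = (r"^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: "
           r"[45]54 [45]\.7\.1 <[^>]*>: Relay access denied;.*$")


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand the two placeholders used in the post and compile the regex."""
    expanded = failregex.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST)
    return re.compile(expanded)


def count_hits(failregex: str, lines) -> dict:
    """Return {host: number of matching lines}, like fail2ban's per-IP failure counter."""
    rx = compile_failregex(failregex)
    counts = Counter()
    for line in lines:
        m = rx.match(line)
        if m:
            counts[m.group("host")] += 1
    return dict(counts)


def hosts_over_threshold(failregex: str, lines, maxretry: int) -> list:
    """Hosts whose hit count reached maxretry (findtime is ignored in this model)."""
    return sorted(h for h, n in count_hits(failregex, lines).items() if n >= maxretry)


if __name__ == "__main__":
    print("post's pattern:", count_hits(ORIGINAL, SAMPLE_LINES))
    print("widened pattern:", count_hits(WIDENED, SAMPLE_LINES))
    print("would ban (maxretry=3):", hosts_over_threshold(WIDENED, SAMPLE_LINES, 3))
```

Note that the `NOQUEUE: filter:` and `connect from` lines are deliberately not matched by either pattern: they record normal processing, not a refused delivery, and counting them would ban legitimate senders. Before putting a widened regex into a jail, run `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf` so the match counts come from fail2ban's own placeholder definitions rather than the simplified ones used here.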