
Add these rules to /etc/fail2ban/filter.d/postfix.conf:

failregex = reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
            reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
            reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1

In the fail2ban logs you will get warnings about an IP that is already banned. This is fine: a single IP can connect just once to Postfix and send multiple emails to multiple recipients, so there is really only one connection to the server, but in the Postfix logs the filter sees many failed delivery attempts and so tries to ban the IP multiple times.

2016-04-06 09:43:21,677 fail2ban.actions: WARNING [postfix] Ban 187.84.68.228
2016-04-06 09:43:23,759 fail2ban.actions: WARNING [postfix] 187.84.68.228 already banned
2016-04-06 09:43:27,764 fail2ban.actions: WARNING [postfix] 187.84.68.228 already banned
2016-04-06 09:43:34,774 fail2ban.actions: WARNING [postfix] 187.84.68.228 already banned
2016-04-06 09:43:42,785 fail2ban.actions: WARNING [postfix] 187.84.68.228 already banned
2016-04-06 09:43:47,792 fail2ban.actions: WARNING [postfix] 187.84.68.228 already banned
2016-04-06 09:44:25,840 fail2ban.actions: WARNING [postfix] Ban 222.45.113.17
2016-04-06 09:44:28,915 fail2ban.actions: WARNING [postfix] 222.45.113.17 already banned
2016-04-06 09:44:42,933 fail2ban.actions: WARNING [postfix] Ban 179.107.68.99
2016-04-06 09:44:47,012 fail2ban.actions: WARNING [postfix] 179.107.68.99 already banned
2016-04-06 09:53:14,641 fail2ban.actions: WARNING [postfix] Ban 103.2.83.10

As you can see, the attacks can be very frequent; this filter may help reduce them.
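
To check the filter offline and see where the "already banned" warnings come from, the following added example (not part of the original page and not fail2ban's own code) runs the three failregex lines over constructed Postfix log lines and replays them through a simplified jail model. The IPv4-only stand-in for the <HOST> tag, the sample log and the simulate() helper are assumptions made for illustration.

```python
import re
from collections import Counter

# The three failregex lines from the page, verbatim.
FAILREGEX = [
    r"reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1",
    r"reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1",
    r"reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1",
]
# Assumption: IPv4-only stand-in for fail2ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
COMPILED = [re.compile(rx.replace("<HOST>", HOST)) for rx in FAILREGEX]

# Constructed log lines (documentation addresses). smtpd[2101] is a single
# connection that tries three recipients; smtpd[2102] tries one.
SAMPLE_LOG = """\
Apr  6 09:43:20 mx postfix/smtpd[2101]: connect from unknown[192.0.2.10]
Apr  6 09:43:21 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <a@example.org>: Recipient address rejected
Apr  6 09:43:23 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <b@example.org>: Recipient address rejected
Apr  6 09:43:27 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <c@example.com>: Relay access denied
Apr  6 09:44:25 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.7]: 450 4.7.1 <a@example.org>: Recipient address rejected
Apr  6 09:45:02 mx postfix/smtpd[2103]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 504 5.5.2 <h>: Helo command rejected
"""

def match_host(line):
    """Return the client IP if any failregex matches the line, else None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None

def simulate(log_text, maxretry=1):
    """Simplified jail model: one ticket per `maxretry` matches, no findtime."""
    pending, banned, events = Counter(), set(), []
    for line in log_text.splitlines():
        host = match_host(line)
        if host is None:
            continue
        pending[host] += 1
        if pending[host] >= maxretry:
            pending[host] = 0
            events.append(("already banned" if host in banned else "Ban", host))
            banned.add(host)
    return events

if __name__ == "__main__":
    for action, host in simulate(SAMPLE_LOG):
        print(action, host)
```

On a host with fail2ban installed, the fail2ban-regex tool performs the matching step against the real mail log and filter file.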


contact : @ychaouche yacinechaouche at yahoocom

