Thanks, Thuban and Peter, for your tips. Unfortunately, I am running Linux and not OpenBSD with OpenSMTPD v6.0.2p1, and in the "event=failed-command" log entries I don't have the "address=" part, as you can see here from a sample entry:

Jun 17 15:18:18 gw smtpd[594]: 7eeee04bdc38046e smtp event=failed-command command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not supported"

-------- Original Message --------
Subject: Re: Fail2Ban filter for OpenSMTPD
Local Time: June 17, 2017 2:40 PM
UTC Time: June 17, 2017 12:40 PM
From: [email protected]
To: [email protected]

* mabi on [17-06-2017 05:57:19 -0400]:
> Hi there,
>
> Does anyone have a fail2ban filter for OpenSMTPD?
>
> I would like to block the many many AUTH LOGIN attempts as you can see here from the logs:
>
> Jun 17 11:55:49 gw smtpd[594]: 7eeebcc95623efe1 smtp event=failed-command command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not supported"
> Jun 17 11:55:52 gw smtpd[594]: 7eeebcc95623efe1 smtp event=closed reason="io-error: Connection reset by peer"
>

Hi,

I use a hand-made tool [1] that checks logs (like fail2ban does). The relevant regex for smtpd is:

.* event=failed-command address=([\S]+) .*

[1]: https://framagit.org/Thuban/vilain

--
:thuban
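
One way to work around the missing "address=" field, as an added example that is not part of the original thread: use the session id at the start of each entry (7eeee04bdc38046e above) to tie a failed AUTH command back to the peer address of the same session. It assumes smtpd also logs an "event=connected address=..." line per session, which the thread does not show; the function name, session ids and addresses in the sample are constructed.

```python
import re
from collections import Counter

# "<session id> smtp event=<name><rest>" as in the entries quoted in the thread.
LINE = re.compile(
    r"smtpd\[\d+\]: (?P<sid>[0-9a-f]{16}) smtp event=(?P<event>[\w-]+)(?P<rest>.*)")
# Anchored directly after event=..., so text inside command="..." (which the
# remote peer controls) is never read as the address.
ADDR = re.compile(r"^ address=(\S+)")

# Constructed sample log. The event=connected format is an assumption.
SAMPLE_LOG = """\
Jun 17 15:18:10 gw smtpd[594]: aaaa000000000001 smtp event=connected address=203.0.113.7 host=203.0.113.7
Jun 17 15:18:18 gw smtpd[594]: aaaa000000000001 smtp event=failed-command command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not supported"
Jun 17 15:18:19 gw smtpd[594]: aaaa000000000001 smtp event=failed-command command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not supported"
Jun 17 15:18:20 gw smtpd[594]: aaaa000000000001 smtp event=closed reason="io-error: Connection reset by peer"
Jun 17 15:19:01 gw smtpd[594]: aaaa000000000002 smtp event=connected address=198.51.100.9 host=mail.example.net
Jun 17 15:19:02 gw smtpd[594]: aaaa000000000002 smtp event=failed-command command="FOO" result="500 5.5.1 Invalid command: Command unrecognized"
Jun 17 15:19:03 gw smtpd[594]: aaaa000000000002 smtp event=failed-command command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not supported"
Jun 17 15:19:30 gw smtpd[594]: aaaa000000000003 smtp event=failed-command command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not supported"
"""

def failed_auth_by_address(lines):
    """Count failed AUTH commands per peer address, resolved via session id."""
    sessions = {}      # session id -> address from event=connected
    hits = Counter()   # address -> number of failed AUTH commands
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        sid, event, rest = m.group("sid", "event", "rest")
        addr = ADDR.match(rest)
        if event == "connected" and addr:
            sessions[sid] = addr.group(1)
        elif event == "failed-command" and ' command="AUTH' in rest:
            # Use address= on the line itself when present, else the session map.
            peer = addr.group(1) if addr else sessions.get(sid)
            if peer:   # session whose connect line was never seen: skip
                hits[peer] += 1
        elif event == "closed":
            sessions.pop(sid, None)   # keep the map bounded
    return hits

if __name__ == "__main__":
    for peer, count in failed_auth_by_address(SAMPLE_LOG.splitlines()).most_common():
        print(peer, count)
```

Because the address comes from an earlier line, a single-line fail2ban failregex cannot express this; the correlation has to run in a script like this or in a log pre-processor that rewrites the entries.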
