Hi Doug,

Here's how I configured my fail2ban:

> 1. I get hit with small floods of "Sender address rejected: Domain not found" 
> from the same sender.

You can add this in filter.d/postfix.conf if you don't already have it (it should 
be there on recent Debian systems):

failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
            ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
            ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$

It will ban any IP that is attempting to send an e-mail to a mailbox that 
doesn't exist, and this includes non-existent mailboxes in your own domain 
(typical mailboxes are info, sales, webmaster, etc.).

> 2. People attempting to actually auth against smtpd with a username and 
> password

Change this in jail.local:

# jail header restored; the section name is assumed from the filter name
[sasl]
enabled  = true
port     = smtp
filter   = sasl
action   = shorewall
logpath  = /var/log/mail.warn
maxretry = 3
findtime = 600

Other configuration:

I replaced syslog with mail.log, which is more specific, for both postfix and 

# jail headers restored; the section names are assumed from the filter names
[postfix]
enabled  = true
port     = smtp
filter   = postfix
logpath  = /var/log/mail.log

[dovecot]
enabled = true
port    = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
filter  = dovecot
logpath = /var/log/mail.log

> 3. Spam floods, mostly from Chinese addresses, with the "lost connection 
> after AUTH from unknown" dance. 

I don't know about this one; I also don't consider "lost connection after AUTH 
from unknown" to be a sign of an attack. I have a fair amount of these lines 
coming from my own machines too. There might be something wrong somewhere (and 
I should investigate and fix it when I have time), but not necessarily an 

  -- Yassine.
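To see what the filter quoted in the reply above actually counts against a host, here is an added example (not code from the thread or from fail2ban itself): the four failregex lines, with simplified stand-ins for fail2ban's __prefix_line and <HOST> macros (an assumption; the real common.conf prefix is more elaborate), run over constructed log lines, including one 450 4.1.8 "Sender address rejected" line that none of the four patterns cover.

```python
import re
from collections import Counter

# Stand-ins for the fail2ban macros. PREFIX is a simplified __prefix_line
# (assumption: "hostname postfix/smtpd[pid]: "); HOST is the expansion
# fail2ban substitutes for <HOST>.
PREFIX = r"\s*(?:\S+ )?(?:postfix/\S+\[\d+\]: )?"
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# fail2ban strips the syslog timestamp before applying failregex; mimic that.
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")

# The four failregex lines from filter.d/postfix.conf quoted in the reply.
FAILREGEX = [
    r"^%(p)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$",
    r"^%(p)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$",
    r"^%(p)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$",
    r"^%(p)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$",
]
COMPILED = [re.compile((rx % {"p": PREFIX}).replace("<HOST>", HOST)) for rx in FAILREGEX]

# Constructed sample log (not a real log); 192.0.2.0/24 is a documentation range.
SAMPLE_LOG = """\
Mar 19 19:03:01 mx postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <sales@example.org>: Relay access denied; from=<a@bad.invalid> to=<sales@example.org> proto=ESMTP helo=<bad.invalid>
Mar 19 19:03:02 mx postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <info@example.org>: Relay access denied; from=<a@bad.invalid> to=<info@example.org> proto=ESMTP helo=<bad.invalid>
Mar 19 19:03:03 mx postfix/smtpd[2231]: improper command pipelining after EHLO from unknown[192.0.2.10]:
Mar 19 19:03:04 mx postfix/smtpd[2240]: NOQUEUE: reject: VRFY from unknown[192.0.2.20]: 550 5.1.1 <root>: Recipient address rejected: User unknown; to=<root> proto=ESMTP helo=<x>
Mar 19 19:03:05 mx postfix/smtpd[2241]: NOQUEUE: reject: RCPT from unknown[192.0.2.30]: 450 4.1.8 <a@nx.invalid>: Sender address rejected: Domain not found; from=<a@nx.invalid> to=<info@example.org> proto=ESMTP helo=<nx.invalid>
Mar 19 19:03:06 mx postfix/smtpd[2242]: connect from mail.example.net[192.0.2.40]
"""


def strip_timestamp(line):
    return TIMESTAMP.sub("", line, count=1)


def matched_hosts(log):
    """Return the <host> captured for every line that hits one of the failregex patterns."""
    hits = []
    for raw in log.splitlines():
        line = strip_timestamp(raw)
        for rx in COMPILED:
            m = rx.match(line)
            if m:
                hits.append(m.group("host"))
                break
    return hits


def hosts_to_ban(log, maxretry=3):
    """Hosts reaching maxretry hits, as the jail counts them within one findtime window."""
    counts = Counter(matched_hosts(log))
    return sorted(h for h, n in counts.items() if n >= maxretry)
```

With the sample above, only 192.0.2.10 reaches three hits; the 450 4.1.8 sender-domain rejection from 192.0.2.30 is never counted, so a flood of those alone would not trigger this jail.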

On Sunday, March 19, 2017 7:03 PM, Doug <domain_name_t...@yahoo.com> wrote:

My next step for my mail system revamp is to add fail2ban. I've read up on how 
to configure it for Postfix and I think I'm up to speed. I have a few things 
which I have ideas about configuring for, so if anyone has experiences with 
these, or warnings against using them, I would appreciate the feedback. 

