Hi Doug,

Here's how I configured my fail2ban:


> 1. I get hit with small floods of "Sender address rejected: Domain not found" 
> from the same sender.


You can add this in filter.d/postfix.conf if you don't already have it (it should
be there on recent Debian systems):


failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
            ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
            ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$

It will ban any IP that is attempting to send an e-mail to a mailbox that 
doesn't exist, and this includes non-existent mailboxes in your own domain 
(typical mailboxes are info, sales, webmaster, etc.).
> 2. People attempting to actually auth against smtpd with a username and 
> password

Change this in jail.local:


[sasl]
enabled  = true
port     = smtp
filter   = sasl
action   = shorewall
logpath  = /var/log/mail.warn
maxretry = 3
findtime = 600
Other configuration:


I replaced syslog with mail.log, which is more specific, for both postfix and 
dovecot.



[postfix]
enabled  = true
port     = smtp
filter   = postfix
logpath  = /var/log/mail.log

[dovecot]
enabled = true
port    = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
filter  = dovecot
logpath = /var/log/mail.log
> 3. Spam floods, mostly from Chinese addresses, with the "lost connection 
> after AUTH from unknown" dance. 


I don't know about this one. I also don't consider "lost connection after AUTH 
from unknown" to be a sign of an attack. I have a fair amount of these lines 
coming from my own machines too. There might be something wrong somewhere (and 
I should investigate and fix it when I have time), but it is not necessarily an 
attack.



  -- Yassine.
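
As an added check (my own code, not Yassine's or fail2ban's), this runs the four failregex lines above over a constructed mail.log excerpt to see which entries the filter would actually count per host, using my own approximations of fail2ban's %(__prefix_line)s and <HOST> expansions (assumptions, not the definitions from common.conf). The excerpt also carries a "lost connection after AUTH" line from point 3 and a constructed 450 4.1.8 "Domain not found" reject, neither of which this filter matches, so it is worth checking your own logs for which reply codes Postfix emits before relying on it.

```python
import re

# Constructed stand-ins for fail2ban's %(__prefix_line)s (syslog timestamp, host,
# "postfix/<daemon>[pid]: ") and its <HOST> expansion: assumptions, not common.conf's.
PREFIX_LINE = r"\s*\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ postfix/\w+\[\d+\]:\s*"
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The four failregex lines quoted in the reply, verbatim apart from the placeholders.
FAILREGEX = [
    r"^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$",
    r"^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo "
    r"command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$",
    r"^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$",
    r"^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$",
]

# Constructed mail.log excerpt (documentation-range addresses), one event per entry.
SAMPLE_LOG = [
    "Mar 19 19:03:01 mx postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: "
    "554 5.7.1 <bob@example.net>: Relay access denied; from=<a@example.org> "
    "to=<bob@example.net> proto=ESMTP helo=<x>",
    "Mar 19 19:03:02 mx postfix/smtpd[2231]: NOQUEUE: reject: VRFY from unknown[198.51.100.7]: "
    "550 5.1.1 <root>: Recipient address rejected: User unknown in local recipient table; "
    "to=<root> proto=SMTP helo=<y>",
    "Mar 19 19:03:03 mx postfix/smtpd[2240]: improper command pipelining after EHLO "
    "from unknown[192.0.2.9]:",
    "Mar 19 19:03:04 mx postfix/smtpd[2240]: lost connection after AUTH from unknown[192.0.2.9]",
    "Mar 19 19:03:05 mx postfix/smtpd[2250]: NOQUEUE: reject: RCPT from unknown[192.0.2.44]: "
    "450 4.1.8 <x@nx.invalid>: Sender address rejected: Domain not found; "
    "from=<x@nx.invalid> to=<me@example.net> proto=ESMTP helo=<z>",
    "Mar 19 19:03:06 mx postfix/smtpd[2250]: connect from mail.example.org[203.0.113.20]",
]

def compile_failregex(patterns):
    """Substitute the fail2ban placeholders and compile each failregex line."""
    return [re.compile(p.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST))
            for p in patterns]

def matching_hosts(lines, patterns=FAILREGEX):
    """Return the <HOST> captured from each line some failregex matches; each entry
    is one failure fail2ban would count toward maxretry for that host."""
    compiled = compile_failregex(patterns)
    hosts = []
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hosts.append(m.group("host"))
                break  # a line is counted once even if several regexes match it
    return hosts
```

Only the 554, VRFY and pipelining entries are counted here; the AUTH disconnect and the 450 4.1.8 reject pass through unmatched.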


On Sunday, March 19, 2017 7:03 PM, Doug <domain_name_t...@yahoo.com> wrote:



My next step for my mail system revamp is to add fail2ban. I've read up on how 
to configure it for Postfix and I think I'm up to speed. I have a few things 
which I have ideas about configuring for, so if anyone has experiences with 
these, or warnings against using them, I would appreciate the feedback. 

Doug