
I have a problem: my fail2ban will not ban SASL authentications against my Postfix.

This is an example log entry from /var/log/syslog:

Jul 31 13:42:21 v50428 postfix/smtps/smtpd[635398]: warning: xxxx.de[xx.xx.xx.98]: SASL LOGIN authentication failed: authentication failure

This is the Jail-filter "postfix-sasl" in fail2ban:

 [Definition]
_daemon = postfix/(submission/)?smtp(d|s)
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/:]*={0,2})?\s*$
ignoreregex = authentication failed: Connection lost to authentication server$

[INCLUDES]
before = common.conf

[Init]
journalmatch = _SYSTEMD_UNIT=postfix.service
ignoreregex = 

And this is the Jail:

[postfix-sasl]
enabled = true
filter = postfix-sasl
action = iptables-multiport[name=postfix-sasl, port="smtp,25,465,submission,imap3,imaps,pop3,pop3s"]
         sendmail[dest="alert@xxx.de", sender="info@xxx.de", sendername="Fail2Ban", name="apache"]
logpath = /var/log/syslog
maxretry = 3

These are both Postfix service types that allow SASL authentication:

smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
submission inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
nils50122

1 Answer


I haven't used a postfix-sasl filter, but based on what I see, the problem seems to be caused by the _daemon directive which is wrong (for the log entry you provided), so the failregex won't match anything.

Replace the _daemon directive with the following (taken from fail2ban's current stock postfix filter):

_daemon = postfix(-\w+)?/\w+(?:/smtp[ds])?

Also remove the whitespace before the [Definition] section, in case that wasn't a typo upon copy-pasting.

Test the regex if you like:

fail2ban-regex <log-file> /etc/fail2ban/filter.d/postfix-sasl.conf

Reload fail2ban and give it a try.

AndroidX
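To see why the `_daemon` value from the question fails for the `postfix/smtps/smtpd` log line while the replacement from the answer matches it, the following Python script (added here as an illustration; it is not fail2ban's code and not part of either post) assembles the failregex the way fail2ban does, by substituting `_daemon` into a prefix expression and `<HOST>` into the rule, and runs both variants against two constructed syslog lines: one from the `smtps` service and one from `submission`. The prefix expression and the `<HOST>` pattern are deliberately simplified stand-ins for `common.conf`'s `__prefix_line` and fail2ban's host matcher (assumption: they keep only the parts relevant here, namely timestamp, hostname and `daemon[pid]:`), so `fail2ban-regex` remains the authoritative check. The `(?i)` flag inside the question's failregex is written in the scoped form `(?i:...)` because Python 3.11 and later reject a global inline flag that is not at the start of the expression.

```python
import re

# Two constructed log lines shaped like the entry in the question (documentation
# IPs, made-up hostnames). One comes from the smtps service, one from submission.
SMTPS_LINE = ("Jul 31 13:42:21 v50428 postfix/smtps/smtpd[635398]: warning: "
              "mail.example.org[203.0.113.98]: SASL LOGIN authentication failed: "
              "authentication failure")
SUBMISSION_LINE = ("Jul 31 13:45:02 v50428 postfix/submission/smtpd[635410]: warning: "
                   "unknown[203.0.113.99]: SASL PLAIN authentication failed: "
                   "authentication failure")

# _daemon as posted in the question and as suggested in the answer.
DAEMON_ORIGINAL = r"postfix/(submission/)?smtp(d|s)"
DAEMON_FIXED = r"postfix(-\w+)?/\w+(?:/smtp[ds])?"

# Simplified model of common.conf's __prefix_line (assumption, not fail2ban's
# exact expression): syslog timestamp, hostname, then an optional
# "<daemon>[<pid>]: " block built from _daemon, exactly like fail2ban's
# %(_daemon)s substitution.
PREFIX_TEMPLATE = (r"(?:\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+"
                   r"(?:%(_daemon)s(?:\[\d+\])?:\s+)?")

# Simplified stand-in for fail2ban's <HOST> (IPv4/IPv6 literals only).
HOST = r"(?P<host>[0-9a-fA-F:.]+)"


def build_failregex(daemon: str) -> re.Pattern:
    """Assemble the effective failregex from the question's rule for a given _daemon."""
    prefix = PREFIX_TEMPLATE % {"_daemon": daemon}
    pattern = (r"^" + prefix
               + r"warning: [-._\w]+\[" + HOST + r"\]: SASL "
               r"(?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
               r"(: [ A-Za-z0-9+/:]*={0,2})?\s*$")
    return re.compile(pattern)


def matched_host(daemon: str, line: str):
    """Return the host fail2ban would ban for this line, or None if the rule misses."""
    m = build_failregex(daemon).match(line)
    return m.group("host") if m else None


def run_checks() -> dict:
    """Evaluate both _daemon variants against both service types."""
    results = {}
    for dname, daemon in (("original", DAEMON_ORIGINAL), ("fixed", DAEMON_FIXED)):
        for lname, line in (("smtps", SMTPS_LINE), ("submission", SUBMISSION_LINE)):
            results[(dname, lname)] = matched_host(daemon, line)
    return results


if __name__ == "__main__":
    for (dname, lname), host in run_checks().items():
        verdict = f"match, host={host}" if host else "NO MATCH"
        print(f"_daemon={dname:8s} service={lname:10s} -> {verdict}")
```

Running it shows the asymmetry behind the question: the original `_daemon` still matches `postfix/submission/smtpd` (its optional `submission/` group covers that case), but on `postfix/smtps/smtpd` it consumes `postfix/smtps` and then finds `/smtpd` where it expects the pid or colon, so the whole prefix fails and nothing is banned for the `smtps` service. The replacement expression accepts both syslog names.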