Here is a preliminary configuration for postfix that I got from another
user (Jeroen Vermeulen) some time ago:


[Postfix]
enabled = true
logfile = /var/log/mail.info
fwstart =
fwend =
fwcheck =
fwban = /sbin/iptables -I fail2ban-postfix 1 -s <ip> -j DROP
fwunban = /sbin/iptables -D fail2ban-postfix -s <ip> -j DROP
timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
timepattern = %%b %%d %%H:%%M:%%S
failregex = reject: (?:RCPT|VRFY) from [a-zA-Z.0-9-]*.(?P<host>[0-9.]*).: (?:.*Relay access denied|554 Service unavailable; Client host \S* blocked using|(?:Sender|Recipient) address rejected)

Can you give it a try and provide your comments -- if that works fine I
would like to include it in the shipped Debian config.

> also sprach Jefferson Cowart <[EMAIL PROTECTED]> [2006.07.10.2148 +0200]:
> > Jul 10 12:39:03 P450 postfix/smtpd[17863]: NOQUEUE: reject: RCPT from
> > mail.servemail.com.br[201.40.235.2]: 550 <[EMAIL PROTECTED]>:
> > Recipient address rejected: User unknown in local recipient table;
> > from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> proto=ESMTP
> > helo=<mail.servemail.com.br>
> Not a bad idea; some thoughts: make sure you include the 5xx in the
> regexp to ensure that clients that legitimately come back don't get
> banned.
Didn't get it -- why would legitimate users have "Recipient address
rejected" but not have a 5xx code?

> Also, I'd propose to make any such rules for mail match
> a high number in a small period of time, like say 5 log entries in
> 15 seconds.
Any advantage over 5 failures in 5 minutes? To not ban legitimate
users abusing the mail server? ;-) I don't think a mail server will retry
on an "unknown recipient" error from the server, or am I wrong?

-- 
                                  .-.
=------------------------------   /v\  ----------------------------=
Keep in touch                    // \\     (yoh@|www.)onerussian.com
Yaroslav Halchenko              /(   )\               ICQ#: 60653192
                   Linux User    ^^-^^    [175555]
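
One way to try the posted settings offline (an added example, not part of the original message and not fail2ban's own code): it runs the failregex over lines shaped like the quoted log entry and compares 5 hits in 300 seconds with 5 hits in 15 seconds. Assumed here: the VARIANT pattern, the make_line and banned_hosts helpers, the constructed sample lines, and the year 2006 prepended for timestamp parsing.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

TIMEREGEX = re.compile(r"\S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}")
TIMEPATTERN = "%b %d %H:%M:%S"  # "%%" in the config file is an escaped "%"
HEAD = r"reject: (?:RCPT|VRFY) from [a-zA-Z.0-9-]*.(?P<host>[0-9.]*).: "
REASONS = r"(?:.*Relay access denied|554 Service unavailable; Client host \S* blocked using"
# failregex as posted in the message (wrapped lines joined)
POSTED = re.compile(HEAD + REASONS + r"|(?:Sender|Recipient) address rejected)")
# Assumed variant (not from the thread): accept "5xx <address>: " before the reason
VARIANT = re.compile(HEAD + REASONS + r"|5\d\d <[^>]*>: (?:Sender|Recipient) address rejected)")

def make_line(clock, host, ip, code):
    """Build a constructed log line in the shape of the one quoted in the thread."""
    return (f"Jul 10 {clock} P450 postfix/smtpd[17863]: NOQUEUE: reject: RCPT from "
            f"{host}[{ip}]: {code} <[EMAIL PROTECTED]>: Recipient address rejected: "
            f"User unknown in local recipient table; proto=ESMTP")

def banned_hosts(lines, failregex, maxretry, findtime):
    """Return hosts with at least maxretry matches inside a findtime-second window."""
    recent, banned = defaultdict(deque), set()
    for line in lines:
        stamp, hit = TIMEREGEX.search(line), failregex.search(line)
        if not (stamp and hit):
            continue
        # syslog timestamps carry no year; 2006 (the thread's year) is assumed
        when = datetime.strptime("2006 " + stamp.group(0), "%Y " + TIMEPATTERN)
        window = recent[hit.group("host")]
        window.append(when)
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()  # drop hits that fell out of the window
        if len(window) >= maxretry:
            banned.add(hit.group("host"))
    return banned

# Constructed sample: a slow sender, a fast burst, and temporary (450) rejections
SLOW = ["12:39:03", "12:39:33", "12:40:03", "12:40:33", "12:41:03"]
SAMPLE = (
    [make_line(c, "mail.servemail.com.br", "201.40.235.2", 550) for c in SLOW]
    + [make_line(f"12:50:{2 * i:02d}", "burst.example", "192.0.2.7", 550) for i in range(5)]
    + [make_line(f"12:55:{2 * i:02d}", "retry.example", "198.51.100.9", 450) for i in range(5)]
)

if __name__ == "__main__":
    for name, rx in (("posted", POSTED), ("variant", VARIANT)):
        for findtime in (300, 15):
            print(name, f"5 in {findtime}s:", sorted(banned_hosts(SAMPLE, rx, 5, findtime)))
```

On these lines the posted pattern matches nothing, because `550 <address>: ` sits between the client address and `Recipient address rejected`. The variant matches the 5xx lines only, so the 450 lines never count toward a ban.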

