> > BTW, I can't crack it for the moment.
>> OK so this isn't going to be quite so neat. You need to add a line:
>>
>> ^RCPT from [^[]*\[<HOST>\]%(_port)s:? 550 5\.5\.1 Protocol error;
>>
>> to the mdre-normal section. Generally the recommended way is to create a
>> postfix.local file, but this would need to contain:
>>
>
> This got mangled by gmail, but I was able to copy the postfix.conf to
> postfix.local and make it somewhat resemble what you pasted, and it appears
> to work.
>
Actually, it works with fail2ban-regex but isn't catching them from the live logs. Here's what I have in my jail.conf:

[postfix]
filter = postfix
maxretry = 1
bantime = 48h
enabled = true
mode = normal

I've also attached my whole postfix.conf here, just in case.

[INCLUDES]

before = common.conf

[Definition]

_daemon = postfix(-\w+)?/\w+(?:/smtp[ds])?
_port = (?::\d+)?
_pref = [A-Z]{4}

prefregex = ^%(__prefix_line)s<mdpr-<mode>> <F-CONTENT>.+</F-CONTENT>$

exre-user = |[Uu](?:ser unknown|ndeliverable address)

mdpr-normal = (?:\w+: (?:milter-)?reject:|(?:improper command pipelining|too many errors) after \S+)
mdre-normal=^%(_pref)s from [^[]*\[<HOST>\]%(_port)s: [45][50][04] [45]\.\d\.\d+ (?:(?:<[^>]*>)?: )?(?:(?:Helo command|(?:Sender|Recipient) address) rejected: )?(?:Service unavailable|(?:Client host|Command|Data command) rejected|Relay access denied|(?:Host|Domain) not found|need fully-qualified hostname|match%(exre-user)s)\b
            ^from [^[]*\[<HOST>\]%(_port)s:?
            ^RCPT from [^[]*\[<HOST>\]%(_port)s:? 550 5\.5\.1 Protocol error;

mdpr-auth = warning:
mdre-auth = ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server| Invalid authentication mechanism)
mdre-auth2= ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server)

mdpr-rbl = %(mdpr-normal)s
mdre-rbl = ^%(_pref)s from [^[]*\[<HOST>\]%(_port)s: [45]54 [45]\.7\.1 Service unavailable; Client host \[\S+\] blocked\b

mdpr-more = %(mdpr-normal)s
mdre-more = %(mdre-normal)s

mdpr-ddos = (?:lost connection after(?! DATA) [A-Z]+|disconnect(?= from \S+(?: \S+=\d+)* auth=0/(?:[1-9]|\d\d+))|(?:PREGREET \d+|HANGUP) after \S+|COMMAND (?:TIME|COUNT|LENGTH) LIMIT)
mdre-ddos = ^from [^[]*\[<HOST>\]%(_port)s:?

mdpr-extra = (?:%(mdpr-auth)s|%(mdpr-normal)s)
mdre-extra = %(mdre-auth)s
             %(mdre-normal)s

mdpr-aggressive = (?:%(mdpr-auth)s|%(mdpr-normal)s|%(mdpr-ddos)s)
mdre-aggressive = %(mdre-auth2)s
                  %(mdre-normal)s

mdpr-errors = too many errors after \S+
mdre-errors = ^from [^[]*\[<HOST>\]%(_port)s$

mdpr-proto = Protocol error;
mdre-proto = ^from [^[]*\[<HOST>\]%(_port)s$

failregex = <mdre-<mode>>

mode = normal

ignoreregex =

[Init]

journalmatch = _SYSTEMD_UNIT=postfix.service

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
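
Added illustration, not part of the original message and not fail2ban's own code: a Python model of the two-stage match the attached filter performs in mode normal, where prefregex (with mdpr-normal) must accept a line before the RCPT rule added to mdre-normal is tried on the captured content. PREFIX_LINE and HOST are simplified stand-ins for common.conf's `__prefix_line` and fail2ban's `<HOST>` expansion, the function name is hypothetical, the date is assumed already stripped, and the log lines are constructed.

```python
import re

# Simplified stand-ins (assumptions, not fail2ban's own definitions):
# the real __prefix_line lives in common.conf and <HOST> expands to a
# richer address pattern. The timestamp is assumed to be stripped already.
PREFIX_LINE = r"\S+ postfix(?:-\w+)?/\w+(?:/smtp[ds])?\[\d+\]: "
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PORT = r"(?::\d+)?"  # _port from the filter

# mdpr-normal from the filter, placed in a prefregex-shaped pattern.
MDPR_NORMAL = (r"(?:\w+: (?:milter-)?reject:"
               r"|(?:improper command pipelining|too many errors) after \S+)")
PREFREGEX = re.compile("^" + PREFIX_LINE + MDPR_NORMAL + r" (?P<content>.+)$")

# The rule the thread adds to mdre-normal.
ADDED_RULE = re.compile(r"^RCPT from [^[]*\[" + HOST + r"\]" + PORT
                        + r":? 550 5\.5\.1 Protocol error;")


def banned_host(line):
    """Return the host the added rule would report for this line, or None."""
    pre = PREFREGEX.search(line)
    if pre is None:  # stage 1: the prefix filter rejects the line
        return None
    hit = ADDED_RULE.search(pre.group("content"))  # stage 2: failregex
    return hit.group("host") if hit else None


# Constructed sample lines (not taken from any real log).
SAMPLES = [
    # reject prefix plus the 550 5.5.1 text: reported
    "mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: "
    "550 5.5.1 Protocol error; from=<a@example.com> to=<b@example.net>",
    # same, with a client port after the address: reported
    "mx1 postfix/smtpd[2102]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]"
    ":51234: 550 5.5.1 Protocol error; proto=SMTP",
    # reject prefix but a different status: the added rule does not fire
    "mx1 postfix/smtpd[2103]: NOQUEUE: reject: RCPT from unknown[192.0.2.12]: "
    "450 4.7.1 Client host rejected: cannot find your hostname",
    # right content, no mdpr-normal prefix: stopped at stage 1
    "mx1 postfix/smtpd[2104]: RCPT from unknown[192.0.2.13]: "
    "550 5.5.1 Protocol error;",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(banned_host(sample), "<-", sample)
```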