I use fail2ban in order to block some types of apparently malicious connections to postfix when the clients keep retrying. For example the following fail2ban regexes match cases I currently block by parsing the maillog.
reject: RCPT from (.*)\[<HOST>\]: 554
lost connection after AUTH from (.*)\[<HOST>\]\s*$
reject: RCPT from (.*)\[<HOST>\]: 550 5.7.1 Client host rejected: cannot find your reverse hostname
NOQUEUE: reject: RCPT from (.*)\[<HOST>\]:\d+: 550 5.7.1 Service unavailable; client \[\d+\.\d+\.\d+\.\d+\] blocked using

One type of connection which I cannot block in fail2ban is clients that try the AUTH command on port 25, where I have disabled it. I got 245 connections this morning in the space of 5 minutes, and those are the ones that got through despite the connection concurrency limit being hit 277 times. I would prefer just to block them after the first 5 attempts or so. The only info I get is the following emails to postmaster and the connects and disconnects in the mail log.

Transcript of session follows.

 Out: 220 mail.erba.tv ESMTP Postfix
 In:  EHLO ATTACHE-SERVER
 Out: 250-mail.erba.tv
 Out: 250-PIPELINING
 Out: 250-SIZE 50000000
 Out: 250-ETRN
 Out: 250-STARTTLS
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  AUTH LOGIN
 Out: 503 5.5.1 Error: authentication not enabled

Session aborted, reason: lost connection

For other details, see the local mail logfile

Logfile

Jun 28 09:04:37 rosalia postfix/postscreen[10170]: CONNECT from [202.136.109.205]:54626 to [80.237.194.64]:25
Jun 28 09:04:43 rosalia postfix/postscreen[10170]: PASS NEW [202.136.109.205]:54626
Jun 28 09:04:43 rosalia postfix/smtpd[10175]: connect from 202-136-109-205.static.adam.com.au[202.136.109.205]
Jun 28 09:04:47 rosalia postfix/smtpd[10175]: disconnect from 202-136-109-205.static.adam.com.au[202.136.109.205]
etc

Would it be possible to have an option to log errors? Clearly this is not appropriate for all cases, since it can DDOS the maillog, but if turned on only when used in conjunction with fail2ban it would actually reduce connection load.
One idea would be to make it configurable so it lists invalid commands to log (like AUTH when it's not allowed), so it could not write arbitrary strings to the maillog. An alternative idea would be to log disconnects differently if there was no email delivery:

Jun 28 09:04:47 rosalia postfix/smtpd[10175]: disconnect from 202-136-109-205.static.adam.com.au[202.136.109.205] without mail

John
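As an added illustration (not part of the post above, and not fail2ban's or Postfix's own code), the following Python script shows how a fail2ban-style scanner could do both things John asks about with the log lines Postfix already writes: it applies the <HOST> patterns quoted in the post the way fail2ban does (substituting a named IP group), and it implements the "disconnect without mail" heuristic by pairing each smtpd `connect from` with the `disconnect from` of the same smtpd pid and checking whether a message was accepted in between (Postfix logs a `QUEUEID: client=host[ip]` line from that pid when it accepts a message). The log lines, hostnames and IPs are constructed for the example, the `maxretry`/`findtime` values and the year used for syslog timestamps are assumptions, and the dots in the 5.7.1 codes are escaped, which the quoted patterns did not do.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The fail2ban-style patterns quoted in the post (dots in "5.7.1" escaped).
# fail2ban replaces <HOST> with a capturing group; we do the same here.
FAILREGEX = [
    r"reject: RCPT from (.*)\[<HOST>\]: 554",
    r"lost connection after AUTH from (.*)\[<HOST>\]\s*$",
    r"reject: RCPT from (.*)\[<HOST>\]: 550 5\.7\.1 Client host rejected: cannot find your reverse hostname",
    r"NOQUEUE: reject: RCPT from (.*)\[<HOST>\]:\d+: 550 5\.7\.1 Service unavailable; client \[\d+\.\d+\.\d+\.\d+\] blocked using",
]
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
COMPILED = [re.compile(p.replace("<HOST>", HOST_GROUP)) for p in FAILREGEX]

# Syslog prefix as written by Postfix: "Mon DD HH:MM:SS host postfix/prog[pid]: msg"
SYSLOG = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<prog>postfix/\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
CONNECT = re.compile(r"^connect from \S*\[(?P<host>[\d.]+)\]")
DISCONNECT = re.compile(r"^disconnect from \S*\[(?P<host>[\d.]+)\]")


def parse_ts(ts, year=2013):
    # Syslog timestamps carry no year; the year is an assumption for this example.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def scan(lines, maxretry=5, findtime=600):
    """Return {ip: failures} for hosts that reach maxretry failures within findtime seconds.

    A failure is either a match of one of the FAILREGEX patterns or an smtpd
    session that disconnected without ever having a message accepted.
    """
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    sessions = {}                  # smtpd pid -> [ip, saw_accepted_mail]
    banned = {}

    def record(ip, when):
        q = failures[ip]
        q.append(when)
        while q and (when - q[0]).total_seconds() > findtime:  # drop old entries
            q.popleft()
        if len(q) >= maxretry and ip not in banned:
            banned[ip] = len(q)

    for line in lines:
        m = SYSLOG.match(line)
        if not m:
            continue
        when, pid, msg = parse_ts(m["ts"]), m["pid"], m["msg"]
        # (a) the explicit fail2ban patterns, searched anywhere in the message
        for rx in COMPILED:
            h = rx.search(msg)
            if h:
                record(h["host"], when)
        if m["prog"] != "postfix/smtpd":
            continue  # postscreen/cleanup/etc. lines carry no session state we need
        # (b) connect ... disconnect from the same smtpd pid with no accepted mail
        c = CONNECT.match(msg)
        if c:
            sessions[pid] = [c["host"], False]
            continue
        if "client=" in msg and pid in sessions:
            sessions[pid][1] = True  # "QUEUEID: client=..." means a message was accepted
            continue
        d = DISCONNECT.match(msg)
        if d and pid in sessions:
            ip, saw_mail = sessions.pop(pid)
            if not saw_mail:
                record(ip, when)
    return banned


# Constructed sample log (not real data): one host opens five sessions without
# sending mail, one host delivers a message, one host trips a reject pattern.
SAMPLE_LOG = """\
Jun 28 09:04:37 rosalia postfix/postscreen[10170]: CONNECT from [198.51.100.7]:54626 to [192.0.2.1]:25
Jun 28 09:04:43 rosalia postfix/smtpd[10175]: connect from host-a.example[198.51.100.7]
Jun 28 09:04:47 rosalia postfix/smtpd[10175]: disconnect from host-a.example[198.51.100.7]
Jun 28 09:05:01 rosalia postfix/smtpd[10175]: connect from host-a.example[198.51.100.7]
Jun 28 09:05:03 rosalia postfix/smtpd[10175]: disconnect from host-a.example[198.51.100.7]
Jun 28 09:05:20 rosalia postfix/smtpd[10176]: connect from host-a.example[198.51.100.7]
Jun 28 09:05:22 rosalia postfix/smtpd[10176]: disconnect from host-a.example[198.51.100.7]
Jun 28 09:05:40 rosalia postfix/smtpd[10175]: connect from host-a.example[198.51.100.7]
Jun 28 09:05:41 rosalia postfix/smtpd[10175]: disconnect from host-a.example[198.51.100.7]
Jun 28 09:06:00 rosalia postfix/smtpd[10180]: connect from mx.example.org[203.0.113.9]
Jun 28 09:06:01 rosalia postfix/smtpd[10180]: ABC123DEF: client=mx.example.org[203.0.113.9]
Jun 28 09:06:02 rosalia postfix/smtpd[10180]: disconnect from mx.example.org[203.0.113.9]
Jun 28 09:06:10 rosalia postfix/smtpd[10176]: connect from host-a.example[198.51.100.7]
Jun 28 09:06:12 rosalia postfix/smtpd[10176]: disconnect from host-a.example[198.51.100.7]
Jun 28 09:07:00 rosalia postfix/smtpd[10181]: NOQUEUE: reject: RCPT from unknown[192.0.2.5]: 550 5.7.1 Client host rejected: cannot find your reverse hostname, [192.0.2.5]; from=<a@example.net> to=<b@example.com> proto=ESMTP helo=<x>
"""


def scan_sample(maxretry=5):
    return scan(SAMPLE_LOG.splitlines(), maxretry=maxretry)


if __name__ == "__main__":
    print(scan_sample())
```

On the sample input only the host with five mail-less sessions crosses the threshold; the relay that delivered a message is never counted, and the reverse-DNS reject is recorded once but stays under `maxretry`. The "disconnect without mail" heuristic does have a false-positive surface: monitoring probes and MTAs that connect, issue QUIT and leave are indistinguishable from the AUTH probers in this log, so it belongs behind a whitelist (fail2ban's `ignoreip`) and a threshold rather than a first-strike ban.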