I recently noticed that my fail2ban settings were no longer triggering on postfix.
I'd advise anyone who uses fail2ban to check their filter configuration (e.g. /etc/fail2ban/filter.d/postfix.conf) and to run it through fail2ban-regex with some example log lines that are required to be blocked.

The main problems I found were that the fail2ban _daemon setting was not able to pick up postfix/submission/smtpd or postfix/postscreen log lines.

Also, in filters like the following:

NOQUEUE: reject: RCPT from \S+\[<HOST>\]:\d+: 550 5\.7\.1 Service unavailable; client \[\d+\.\d+\.\d+\.\d+\] blocked using

the \S+ was not matching because I don't see a hostname before the [ip address] in my logs:

Jun 15 00:21:59 server01 postfix/postscreen[2134]: NOQUEUE: reject: RCPT from [114.24.2.181]:4289: 550 5.7.1 Service unavailable; client [114.24.2.181] blocked using zen.spamhaus.org; from=<z200...@yahoo.com.tw>, to=<gk49f...@yahoo.com.tw>, proto=SMTP, helo=<80.237.194.71>

Not sure if the hostname is always absent in such messages or only sometimes. I did find a hostname string (albeit UNKNOWN) in:

Jun 14 09:14:22 server01 postfix/submission/smtpd[24605]: lost connection after UNKNOWN from unknown[27.114.168.168]
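The check described in the post above, as an added example that is not part of the original post and is not fail2ban's own code: a small Python stand-in for what fail2ban-regex reports, run over the two quoted log lines. The `HOST` expansion and line prefix are simplified, and the `DAEMON_*` values, `REJECT_RELAXED` and `LOST_CONN` patterns are assumptions made for illustration.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (IPv4 only; the real expansion
# also covers hostnames and IPv6).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two log lines quoted in the post.
REJECT_LINE = ("Jun 15 00:21:59 server01 postfix/postscreen[2134]: NOQUEUE: reject: "
               "RCPT from [114.24.2.181]:4289: 550 5.7.1 Service unavailable; "
               "client [114.24.2.181] blocked using zen.spamhaus.org; "
               "from=<z200...@yahoo.com.tw>, to=<gk49f...@yahoo.com.tw>, "
               "proto=SMTP, helo=<80.237.194.71>")
LOST_LINE = ("Jun 14 09:14:22 server01 postfix/submission/smtpd[24605]: "
             "lost connection after UNKNOWN from unknown[27.114.168.168]")

# Assumed daemon patterns: a narrow one that only knows postfix/smtpd, and a
# wider one that also accepts the submission service and postscreen.
DAEMON_NARROW = r"postfix/smtpd"
DAEMON_WIDE = r"postfix/(?:submission/)?(?:smtpd|postscreen)"

# The reject pattern from the post, and a variant where the hostname before
# the bracketed address is optional (\S* instead of \S+).
REJECT_STRICT = (r"NOQUEUE: reject: RCPT from \S+\[<HOST>\]:\d+: 550 5\.7\.1 "
                 r"Service unavailable; client \[\d+\.\d+\.\d+\.\d+\] blocked using")
REJECT_RELAXED = REJECT_STRICT.replace(r"from \S+\[", r"from \S*\[", 1)
# Constructed pattern for the second quoted line.
LOST_CONN = r"lost connection after \S+ from \S*\[<HOST>\]"


def banned_host(line, daemon, failregex):
    """Return the address the filter would extract from line, or None."""
    # Simplified syslog prefix: "Mon DD HH:MM:SS host daemon[pid]: ".
    prefix = r"^\w{3} +\d+ [\d:]{8} \S+ (?:%s)\[\d+\]: " % daemon
    m = re.search(prefix + failregex.replace("<HOST>", HOST), line)
    return m.group("host") if m else None


if __name__ == "__main__":
    cases = [
        ("reject, narrow daemon, relaxed", REJECT_LINE, DAEMON_NARROW, REJECT_RELAXED),
        ("reject, wide daemon, strict", REJECT_LINE, DAEMON_WIDE, REJECT_STRICT),
        ("reject, wide daemon, relaxed", REJECT_LINE, DAEMON_WIDE, REJECT_RELAXED),
        ("lost conn, narrow daemon", LOST_LINE, DAEMON_NARROW, LOST_CONN),
        ("lost conn, wide daemon", LOST_LINE, DAEMON_WIDE, LOST_CONN),
    ]
    for label, line, daemon, rx in cases:
        print("%-32s -> %s" % (label, banned_host(line, daemon, rx)))
```

Once a filter change looks right here, confirm it with fail2ban-regex against the real log file, since the actual prefix and `<HOST>` handling are broader than this stand-in.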