>Postscreen logs DISCONNECT for clients that PASS the "after 220 greeting"
>tests (bare newline, non-SMTP command, pipelining).

Exactly what I was afraid of, thanks for the confirmation.

>I don't think there is much to gain from parsing postscreen logging to produce
>fail2ban rules. postscreen is designed to handle a lot of abuse with near-zero
>resources.

I understand and that's great. But it would be nice to prevent at least some of the connections and their ongoing log entries. Without getting out of my comfort zone in solutions like Robert's and Allen's.

Alas (and for search posterity in case someone else tries the filter I posted), I don't think the first line of my posted filter (copied from someone else) is reliable after thinking about it some more. Just because I get a "listed by domain" log line, that won't mean the overall score was above the threshold and going to fail necessarily. So it's out.

    failregex = ^%(__prefix_line)saddr <HOST> listed by domain .* as .*$
                ^%(__prefix_line)sNOQUEUE: reject: RCPT from (.*)\[<HOST>\]:([0-9]{4,5}:)? 550.*$

The second line (cleaned up and anchored) should be a worthy counter I think, as it's a solid 550 reject.

Re this log line:

>Jul 17 14:23:36 tn3 postfix/postscreen[21915]: DNSBL rank 3 for [46.102.230.94]:63564

Maybe it would be safe to filter on this line where the "DNSBL rank [n]" was >= my threshold. Assuming a threshold of 3, max less than 20, match with:

    failregex = ^%(__prefix_line)sDNSBL rank (([3-9]|1[0-9])) for \[<HOST>\]:.*$

I realize this is a little OT but the postfix question is: Lines like the sample log line above, whose rank is at or above my threshold, should represent a connection that's going to fail postscreen and be dropped, right?

Won't pick all of them up, but will at least look at some of them.

Would be cool to have a log entry on overall postscreen pass (including after 220) or fail. That would be easy to watch.
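A stand-alone check of the two patterns discussed above, run over constructed log lines (an added example, not part of the original post and not fail2ban's own code). `HOST` and `PREFIX` are simplified stand-ins for fail2ban's `<HOST>` and `%(__prefix_line)s` expansions, which is an assumption, and the rank alternation is written as `1[0-9]` so that every rank from 10 through 19 matches.

```python
import re

# Simplified stand-ins (assumptions) for fail2ban's <HOST> and %(__prefix_line)s.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PREFIX = r"\w{3} +\d+ [\d:]{8} \S+ postfix/postscreen\[\d+\]: "

def compile_filter(failregex):
    """Expand the two placeholders and compile one failregex line."""
    return re.compile(failregex.replace("%(__prefix_line)s", PREFIX)
                               .replace("<HOST>", HOST))

# Rank 3..19: a single digit 3-9, or '1' followed by any digit.
RANK = compile_filter(r"^%(__prefix_line)sDNSBL rank ([3-9]|1[0-9]) for \[<HOST>\]:.*$")
REJECT = compile_filter(
    r"^%(__prefix_line)sNOQUEUE: reject: RCPT from (.*)\[<HOST>\]:([0-9]{4,5}:)? 550.*$")

# Constructed log lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
Jul 17 14:23:36 mx1 postfix/postscreen[21915]: DNSBL rank 3 for [192.0.2.10]:63564
Jul 17 14:23:40 mx1 postfix/postscreen[21915]: DNSBL rank 2 for [192.0.2.11]:40112
Jul 17 14:23:41 mx1 postfix/postscreen[21915]: DNSBL rank 14 for [192.0.2.12]:51822
Jul 17 14:23:42 mx1 postfix/postscreen[21915]: DNSBL rank 20 for [192.0.2.13]:51823
Jul 17 14:23:45 mx1 postfix/postscreen[21915]: NOQUEUE: reject: RCPT from [198.51.100.7]:48211: 550 5.7.1 Service unavailable; client [198.51.100.7] blocked
Jul 17 14:23:50 mx1 postfix/postscreen[21915]: DISCONNECT [203.0.113.5]:33100
""".splitlines()

def matched_hosts(lines, patterns=(RANK, REJECT)):
    """Return the hosts these patterns would count, in log order."""
    hosts = []
    for line in lines:
        for pat in patterns:
            m = pat.match(line)
            if m:
                hosts.append(m.group("host"))
                break
    return hosts

def ranks_matched(lo=0, hi=25):
    """List every rank value in [lo, hi] that the RANK pattern accepts."""
    tmpl = "Jul 17 14:23:36 mx1 postfix/postscreen[1]: DNSBL rank %d for [192.0.2.1]:1"
    return [n for n in range(lo, hi + 1) if RANK.match(tmpl % n)]

if __name__ == "__main__":
    print(matched_hosts(SAMPLE_LOG))
    print(ranks_matched())
```

`ranks_matched()` is the quick way to confirm that a digit-class alternation covers the whole intended range and nothing outside it before the pattern goes into a filter file.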