My postfix instance (Debian 9) is under permanent attack from spammer bots trying to use it as an open relay. I have fai2ban up and running and it works perfectly against SASL attacks, but I cant get it working against the relay attacks. The log entries look like this:
NOQUEUE: reject: RCPT from unknown[173.82.219.107]: 450 4.7.25 Client host rejected: cannot find your hostname, [173.82.219.107]; from=<rainsktrhante@example.com> to=<cb@example.com> proto=ESMTP helo=<example.com>
I have fai2ban active for postfix with this:
[postfix]
enabled = true
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s
[postfix-rbl]
enabled = true
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s
maxretry = 1
[postfix-sasl]
enabled = true
port = smtp,465,submission,imap,imaps,pop3,pop3s
logpath = %(postfix_log)s
backend = %(postfix_backend)s
maxretry = 3
I edited the regular expression according to the fact that postfix's error message seems to have changed. Basically I changed \.1 to \.\d+:
[Definition]
_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]
_port = (?::\d+)?
failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.\d+ Client host rejected: cannot find your hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.\d+ : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
^%(__prefix_line)sNOQUEUE: reject: EHLO from \S+\[<HOST>\]: 504 5\.5\.\d+ <\S+>: Helo command rejected: need fully-qualified hostname;
^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.1\.\d+ <\S*>: Sender address rejected: Domain not found; from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$
^%(__prefix_line)sNOQUEUE: reject: RCPT from (.*)\[<HOST>\]: 450 4\.7\.\d+ .*$
ignoreregex =
[Init]
journalmatch = _SYSTEMD_UNIT=postfix.service
# Author: Cyril Jaquier
But fail2ban does not recognize the above mentioned attacks. So I used fail2ban-regexto check if the above mentioned regular expressions do apply. I put the above cited line from the logfile twice in an custom filelogtest.log` and did:
fail2ban-regex ~/logtest.log /etc/fail2ban/filter.d/postfix.conf
It seems to me that the regular expressions did work, as I get:
Running tests
=============
Use failregex filter file : postfix, basedir: /etc/fail2ban
Use log file : /root/logtest.log
Use encoding : UTF-8
Results
=======
Failregex: 2 total
|- #) [# of hits] regular expression
| 2) [2] ^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel: \[ *\d+\.\d+\]\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds](?:\(\S+\))?[\]\)]?:?|[\[\(]?postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds](?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?NOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.\d+ Client host rejected: cannot find your hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [2] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
`-
Lines: 2 lines, 0 ignored, 2 matched, 0 missed
[processed in 0.00 sec]
But fail2ban still does not recognize the attacks. What am I doing wrong here?
Best Answer
Try more general configuration to catch more.
Here's an example for fail2ban wiki