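# Fail2Ban filter for selected Postfix SMTP rejections
#
# Layout notes:
#  - "%(name)s" is replaced by the value of another option, and "<mode>" by the
#    "mode" parameter, so <mdpr-<mode>> and <mdre-<mode>> select the prefix and
#    the failregex set of the active mode.
#  - Indented lines continue the previous option's value (one expression per line).
#  - Every failregex below starts with "^" and takes <HOST> only from the first
#    bracketed address after the client name ("[^[]*\[<HOST>\]"). Keep both when
#    customizing: the rest of a rejection line can carry client-supplied text
#    (for example the <...> values matched by "(<[^>]*>)?"), and an unanchored
#    expression could take the address to ban from that text instead.

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

# Process name as logged: "postfix" or "postfix-<name>", then the service, with an
# optional "/smtpd" or "/smtps" suffix.
_daemon = postfix(-\w+)?/\w+(?:/smtp[ds])?
# Optional ":<port>" directly after the bracketed client address.
_port = (?::\d+)?

# Pre-filter: a line is considered only if, after the common log prefix, it starts
# with the prefix of the active mode. Only the remainder (F-CONTENT) is handed to
# failregex.
prefregex = ^%(__prefix_line)s<mdpr-<mode>> <F-CONTENT>.+</F-CONTENT>$

# Mode "normal": policy rejections ("<word>: reject:") plus "improper command
# pipelining after ..." and "too many errors after ..." lines.
# Rules, in order: 550/554 5.7.1; 450/454 4.7.x service unavailable or missing
# (reverse) hostname; HELO host not found; HELO not fully qualified; 550 5.1.1 on
# RCPT or VRFY; sender domain not found; and the bare "from host[addr]" form
# that follows the pipelining / too-many-errors prefixes.
mdpr-normal = (?:\w+: reject:|(?:improper command pipelining|too many errors) after \S+)
mdre-normal = ^RCPT from [^[]*\[<HOST>\]%(_port)s: 55[04] 5\.7\.1\s
              ^RCPT from [^[]*\[<HOST>\]%(_port)s: 45[04] 4\.7\.\d+ (?:Service unavailable\b|Client host rejected: cannot find your (reverse )?hostname\b)
              ^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.7\.\d+ (<[^>]*>)?: Helo command rejected: Host not found\b
              ^EHLO from [^[]*\[<HOST>\]%(_port)s: 504 5\.5\.\d+ (<[^>]*>)?: Helo command rejected: need fully-qualified hostname\b
              ^(RCPT|VRFY) from [^[]*\[<HOST>\]%(_port)s: 550 5\.1\.1\s
              ^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.1\.\d+ (<[^>]*>)?: Sender address rejected: Domain not found\b
              ^from [^[]*\[<HOST>\]%(_port)s:?

# Mode "auth": failed SASL logins logged as "warning:". The negative lookahead
# leaves out failures whose reason is a lost connection to the authentication
# server (a server-side problem) and, for mdre-auth only, "Invalid authentication
# mechanism". mdre-auth2 (used by mode "aggressive") does count the latter.
# NOTE(review): "(?i)" sits in the middle of the expression. Python's re module
# rejects global inline flags that are not at the start of a pattern since 3.11
# (deprecated since 3.6) -- confirm that the Fail2Ban release in use handles this
# construct, otherwise modes auth, extra and aggressive would not compile.
mdpr-auth = warning:
mdre-auth = ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server| Invalid authentication mechanism)
mdre-auth2 = ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server)
# todo: check/remove "Invalid authentication mechanism" from ignore list, if gh-1243 will get finished (see gh-1297).

# Mode "rbl" currently included in mode "normal", but if needed for jail "postfix-rbl" only:
mdpr-rbl = %(mdpr-normal)s
mdre-rbl = ^RCPT from [^[]*\[<HOST>\]%(_port)s: [45]54 [45]\.7\.1 Service unavailable; Client host \[\S+\] blocked\b

# Mode "rbl" currently included in mode "normal" (within 1st rule)
mdpr-more = %(mdpr-normal)s
mdre-more = %(mdre-normal)s

# Mode "ddos": "lost connection after <COMMAND>" (any command except DATA) and
# "disconnect" lines whose statistics show auth=0/<count>, where <count> is a
# digit 1-9 or has two or more digits.
# NOTE(review): these lines may also be produced by monitoring probes or clients
# on unstable links -- presumably worth reviewing the jail's ignoreip and maxretry
# before enabling this mode or "aggressive".
mdpr-ddos = (?:lost connection after(?! DATA) [A-Z]+|disconnect(?= from \S+(?: \S+=\d+)* auth=0/(?:[1-9]|\d\d+)))
mdre-ddos = ^from [^[]*\[<HOST>\]%(_port)s:?

# Mode "extra": auth + normal.
mdpr-extra = (?:%(mdpr-auth)s|%(mdpr-normal)s)
mdre-extra = %(mdre-auth)s
             %(mdre-normal)s

# Mode "aggressive": prefixes of auth, normal and ddos; rules of auth2 + normal
# (the last rule of mdre-normal covers the "from host[addr]" form used by ddos).
mdpr-aggressive = (?:%(mdpr-auth)s|%(mdpr-normal)s|%(mdpr-ddos)s)
mdre-aggressive = %(mdre-auth2)s
                  %(mdre-normal)s

# Mode "errors": only "too many errors after <COMMAND> from host[addr]" lines.
mdpr-errors = too many errors after \S+
mdre-errors = ^from [^[]*\[<HOST>\]%(_port)s$


failregex = <mdre-<mode>>

# Parameter "mode": more (default combines normal and rbl), auth, normal, rbl, ddos, errors, extra or aggressive (combines all)
# Usage example (for jail.local):
#   [postfix]
#   mode = aggressive
#
#   # or another jail (rewrite filter parameters of jail):
#   [postfix-rbl]
#   filter = postfix[mode=rbl]
#
#   # jail to match "too many errors", related postconf `smtpd_hard_error_limit`:
#   # (normally included in other modes (normal, more, extra, aggressive), but this jail'd allow to ban on the first message)
#   [postfix-many-errors]
#   filter = postfix[mode=errors]
#   maxretry = 1
#
mode = more

# Empty: no matching line is excluded.
ignoreregex =

[Init]

# Journal entries are taken from the unit "postfix.service" only.
# NOTE(review): if Postfix runs under a different unit name on the host, nothing
# will match and no ban will ever be issued -- confirm the unit name.
journalmatch = _SYSTEMD_UNIT=postfix.service

# Author: Cyril Jaquier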