Fail2ban and Postfix

Protect against Postfix AUTH DoS attacks

I’ve noticed a lot of SASL LOGIN authentication failed errors in /var/log/mail.log

TL;DR

Simplest and fastest is to just enable already included jail, the one from jail.conf here

1
2
3
4
5
6
7
8
9


cat << EOF | sudo tee /etc/fail2ban/jail.d/postfix-sasl.local
[postfix-sasl]
enabled  = true
EOF

cat << EOF | sudo tee /etc/fail2ban/jail.d/recidive.local
[recidive]
enabled  = true ; enable jail for repeated bans
EOF

More elaborate is to create a new jail:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12


cat << EOF | sudo tee /etc/fail2ban/jail.d/postfix-sasl.local
#
# on comments: only ';' comment starts an inline comment, not the '#' one
#
[postfix-aggressive]
enabled  = true
port     = smtp
filter   = postfix[mode=aggressive]
maxretry = 3 ; default to 5
findtime = 20 minutes ; default to 10m
bantime  = 6 hours ; default to 10m
EOF

I’m not sure why, the following should work, but it doesn’t:

Default working mode is mode=more which combines only standard and RBL blocking. Read about it more inside filter.d/postfix.conf or online

I’ve decided to enable “aggressive” mode to include all available filters.

1
2
3
4
5


cat << EOF | sudo tee /etc/fail2ban/jail.d/postfix.local
# change mode to aggressive; should work but it doesn't
[postfix]
mode = aggressive
EOF

Useful commands

Test if it will catch those errors:

1
2
3


# test some filter rules 
fail2ban-regex /var/log/mail.log 'postfix[mode=more]'
fail2ban-regex /var/log/mail.log 'postfix[mode=aggressive]'

1
2
3
4
5


# to debug
cat << EOF | sudo tee /etc/fail2ban/fail2ban.d/debug.local
[Definition]
loglevel = DEBUG
EOF

You can also use fail2ban-regex to check the filter works for you:

This is valid for versions 0.10 and above (check version with fail2ban-client version). Older versions have different configuration.

Useful commands:

1
2
3
4
5


# reload service
service fail2ban reload

# check banned ip's
fail2ban-client status postfix

About config files

They simply are all processed, in the following order or precedence:

jail.conf
jail.d/*.conf (all files, in alphabetical order)
jail.local
jail.d/*.local (all files, in alphabetical order)

The files are all read in sequence, and any option set in a file overrides the same option (same section, same name) in the previous ones.

More ideas:

If needed, you can block whole IP ranges: Fail2Ban IP-Range mit Blackliste blocken
Protect Postfix mailserver with fail2ban

date 03. Jun 2020 | modified 13. Feb 2025

filename: Server » Fail2ban