# [solved] fail2ban for postfix-sasl

## Elleni

I activated said jail by creating postfix-sasl.conf in jail.d with the following entry

```
[postfix-sasl]
enabled  = true
```

but the preconfigured one seems not to catch anything.

fail2ban-client status postfix-sasl

```
Status for the jail: postfix-sasl
|- Filter
|  |- Currently failed:   0
|  |- Total failed:   0
|  `- File list:   /var/log/mail.log
`- Actions
   |- Currently banned:   0
   |- Total banned:   0
   `- Banned IP list:
```

I am missing postfix-sasl in the filter.d folder anyway, but I thought, ok, maybe one is supposed to go with the postfix one nowadays.

But testing gives:

fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf

```
Running tests
=============

Use   failregex filter file : postfix, basedir: /etc/fail2ban
Use      datepattern : Default Detectors
Use         log file : /var/log/mail.log
Use         encoding : UTF-8

Results
=======

Failregex: 1 total
|-  #) [# of hits] regular expression
|   1) [1] ^RCPT from [^[]*\[<HOST>\](?::\d+)?: 55[04] 5\.7\.1\s
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [2805] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 2805 lines, 0 ignored, 1 matched, 2804 missed
[processed in 0.26 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 2804 lines
```

So what am I missing?

cat /var/log/mail.log | grep "SASL LOGIN authentication failed" gives plenty of the following

```
Nov 26 03:54:04 hostname postfix/smtpd[25848]: warning: unknown[193.56.28.213]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
```

Last edited by Elleni on Wed Nov 27, 2019 10:42 pm; edited 1 time in total

----------

## freke

I'm using 4 jails for my mailserver:

postfix-auth, postfix, dovecot and sasl

Can't remember if I edited any of the filters really - but I don't think so.

I currently have:

~1000 banned via dovecot-filter

7 via postfix

7 via postfix-auth

16 via sasl

I'm doing harsh banning on my dovecot-filter, it's a personal server, so if anyone tries to login with a failed password it's a ban after 1st attempt.

my jail.local

```
[DEFAULT]
ignoreip = 10.0.0.0/23 2001:470:28:4a6:f5db:7b20:83a1:e2a9 2001:470:28:4a6:20d:b9ff:fe4a:e000
backend  = pyinotify

[postfix-auth]
enabled  = true
bantime  = 1d
filter   = postfix.auth
action   = iptables-allports[name=postfix, protocol=tcp]
logpath  = /var/log/messages
maxretry = 2
findtime = 2h

[postfix]
enabled  = true
bantime  = 1d
filter   = postfix
action   = iptables-allports[name=postfix, protocol=tcp]
logpath  = /var/log/messages
maxretry = 2
findtime = 2h

[dovecot]
enabled  = true
bantime  = 7d
filter   = dovecot
action   = iptables-multiport[name=dovecot, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
logpath  = /var/log/messages
maxretry = 1
findtime = 1h

[sasl]
enabled  = true
bantime  = 1d
filter   = sasl
action   = iptables-allports[name=sasl, protocol=tcp]
logpath  = /var/log/messages
maxretry = 2
findtime = 2h
```

```
mail /etc/fail2ban # fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/dovecot.conf

Running tests
=============

Use   failregex filter file : dovecot, basedir: /etc/fail2ban
Use      datepattern : Default Detectors
Use         log file : /var/log/messages
Use         encoding : UTF-8

Results
=======

Failregex: 566 total
|-  #) [# of hits] regular expression
|   2) [566] ^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [27884] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 27884 lines, 0 ignored, 566 matched, 27318 missed
[processed in 23.99 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 27318 lines
```

I get 566 matches on my current log (rotated 3 days ago)
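The two posts above both come down to the same check: does the jail's failregex actually match the "SASL LOGIN authentication failed" lines in the log, and how do maxretry and findtime then turn matches into bans? The script below is an added example written for this thread, not fail2ban's own code: it applies an approximation of the postfix-sasl failregex (the real pattern lives in filter.d/postfix.conf; the `HOST` stand-in for fail2ban's `<HOST>` expansion is also an assumption) to a constructed sample of mail.log lines, the first of which is the line quoted in the first post, and then replays the maxretry/findtime logic of the jail.local above (maxretry = 2, findtime = 2h). It is useful for understanding why `fail2ban-regex` reports 0 matches on a log that visibly contains failures: either the pattern does not match the line shape, or the jail is reading a different file than the one the lines land in.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Stand-in for fail2ban's <HOST> expansion (assumption for this example):
# matches IPv4/IPv6 literals and hostnames.
HOST = r"(?P<host>[\w\-.:]+)"

# Approximation of the postfix-sasl failregex from filter.d/postfix.conf
# (assumed here for illustration, not fail2ban's exact pattern).
SASL_FAILREGEX = re.compile(
    r"postfix/smtpd\[\d+\]: warning: [-._\w]+\[" + HOST + r"\]: "
    r"SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
)

# Constructed sample of /var/log/mail.log lines; the first one is the line
# quoted in the thread, the rest are made up for the example.
SAMPLE_LOG = """\
Nov 26 03:54:04 hostname postfix/smtpd[25848]: warning: unknown[193.56.28.213]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 26 03:54:30 hostname postfix/smtpd[25848]: warning: unknown[193.56.28.213]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 26 03:55:02 hostname postfix/smtpd[25850]: connect from mail.example.net[203.0.113.7]
Nov 26 03:56:11 hostname postfix/smtpd[25851]: warning: unknown[198.51.100.9]: SASL PLAIN authentication failed: authentication failure
Nov 26 07:10:00 hostname postfix/smtpd[25900]: warning: unknown[198.51.100.9]: SASL PLAIN authentication failed: authentication failure
"""


def parse_timestamp(line, year=2019):
    # syslog timestamps carry no year; assume one so the window arithmetic works
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def failures(lines):
    """Yield (timestamp, host) for every line the failregex matches."""
    for line in lines:
        m = SASL_FAILREGEX.search(line)
        if m:
            yield parse_timestamp(line), m.group("host")


def bans(lines, maxretry=2, findtime_s=2 * 3600):
    """Hosts that reach maxretry failures inside a findtime window (jail logic replay)."""
    window = defaultdict(deque)  # host -> timestamps of recent failures
    banned = []
    for ts, host in failures(lines):
        q = window[host]
        q.append(ts)
        # drop failures older than findtime relative to the newest one
        while (ts - q[0]).total_seconds() > findtime_s:
            q.popleft()
        if len(q) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("matched:", len(list(failures(lines))))
    print("banned (maxretry=2, findtime=2h):", bans(lines))
```

With the defaults, 193.56.28.213 is banned after its second failure 26 seconds later, while 198.51.100.9 is not: its two failures are more than 2h apart, so the first has already left the findtime window when the second arrives. Raising findtime to 4h, or setting maxretry = 1 as the dovecot jail above does, bans both.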

----------

## Elleni

I thought it might have to do with my syslog-ng, which I had briefly tried to configure to get separate mail logs. So I deleted syslog-ng.conf, reverted back and retried with the default syslog-ng.conf, and guess what, postfix-sasl started to do its job :)

```
fail2ban-client status postfix-sasl

Status for the jail: postfix-sasl
|- Filter
|  |- Currently failed:   0
|  |- Total failed:   0
|  `- File list:   /var/log/messages
`- Actions
   |- Currently banned:   2
   |- Total banned:   2
   `- Banned IP list:   178.128.148.84 193.56.28.213
```

So I will wait and see if more IPs will be trapped in this jail and slowly I'll experiment with more jails. 

Thanks for sharing your configuration as an example.