Aggressive mode combines the SMTP rejection patterns with the SASL authentication-failure patterns, so that Fail2ban bans hosts that hammer authentication as well as hosts whose mail is rejected, instead of only one of the two.
The issue occurs because the default SASL authentication regex (mdre-auth2) might not match your log format. Check your /var/log/mail.log for lines related to SASL authentication failures. For example:
Jan 1 12:34:56 mail postfix/smtpd[12345]: warning: unknown[192.168.100.1]: SASL LOGIN authentication failed: authentication failure
Update the regex so that the bracketed client address is captured by the \[<HOST>\] tag (a bare <HOST> without the escaped brackets cannot match unknown[192.168.100.1]):
mdre-auth2 = ^[^[]*\[<HOST>\]\s*: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed: .*
Combine both under a single name. Put each alternative on its own indented continuation line: Fail2ban treats every line of a multi-line value as a separate failregex, and the <HOST> tag may appear only once per regex, so joining the two with | on one line fails to compile.
mdre-aggressive = ^[^[]*\[<HOST>\]\s*: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed: .*
                  ^%(_pref)s from [^[]*\[<HOST>\]%(_port)s: [45][50][04] [45]\.\d\.\d+ (?:(?:<[^>]*>)?: )?(?:(?:Helo command|(?:Sender|Recipient) address) rejected: )?(?:Service unavailable|(?:Client host|Command|Data command) rejected|Relay access denied|(?:Host|Domain) not found|need fully-qualified hostname|match|user unknown)\b
Make sure the filter still selects the pattern by mode, so that mode=aggressive expands to the combined pattern (this is how the stock filter defines it):
failregex = <mdre-<mode>>
Test the filter against the real log. Pass the same mode the jail will use; without it, fail2ban-regex tests the filter's default mode and never exercises mdre-aggressive:
fail2ban-regex /var/log/mail.log 'postfix[mode=aggressive]'
Check that both the SMTP rejection lines and the SASL authentication failures are counted as matched in the output.
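To see what the combined pattern does before touching the live jail, here is an added Python example (not part of the original page and not Fail2ban's own code) that compiles the two aggressive-mode regexes above and runs them over constructed log lines. The syslog prefix handling and the <HOST> expansion are simplified stand-ins for Fail2ban's prefregex and host tag (IPv4 and hostnames only, no IPv6); the _pref and _port macros are the ones from the stock postfix.conf.

```python
import re

# Macros as defined in fail2ban's stock postfix.conf.
_PREF = r"[A-Z]{4}"
_PORT = r"(?::\d+)?"

# Simplified <HOST> tag (assumption: IPv4 address or hostname; the real tag
# also accepts IPv6). A named group may occur only once per regex, which is
# why each alternative below is compiled separately, as fail2ban does for
# every line of a multi-line failregex value.
_HOST = r"(?P<host>[\w\-.]+)"

MDRE_AGGRESSIVE = [
    # SASL authentication failures (the page's corrected mdre-auth2)
    r"^[^[]*\[<HOST>\]\s*: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed: .*",
    # SMTP rejections (normal mode plus the page's "user unknown" alternative)
    r"^%(_pref)s from [^[]*\[<HOST>\]%(_port)s: [45][50][04] [45]\.\d\.\d+ "
    r"(?:(?:<[^>]*>)?: )?(?:(?:Helo command|(?:Sender|Recipient) address) rejected: )?"
    r"(?:Service unavailable|(?:Client host|Command|Data command) rejected|Relay access denied|"
    r"(?:Host|Domain) not found|need fully-qualified hostname|match|user unknown)\b",
]
KINDS = ("sasl-auth", "smtp-reject")


def _expand(pattern: str) -> re.Pattern:
    """Substitute the %(...)s macros and the <HOST> tag, then compile."""
    pattern = pattern % {"_pref": _PREF, "_port": _PORT}
    return re.compile(pattern.replace("<HOST>", _HOST))


FAILREGEX = [_expand(p) for p in MDRE_AGGRESSIVE]

# Simplified prefregex: syslog header, postfix smtpd daemon name and PID, then
# an optional "warning: " or "<queue>: reject: " lead, leaving the content that
# the failregexes are matched against.
PREFREGEX = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ "
    r"postfix(?:-\w+)?/(?:submission/|smtps/)?smtp[ds]\[\d+\]: "
    r"(?:warning: |\w+: reject: )?(?P<content>.+)$"
)


def match_line(line: str):
    """Return (host, kind) if a failregex matches the line, else None."""
    m = PREFREGEX.match(line)
    if not m:
        return None
    content = m.group("content")
    for kind, rx in zip(KINDS, FAILREGEX):
        f = rx.match(content)
        if f:
            return f.group("host"), kind
    return None


def scan(lines):
    """Count matches per host, as a jail does before comparing with maxretry."""
    hits = {}
    for line in lines:
        r = match_line(line)
        if r:
            hits[r[0]] = hits.get(r[0], 0) + 1
    return hits


def to_ban(lines, maxretry=3):
    """Hosts that reached maxretry (findtime is ignored in this toy)."""
    return sorted(h for h, n in scan(lines).items() if n >= maxretry)


# Constructed sample log lines (not real traffic); the addresses are documentation ranges.
SAMPLE_LOG = [
    "Jan  1 12:34:56 mail postfix/smtpd[12345]: warning: unknown[192.168.100.1]: SASL LOGIN authentication failed: authentication failure",
    "Jan  1 12:34:58 mail postfix/smtpd[12345]: warning: unknown[192.168.100.1]: SASL LOGIN authentication failed: authentication failure",
    "Jan  1 12:35:01 mail postfix/smtpd[12345]: warning: unknown[192.168.100.1]: SASL LOGIN authentication failed: authentication failure",
    "Jan  1 12:35:10 mail postfix/submission/smtpd[12346]: warning: unknown[192.168.100.2]: SASL PLAIN authentication failed: UGFzc3dvcmQ6",
    "Jan  1 12:36:02 mail postfix/smtpd[12347]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <victim@example.test>: Relay access denied; from=<spam@example.invalid> to=<victim@example.test> proto=ESMTP helo=<x>",
    "Jan  1 12:36:30 mail postfix/smtpd[12348]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 504 5.5.2 <box>: Helo command rejected: need fully-qualified hostname; from=<a@example.invalid> to=<b@example.test> proto=ESMTP helo=<box>",
    "Jan  1 12:37:00 mail postfix/smtpd[12349]: connect from mx.example.test[198.51.100.9]",
    "Jan  1 12:37:05 mail postfix/smtpd[12349]: warning: unknown[203.0.113.8]: SASL LOGIN authentication failed: Connection lost to authentication server",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(match_line(line) or "no match", "<-", line[:70])
    print("would ban with maxretry=3:", to_ban(SAMPLE_LOG))
```

Two things worth noticing in the output: the plain connect line is not matched, and the last line is. The trailing ": .*" in the SASL pattern also matches "Connection lost to authentication server", which the stock fail2ban filter excludes with a negative lookahead because it signals a backend (saslauthd or Dovecot) outage, not a bad password; if your auth backend goes down, every client that tries to log in would be counted against maxretry.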
In /etc/fail2ban/jail.local, enable the jail and select the aggressive mode of the filter:
[postfix]
enabled = true
port = smtp,ssmtp,smtps,submission
filter = postfix[mode=aggressive]
logpath = /var/log/mail.log
maxretry = 3
bantime = 48h
action = iptables-multiport[name=postfix, port="smtp,ssmtp,smtps,submission", protocol=tcp]
Restart Fail2ban so the edited filter and jail are loaded:
sudo systemctl restart fail2ban
Then confirm the jail is running, how many lines it has matched and which hosts are currently banned:
sudo fail2ban-client status postfix