I want to be sure that fail2ban is properly banning failed postfix SASL login attempts.

When I do iptables -L I can see the list of banned hosts for SSHD, but I can't figure out a way to see the banned hosts for SASL.

postfix SASL is enabled, which I can confirm with:

fail2ban-client status
Status
|- Number of jail:  4
`- Jail list:   dovecot, postfix, postfix-sasl, sshd

And I can confirm there are failed login attempts, from mail.log, for example:

Aug 31 22:23:49 host2 postfix/smtpd[35397]: warning: hostname systemip3.example.com does not resolve to address 91.200.12.100
Aug 31 22:23:49 host2 postfix/smtpd[35397]: connect from unknown[91.200.12.100]
Aug 31 22:23:52 host2 postfix/smtpd[35397]: warning: unknown[91.200.12.100]: SASL LOGIN authentication failed: authentication failure
Aug 31 22:23:52 host2 postfix/smtpd[35397]: lost connection after AUTH from unknown[91.200.12.100]
Aug 31 22:23:52 host2 postfix/smtpd[35397]: disconnect from unknown[91.200.12.100] ehlo=1 auth=0/1 commands=1/2

1 Answer

Looks like I've found the answer to my own question: apparently fail2ban-client status will say that a service is enabled even if there is no filter rule for that particular ban.

The solution was to create /etc/fail2ban/filter.d/postfix-sasl.conf with the following contents:

# Fail2Ban filter for postfix authentication failures
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = postfix/smtpd

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$

# Author: Yaroslav Halchenko

and reload the configuration with

fail2ban-client reload

Then, after a while, iptables -L confirms it's working and banning IPs:

Chain f2b-postfix-sasl (1 references)
target     prot opt source               destination         
REJECT     all  --  systemip8.example.com  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  systemip8.example.com  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  12.215.34.226        anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere
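Before reloading, it is worth confirming that the failregex actually matches the log lines you expect and nothing else. The following Python script is an added example (not from the answer above or from fail2ban itself): it applies the filter's failregex to the mail.log excerpt from the question, expanding the two fail2ban placeholders the way fail2ban does, with a simplified stand-in for common.conf's __prefix_line as an assumption.

```python
import re

# Constructed sample, copied in shape from the mail.log excerpt in the question.
SAMPLE_LOG = """\
Aug 31 22:23:49 host2 postfix/smtpd[35397]: warning: hostname systemip3.example.com does not resolve to address 91.200.12.100
Aug 31 22:23:49 host2 postfix/smtpd[35397]: connect from unknown[91.200.12.100]
Aug 31 22:23:52 host2 postfix/smtpd[35397]: warning: unknown[91.200.12.100]: SASL LOGIN authentication failed: authentication failure
Aug 31 22:23:52 host2 postfix/smtpd[35397]: lost connection after AUTH from unknown[91.200.12.100]
Aug 31 22:23:52 host2 postfix/smtpd[35397]: disconnect from unknown[91.200.12.100] ehlo=1 auth=0/1 commands=1/2
"""

# The failregex exactly as written in the filter file above.
FAILREGEX = (
    r"^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: "
    r"SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
    r"(: [ A-Za-z0-9+/]*={0,2})?\s*$"
)
DAEMON = r"postfix/smtpd"  # the filter's _daemon value

# Assumption: a simplified syslog prefix "Mon DD HH:MM:SS host daemon[pid]: " standing in
# for common.conf's real __prefix_line, which is more permissive than this.
PREFIX_LINE = r"\S+\s+\d+\s+\d\d:\d\d:\d\d\s+\S+\s+" + DAEMON + r"\[\d+\]:\s+"
# fail2ban replaces <HOST> with a group matching an IP address or hostname.
HOST_GROUP = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[\w.-]+)"


def compile_failregex(failregex=FAILREGEX, prefix_line=PREFIX_LINE):
    """Expand the fail2ban placeholders and compile the resulting pattern."""
    pattern = failregex.replace("%(__prefix_line)s", prefix_line)
    pattern = pattern.replace("<HOST>", HOST_GROUP)
    return re.compile(pattern)


def matching_hosts(log_text, regex=None):
    """Return (line_number, host) for every log line the failregex matches."""
    regex = regex or compile_failregex()
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = regex.match(line)
        if m:
            hits.append((n, m.group("host")))
    return hits


if __name__ == "__main__":
    # Only the "SASL LOGIN authentication failed" line should match; the
    # "does not resolve" warning and the connect/disconnect lines must not.
    for n, host in matching_hosts(SAMPLE_LOG):
        print(f"line {n}: failed SASL login from {host}")
```

On the server itself, fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix-sasl.conf performs the same check against the real filter and the real __prefix_line.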