Strategic IT Consulting and Implementation Services

Fixing the fail2ban filter for Postfix unverified address / user unknown spam attacks

For whatever reason, the default distributed Postfix filter I had on my fail2ban setup on Ubuntu was not triggering on:

450 4.1.1 Recipient address rejected: unverified address: unknown user

mail.log errors. The failregex line was in there for it, but it wasn’t hitting on the endless dictionary attack random attempts from spammer servers across the world. This was annoying because, in looking through the mail.logs, I saw hours and hours, days and days of the same servers just trying to send to crazy email addresses perhaps hoping to get a hit. This needed to stop.

I changed one of the failregex entries in /etc/fail2ban/filter.d/postfix.conf from the line that was not working to this:

^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4.1.1 .* Recipient address rejected: unverified address: unknown user:.*$

It’s not fancy and leaves a lot of space on the wildcards but it immediately killed those incoming attacking servers cycling through thousands of bogus generated email addresses.
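
As an added illustration (not code from the original post), the Python sketch below expands the failregex above and runs it over constructed log lines to show which rejects it counts per client IP and which it ignores. The stand-in patterns for fail2ban's %(__prefix_line)s and <HOST> substitutions, the sample lines, and the maxretry=3 threshold are simplifying assumptions, not fail2ban's real definitions.

```python
import re
from collections import Counter

# The failregex from the post, verbatim.
FAILREGEX = (r"^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4.1.1 .* "
             r"Recipient address rejected: unverified address: unknown user:.*$")

# Assumptions: simplified stand-ins for what fail2ban substitutes at load time.
PREFIX_LINE = r"\S+ postfix/smtpd\[\d+\]: "    # syslog host + daemon[pid]
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"    # IPv4 only
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")  # date is stripped before matching

def compile_failregex(failregex=FAILREGEX):
    """Expand the two fail2ban placeholders and compile the result."""
    expanded = failregex.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST)
    return re.compile(expanded)

def count_failures(lines, pattern=None):
    """Return a Counter of client IP -> number of lines the filter would count."""
    pattern = pattern or compile_failregex()
    hits = Counter()
    for line in lines:
        m = pattern.match(TIMESTAMP.sub("", line.rstrip("\n"), count=1))
        if m:
            hits[m.group("host")] += 1
    return hits

def hosts_to_ban(hits, maxretry=3):
    """Hosts whose hit count reaches maxretry (hypothetical threshold; findtime ignored)."""
    return sorted(h for h, n in hits.items() if n >= maxretry)

def _reject(ip, status):
    # Constructed log line in Postfix's NOQUEUE reject layout.
    return (f"Mar  3 04:12:01 mx1 postfix/smtpd[2211]: NOQUEUE: reject: RCPT from "
            f"unknown[{ip}]: {status}; from=<a@example.net> proto=ESMTP helo=<h.example.net>")

UNKNOWN = '450 4.1.1 <{0}@example.com>: Recipient address rejected: unverified address: unknown user: "{0}"'
SAMPLE_LOG = (  # constructed sample input, documentation IP ranges only
    [_reject("203.0.113.7", UNKNOWN.format(u)) for u in ("aaron", "abby", "adam", "alice")]
    + [_reject("198.51.100.20", UNKNOWN.format("info"))]                 # one miss, below threshold
    + [_reject("198.51.100.20", "550 5.1.1 <x@example.com>: Recipient address rejected: "
               "User unknown in local recipient table")]                  # different code: no hit
    + [_reject("192.0.2.9", "450 4.1.1 <bob@example.com>: Recipient address rejected: "
               "unverified address: connect to 192.0.2.25[192.0.2.25]:25: Connection refused")]
    + ["Mar  3 04:12:02 mx1 postfix/smtpd[2211]: connect from unknown[203.0.113.7]"]
)

if __name__ == "__main__":
    hits = count_failures(SAMPLE_LOG)
    print(dict(hits), "->", hosts_to_ban(hits))
```

The 192.0.2.9 line is a deferral caused by an unreachable verification target rather than an unknown user, so the filter does not count it against the sender.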

If you are looking to stop this type of activity with your Postfix setup, try a variant of the above in the filter and test via:

fail2ban-regex -v /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf

and see if that catches more fish on the filter after you make the changes. Also, restarting fail2ban jails when you have ~40k or so entries in them can take forever, so selectively reloading a single jail is a better way to go when changing filters or configs. This is on Ubuntu:

sudo fail2ban-client reload postfix

Let it cycle through all the unbans and rebans. It will take quite a while, but nothing like the eternity of a reboot or a restart of all jails.

About the author

Jonathan Mergy
