Restart fail2ban with `supervisorctl restart fail2ban`
Reload postfix with `supervisorctl restart postfix`
Check what is still in the cache with `postmap -s btree:/var/lib/postfix/postscreen_cache`
nano /etc/postfix/main.cf
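# Enable postscreen (these settings only take effect once the postscreen service itself is enabled in master.cf, which this page does not show)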
postscreen_greet_banner = $myhostname ESMTP - Access denied
# Enable DNSBL checks
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2 bl.spamcop.net*1
postscreen_dnsbl_threshold = 3
# Timeouts and cache
postscreen_dnsbl_ttl = 1h
postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
# Recipient restrictions: policy service on 127.0.0.1:10031
smtpd_recipient_restrictions =
    check_policy_service inet:127.0.0.1:10031
nano /etc/postfix/dnsbl_reply
zen.spamhaus.org 550 5.7.1 Access denied, listed in zen.spamhaus.org
bl.spamcop.net 550 5.7.1 Access denied, listed in Spamcop
b.barracudacentral.org 550 5.7.1 Access denied, listed in Barracuda
nano /etc/fail2ban/filter.d/postscreen.conf
[Definition]
failregex = ^.*postfix/postscreen\[\d+\]: DNSBL rank \d+ for \[<HOST>\]:\d+
            ^.*postfix/postscreen\[\d+\]: DISCONNECT \[<HOST>\]:\d+
ignoreregex =
nano /etc/fail2ban/jail.local
[postscreen]
enabled = true
filter = postscreen
action = iptables[name=Postscreen, port=smtp, protocol=tcp]
logpath = /var/log/mail.log
maxretry = 1
findtime = 600
bantime = 3600
restart fail2ban: supervisorctl restart fail2ban
check which IPs in mail.log were detected by Spamhaus: grep -i "spamhaus" /var/log/mail.log
check which IPs are banned by the postscreen DNSBL filter (which reads the Spamhaus entries in mail.log):
fail2ban-client status postscreen
check whether the regex catches anything in mail.log (replace your-filter.conf with the filter under test, here postscreen.conf)
fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/your-filter.conf
fail2ban-client reload
fail2ban-client status (shows all jails)
postscreen_greet_banner = $myhostname ESMTP - Access denied
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2 bl.spamcop.net*1
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
smtpd_recipient_restrictions =
    check_policy_service inet:127.0.0.1:10031
## 2) Add a reply map that is used in main.cf
`nano /etc/postfix/dnsbl_reply`
zen.spamhaus.org 550 5.7.1 Access denied, listed in zen.spamhaus.org
bl.spamcop.net 550 5.7.1 Access denied, listed in Spamcop
b.barracudacentral.org 550 5.7.1 Access denied, listed in Barracuda
## 3) Create a filter
`nano /etc/fail2ban/filter.d/postscreen.conf`
```
[Definition]
failregex = ^.*postfix/postscreen\[\d+\]: DNSBL rank \d+ for \[<HOST>\]:\d+
            ^.*postfix/postscreen\[\d+\]: DISCONNECT \[<HOST>\]:\d+
ignoreregex =
```
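#### failregex will catch:
- DNSBL rank detections.
- DISCONNECT events tied to IPs. This pattern matches any postscreen DISCONNECT line, not only clients that hit a DNSBL, and with `maxretry = 1` a single match bans the address, so run `fail2ban-regex` against real logs to confirm it does not catch legitimate senders.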
***
## 4) Create a jail for Postscreen
`nano /etc/fail2ban/jail.local`
[postscreen]
enabled = true
filter = postscreen
action = iptables[name=Postscreen, port=smtp, protocol=tcp]
logpath = /var/log/mail.log
maxretry = 1
findtime = 600
bantime = 3600
### restart and check
- restart fail2ban: `supervisorctl restart fail2ban`
- check which IPs in mail.log were detected by Spamhaus: `grep -i "spamhaus" /var/log/mail.log`
- check which IPs are banned by the postscreen DNSBL filter (which reads the Spamhaus entries in mail.log):
`fail2ban-client status postscreen`
- check whether the regex catches anything in mail.log:
`fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/your-filter.conf`
`fail2ban-client reload`
`fail2ban-client status` shows all jails