Fighting SPAM with postfix and fail2ban

After detecting spammers with an RBL list you can block them for a predefined period of time with the help of fail2ban. How does it work:
– fail2ban parses mail.log
– when a spammer IP is found it is added to a temporary list
– future requests from the spammer’s IP is blocked

1. Check smtpd_recipient_restrictions  in /etc/postfix/main.cf
   
   /etc/postfix/main.cf

   Shell

   smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rhsbl_helo dbl.spamhaus.org, reject_rhsbl_reverse_client dbl.spamhaus.org, reject_rhsbl_sender dbl.spamhaus.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client b.barracudacentral.org, reject_rbl_client bl.spamcop.net, reject_rbl_client cbl.abuseat.org, reject_rbl_client psbl.surriel.com, reject_rbl_client ubl.unsubscore.com, reject_rbl_client bl.nosolicitado.org, check_policy_service unix:private/policy-spf

   1 2 3 4 5 6 7 8 9 10 11 12 13 14

   smtpd_recipient_restrictions = permit_mynetworks,                           permit_sasl_authenticated,                           reject_unauth_destination,                           reject_rhsbl_helo dbl.spamhaus.org,                           reject_rhsbl_reverse_client dbl.spamhaus.org,                           reject_rhsbl_sender dbl.spamhaus.org,                           reject_rbl_client zen.spamhaus.org,                           reject_rbl_client b.barracudacentral.org,                           reject_rbl_client bl.spamcop.net,                           reject_rbl_client cbl.abuseat.org,                           reject_rbl_client psbl.surriel.com,                           reject_rbl_client ubl.unsubscore.com,                           reject_rbl_client bl.nosolicitado.org,                           check_policy_service unix:private/policy-spf

2. Double-check that you are NOT using google DNS (aka 8.8.8.8)
3. Add to  /etc/fail2ban/jail.local
   
   /etc/fail2ban/jail.local

   [postfix-rbl2] enabled = true maxretry = 2 bantime = 3600 filter = postfix-rbl2 logpath = /var/log/mail.log

   1 2 3 4 5 6

   [postfix-rbl2] enabled = true maxretry = 2 bantime = 3600 filter = postfix-rbl2 logpath = /var/log/mail.log

4. Create /etc/fail2ban/
   
   cat /etc/fail2ban/

   # Fail2Ban filter for Postfix's RBL based Blocked hosts # # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = postfix/smtpd failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 Service unavailable; Client host \[\S+\] blocked using .* from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$ ignoreregex = # Author: Lee Clemens # Mod: Milan Enev

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20

   # Fail2Ban filter for Postfix's RBL based Blocked hosts # #   [INCLUDES]   # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf   [Definition]   _daemon = postfix/smtpd   failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 Service unavailable; Client host \[\S+\] blocked using .* from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$   ignoreregex =   # Author: Lee Clemens # Mod: Milan Enev

5. Restart fail2ban and test config
   
   fail2ban-regex

   #service fail2ban restart fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix-rbl2.conf -v

   1 2	#service fail2ban restart fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix-rbl2.conf  -v

   
   Similar readings:
   Adaptive DDOS IDS firewall