After detecting spammers with an RBL (real-time blackhole list) you can block them for a predefined period of time with the help of fail2ban. How it works:
– fail2ban parses mail.log
– when a spammer's IP is found in an RBL reject line it is added to a temporary ban list
– further connections from the spammer's IP are blocked for the ban time
- Check smtpd_recipient_restrictions in /etc/postfix/main.cf

    smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_rhsbl_helo dbl.spamhaus.org,
        reject_rhsbl_reverse_client dbl.spamhaus.org,
        reject_rhsbl_sender dbl.spamhaus.org,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client b.barracudacentral.org,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client cbl.abuseat.org,
        reject_rbl_client psbl.surriel.com,
        reject_rbl_client ubl.unsubscore.com,
        reject_rbl_client bl.nosolicitado.org,
        check_policy_service unix:private/policy-spf
- Double-check that you are NOT using Google DNS (aka 8.8.8.8): Spamhaus answers queries relayed through large public resolvers with an error return code instead of a real listing result, and with the bare list names used above Postfix treats any answer as a listing, so legitimate mail could be rejected as well.
- Add to /etc/fail2ban/jail.local

    [postfix-rbl2]
    enabled  = true
    maxretry = 2
    bantime  = 3600
    filter   = postfix-rbl2
    logpath  = /var/log/mail.log
- Create /etc/fail2ban/

    # Fail2Ban filter for Postfix's RBL based Blocked hosts
    #

    [INCLUDES]

    # Read common prefixes. If any customizations available -- read them from
    # common.local
    before = common.conf

    [Definition]

    _daemon = postfix/smtpd

    failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 Service unavailable; Client host \[\S+\] blocked using .* from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$

    ignoreregex =

    # Author: Lee Clemens
    # Mod: Milan Enev
- Restart fail2ban and test the config (as root)

    # service fail2ban restart
    # fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix-rbl2.conf -v
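As an added example (not part of the original post and not fail2ban's own code), the script below applies the postfix-rbl2 failregex to a few constructed mail.log lines and mimics the jail's maxretry/findtime counting, so you can see which clients would be banned before touching the live config. The __prefix_line pattern is a simplified stand-in for the one in common.conf, and the log lines are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime

# Simplified stand-in for fail2ban's %(__prefix_line)s from common.conf (an assumption
# for this example; the real definition covers several syslog layouts).
PREFIX_LINE = r"\S+\s+\d+ \d+:\d+:\d+ \S+ postfix/smtpd\[\d+\]: "
# The named group fail2ban substitutes for <HOST>.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex from postfix-rbl2.conf with the two placeholders expanded.
FAILREGEX = re.compile(
    "^" + PREFIX_LINE + r"NOQUEUE: reject: RCPT from \S+\[" + HOST
    + r"\]: 554 5\.7\.1 Service unavailable; Client host \[\S+\] blocked using .* "
    r"from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$"
)

# Constructed mail.log excerpt: two RBL rejects for one client, one for another,
# and a plain connect line that must not match.
SAMPLE_LOG = """\
Mar 13 10:15:22 mx1 postfix/smtpd[12345]: NOQUEUE: reject: RCPT from unknown[192.0.2.45]: 554 5.7.1 Service unavailable; Client host [192.0.2.45] blocked using zen.spamhaus.org; from=<a@example.net> to=<user@example.org> proto=ESMTP helo=<mail.example.net>
Mar 13 10:15:30 mx1 postfix/smtpd[12345]: NOQUEUE: reject: RCPT from unknown[192.0.2.45]: 554 5.7.1 Service unavailable; Client host [192.0.2.45] blocked using zen.spamhaus.org; from=<b@example.net> to=<user@example.org> proto=ESMTP helo=<mail.example.net>
Mar 13 10:16:01 mx1 postfix/smtpd[12346]: NOQUEUE: reject: RCPT from mail.example.com[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using bl.spamcop.net; from=<c@example.com> to=<user@example.org> proto=ESMTP helo=<mail.example.com>
Mar 13 10:17:45 mx1 postfix/smtpd[12347]: connect from mail.example.org[203.0.113.9]
"""

def matches(line):
    """Return the rejected client IP if the line matches the filter, else None."""
    m = FAILREGEX.match(line)
    return m.group("host") if m else None

def hosts_to_ban(log, maxretry=2, findtime=600):
    """Mimic the jail: ban a host once it has maxretry matches within findtime seconds."""
    hits = defaultdict(list)
    banned = []
    for line in log.splitlines():
        host = matches(line)
        if host is None or host in banned:
            continue
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")  # syslog timestamp
        # drop hits that have aged out of the findtime window, then record this one
        hits[host] = [t for t in hits[host] if (ts - t).total_seconds() <= findtime] + [ts]
        if len(hits[host]) >= maxretry:
            banned.append(host)
    return banned

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))  # ['192.0.2.45']
```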