Fighting SPAM with postfix and fail2ban

After detecting spammers with an RBL list you can block them for a predefined period of time with the help of fail2ban. How it works:
– fail2ban parses mail.log
– when a spammer IP is found it is added to a temporary list
– future requests from the spammer’s IP are blocked

  1. Check smtpd_recipient_restrictions in /etc/postfix/main.cf
    smtpd_recipient_restrictions = permit_mynetworks,
                              permit_sasl_authenticated,
                              reject_unauth_destination,
                              reject_rhsbl_helo dbl.spamhaus.org,
                              reject_rhsbl_reverse_client dbl.spamhaus.org,
                              reject_rhsbl_sender dbl.spamhaus.org,
                              reject_rbl_client zen.spamhaus.org,
                              reject_rbl_client b.barracudacentral.org,
                              reject_rbl_client bl.spamcop.net,
                              reject_rbl_client cbl.abuseat.org,
                              reject_rbl_client psbl.surriel.com,
                              reject_rbl_client ubl.unsubscore.com,
                              reject_rbl_client bl.nosolicitado.org,
                              check_policy_service unix:private/policy-spf
  2. Double-check that you are NOT using Google DNS (aka 8.8.8.8)
  3. Add to /etc/fail2ban/jail.local
    [postfix-rbl2]
    enabled = true
    maxretry = 2
    bantime = 3600
    filter = postfix-rbl2
    logpath = /var/log/mail.log
    
  4. Create /etc/fail2ban/
    # Fail2Ban filter for Postfix's RBL based Blocked hosts
    #
    #
    
    [INCLUDES]
    
    # Read common prefixes. If any customizations available -- read them from
    # common.local
    before = common.conf
    
    [Definition]
    
    _daemon = postfix/smtpd
    
    failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 Service unavailable; Client host \[\S+\] blocked using .* from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
    
    ignoreregex =
    
    # Author: Lee Clemens
    # Mod: Milan Enev
  5. Restart fail2ban and test config
    # service fail2ban restart
    fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix-rbl2.conf  -v
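As an added illustration (not part of the original post), here is the filter's failregex run over a constructed mail.log sample in plain Python. fail2ban normally expands %(__prefix_line)s from common.conf and <HOST> itself; both are approximated by hand here, so this is a check of the regex logic, not a replacement for fail2ban-regex. The sample also includes a constructed reject_rhsbl_sender rejection, whose reason text reads "Sender address [...] blocked using" rather than "Client host [...]", to show that this failregex only counts client-IP RBL rejections.

```python
import re
from collections import Counter

# Constructed mail.log sample using RFC 5737 documentation addresses; not a real capture.
SAMPLE_LOG = """\
Mar  3 10:15:01 mx1 postfix/smtpd[12345]: connect from unknown[198.51.100.23]
Mar  3 10:15:02 mx1 postfix/smtpd[12345]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 554 5.7.1 Service unavailable; Client host [198.51.100.23] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/198.51.100.23; from=<a@example.com> to=<user@example.org> proto=ESMTP helo=<mail.example.com>
Mar  3 10:15:04 mx1 postfix/smtpd[12345]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 554 5.7.1 Service unavailable; Client host [198.51.100.23] blocked using bl.spamcop.net; from=<b@example.com> to=<user@example.org> proto=ESMTP helo=<mail.example.com>
Mar  3 10:16:10 mx1 postfix/smtpd[12346]: NOQUEUE: reject: RCPT from host.example.net[203.0.113.77]: 554 5.7.1 Service unavailable; Client host [203.0.113.77] blocked using zen.spamhaus.org; from=<c@example.com> to=<user@example.org> proto=ESMTP helo=<host.example.net>
Mar  3 10:17:00 mx1 postfix/smtpd[12347]: NOQUEUE: reject: RCPT from mail.example.com[192.0.2.5]: 554 5.7.1 Service unavailable; Sender address [spam@example.com] blocked using dbl.spamhaus.org; from=<spam@example.com> to=<user@example.org> proto=ESMTP helo=<mail.example.com>
"""

# The post's failregex with fail2ban's two substitutions expanded by hand (approximation):
# %(__prefix_line)s becomes the syslog prefix "<timestamp> <host> postfix/smtpd[<pid>]: "
# and <HOST> becomes fail2ban's named "host" group.
PREFIX = r"\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ postfix/smtpd\[\d+\]: "
HOST = r"(?P<host>[\w\-.^_]*\w)"
FAILREGEX = re.compile(
    r"^" + PREFIX
    + r"NOQUEUE: reject: RCPT from \S+\[" + HOST + r"\]: 554 5\.7\.1 Service unavailable; "
    r"Client host \[\S+\] blocked using .* from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$"
)


def matching_hosts(log_text):
    """Return the <HOST> capture of every line the filter matches, in log order."""
    return [m.group("host") for line in log_text.splitlines()
            if (m := FAILREGEX.match(line))]


def hosts_to_ban(log_text, maxretry=2):
    """Hosts that reached the jail's maxretry (the post sets 2) within the sample."""
    counts = Counter(matching_hosts(log_text))
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    # The sender-RHSBL line and the plain connect line are not counted.
    print(matching_hosts(SAMPLE_LOG))  # ['198.51.100.23', '198.51.100.23', '203.0.113.77']
    print(hosts_to_ban(SAMPLE_LOG))    # ['198.51.100.23']
```

Real deployments should confirm the match count with the fail2ban-regex command above, since fail2ban's own __prefix_line also handles findtime windows and other syslog layouts this approximation ignores.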
