You could do a few while loops to log these into a file:

    grep "Junk" /var/log/maillog | cut -d ">" -f1 | cut -d "<" -f2 | while read rubbish ; do grep -F "$rubbish" /var/log/maillog ; done | grep postfix | cut -d ":" -f4 | while read messageid ; do grep -F "$messageid" /var/log/maillog ; done | grep smtpd > /var/log/somelogfile

I'm not sure if this works, since I don't do filtering on our imap server at that point.

Thanks,
Rich

From: Nicolas Repentin [mailto:[email protected]]
Sent: 15 October 2015 08:22
To: [email protected]
Cc: [email protected]
Subject: Re: [Fail2ban-users] Fail2ban / postfix

Hi

This is a good idea :-)

Nicolas Repentin <[email protected]>

On 15 October 2015 09:15, Iosif Fettich wrote:

Hi Nicolas,

I've got a question about a possible regex; maybe someone can help tell me if it is possible.

On a postfix server, fail2ban can block rejected connections, or multiple tries. But is it possible to make it block the servers which sent a junk mail?

For example, in /var/log/maillog, when a server connects and sends junk, we've got the lines:

    Oct 14 03:22:37 myserver postfix/smtpd[31362]: connect from unknown[31.31.126.189]
    Oct 14 03:22:38 myserver postfix/smtpd[31362]: 3A5A9606BB: client=unknown[31.31.126.189]
    Oct 14 03:22:38 myserver postfix/cleanup[31366]: 3A5A9606BB: message-id=<[email protected]>
    Oct 14 03:22:39 myserver postfix/qmgr[2110]: 3A5A9606BB: from=<[email protected]>, size=66836, nrcpt=1 (queue active)
    Oct 14 03:22:40 myserver postfix/pipe[31367]: 3A5A9606BB: to=<[email protected]>, relay=spamassassin, delay=2.1, delays=1.2/0.01/0/0.83, dsn=2.0.0, status=sent (delivered via spamassassin service)
    Oct 14 03:22:40 myserver dovecot: lda(myaddress): sieve: msgid=<[email protected]>: stored mail into mailbox 'Junk'
    Oct 14 03:22:40 myserver postfix/qmgr[2110]: 3A5A9606BB: removed

Can we make a regex for fail2ban to search the IP of the server which generated a 'Junk' mail, to ban it?

It's a little tricky because we need to filter all lines with 'Junk', to get the msgid ([email protected]), to get the transaction ID (3A5A9606BB), to get the IP address (31.31.126.189)....

If I can find a way to do it, it could block a lot of junk mail before the spammer makes transactions (and load on the system).

Maybe someone knows how to do it?

Maybe others would know better, but I think you have to take a two-step approach.

1) write a (crontab-based?) script that processes the above log and creates an extra 'junkers.log' log file, which has the info you need conveniently packed

2) write the regex to deal with your junkers.log file

Just a thought.

Best regards,

Iosif Fettich
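As an added example (not code from anyone in this thread), here is one way to implement Iosif's two-step approach in Python rather than with nested grep loops: correlate the dovecot 'Junk' line back to its message-id, the cleanup line back to the queue id, and the smtpd line back to the client IP, then write one junkers.log line per junk delivery and check it against a candidate fail2ban failregex. The sample log excerpt is constructed in the shape of the lines quoted above (message-ids and addresses are placeholders; the 192.0.2.10 entry is a made-up non-junk message so the filter has something to ignore). The failregex string and the `<HOST>` expansion are assumptions to be confirmed with `fail2ban-regex` before use; fail2ban's own `<HOST>` handling is richer than the plain IP capture used for the self-check here.

```python
import re

# Constructed sample in the shape of the thread's /var/log/maillog lines.
# Message-ids and addresses are placeholders, not real ones.
SAMPLE_MAILLOG = """\
Oct 14 03:22:37 myserver postfix/smtpd[31362]: connect from unknown[31.31.126.189]
Oct 14 03:22:38 myserver postfix/smtpd[31362]: 3A5A9606BB: client=unknown[31.31.126.189]
Oct 14 03:22:38 myserver postfix/cleanup[31366]: 3A5A9606BB: message-id=<junk1@example.invalid>
Oct 14 03:22:39 myserver postfix/qmgr[2110]: 3A5A9606BB: from=<sender@example.invalid>, size=66836, nrcpt=1 (queue active)
Oct 14 03:22:40 myserver postfix/pipe[31367]: 3A5A9606BB: to=<me@example.invalid>, relay=spamassassin, delay=2.1, delays=1.2/0.01/0/0.83, dsn=2.0.0, status=sent (delivered via spamassassin service)
Oct 14 03:22:40 myserver dovecot: lda(myaddress): sieve: msgid=<junk1@example.invalid>: stored mail into mailbox 'Junk'
Oct 14 03:22:40 myserver postfix/qmgr[2110]: 3A5A9606BB: removed
Oct 14 03:25:01 myserver postfix/smtpd[31370]: 7B1C2D3E4F: client=mail.example.invalid[192.0.2.10]
Oct 14 03:25:01 myserver postfix/cleanup[31371]: 7B1C2D3E4F: message-id=<ham1@example.invalid>
Oct 14 03:25:02 myserver dovecot: lda(myaddress): sieve: msgid=<ham1@example.invalid>: stored mail into mailbox 'INBOX'
"""

# smtpd line: queue id -> client IP
CLIENT_RE = re.compile(r'postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=\S+\[(?P<ip>[0-9a-fA-F.:]+)\]')
# cleanup line: queue id -> message-id
MSGID_RE = re.compile(r'postfix/cleanup\[\d+\]: (?P<qid>[0-9A-F]+): message-id=<(?P<msgid>[^>]+)>')
# dovecot sieve line: message-id filed into the Junk mailbox
JUNK_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: .*msgid=<(?P<msgid>[^>]+)>: "
                     r"stored mail into mailbox 'Junk'")


def junkers_from_maillog(text):
    """Return (timestamp, ip, msgid) for every message that sieve filed as Junk."""
    qid_to_ip = {}
    msgid_to_qid = {}
    junk = []  # (timestamp, msgid) in log order
    for line in text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            qid_to_ip[m['qid']] = m['ip']
            continue
        m = MSGID_RE.search(line)
        if m:
            msgid_to_qid[m['msgid']] = m['qid']
            continue
        m = JUNK_RE.search(line)
        if m:
            junk.append((m['ts'], m['msgid']))
    out = []
    for ts, msgid in junk:
        qid = msgid_to_qid.get(msgid)
        ip = qid_to_ip.get(qid)
        if ip is None:
            # Locally submitted mail, or the smtpd line was rotated away: nothing to ban.
            continue
        out.append((ts, ip, msgid))
    return out


def junkers_log_lines(text):
    """Step 1: lines for the extra junkers.log file, one per junk delivery, IP last."""
    return [f"{ts} junker: msgid=<{msgid}> client={ip}" for ts, ip, msgid in junkers_from_maillog(text)]


# Step 2 (assumption): a fail2ban failregex for junkers.log. The syslog-style
# timestamp at the start of each line is left to fail2ban's default date handling.
FAILREGEX = r"junker: msgid=<[^>]+> client=<HOST>$"


def failregex_matches(line):
    """Self-check that emulates <HOST> with a plain IP capture; returns the IP or None."""
    pat = FAILREGEX.replace("<HOST>", r"(?P<host>[0-9a-fA-F.:]+)")
    m = re.search(pat, line)
    return m['host'] if m else None


if __name__ == "__main__":
    for entry in junkers_log_lines(SAMPLE_MAILLOG):
        print(entry, "->", failregex_matches(entry))
```

Run from cron against the real /var/log/maillog and append the output to junkers.log; only the 31.31.126.189 transaction is emitted from the sample, because the second message was filed into INBOX. A message whose smtpd line is missing (local submission, or a log rotated between the connect and the delivery) is skipped rather than mis-attributed, which is the failure mode the grep pipeline above silently gets wrong.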
------------------------------------------------------------------------------
_______________________________________________ Fail2ban-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/fail2ban-users
