Thanks Ilia for your concern …
FirewallD is not creating the banned IP list. Fail2Ban detects the attackers, but they are not blocked.
Status
|- Number of jail: 6
`- Jail list: dovecot, postfix, postfix-sasl, proftpd, sshd, webmin-auth
fail2ban-client status postfix-sasl
Status for the jail: postfix-sasl
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- Journal matches: _SYSTEMD_UNIT=postfix.service
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
Running tests
=============
Use failregex filter file : postfix, basedir: /etc/fail2ban
Use datepattern : {^LN-BEG} : Default Detectors
Use log file : /var/log/mail.log
Use encoding : UTF-8
Results
=======
Prefregex: 59 total
| ^(?:[])?\s*(?:<[^.]+.[^.]+>\s+)?(?:\S+\s+)?(?:kernel:\s?[ *\d+.\d+]:?\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:[\d+])?:\s+[[(]?postfix(-\w+)?/\w+(?:/smtp[ds])?(?:(\S+))?[])]?:?|[[(]?postfix(-\w+)?/\w+(?:/smtp[ds])?(?:(\S+))?[])]?:?(?:[\d+])?:?)\s+)?(?:[ID \d+ \S+]\s+)?(?:\w+: reject:|(?:improper command pipelining|too many errors) after \S+) (?P.+)$
`-
Failregex: 59 total
|- #) [# of hits] regular expression
| 1) [26] ^RCPT from [^[]*[](?::\d+)?: 55[04] 5.7.1\s
| 5) [24] ^(RCPT|VRFY) from [^[]*[](?::\d+)?: 550 5.1.1\s
| 7) [9] ^from [^[]*[](?::\d+)?:?
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [187723] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:.Microseconds)?(?: ExYear)?
`-
Lines: 187723 lines, 0 ignored, 59 matched, 187664 missed
[processed in 8.45 sec]
In my opinion I have 59 attackers matching the jail. But I can see in the mail.log that the attack continues and that the firewallD rules list remains empty.
The mail.log is like this:
Oct 19 15:32:55 host03 postfix/smtpd[124656]: warning: unknown[5.34.207.68]: SASL LOGIN authentication failed: authentication failure
The jail definition is out of the box, like this:
[postfix-sasl]
enabled = true
port = smtp,465,submission,imap,imaps,pop3,pop3s
Strangely, there is no action line predefined.
The filter action jail is:
postfix[mode=auth] on log %(postfix_log)s
Log might be wrong and should point to mail.log instead.
I have a VPS ready that we can play around with, if you like.
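
An added example, not part of the original post and not fail2ban's own code: it parses the `fail2ban-client status postfix-sasl` output quoted above and names the stage at which the chain log source → filter → ban threshold → firewall action stops, using the jail counters and the quoted mail.log line. The function names and the simplified SASL pattern are assumptions made for this illustration.

```python
import re
from collections import Counter

# Constructed inputs, copied from the status output and log line quoted in the post.
STATUS = """\
Status for the jail: postfix-sasl
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- Journal matches: _SYSTEMD_UNIT=postfix.service
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
"""
LOG = ["Oct 19 15:32:55 host03 postfix/smtpd[124656]: warning: unknown[5.34.207.68]: "
       "SASL LOGIN authentication failed: authentication failure"]

# Simplified pattern written for this example; it is NOT fail2ban's postfix[mode=auth] regex.
SASL_FAIL = re.compile(r"postfix(?:-\w+)?/\w+\[\d+\]: warning: \S*\[([0-9a-fA-F.:]+)\]: "
                       r"SASL \S+ authentication failed")

def parse_status(text):
    """Flatten `fail2ban-client status <jail>` tree output into {key: value}."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^[\s|`-]*([^:]+):\s*(.*)$", line)  # strip tree-drawing prefix
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def sasl_failures(lines):
    """Count SASL authentication failures per client address in file-log lines."""
    return Counter(m.group(1) for m in map(SASL_FAIL.search, lines) if m)

def diagnose(fields, file_hits):
    """Name the stage where the pipeline stops: 'source', 'filter', 'threshold' or 'action'."""
    failed, banned = int(fields["Total failed"]), int(fields["Total banned"])
    reads_journal = "Journal matches" in fields
    if failed == 0 and file_hits and reads_journal:
        return "source"      # failures exist in the file log, but the jail reads the journal
    if failed == 0:
        return "filter"      # jail reads its source but the filter matched nothing
    if banned == 0:
        return "threshold"   # failures counted, maxretry within findtime not reached
    return "action"          # bans were issued; inspect the ban action / firewall rules

if __name__ == "__main__":
    f = parse_status(STATUS)
    print(diagnose(f, sasl_failures(LOG)), f.get("Journal matches"))
```
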