Fail2Ban error in Postfix-sasl

Hello @ everyone,

I have just reviewed my logs of Fail2Ban. It looks like I have an error in the Postfix-sasl file.

I am getting this error:

2020-05-03 23:08:02,379 fail2ban.filter [601]: INFO [postfix-sasl] Found 45.142.195.8 - 2020-05-03 23:08:01
2020-05-03 23:08:30,412 fail2ban.filter [601]: INFO [postfix-sasl] Found 45.142.195.8 - 2020-05-03 23:08:30
2020-05-03 23:08:31,087 fail2ban.actions [601]: NOTICE [postfix-sasl] Ban 45.142.195.8
2020-05-03 23:08:32,396 fail2ban.utils [601]: Level 39 7f7d9c1c77b0 -- exec: ipset create f2b-postfix-sasl hash:ip timeout 600
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports smtp,465,submission,imap3,imaps,pop3,pop3s -m set --match-set f2b-postfix-sasl src -j REJECT --reject-with icmp-port-unreachable
2020-05-03 23:08:32,396 fail2ban.utils [601]: ERROR 7f7d9c1c77b0 -- stderr: 'ipset v6.34: Set cannot be created: set with the same name already exists'
2020-05-03 23:08:32,396 fail2ban.utils [601]: ERROR 7f7d9c1c77b0 -- stderr: 'Error: COMMAND_FAILED'
2020-05-03 23:08:32,397 fail2ban.utils [601]: ERROR 7f7d9c1c77b0 -- returned 13
2020-05-03 23:08:32,397 fail2ban.actions [601]: ERROR Failed to execute ban jail 'postfix-sasl' action 'firewallcmd-ipset' info 'ActionInfo({'ip': '45.142.195.8', 'family': 'inet4', 'ip-rev': '8.195.142.45.', 'ip-host': None, 'fid': '45.142.195.8', 'failures': 2, 'time': 1588565310.0, 'matches': 'May 3 23:08:01 primary postfix/smtpd[735]: warning: unknown[45.142.195.8]: SASL LOGIN authentication failed: authentication failure\nMay 3 23:08:30 primary postfix/smtpd[735]: warning: unknown[45.142.195.8]: SASL LOGIN authentication failed: authentication failure', 'restored': 0, 'F-*': {'matches': [('', 'May 3 23:08:01', ' primary postfix/smtpd[735]: warning: unknown[45.142.195.8]: SASL LOGIN authentication failed: authentication failure'), 'May 3 23:08:30 primary postfix/smtpd[735]: warning: unknown[45.142.195.8]: SASL LOGIN authentication failed: authentication failure'], 'failures': 2, 'ip4': '45.142.195.8'}, 'ipmatches': 'May 3 23:08:01 primary postfix/smtpd[735]: warning: unknown[45.142.195.8]: SASL LOGIN authentication failed: authentication failure\nMay 3 23:08:30 primary postfix/smtpd[735]: warning: unknown[45.142.195.8]: SASL LOGIN authentication failed: authentication failure', 'ipjailmatches': 'May 3 23:08:01 primary postfix/smtpd[735]: warning: unknown[45.142.195.8]: SASL LOGIN authentication failed: authentication failure\nMay 3 23:08:30 primary postfix/smtpd[735]: warning: unknown[45.142.195.8]: SASL LOGIN authentication failed: authentication failure', 'ipfailures': 2, 'ipjailfailures': 2})': Error starting action Jail('postfix-sasl')/firewallcmd-ipset

Can someone help me with that? I am running on Ubuntu 18.04.

Here is my config-File of the Postfix.conf

# Fail2Ban filter for selected Postfix SMTP rejections

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = postfix(-\w+)?/\w+(?:/smtp[ds])?
_port = (?::\d+)?

prefregex = ^%(__prefix_line)s<mdpr-<mode>> <F-CONTENT>.+</F-CONTENT>$

mdpr-normal = (?:NOQUEUE: reject:|improper command pipelining after \S+)
mdre-normal=^RCPT from [^[]*\[<HOST>\]%(_port)s: 55[04] 5\.7\.1\s
            ^RCPT from [^[]*\[<HOST>\]%(_port)s: 45[04] 4\.7\.1 (?:Service unavailable\b|Client host rejected: cannot find your (reverse )?hostname\b)
            ^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.7\.1 (<[^>]*>)?: Helo command rejected: Host not found\b
            ^EHLO from [^[]*\[<HOST>\]%(_port)s: 504 5\.5\.2 (<[^>]*>)?: Helo command rejected: need fully-qualified hostname\b
            ^VRFY from [^[]*\[<HOST>\]%(_port)s: 550 5\.1\.1\s
            ^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.1\.8 (<[^>]*>)?: Sender address rejected: Domain not found\b
            ^from [^[]*\[<HOST>\]%(_port)s:?

mdpr-auth = warning:
mdre-auth = ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server| Invalid authentication mechanism)
mdre-auth2= ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server)
# todo: check/remove "Invalid authentication mechanism" from ignore list, if gh-1243 will get finished (see gh-1297).

# Mode "rbl" currently included in mode "normal", but if needed for jail "postfix-rbl" only:
mdpr-rbl = %(mdpr-normal)s
mdre-rbl = ^RCPT from [^[]*\[<HOST>\]%(_port)s: [45]54 [45]\.7\.1 Service unavailable; Client host \[\S+\] blocked\b

# Mode "rbl" currently included in mode "normal" (within 1st rule)
mdpr-more = %(mdpr-normal)s
mdre-more = %(mdre-normal)s

mdpr-ddos = lost connection after(?! DATA) [A-Z]+
mdre-ddos = ^from [^[]*\[<HOST>\]%(_port)s:?

mdpr-extra = (?:%(mdpr-auth)s|%(mdpr-normal)s)
mdre-extra = %(mdre-auth)s
             %(mdre-normal)s

mdpr-aggressive = (?:%(mdpr-auth)s|%(mdpr-normal)s|%(mdpr-ddos)s)
mdre-aggressive = %(mdre-auth2)s
                  %(mdre-normal)s

failregex = <mdre-<mode>>

# Parameter "mode": more (default combines normal and rbl), auth, normal, rbl, ddos, extra or aggressive (combines all)
# Usage example (for jail.local):
#   [postfix]
#   mode = aggressive
#   # or another jail (rewrite filter parameters of jail):
#   [postfix-rbl]
#   filter = postfix[mode=rbl]
#
mode = more

ignoreregex =

[Init]

journalmatch = _SYSTEMD_UNIT=postfix.service

# Author: Cyril Jaquier
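
How the filter's two-stage match (the `mdpr-` prefix, then the `mdre-` failregex) picks the offending address out of the SASL lines in the log above, as an added example that is not part of the original post or of Fail2Ban's own code. Assumptions: `PREFIX` is a simplified stand-in for `__prefix_line` from common.conf, `<HOST>` is reduced to an IPv4 capture, `maxretry=2` mirrors the `'failures': 2` in the log, and the 192.0.2.x lines are constructed.

```python
import re
from collections import Counter

# Assumptions: <HOST> reduced to IPv4; PREFIX stands in for common.conf's __prefix_line.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PORT = r"(?::\d+)?"
PREFIX = r"^\w{3}\s+\d+ [\d:]{8} \S+ postfix(?:-\w+)?/\w+(?:/smtp[ds])?\[\d+\]: "

# mdpr-<mode>: cheap pre-filter on the message start; mdre-<mode>: failregex on the rest.
MDPR = {"auth": r"warning:", "ddos": r"lost connection after(?! DATA) [A-Z]+"}
MDRE = {
    # (?i:...) replaces the filter's mid-pattern (?i), which Python 3.11+ rejects.
    "auth": r"^[^[]*\[" + HOST + r"\]" + PORT
            + r": SASL (?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:"
            + r"(?! Connection lost to authentication server| Invalid authentication mechanism)",
    "ddos": r"^from [^[]*\[" + HOST + r"\]" + PORT + r":?",
}

def find_failure(line, mode="auth"):
    """Return the client IP if `line` counts as a failure in `mode`, else None."""
    pre = re.match(PREFIX + MDPR[mode] + r" (?P<content>.+)$", line)
    if not pre:
        return None
    hit = re.search(MDRE[mode], pre.group("content"))
    return hit.group("host") if hit else None

def ban_candidates(lines, mode="auth", maxretry=2):
    """IPs with at least `maxretry` failures (findtime window ignored for brevity)."""
    hits = Counter(ip for ip in (find_failure(l, mode) for l in lines) if ip)
    return sorted(ip for ip, n in hits.items() if n >= maxretry)

LOG = [
    # The two lines quoted in the 'matches' field of the post's log:
    "May 3 23:08:01 primary postfix/smtpd[735]: warning: unknown[45.142.195.8]: "
    "SASL LOGIN authentication failed: authentication failure",
    "May 3 23:08:30 primary postfix/smtpd[735]: warning: unknown[45.142.195.8]: "
    "SASL LOGIN authentication failed: authentication failure",
    # Constructed lines (documentation addresses):
    "May 3 23:09:10 primary postfix/smtpd[735]: warning: unknown[192.0.2.10]: "
    "SASL PLAIN authentication failed: Connection lost to authentication server",
    "May 3 23:09:12 primary postfix/smtpd[735]: lost connection after AUTH from unknown[192.0.2.11]",
    "May 3 23:09:15 primary postfix/smtpd[735]: lost connection after DATA from unknown[192.0.2.12]",
]

if __name__ == "__main__":
    for mode in ("auth", "ddos"):
        print(mode, [find_failure(l, mode) for l in LOG])
    print("ban:", ban_candidates(LOG))
```
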
