Email spamming can ruin the IP reputation of any server!
But what can we do to defend against spammers?
A big part of the solution is blocking the methods spammers use to take over mail accounts in the first place, such as brute-force and dictionary attacks on passwords.
Fail2ban is a commonly used tool to block brute-force attacks against mail servers like Postfix.
But configuration errors can cause Fail2ban to let malicious connections through.
That's why we help server owners set up Fail2ban properly as part of our Support Services for Web Hosts.
Today, we'll see how to set up the Fail2ban Postfix SASL configuration and its common failure points.
Why use Fail2ban for Postfix SASL login failures?
Fail2ban is a program that scans log files and bans IP addresses that show malicious activity, such as repeated failed logins. Postfix servers use the Simple Authentication and Security Layer (SASL) to authenticate users who relay mail through them (SMTP AUTH).
When this authentication fails, the mail log (/var/log/maillog on RHEL/CentOS, /var/log/mail.log on Debian/Ubuntu) gets entries like these:
Aug 31 22:23:52 hostxyz postfix/smtpd[38697]: warning: unknown[192.168.xx.xx]: SASL LOGIN authentication failed: authentication failure
Aug 31 22:23:52 hostxyz postfix/smtpd[38697]: lost connection after AUTH from unknown[192.168.xx.xx]
Fail2ban can cut the rate of such authentication attempts. For this, we configure it to add firewall rules that reject the offending IP address for a set time (the bantime) once that address has failed maxretry times within findtime.
In addition, Fail2ban can send email notifications: with one of its mail actions configured, it alerts the server owner as soon as it bans an address.
How to setup Fail2ban Postfix SASL configuration
Now, let's have a look at how we can configure Fail2ban to block failed SASL login attempts in Postfix.
The main configuration file of Fail2ban is /etc/fail2ban/jail.conf. Package updates overwrite it, so customizations go in /etc/fail2ban/jail.local (or a file under /etc/fail2ban/jail.d/), which Fail2ban reads after jail.conf and which overrides only the settings it contains.
To configure Fail2ban for Postfix SASL, our Support Engineers add the following section to jail.local:
[sasl]
enabled  = true
# SMTP (25), SMTPS (465) and submission (587) all accept AUTH
port     = smtp,465,submission
filter   = postfix-sasl
# use /var/log/maillog on RHEL/CentOS
logpath  = /var/log/mail.log
maxretry = 5
# 5 failures within 10 minutes bans the address for 1 hour
findtime = 600
bantime  = 3600
Additionally, the jail needs a filter for Postfix authentication failures in /etc/fail2ban/filter.d/postfix-sasl.conf. Recent Fail2ban packages ship this file (and a combined postfix filter), so check whether it already exists before writing your own.
A working postfix-sasl.conf contains the following:
# Fail2Ban filter for postfix authentication failures
[INCLUDES]
before = common.conf
[Definition]
# If master.cf gives the submission/smtps services their own syslog_name
# (e.g. postfix/submission), widen this to cover them as well, e.g.
# _daemon = postfix(?:/submission|/smtps)?/smtpd
_daemon = postfix/smtpd
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
ignoreregex =
In control panels like Plesk, we can configure Fail2ban for Postfix from the panel itself.
To add a Jail, click on Tools & Settings >> IP address banning >> Jails >> Add Jail.
The graphical interface will look as shown in the picture.
Top failure points in Fail2ban Postfix SASL and fixes
From our experience in managing servers, we often see Fail2ban misbehaving and not blocking the IP addresses. The reasons differ each time.
Now, let’s have a look at these frequent failure points and their fixes.
1. IPs not blocked in firewall
On some servers Fail2ban does add the ban and the Fail2ban chain shows up correctly in the iptables rules, yet the attacker keeps trying passwords.
The usual reason is that the ban only affects new connections: many firewall rulesets accept ESTABLISHED,RELATED traffic before jumping to the Fail2ban chain, and Postfix lets a single SMTP session retry AUTH until smtpd_hard_error_limit (default 20) closes it. A bot that keeps one connection open can therefore go on guessing after the ban. That's why our Support Engineers also rate-limit connections to the mail ports in the firewall, so that the attacker cannot simply open a fresh connection for each batch of guesses.
Similarly, we tune the anvil limits in the Postfix main.cf: smtpd_client_connection_rate_limit caps the number of connections a client may make per anvil_rate_time_unit (default 60s), and on Postfix 3.1 and later smtpd_client_auth_rate_limit caps the number of AUTH commands per client. Clients in smtpd_client_event_limit_exceptions (default $mynetworks) are exempt, so trusted relays are not affected.
2. Wrong time zone
Likewise, there was another incident where Fail2ban ran into problems.
On manual checking, everything looked alright: the filter matched and the jail was enabled. But again, no IP addresses were blocked.
We further checked and found that the timestamps in the mail log were in a different time zone from the one the Fail2ban process used. Fail2ban compares each entry's timestamp with the system clock and ignores entries older than findtime, so when the log is stamped hours behind the server clock every failure is treated as stale and never counts towards maxretry (entries stamped ahead of the clock are just as unreliable).
To fix it, our Support Engineers made syslog/Postfix and Fail2ban use the same time zone, after which Fail2ban started to work correctly. Running fail2ban-regex against the log file is a quick way to confirm that dates are parsed and lines are matched as expected.
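To see how the filter and the findtime window interact, here is a small stand-alone Python model of what a jail does, written for this article as an added example (it is not Fail2ban's own code, and the log lines in it are constructed). It runs the article's failregex over sample lines, then a hardened variant that also covers a postfix/submission/smtpd instance (assuming master.cf sets syslog_name=postfix/submission) and matches the mechanism name case-insensitively as suggested in the comments, and finally replays the same log with the clock five hours ahead of the log's time zone to reproduce failure point 2. The prefix pattern is a simplified stand-in for %(__prefix_line)s from common.conf and the host group only matches IP literals.

```python
"""Stand-alone model of a Fail2ban jail using the postfix-sasl filter.
Added example for this article, not Fail2ban's own code; the log lines are
constructed. Python 3.6+ (scoped (?i:...) inline flag)."""
import re
from datetime import datetime, timedelta


def build_failregex(daemon, mechanisms):
    """Assemble a failregex the way Fail2ban does: the __prefix_line part
    (simplified here to syslog timestamp, host, daemon[pid]) followed by the
    filter's pattern, with <HOST> turned into a named group."""
    prefix = (r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ "
              + daemon + r"\[\d+\]: ")
    host = r"(?P<host>[0-9a-fA-F.:]+)"   # stand-in for <HOST>; IP literals only
    return re.compile(prefix + r"warning: [-._\w]+\[" + host + r"\]: SASL "
                      + mechanisms + r" authentication failed"
                      r"(: [ A-Za-z0-9+/]*={0,2})?\s*$")


# The article's filter as written: _daemon = postfix/smtpd, upper-case names.
ARTICLE_REGEX = build_failregex(
    r"postfix/smtpd", r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5)")

# Hardened variant: also covers the submission/smtps smtpd instances (assumes
# master.cf sets syslog_name=postfix/submission) and ignores the case of the
# mechanism name, as the comments on the article suggest.
HARDENED_REGEX = build_failregex(
    r"postfix(?:/\w+)?/smtpd", r"(?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5)")

# Constructed sample log: 203.0.113.10 is the attacker, 198.51.100.7 a user
# who mistyped a password once. No year, as in real syslog output.
SAMPLE_LOG = [
    "Aug 31 22:23:50 hostxyz postfix/smtpd[38697]: connect from unknown[203.0.113.10]",
    "Aug 31 22:23:52 hostxyz postfix/smtpd[38697]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: authentication failure",
    "Aug 31 22:23:53 hostxyz postfix/smtpd[38697]: warning: unknown[203.0.113.10]: SASL PLAIN authentication failed: authentication failure",
    "Aug 31 22:23:55 hostxyz postfix/submission/smtpd[38710]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Aug 31 22:23:56 hostxyz postfix/smtpd[38697]: warning: unknown[203.0.113.10]: SASL login authentication failed: authentication failure",
    "Aug 31 22:23:58 hostxyz postfix/smtpd[38697]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: authentication failure",
    "Aug 31 22:24:01 hostxyz postfix/smtpd[38697]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: authentication failure",
    "Aug 31 22:24:02 hostxyz postfix/smtpd[38697]: lost connection after AUTH from unknown[203.0.113.10]",
    "Aug 31 22:25:10 hostxyz postfix/smtpd[38720]: warning: mail.example.net[198.51.100.7]: SASL PLAIN authentication failed: authentication failure",
]


def run_jail(lines, now, regex=ARTICLE_REGEX, maxretry=5,
             findtime=timedelta(seconds=600), year=2020):
    """Replay `lines` through a jail with maxretry/findtime, as if the wall
    clock read `now`. Returns (set of banned hosts, list of unmatched lines)."""
    failures, banned, unmatched = {}, set(), []
    for line in lines:
        m = regex.match(line)
        if not m:
            unmatched.append(line)
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        # Fail2ban drops entries older than now - findtime. If the log is
        # stamped in another time zone, every line looks stale and is dropped,
        # which is failure point 2 above.
        if now - ts > findtime:
            continue
        hist = failures.setdefault(m["host"], [])
        hist.append(ts)
        hist[:] = [t for t in hist if ts - t <= findtime]  # keep the window
        if len(hist) >= maxretry:
            banned.add(m["host"])
    return banned, unmatched


def demo(clock_offset_hours=0, hardened=False):
    """Run SAMPLE_LOG with the clock `clock_offset_hours` ahead of the log's
    zone; returns (sorted banned hosts, number of unmatched lines)."""
    clock = datetime(2020, 8, 31, 22, 30) + timedelta(hours=clock_offset_hours)
    regex = HARDENED_REGEX if hardened else ARTICLE_REGEX
    banned, unmatched = run_jail(SAMPLE_LOG, clock, regex=regex)
    return sorted(banned), len(unmatched)


if __name__ == "__main__":
    print("article filter, clock OK:   ", demo())
    print("hardened filter, clock OK:  ", demo(hardened=True))
    print("hardened filter, clock +5h: ", demo(clock_offset_hours=5, hardened=True))
```

With the article's filter the attacker makes six failed attempts but only four of them match (the submission line and the lower-case mechanism are missed), so maxretry = 5 is never reached; the hardened regex catches all six and bans the address. Replaying the same log with the clock five hours ahead bans nobody, because every entry is older than findtime. On a real server, fail2ban-regex /var/log/mail.log postfix-sasl performs the same kind of check against the installed filter and reports how many lines matched and whether their dates were parsed.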
3. Customization in wrong file
Again, the Fail2ban Postfix SASL configuration often goes wrong because the server owner makes changes in the wrong file.
Recently, a VPS customer reported problems with Fail2ban. On a detailed check, our Support Engineers could not find the customer's modifications in the main file /etc/fail2ban/jail.conf.
This happened because of a recent update of Fail2ban on the server: a package update replaces the shipped .conf files, so any edits made directly in them are lost.
We replicated all the customization in /etc/fail2ban/jail.local, which survives updates and overrides the matching settings in jail.conf, and that fixed the problem.
Conclusion
Fail2ban comes in handy to stop repeated failed logins against Postfix mail servers, blocking the offending IP addresses automatically. Today, we've seen the major problems with the Fail2ban Postfix SASL configuration and how our Support Engineers fix them.
Thanks for this, helped debug a problematic configuration.
You might also want to make the filter case insensitive:
…SASL (?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5)…
Although a server will use the forms given, an attacker may use others, i.e. ‘Login’, ‘login’, etc.
Glad to know that blog was of help. Thank you for the tip on making filter case insensitive.
In the current (July 2020) iteration of Debian, there is a default postfix.conf file shipped that contains SASL failures plus several others, so it seems only the jail file is needed.
In fact, the jail file only needs to contain [postfix-sasl] and enabled=true. grep postfix /etc/fail2ban -R will show more.
Hello Coenraad,
Thank you for your input.
Just did a fresh installation of Kopano on a fresh Ubuntu 20.04. Everything is stock, including Fail2ban.
I had to configure Fail2ban for Kopano Gateway and Z-Push but now I see actually the script hackers are targeting Postfix SASL. Googled how to do it, and found your article.
This is one of the best articles about Fail2ban I have seen. I love your simple example and then the variation of showing how it’s done in Plesk.
The part I mostly agree with is this:
> From our experience in managing servers, we often see Fail2ban misbehaving and not blocking the IP addresses. The reasons differ each time.
That is so totally true. It’s always something slightly different.
Thanks so much! A truly inspirational article.
@Coenraad, a fresh Ubuntu 20.04 stock Fail2ban installation doesn’t have the SASL jail.
Indeed it does have the SASL jail. And he is correct, all you have to do is enable it.