
How to set up Fail2ban to block Postfix SASL attacks

Email spamming can ruin the IP reputation of any server!

But what can we do to defend against spammers?

The solution is to block the common spamming techniques: brute-force password attacks, dictionary attacks, and so on.

Fail2ban is a commonly used tool to block brute-force attacks in mail servers like Postfix.

But configuration errors can cause Fail2ban to let malicious connections through.

That's why we help server owners set up Fail2ban properly as part of our Dedicated Support Services for Web Hosts.

Today, we'll see how to set up the Fail2ban Postfix SASL configuration and look at the common failure points.


Why use Fail2ban for Postfix SASL login failures?

Fail2ban is software that scans log files and bans IP addresses that perform malicious activity. Postfix servers often use the Simple Authentication and Security Layer (SASL) for user authentication and data security.

Now, when this authentication fails, the mail log at /var/log/maillog (/var/log/mail.log on Debian-based systems) will have entries like this:

Aug 31 22:23:52 hostxyz postfix/smtpd[38697]: warning: unknown[192.168.xx.xx]: SASL LOGIN authentication failed: authentication failure
Aug 31 22:23:52 hostxyz postfix/smtpd[38697]: lost connection after AUTH from unknown[192.168.xx.xx]

Luckily, Fail2ban can reduce the rate of such incorrect authentication attempts. For this, we configure Fail2ban to add firewall rules that reject the offending IP addresses for a specified amount of time.

In addition, Fail2ban can send email notifications. When it detects a possible attack, it immediately alerts the server owner by email.


How to set up the Fail2ban Postfix SASL configuration

Now, let's have a look at how we can configure Fail2ban to block failed SASL login attempts in Postfix.

The basic configuration file of Fail2ban is available at /etc/fail2ban/local.conf. However, customizations belong in a local config file called /etc/fail2ban/jail.local.

To configure Fail2ban for Postfix SASL, our Hosting Support Engineers add the following section to the jail.local file:

[sasl]
enabled  = true
port     = smtp
filter   = postfix-sasl
logpath  = /var/log/mail.log
maxretry = 5


Additionally, we need the Fail2ban filter for Postfix authentication failures in /etc/fail2ban/filter.d/postfix-sasl.conf.

A working postfix-sasl.conf contains the following:

# Fail2Ban filter for postfix authentication failures
[INCLUDES]
before = common.conf
[Definition]
_daemon = postfix/smtpd
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
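To see what this filter does with the log lines shown earlier, here is an added Python example (not fail2ban's own code) that applies the page's failregex to a few constructed log lines and counts failures per client the way the jail's maxretry does. The %(__prefix_line)s macro from common.conf and the <HOST> placeholder are replaced by simplified stand-ins: a syslog prefix that assumes the postfix/smtpd[pid]: daemon tag, and an IPv4-only host pattern. The real macros are broader, and the findtime window is left out here. On a real server the equivalent check is fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix-sasl.conf.

```python
import re
from collections import defaultdict

# Simplified stand-in for fail2ban's %(__prefix_line)s: syslog timestamp, hostname,
# then the _daemon tag "postfix/smtpd[pid]: " from the page's filter.
# The real macro in common.conf accepts more prefix formats than this.
PREFIX_LINE = r"\w{3} [ \d]\d \d\d:\d\d:\d\d \S+ postfix/smtpd\[\d+\]: "

# The failregex from the page's postfix-sasl.conf with the two placeholders
# substituted: %(__prefix_line)s -> PREFIX_LINE, <HOST> -> a named IPv4 group
# (fail2ban's <HOST> also matches IPv6 addresses and hostnames).
FAILREGEX = re.compile(
    r"^"
    + PREFIX_LINE
    + r"warning: [-._\w]+\[(?P<host>\d{1,3}(?:\.\d{1,3}){3})\]: "
    + r"SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
    + r"(: [ A-Za-z0-9+/]*={0,2})?\s*$"
)

MAXRETRY = 5  # same value as the [sasl] jail on the page

# Constructed sample log lines modelled on the excerpt above (documentation
# addresses, not real traffic). Two lines are noise that must not match.
SAMPLE_LOG = """\
Aug 31 22:23:52 hostxyz postfix/smtpd[38697]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Aug 31 22:23:52 hostxyz postfix/smtpd[38697]: lost connection after AUTH from unknown[192.0.2.10]
Aug 31 22:23:55 hostxyz postfix/smtpd[38697]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Aug 31 22:23:58 hostxyz postfix/smtpd[38698]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
Aug 31 22:24:01 hostxyz postfix/smtpd[38699]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Aug 31 22:24:04 hostxyz postfix/smtpd[38699]: warning: unknown[192.0.2.10]: SASL CRAM-MD5 authentication failed: authentication failure
Aug 31 22:24:09 hostxyz postfix/smtpd[38700]: warning: mail.example.org[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Aug 31 22:24:12 hostxyz postfix/smtpd[38700]: connect from mail.example.org[198.51.100.7]
"""


def extract_failures(log_text):
    """Return the client IP of every line the failregex matches, in log order."""
    hosts = []
    for line in log_text.splitlines():
        match = FAILREGEX.match(line)
        if match:
            hosts.append(match.group("host"))
    return hosts


def hosts_to_ban(log_text, maxretry=MAXRETRY):
    """Count matches per client and return the clients that reached maxretry.

    This mirrors the jail's decision, except that a real jail only counts
    failures that fall within the findtime window (default 10 minutes).
    """
    counts = defaultdict(int)
    for host in extract_failures(log_text):
        counts[host] += 1
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for host in extract_failures(SAMPLE_LOG):
        print("failure from", host)
    print("ban:", hosts_to_ban(SAMPLE_LOG))  # only 192.0.2.10 reaches 5 failures
```

The base64 trailer on the PLAIN line and the "authentication failure" text on the others are both swallowed by the optional group at the end of the regex, which is why the filter matches every SASL mechanism Postfix logs in that format.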


In control panels like Plesk, we can configure Fail2ban for Postfix from the panel itself.

To add a jail, go to Tools & Settings >> IP Address Banning >> Jails >> Add Jail.

The graphical interface looks as shown in the picture below.

[Image: fail2ban_postfix_sasl]

Top failure points in Fail2ban Postfix SASL and fixes

From our experience managing servers, we often see Fail2ban misbehaving and not blocking IP addresses. The reason differs each time.

Now, let’s have a look at these frequent failure points and their fixes.


1. IPs not blocked in firewall

On some servers, although Fail2ban triggers the firewall rules, the IP addresses are not blocked. When we check the iptables rules, we see that all of them were added properly.

This happens because Fail2ban's rules act only on new connections, so connections that are already established can keep using the Postfix server. That's why our Hosting Support Engineers set up firewall rules to rate-limit connections to the mail ports. As a result, such attack attempts are avoided.

Similarly, we tweak settings like "smtpd_client_connection_rate_limit" in the Postfix configuration file to rate-limit the connections.
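As an added illustration (not taken from the original post), this main.cf fragment shows the per-client limits Postfix offers for this kind of rate-limiting. The numbers are placeholders to tune for your own traffic, and smtpd_client_auth_rate_limit requires Postfix 3.1 or later.

```ini
# /etc/postfix/main.cf -- added example; values are illustrative placeholders.
# Postfix enforces these per client address via the anvil(8) daemon, measured
# over anvil_rate_time_unit (default 60s).
anvil_rate_time_unit = 60s

# At most 10 new SMTP connections per client per time unit (default 0 = no limit).
smtpd_client_connection_rate_limit = 10

# At most 10 simultaneous connections from one client (default 50).
smtpd_client_connection_count_limit = 10

# At most 20 AUTH commands per client per time unit (Postfix 3.1+; default 0 = no limit).
smtpd_client_auth_rate_limit = 20

# Never throttle the trusted networks in $mynetworks (this is the default value).
smtpd_client_event_limit_exceptions = $mynetworks
```

After editing main.cf, reload Postfix; clients that exceed a limit receive a 450 temporary error from smtpd and the event is logged, which also gives Fail2ban a second signal to act on.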


2. Wrong time zone

Likewise, there was another incident where Fail2ban ran into problems.

On checking manually, everything looked alright. But again, the IP addresses were not blocked.

We checked further and found that the time zone of the mail log file differed from the server's time zone. Because of this, Fail2ban was not processing the log file correctly.

To fix it, our Hosting Support Engineers corrected the time zone of the mail log, and Fail2ban started working correctly.
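Why a time zone mismatch stops the bans: syslog stamps carry neither year nor zone, so Fail2ban reads them against the server clock and only counts failures that fall inside the jail's findtime window. The added Python model below (not fail2ban's code) reads five constructed timestamps, written by a logger in UTC, first in the same zone and then as a server in UTC+5:30 would, and shows the count dropping from five to zero. The zones, the 2021 year and the 10-minute findtime are assumptions for the illustration.

```python
from datetime import datetime, timedelta, timezone

FINDTIME = timedelta(seconds=600)  # fail2ban's default findtime: 10 minutes
MAXRETRY = 5                       # same as the [sasl] jail on the page

UTC = timezone.utc
IST = timezone(timedelta(hours=5, minutes=30))  # constructed server zone

# Constructed syslog-style stamps (no year, no zone) written by a logger
# running in UTC, for five failures that happened about a minute ago.
SAMPLE_STAMPS = [
    "Aug 31 16:53:40",
    "Aug 31 16:53:43",
    "Aug 31 16:53:47",
    "Aug 31 16:53:51",
    "Aug 31 16:53:55",
]

# The moment the jail evaluates the log: 16:54:30 UTC on the same day (2021 assumed).
NOW = datetime(2021, 8, 31, 16, 54, 30, tzinfo=UTC)


def parse_syslog_stamp(stamp, year, tz):
    """Read a 'Mon DD HH:MM:SS' stamp in the given zone.

    The stamp itself says nothing about year or zone, so the caller (in
    fail2ban's case, the server clock) has to supply both.
    """
    naive = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return naive.replace(tzinfo=tz)


def count_recent_failures(stamps, now, server_tz, findtime=FINDTIME):
    """Model of the findtime window: stamps are read in the server's zone and
    only those between now-findtime and now are counted toward maxretry."""
    recent = 0
    for stamp in stamps:
        seen_at = parse_syslog_stamp(stamp, now.year, server_tz)
        age = now - seen_at
        if timedelta(0) <= age <= findtime:
            recent += 1
    return recent


def would_ban(stamps, now, server_tz, maxretry=MAXRETRY):
    """True when enough failures land inside the window for the jail to act."""
    return count_recent_failures(stamps, now, server_tz) >= maxretry


if __name__ == "__main__":
    # Log zone and server zone agree: all five failures are recent, the jail bans.
    print("matching zones:", count_recent_failures(SAMPLE_STAMPS, NOW, UTC),
          "recent, ban =", would_ban(SAMPLE_STAMPS, NOW, UTC))
    # Log in UTC but server in UTC+5:30: 16:53 is read as 16:53+05:30, which is
    # 11:23 UTC, over five hours ago. Nothing falls in the window, so no ban.
    print("mismatched zones:", count_recent_failures(SAMPLE_STAMPS, NOW, IST),
          "recent, ban =", would_ban(SAMPLE_STAMPS, NOW, IST))
```

The same check is worth running the other way round: a log clock that is ahead of the server makes the entries look like they come from the future, and those are not counted either. Keeping the logger and the server on one zone (or logging with explicit offsets, as RFC 3339 syslog formats do) removes both problems.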


3. Customization in the wrong file

Fail2ban Postfix SASL configuration also goes wrong when the server owner makes changes in the wrong file.

Recently, on a VPS server, a customer reported problems with Fail2ban. On a detailed check, our Security Engineers could not find the customer's modifications in the main file "/etc/fail2ban/local.conf".

This happened because of a recent update of Fail2ban on the server: a Fail2ban update replaces the ".conf" files and with them every change made in them.

Here, we replicated all the customizations in the /etc/fail2ban/jail.local file, which survives package updates, and that fixed the problem.


Conclusion

Fail2ban comes in really handy for stopping incorrect login attempts against Postfix mail servers, as it can easily block the offending IP addresses. Today, we've seen the major problems with Fail2ban Postfix SASL configuration and how our Support Engineers fix them.

