Ban IP's from saslauthd/postfix?

Petter Adsen petter at
Sun May 24 15:48:27 UTC 2015

On Sun, 24 May 2015 09:32:04 -0400
Ed Begens <edbegens at> wrote:

> Petter,
> You might want to consider using IPTables to slam the door on the 
> offending Botnet (and their associated IP addresses).  But, there
> might be better options out there depending on your server usage (in
> what environment it's being utilized for).

That's exactly what I want to do, but given that it is a botnet, the
connections come in from a ton of different addresses. I need something
that will see a failed attempt to authenticate, and block the address
for a long period of time. fail2ban can do this, but it doesn't have
the right mechanisms already in place for saslauthd, so I'll need to
write them.

There are an extremely limited number of people who have genuine
reasons to authenticate to the server, and I can talk to all of them,
so it would be ideal to set up a single failed attempt to block the
source IP for a week or two :) Or longer. A**holes using a botnet to
send spam are the lowest of the low. They need to be dealt with in the
harshest way possible.


> On 05/24/2015 04:13 AM, Petter Adsen wrote:
> > On Sat, 23 May 2015 22:25:53 -0400
> > Ben Coleman <oloryn at> wrote:
> >
> >> On 05/22/2015 04:35 AM, Petter Adsen wrote:
> >>> My mailserver is currently being targeted by what seems like a
> >>> botnet, probably looking to send spam. Is there something like
> >>> fail2ban I can use that will lock an IP out after a few failed
> >>> attempts to authenticate?
> >> I haven't used it with email authentication, but actually, fail2ban
> >> might do.  It has filters for more than looking for ssh
> >> authentication failures.  E.g. look at the postfix-sasl,
> >> sendmail-auth, dovecot or such filters.
> > Yes, I noticed after sending the mail - it was silly of me not to
> > check first. I still haven't got it working, though, as it seems I
> > would need to write a custom action, and I'm *really* bad at regular
> > expressions.
> >
> > If I do get it working, I will post it here (and send it to either
> > the authors or the Ubuntu maintainer) so others can use it also.
> >
> > Petter
> >
> >
> >

"I'm ionized"
"Are you sure?"
"I'm positive."

More information about the ubuntu-users mailing list
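
The detection step described in the message above, as an added example that is not part of the original thread and is not fail2ban's own filter: it matches Postfix smtpd's SASL failure warnings and bans the source address on the first failure for two weeks. The allowlisted network, the ban length, the year supplied for timestamps and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Postfix smtpd logs a failed SASL login as, e.g.:
#   postfix/smtpd[2211]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: ...
SASL_FAIL = re.compile(
    r"postfix/(?:\w+/)?smtpd\[\d+\]: warning: "
    r"\S+\[(?P<ip>[0-9A-Fa-f:.]+)\]: SASL [A-Z0-9-]+ authentication failed"
)
BAN_TIME = timedelta(weeks=2)  # assumed: "a week or two", as in the message
ALLOWLIST = [ipaddress.ip_network("192.0.2.0/28")]  # assumed: networks of known users


def parse_time(line, year=2015):
    """Traditional syslog timestamps carry no year, so one is supplied."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def scan(lines):
    """Return {ip: ban_expiry}; one failure from a non-allowlisted IP bans it."""
    bans = {}
    for line in lines:
        m = SASL_FAIL.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # bracketed text was not a valid address
        if any(ip in net for net in ALLOWLIST):
            continue  # never lock out the known users' networks
        bans[str(ip)] = parse_time(line) + BAN_TIME  # repeat failures extend the ban
    return bans


# Constructed sample log lines (documentation address ranges only).
SAMPLE = [
    "May 24 15:40:01 mail postfix/smtpd[2211]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure",
    "May 24 15:40:09 mail postfix/smtpd[2213]: connect from unknown[198.51.100.23]",
    "May 24 15:41:30 mail postfix/smtpd[2213]: warning: host.example[198.51.100.23]: SASL PLAIN authentication failed: authentication failure",
    "May 24 15:42:02 mail postfix/smtpd[2290]: warning: unknown[192.0.2.5]: SASL LOGIN authentication failed: authentication failure",
    "May 24 15:50:00 mail postfix/smtpd[2301]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure",
]

if __name__ == "__main__":
    for ip, until in sorted(scan(SAMPLE).items()):
        print(f"ban {ip} until {until:%Y-%m-%d %H:%M:%S}")
```

The allowlist check runs before any ban is recorded, so a mistyped password from a known network does not lock that user out for the full ban period.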