Ban IP's from saslauthd/postfix?

Ed Begens edbegens at
Sun May 24 16:07:03 UTC 2015

Hi Petter,

IPtables can be quite intimidating, but there are quite a few resources 
on the web and from ubuntu on it.  A quick fix, *if you need it right 
now*, would be as follows:

But note, there is much, much more to know about IPtables, please read 
all you can before you start to utilize it.

The example will show how to block a range of addresses below.  It will 
not be persistent upon a server reboot.

For an IP address, using an example,

To block 116.10.191.* addresses:

  $ sudo iptables -A INPUT -s 116.10.191.0/24 -j DROP

To block 116.10.*.* addresses:

  $ sudo iptables -A INPUT -s 116.10.0.0/16 -j DROP

To block 116.*.*.* addresses:

  $ sudo iptables -A INPUT -s 116.0.0.0/8 -j DROP


On 05/24/2015 11:48 AM, Petter Adsen wrote:
> On Sun, 24 May 2015 09:32:04 -0400
> Ed Begens <edbegens at> wrote:
>> Petter,
>> You might want to consider using IPTables to slam the door on the
>> offending Botnet (and their associated IP addresses).  But, there
>> might be better options out there depending on your server usage (in
>> what environment it's being utilized for).
> That's exactly what I want to do, but given that it is a botnet, the
> connections come in from a ton of different addresses. I need something
> that will see a failed attempt to authenticate, and block the address
> for a long period of time. fail2ban can do this, but it doesn't have
> the right mechanisms already in place for saslauthd, so I'll need to
> write them.
> There are an extremely limited number of people who have genuine
> reasons to authenticate to the server, and I can talk to all of them,
> so it would be ideal to set up a single failed attempt to block the
> source IP for a week or two :) Or longer. A**holes using a botnet to
> send spam are the lowest of the low. They need to be dealt with in the
> harshest way possible.
> Petter
>> On 05/24/2015 04:13 AM, Petter Adsen wrote:
>>> On Sat, 23 May 2015 22:25:53 -0400
>>> Ben Coleman <oloryn at> wrote:
>>>> On 05/22/2015 04:35 AM, Petter Adsen wrote:
>>>>> My mailserver is currently being targeted by what seems like a
>>>>> botnet, probably looking to send spam. Is there something like
>>>>> fail2ban I can use that will lock an IP out after a few failed
>>>>> attempts to authenticate?
>>>> I haven't used it with email authentication, but actually, fail2ban
>>>> might do.  It has filters for more than looking for ssh
>>>> authentication failures.  E.g. look at the postfix-sasl,
>>>> sendmail-auth, dovecot or such filters.
>>> Yes, I noticed after sending the mail - it was silly of me not to
>>> check first. I still haven't got it working, though, as it seems I
>>> would need to write a custom action, and I'm *really* bad at regular
>>> expressions.
>>> If I do get it working, I will post it here (and send it to either
>>> the authors or the Ubuntu maintainer) so others can use it also.
>>> Petter

