Fail2ban Postfix SASL Troubleshooting


On some Virtualmin server you may find that Fail2ban is logging events, but soon realize that due to the amount of “already banned” messages appearing something is clearly wrong. This is a big problem because Postfix SASL attacks is probably the most common password guessing script that will be running against your server.

This article gives a number of terminal commands that can be use to troubleshoot when encountering this rather important issue.

Seeing which jails are active

fail2ban-client status


|- Number of jail: 6
`- Jail list: dovecot, postfix, postfix-sasl, proftpd, sshd, webmin-auth

Getting the status of a jail

fail2ban-client status postfix-sasl


Status for the jail: postfix-sasl
|- Filter
| |- Currently failed: 10
| |- Total failed: 362
| `- File list: /var/log/mail.log
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list:

Testing Regular Expression Matching

fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf 


Running tests

Use failregex filter file : postfix, basedir: /etc/fail2ban
Use datepattern : Default Detectors
Use log file : /var/log/mail.log
Use encoding : UTF-8


Failregex: 13 total
|- #) [# of hits] regular expression
| 1) [5] ^RCPT from [^[]*\[<HOST>\](?::\d+)?: 55[04] 5\.7\.1\s
| 7) [8] ^from [^[]*\[<HOST>\](?::\d+)?:?

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
| [200257] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?

Lines: 200257 lines, 0 ignored, 13 matched, 200244 missed
[processed in 14.60 sec]

Missed line(s): too many to print. Use --print-all-missed to print all 200244 lines


Share this article

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to Top