If you are running a mail server based on Postfix, then chances are good that at least once someone has tried to brute force a login to your server. Recently, we were involved in a complete server rebuild for a client moving from Ubuntu to Debian. Part of this build required locking down Postfix to mitigate brute force logins. While we have been using the configuration below (loosely based on this method) for years now, we realized that we had yet to document the process. Below we will configure Fail2ban to block an offending IP address after a set number of invalid login attempts within a set time window, which stops a Postfix brute force attack cheaply and without touching Postfix itself. For the purpose of this article we will be using Debian 8, although the same configuration also works on Ubuntu 14.04 and above. First you will need to install the Fail2ban package and create the two empty drop-in files that will hold your configuration, as shown below (run as root).
# install fail2ban
apt-get install fail2ban

# create base config files (drop-ins in jail.d are read after jail.conf)
touch /etc/fail2ban/jail.d/default.conf
touch /etc/fail2ban/jail.d/postfix.conf
Next, edit the two newly created files so they contain the configuration below. Note that we will not be editing Fail2ban's shipped configuration: our default.conf overrides settings in the [DEFAULT] section, and our postfix.conf overrides the postfix and sasl jail definitions from jail.conf. Any setting we do not override (for example maxretry, the number of failures that triggers a ban) keeps its value from jail.conf. For documentation on each setting, open and review /etc/fail2ban/jail.conf.
default.conf

[DEFAULT]
# never ban the local host (add your own management networks here)
ignoreip = 127.0.0.1/8
# poll log files instead of relying on gamin or pyinotify
backend = polling
# where ban notifications are sent, and who they appear to come from
destemail = your-admin-email@domain.com
sendername = Fail2Ban Admin
sender = fail2ban@domain.com
# action_mw: ban the address and e-mail a whois report of the offender
action = %(action_mw)s
postfix.conf

[postfix]
enabled = true
# count failures seen within the last hour; ban for one hour
findtime = 3600
bantime = 3600
# ports closed to the offending address (names from /etc/services)
port = smtp,ssmtp,submission
# the postfix filter matches protocol abuse (rejected recipients, bad HELO, etc.)
filter = postfix
logpath = /var/log/mail.log

[sasl]
enabled = true
findtime = 3600
bantime = 3600
# also close the IMAP/POP ports, since the same credentials are tried there
port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
# the postfix-sasl filter matches failed SMTP AUTH attempts, which Postfix
# logs at warning level; Debian's default rsyslog writes those to mail.warn
filter = postfix-sasl
logpath = /var/log/mail.warn
Once your configuration files are in place, restart the fail2ban service and watch the log at /var/log/fail2ban.log to confirm that the postfix and sasl jails start without errors and that offending addresses are being banned and, after bantime, unbanned again.
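To make the findtime, bantime and ignoreip settings above concrete, the following added example (written for this article, not code from fail2ban) replays a handful of constructed Postfix log lines through the same logic the [sasl] jail applies: count SASL authentication failures per client within a sliding findtime window, skip anything in ignoreip, and ban once maxretry is reached. The regex is modelled on fail2ban's postfix-sasl filter but is this example's own; the log lines, the 2015 log year and maxretry = 3 (the article sets no maxretry, so jail.conf's default applies) are assumptions made for the demonstration.

```python
"""Added illustration, not fail2ban code: simulate the [sasl] jail over
constructed Postfix log lines to see which clients get banned and how
findtime, maxretry, bantime and ignoreip change the result."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Pattern modelled on fail2ban's postfix-sasl failregex: a failed SMTP AUTH
# attempt logged by postfix/smtpd at warning level. 'host' plays the role
# of fail2ban's <HOST> tag. (Example regex, not fail2ban's own file.)
SASL_FAIL = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: [-._\w]+\[(?P<host>[0-9a-fA-F.:]+)\]: "
    r"SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
)

# Values from the article's jail.d files. maxretry is not set there, so the
# [DEFAULT] value in jail.conf applies; 3 is assumed for this demo.
FINDTIME = 3600
BANTIME = 3600
MAXRETRY = 3
IGNOREIP = [ipaddress.ip_network("127.0.0.1/8", strict=False)]

# Constructed sample of /var/log/mail.warn, in time order. Addresses are from
# the RFC 5737 documentation ranges; nothing here is a real log.
SAMPLE_LOG = """\
Mar 10 10:00:00 mail postfix/smtpd[2001]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 10 11:30:00 mail postfix/smtpd[2002]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 10 12:00:00 mail postfix/smtpd[2345]: connect from unknown[203.0.113.5]
Mar 10 12:00:01 mail postfix/smtpd[2345]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 10 12:00:04 mail postfix/smtpd[2345]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Mar 10 12:00:07 mail postfix/smtpd[2345]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 10 12:00:10 mail postfix/smtpd[2345]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 10 12:05:00 mail postfix/smtpd[2400]: warning: localhost[127.0.0.1]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 10 12:05:01 mail postfix/smtpd[2400]: warning: localhost[127.0.0.1]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 10 12:05:02 mail postfix/smtpd[2400]: warning: localhost[127.0.0.1]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 10 13:05:00 mail postfix/smtpd[2003]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
""".splitlines()


def parse_ts(stamp, year=2015):
    """Turn a syslog timestamp ('Mar 10 12:00:01') into epoch seconds.
    Syslog lines carry no year, so one is assumed, as fail2ban also must."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S").timestamp()


def find_bans(lines, findtime=FINDTIME, maxretry=MAXRETRY, ignoreip=IGNOREIP):
    """Return {ip: ban_timestamp} for every client that reaches maxretry
    failures inside one findtime window, skipping ignoreip and hosts
    already banned."""
    failures = defaultdict(list)
    bans = {}
    for line in lines:
        m = SASL_FAIL.match(line)
        if not m:
            continue                          # not a failregex hit
        ip = ipaddress.ip_address(m["host"])
        if any(ip in net for net in ignoreip):
            continue                          # whitelisted, never counted
        key = str(ip)
        if key in bans:
            continue                          # already banned
        now = parse_ts(m["ts"])
        # keep only failures still inside the findtime window, then add this one
        recent = [t for t in failures[key] if now - t < findtime] + [now]
        failures[key] = recent
        if len(recent) >= maxretry:
            bans[key] = now
    return bans


def ban_active(bans, ip, at, bantime=BANTIME):
    """Is ip still banned at syslog time 'at'? Bans last exactly bantime."""
    start = bans.get(ip)
    if start is None:
        return False
    t = parse_ts(at)
    return start <= t < start + bantime


if __name__ == "__main__":
    bans = find_bans(SAMPLE_LOG)
    for ip, when in bans.items():
        print(f"ban {ip} at {datetime.fromtimestamp(when):%H:%M:%S} for {BANTIME}s")
    print("198.51.100.7 is not banned: its failures are spread over more than findtime")
```

Running it bans only 203.0.113.5: 198.51.100.7 also fails three times, but more than an hour apart, so with findtime = 3600 it never has three failures in one window (raise findtime and it is banned too), and 127.0.0.1 is excused by ignoreip however often it fails. On the real server the equivalent checks are `fail2ban-regex /var/log/mail.warn /etc/fail2ban/filter.d/postfix-sasl.conf`, which reports how many lines the shipped filter actually matches, and `fail2ban-client status sasl` after the restart, which lists the currently banned addresses.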