Just use Postfix directly to filter IPs using blocklists:
See http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions to reject using blocklist(s). Also read about the best place to put it in main.cf.
Here is a sample of some RBL entries (the "#Check Blocklists:" portion) you could add to block blacklisted IPs. I have placed mine under smtpd_recipient_restrictions as it is an "expensive" check (server load and remote server RBL calls). If done earlier (for instance under smtpd_helo_restrictions) you tend to query the given RBL/blocklist site many times for nothing.
/etc/postfix/main.cf:
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unlisted_recipient,
    reject_invalid_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unauth_pipelining,
    check_client_access hash:/etc/postfix/blacklist,
    #Check Blocklists:
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client dul.dnsbl.sorbs.net,
    #Postgrey:
    #finalize and throw at postgrey if passes above:
    #check_policy_service inet:[::1]:10023,
    permit
If you really want to use Fail2Ban for blocklist processing:
Use a Fail2Ban filter like f2b-postfix-rbl (postfix-rbl.conf) to filter the mail log for blocklist/blacklisted IP entries. It would then insert a new entry into iptables and the IP would be blocked for the given ban time. You should state a ban time in the specific jail definitions if you are not happy with the default.
Just restarting F2B or the server, as stated in another answer, does not normally clear the bans before the ban time expires. You will need to use fail2ban-client.
And most importantly, Postfix + F2B + banning will not help much, as the script/bot/mailer will just move on after the 1st failure and try you again on a different day from a different IP. That is why outright IP banning (using F2B) is usually taking it a bit overboard (more server workload for nothing).
If you insist on fail2ban processing blocklists, make sure you enable it in /etc/fail2ban/jail.local:
[postfix-rbl]
enabled = true
port = smtp,465,submission
filter = postfix-rbl
logpath = /var/log/mail.log
To use rbl "mode" under newer versions, substitute the filter line with:
filter = postfix[mode=rbl]
On earlier versions I had to change mine to detect "554 5.7.1" to pick up Postfix log rejects via the "postfix-rbl" filter. The newer version of the filter seems to scan for this change under newer rbl "mode" versions.
As far as SYN flood - see this.
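To check on your own server how often an RBL-rejected client actually comes back from the same IP (the argument above against banning), this added example, which is not part of the original answer, counts "554 5.7.1 ... blocked using" rejections per client and per blocklist. The log lines are constructed samples in the usual Postfix smtpd reject format, and `maxretry` here is only a function parameter mirroring the jail option of that name.

```python
import re
from collections import Counter

# Postfix smtpd line written when reject_rbl_client fires (assumed standard format).
RBL_REJECT = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S*\[(?P<ip>[0-9A-Fa-f:.]+)\]: "
    r"554 5\.7\.1 .*?blocked using (?P<rbl>[\w.-]+)"
)

# Constructed sample log (documentation IP ranges), not real traffic.
_PFX = "Mar  3 10:0{n}:01 mx postfix/smtpd[2101]: "
_REJ = ("NOQUEUE: reject: RCPT from unknown[{ip}]: 554 5.7.1 Service unavailable; "
        "Client host [{ip}] blocked using {rbl}; from=<a@example.com> "
        "to=<u@example.org> proto=ESMTP helo=<x>")
SAMPLE_LOG = "\n".join([
    _PFX.format(n=0) + "connect from unknown[192.0.2.10]",
    _PFX.format(n=0) + _REJ.format(ip="192.0.2.10", rbl="zen.spamhaus.org"),
    _PFX.format(n=1) + _REJ.format(ip="198.51.100.7", rbl="bl.spamcop.net"),
    _PFX.format(n=2) + _REJ.format(ip="203.0.113.5", rbl="zen.spamhaus.org"),
    _PFX.format(n=3) + _REJ.format(ip="203.0.113.5", rbl="zen.spamhaus.org"),
    _PFX.format(n=4) + _REJ.format(ip="203.0.113.5", rbl="zen.spamhaus.org"),
    # Same 554 5.7.1 code but not an RBL hit: must not be counted.
    _PFX.format(n=5) + "NOQUEUE: reject: RCPT from unknown[192.0.2.99]: 554 5.7.1 "
    "<x@example.net>: Relay access denied; from=<a@example.com> to=<x@example.net>",
])

def rbl_rejects(lines):
    """Yield (client_ip, blocklist_zone) for each RBL rejection found."""
    for line in lines:
        m = RBL_REJECT.search(line)
        if m:
            yield m["ip"], m["rbl"]

def summarize(lines, maxretry=3):
    """Count RBL rejects and list the IPs that a jail with this maxretry would ban."""
    hits = list(rbl_rejects(lines))
    per_ip = Counter(ip for ip, _ in hits)
    per_rbl = Counter(rbl for _, rbl in hits)
    return {
        "rejects": len(hits),
        "unique_ips": len(per_ip),
        "per_rbl": dict(per_rbl),
        "would_ban": sorted(ip for ip, n in per_ip.items() if n >= maxretry),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```

If `would_ban` stays small compared with `unique_ips` on a real /var/log/mail.log, the jail is adding iptables rules for clients that Postfix was already rejecting and that were not going to return.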