My fail2ban setup was missing a filter for a certain type of attack whose log lines carry a different “_daemon” string. The jail definition and the matching filter follow:
# Jail for SASL authentication failures logged by Postfix. It is tied to the
# filter of the same name through the "filter" key below.
[postfix-sasl2]
enabled = true
# iptables-allports blocks the offending address on every port, not only the
# mail ports, so a false match locks a legitimate client out of the whole
# host. Keep trusted addresses in ignoreip (not set in this section).
banaction = iptables-allports
protocol = all
# NOTE(review): with an all-ports ban action the port value is presumably not
# used to narrow the firewall rule - confirm against the action file.
port = anyport
# Resolved by name to a filter file called postfix-sasl2 in the filter.d
# directory.
filter = postfix-sasl2
# Log file the jail watches; it must be the file Postfix actually writes to.
logpath = /var/log/mail.log
# Ban after 3 matching failures. findtime and bantime are not set here, so
# the values from [DEFAULT] apply.
maxretry = 3
# Fail2Ban filter for postfix authentication failures
#
# Matches failed SASL logins reported with the daemon string set in _daemon
# below (the smtpd process of the "smtps" service). Log lines that carry a
# different daemon string are not matched by this filter.
[INCLUDES]
# common.conf is read first; it supplies __prefix_line, which is built from
# the _daemon value set below.
before = common.conf
[Definition]
# Daemon name as it appears in the syslog tag of the lines to match.
_daemon = postfix/smtps/smtpd
# %(__prefix_line)s is interpolated from common.conf. <HOST> is the Fail2Ban
# tag that captures the address to ban; here it is the bracketed part that
# follows the client hostname. The optional group accepts a trailing
# base64-looking string after "authentication failed". The pattern is
# anchored at both ends (^ ... \s*$).
# Check it against real log lines before enabling the jail, for example:
#   fail2ban-regex /var/log/mail.log <path to this filter file>
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+ /]*={0,2})?\s*$
# Author: Yaroslav Halchenko
# Empty: no matching line is excluded.
ignoreregex =