On my server, Postfix works as an outgoing mail server only, that is, it just sends mail generated by the sites. Naturally, port 25 is open. But most of the time the bots keep trying to use the server as an open relay. :) Naturally, they don't succeed, since the rules are in place. But they fill up the logs.
Some bots connect and immediately drop the connection without really exchanging anything with the server. Something like this ends up in the logs:
Apr 8 21:15:20 omega postfix/smtpd[3075]: connect from unknown[189.158.233.139]
Apr 8 21:15:21 omega postfix/smtpd[3075]: lost connection after UNKNOWN from unknown[189.158.233.139]
Apr 8 21:15:21 omega postfix/smtpd[3075]: disconnect from unknown[189.158.233.139]
Apr 8 21:16:00 omega postfix/smtpd[3075]: warning: hostname dsl-189-158-233-139-dyn.prod-infinitum.com.mx does not resolve to address 189.158.233.139: Name or service not known
Since I already had fail2ban installed to fight brute-force attacks on the blogs, the solution was found fairly quickly. That is what I want to share with you. :)
First of all, open the fail2ban filter configuration file for Postfix, /etc/fail2ban/filter.d/postfix.conf. Find the failregex parameter and add the following regular expression to it on a new line:
^%(__prefix_line)sdisconnect from \S+\[<HOST>\]
Save the file. Now test the regex against the mail log with the command:
fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf
It listed 100,500 IP addresses for me, including matches from the standard rules. :)
Last step: open the main configuration file, /etc/fail2ban/jail.conf. Find the [postfix] section and enable the jail:
enabled = true
Restart fail2ban. That's all.
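To see what the new pattern will actually catch before the jail goes live, here is an added Python example (not from the original post and not fail2ban's own code) that does the essential part of what fail2ban-regex does: it substitutes the %(__prefix_line)s and <HOST> macros, runs the filter line over a log, and counts hits per host against a maxretry threshold. The prefix regex and the IPv4-only <HOST> expansion are simplified assumptions, not fail2ban's real definitions; the log lines are constructed from the bot session shown above plus one legitimate delivery; and the second, narrower pattern keyed on the "lost connection after UNKNOWN" line is my own addition, not part of the post.

```python
import re
from collections import Counter

# Simplified stand-in (assumption) for fail2ban's __prefix_line:
# "Apr  8 21:15:20 omega postfix/smtpd[3075]: "
PREFIX_LINE = r"\S+\s+\d+\s+\d+:\d+:\d+ \S+ postfix/smtpd\[\d+\]: "

# Simplified stand-in (assumption) for fail2ban's <HOST> tag; IPv4 only.
HOST_TAG = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Filter lines as they would be written in postfix.conf. The first is the
# pattern from the post; the second (my addition) keys on the "lost
# connection after UNKNOWN" line instead of the end of every session.
FAILREGEXES = [
    r"^%(__prefix_line)sdisconnect from \S+\[<HOST>\]",
    r"^%(__prefix_line)slost connection after UNKNOWN from \S+\[<HOST>\]",
]

# Constructed sample log: the bot session from the post, a second visit by
# the same bot, and one legitimate session that also ends in "disconnect".
SAMPLE_LOG = """\
Apr  8 21:15:20 omega postfix/smtpd[3075]: connect from unknown[189.158.233.139]
Apr  8 21:15:21 omega postfix/smtpd[3075]: lost connection after UNKNOWN from unknown[189.158.233.139]
Apr  8 21:15:21 omega postfix/smtpd[3075]: disconnect from unknown[189.158.233.139]
Apr  8 21:16:00 omega postfix/smtpd[3075]: warning: hostname dsl-189-158-233-139-dyn.prod-infinitum.com.mx does not resolve to address 189.158.233.139: Name or service not known
Apr  8 21:17:02 omega postfix/smtpd[3080]: connect from unknown[189.158.233.139]
Apr  8 21:17:02 omega postfix/smtpd[3080]: lost connection after UNKNOWN from unknown[189.158.233.139]
Apr  8 21:17:02 omega postfix/smtpd[3080]: disconnect from unknown[189.158.233.139]
Apr  8 21:18:30 omega postfix/smtpd[3081]: connect from mail.example.org[203.0.113.5]
Apr  8 21:18:31 omega postfix/smtpd[3081]: disconnect from mail.example.org[203.0.113.5]
""".splitlines()


def compile_failregex(pattern: str) -> "re.Pattern":
    """Expand the fail2ban macros and compile, the way fail2ban-regex does."""
    expanded = pattern.replace("%(__prefix_line)s", PREFIX_LINE)
    expanded = expanded.replace("<HOST>", HOST_TAG)
    return re.compile(expanded)


def match_hosts(lines, pattern: str):
    """Return the host captured from every line that matches `pattern`."""
    rx = compile_failregex(pattern)
    hosts = []
    for line in lines:
        m = rx.match(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


def hosts_to_ban(lines, pattern: str, maxretry: int = 3):
    """Hosts whose hit count reaches the jail's maxretry (one findtime window assumed)."""
    counts = Counter(match_hosts(lines, pattern))
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for pattern in FAILREGEXES:
        print(pattern)
        print("  hits:", Counter(match_hosts(SAMPLE_LOG, pattern)))
        print("  ban at maxretry=2:", hosts_to_ban(SAMPLE_LOG, pattern, maxretry=2))
```

Running it shows the point worth checking before enabling the jail: "disconnect from" is logged at the end of every SMTP session, so the legitimate 203.0.113.5 also collects one hit under the post's pattern and would be banned at a low maxretry, while the "lost connection after UNKNOWN" pattern only counts the bot. Whichever pattern you keep, set maxretry in jail.conf with that in mind.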