Sendmail

Step by step instructions for setting up fail2ban for sendmail.

Create the filter

First, create a filter file for sendmail, typically filter.d/sendmail.conf, with the following content:

# Fail2Ban configuration file
#
# Source: http://www.the-art-of-web.com/system/fail2ban-sendmail/
# Contibutors: Gutza, the SASL regex
#
# $Revision: 0 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#

failregex = \[<HOST>\] .*to MTA
#            \[<HOST>\] \(may be forged\)
            \[<HOST>\], reject.*\.\.\. Relaying denied
            (User unknown)\n* \[<HOST>\]
            badlogin: .* \[<HOST>\] plaintext .* SASL

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

You may enable the "(may be forged)" line by uncommenting it (remove the hash symbol at the beginning of the line). Observe caution about that particular regular expression, because it might cause bans on legitimate users.

Define the jail

Now you need to tell fail2ban what to do with this filter. Edit jail.conf and add the following section:

[sendmail]
enabled  = true
filter   = sendmail
action   = iptables-multiport[name=sendmail, port="pop3,imap,smtp,pop3s,imaps,smtps", protocol=tcp]
           sendmail-whois[name=sendmail, dest=you@example.com]
logpath  = /var/log/maillog

Don't forget to change you@example.com with your e-mail address.