Hi Manos_Gk,
please be aware that the Fail2Ban jails are based on the Fail2Ban filters they use. It is a wise idea to post both in case of any issue/problem/failure/error.
I add the filter used (the standard postfix-sasl filter from your Fail2Ban package) for you:
Code:
# Fail2Ban filter for postfix authentication failures
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = postfix(-\w+)?/(submission/)?smtp(d|s)
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/:]*={0,2})?\s*$
ignoreregex = authentication failed: Connection lost to authentication server$
[Init]
journalmatch = _SYSTEMD_UNIT=postfix.service
# Author: Yaroslav Halchenko
As you can see, the regex is quite simple and the task is to ban IPs which have authentication failures ("maxretry = 5" is set, so the matching IPs have to have at least 5 authentication failures before they get a temporary ban).
To investigate why an IP has been banned, you should now investigate your mail logs to find the IP in question. Afterwards, you should investigate WHY the authentication failure took place.
Did the client use a wrong password, or did the client probably try to log in with only the username instead of the full e-mail address?
Did the client try to use an invalid certificate to authenticate?
What makes you think that Fail2Ban didn't work as expected when you compare the mail log entries for that IP with the Fail2Ban bans?
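The filter above replayed over a few constructed mail-log lines, as an added example that is not part of the original post or of Fail2Ban itself: it assumes a simplified expansion of `%(__prefix_line)s` and `<HOST>` and counts, per IP, the lines the jail would treat as failures against the "maxretry = 5" threshold, including the "Connection lost" line that ignoreregex drops.

```python
import re
from collections import Counter

# Assumption: simplified stand-in for %(__prefix_line)s from common.conf
# (syslog timestamp, hostname, daemon[pid]); the real one accepts more layouts.
_DAEMON = r"postfix(-\w+)?/(submission/)?smtp(d|s)"
_PREFIX_LINE = r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ " + _DAEMON + r"\[\d+\]: "
# Assumption: simplified expansion of Fail2Ban's <HOST> tag (IPv4 only here).
_HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Same pattern as the filter's failregex; (?i) is scoped as (?i:...) because
# Python's re module rejects a global flag in the middle of a pattern.
FAILREGEX = re.compile(
    _PREFIX_LINE + r"warning: [-._\w]+\[" + _HOST + r"\]: SASL "
    r"(?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
    r"(: [ A-Za-z0-9+/:]*={0,2})?\s*$"
)
IGNOREREGEX = re.compile(r"authentication failed: Connection lost to authentication server$")

# Constructed sample mail log (not real traffic; TEST-NET addresses).
SAMPLE_LOG = [
    "Mar  3 10:15:01 mail postfix/smtpd[12345]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Mar  3 10:15:02 mail postfix/smtpd[12345]: warning: unknown[203.0.113.10]: SASL PLAIN authentication failed: authentication failure",
    "Mar  3 10:15:03 mail postfix/submission/smtpd[12346]: warning: unknown[203.0.113.10]: SASL login authentication failed: UGFzc3dvcmQ6",
    "Mar  3 10:15:04 mail postfix/smtpd[12345]: warning: unknown[203.0.113.10]: SASL PLAIN authentication failed: Connection lost to authentication server",
    "Mar  3 10:15:05 mail postfix/smtpd[12345]: warning: unknown[203.0.113.10]: SASL CRAM-MD5 authentication failed: generic failure",
    "Mar  3 10:15:06 mail postfix/smtpd[12345]: warning: unknown[203.0.113.10]: SASL DIGEST-MD5 authentication failed",
    "Mar  3 10:15:07 mail postfix/smtpd[12345]: connect from unknown[198.51.100.7]",
    "Mar  3 10:15:08 mail postfix/smtpd[12345]: warning: client.example.net[198.51.100.7]: SASL PLAIN authentication failed: authentication failure",
]


def count_failures(lines):
    """Per host, count lines the filter reports: failregex hit and no ignoreregex hit."""
    hits = Counter()
    for line in lines:
        m = FAILREGEX.search(line)
        if m and not IGNOREREGEX.search(line):
            hits[m.group("host")] += 1
    return dict(hits)


def banned_hosts(lines, maxretry=5):
    """Hosts whose counted failures reach maxretry (the jail's 'maxretry = 5')."""
    return sorted(h for h, n in count_failures(lines).items() if n >= maxretry)


if __name__ == "__main__":
    for host, n in sorted(count_failures(SAMPLE_LOG).items()):
        print(f"{host}: {n} counted failure(s)")
    print("would be banned:", banned_hosts(SAMPLE_LOG))
```

The first host reaches the threshold only because the submission/smtpd line and the lowercase "login" line count too, while the "Connection lost" line is dropped; that is the comparison to make between the mail log and the ban list.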