
Mailbox search attempts flood my logs

Franco

Regular Pleskian
Hello,
on my VPS maillog I see all sorts of hacking attempts of the kind:

plesk_saslauthd[4978]: No such user '[email protected]' in mail authorization database
plesk_saslauthd[4978]: failed mail authenticatication attempt for user '[email protected]' (password len=11)

or it can be test@ or service@, etc.

I hardly run any mail service on my VPS and I don't want to be flooded with such attempts for nonexisting mailboxes and users. How can I stop or prevent them?
I run fail2ban with various jails including dovecot and others, or shall I intervene at the firewall level?
Any help, please?
Franco
 
I have the plesk sasl jail already enabled with:
[postfix-sasl]
enabled = true
maxretry = 4

but no IP addresses currently banned on that. Or is it another kind of jail I should use?
 
@Franco

If you go to "Jails > Manage Filters > postfix-sasl" and inspect the regexp, then you should be aware that your regexp "failed mail authenticatication attempt for user" will not match.

A little bit of adjustment would allow Fail2Ban to actually ban some IPs.

Regards....
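
An added example, not part of the thread and not taken from Plesk's or Fail2Ban's shipped filters: a small Python check of which log lines a candidate failregex matches and whether the match yields an address the jail could ban at the `maxretry = 4` quoted above. The sample log, both candidate patterns and the IPv4-only `<HOST>` expansion are assumptions; the `plesk_saslauthd` lines follow the ones quoted in the first post and carry no client address, while the constructed `postfix/smtpd` lines do.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Hypothetical failregex candidates, written in fail2ban's <HOST> notation.
CANDIDATES = {
    "smtpd-sasl": r"warning: \S+\[<HOST>\]: SASL [-\w]+ authentication failed",
    "plesk-saslauthd": r"plesk_saslauthd\[\d+\]: failed mail authenticatication attempt for user",
}

def sample_log():
    """Constructed log: four failures from one address, one from another."""
    attempts = [("203.0.113.7", "info")] * 4 + [("198.51.100.9", "test")]
    lines = []
    for ip, user in attempts:
        lines += [
            f"Jan 10 10:00:01 vps postfix/smtpd[4970]: warning: unknown[{ip}]: "
            "SASL LOGIN authentication failed: authentication failure",
            "Jan 10 10:00:01 vps plesk_saslauthd[4978]: No such user "
            f"'{user}@example.test' in mail authorization database",
            "Jan 10 10:00:01 vps plesk_saslauthd[4978]: failed mail "
            f"authenticatication attempt for user '{user}@example.test' (password len=11)",
        ]
    return "\n".join(lines)

def evaluate(log_text, candidates, maxretry=4):
    """Per candidate: matched lines, failures per host, hosts reaching maxretry."""
    report = {}
    for name, pattern in candidates.items():
        rx = re.compile(pattern.replace("<HOST>", HOST))
        hits, hosts = 0, Counter()
        for line in log_text.splitlines():
            m = rx.search(line)
            if not m:
                continue
            hits += 1
            host = m.groupdict().get("host")  # None when the pattern has no <HOST>
            if host:
                hosts[host] += 1
        bannable = sorted(h for h, n in hosts.items() if n >= maxretry)
        report[name] = {"hits": hits, "hosts": dict(hosts), "bannable": bannable}
    return report

if __name__ == "__main__":
    for name, result in evaluate(sample_log(), CANDIDATES).items():
        print(name, result)
```

Against a live system, `fail2ban-regex <logfile> <filter file>` reports the match counts for the filter the jail actually uses.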
 
Hi Trialotto, thanks a lot for that, hopefully I fixed it by now. And I realized a few other jails did not have an action in place...
 
@Franco,

No problem, thanks for the thanks.

By the way, I am working on some improvements for Fail2Ban: one new jail (with a specific action), some new settings and some (much desired) added functionality.

Feel free to contribute, just start a conversation if you want to do that.

Anyway, remind me to keep you posted about the aforementioned improvements.

Regards....
 