Fail2ban: Enable sasl jail in postfix

I forgot to enable some jails in Fail2ban; thanks to @gabriele_bulfon, I took a look… yeah, holidays are over

  • postfix-sasl

This jail is official. The goal is to ban remote IPs that try to send email through your server's SMTP service: after a number of bad password attempts, we ban them.

  • postfix-sasl-abuse

This is what Gabriele made me think about; it is a special need they have at Sonicle (WebTop developers). In short, if the login/password of your account is stolen, then a spammer can abuse your server, send a lot of spam and compromise your IP reputation with the blacklist organizations.

We have several ways to do it:

  • smtpd_client_message_rate_limit = 10 # after 10 emails, the emails are paused and an error occurs in the logs… but if you are not aware of it, the spammer can still abuse your server.
  • Use a custom jail to find good authentications and ban the IP if we find more than 100 connections/10 minutes or, like Gabriele would like to do, push the login of the user into a file to reject the smtpd connection: see http://www.postfix.org/SASL_README.html#server_sasl_other

/etc/postfix/main.cf:
    smtpd_recipient_restrictions =
        check_sasl_access hash:/etc/postfix/sasl_access

This feature is not enabled in our Postfix configuration, but I bet that banning the IP is good also.

What do you think, @dev_team?

From what I tested, the postfix-sasl-abuse jail is trivial if we ban the IP; if we want to ban the account, then it could be a bit harder.

4 Likes
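The abuse check described in the post above (more than 100 successful SASL logins in 10 minutes), sketched as an added example that is not part of the original post or of the NethServer jail. It assumes the standard postfix/smtpd `client=…, sasl_method=…, sasl_username=…` log line; the function names, the sample log and the assumed year are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# A *successful* SASL login as logged by postfix/smtpd (queue id, then client=...)
AUTH_OK = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: \w+: "
    r"client=\S*\[(?P<ip>[^\]]+)\], sasl_method=\S+, sasl_username=(?P<user>\S+)$"
)

def find_abusers(lines, limit=100, window=timedelta(minutes=10), year=2024):
    """Return (ips, users) with more than `limit` good logins inside `window`."""
    recent = defaultdict(deque)   # (ip, user) -> login times still inside the window
    ips, users = set(), set()
    for line in lines:
        m = AUTH_OK.match(line.strip())
        if not m:
            continue              # failed logins are the postfix-sasl jail's job
        # syslog timestamps carry no year; `year` is an assumption of this example
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[(m["ip"], m["user"])]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > limit:
            ips.add(m["ip"])      # candidate for an IP ban
            users.add(m["user"])  # candidate for a check_sasl_access entry
    return ips, users

def sasl_access_entries(users):
    """Lines for /etc/postfix/sasl_access (the hash: map is rebuilt with postmap)."""
    return [f"{u} REJECT" for u in sorted(users)]

def sample_log():
    """Constructed log: a stolen account sending fast, a normal user, a failed login."""
    head = "mail postfix/smtpd[4242]: 4A1B2C3D4E: client="
    out = [f"Jan  8 10:{i // 12:02d}:{(i % 12) * 5:02d} {head}unknown[203.0.113.5], "
           f"sasl_method=LOGIN, sasl_username=bob@example.org" for i in range(120)]
    out += [f"Jan  8 10:0{i}:30 {head}host.example.net[198.51.100.7], "
            f"sasl_method=PLAIN, sasl_username=alice@example.org" for i in range(5)]
    out.append("Jan  8 10:05:00 mail postfix/smtpd[4244]: warning: unknown[192.0.2.9]: "
               "SASL LOGIN authentication failed: authentication failure")
    return out

if __name__ == "__main__":
    ips, users = find_abusers(sample_log())
    print("ban:", sorted(ips), "| sasl_access:", sasl_access_entries(users))
```

Counting per (IP, account) pair keeps both responses available: the IP goes to the ban action, the account to the `check_sasl_access` table.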

Glad to know our work on XStream Collaboration was useful to NS7 too :wink:

Hope to have some stuff like this on Cyrus IMAP too!

1 Like

I like it.

I’d prefer this implementation rather than relying on fail2ban.
But since nobody else asked for it before, I’d start with a template-custom.

I wonder if there are not two kinds of issues here:

one where you want to slow down the usage of your SMTP server
one where you want to ban someone who is playing with your server.

I am not against implementing this in the mail server, just thinking it is not the same purpose.

You’re totally right, these are 2 different usage scenarios.

You can address it with smtpd_client_message_rate_limit option.
(template-custom for now)

Use the sasl postfix jail (fail2ban config almost ready to be merged)

1 Like

Not completely finished the work you set on Thursday at Pesaro…WIP :smiley:

1 Like