SPF-fail
#3470
You provided neither a log-line example nor which SMTP server exactly you use.
it would be enough to add this to your [postfix]
mode = aggressive
failregex = %(known/failregex)s
            ^RCPT from [^\[]*\[<ADDR>\]: 550 5\.7\.23 \S*: Recipient address rejected:
enabled = true

You can also test it (or other REs) using

fail2ban-regex -vv "$msg_or_log_file_or_systemd-journal" 'postfix[mode=aggressive,failregex="^RCPT from [^\[]*\[<ADDR>\]: 550 5\.7\.23 \S*: Recipient address rejected:"]'

You |
SPF (Sender Policy Framework) helps to prevent spoofing of e-mails and is a method to prevent SPAM. SPF determines whether or not a sender is permitted to send on behalf of a domain. If the sender is not permitted to do so, that is, if the email fails the SPF check on the receiving mail server, the spam policy configured on that mail server determines what to do with the message. Mail servers with repeating SPF-fails (mail servers which send mail on behalf of a domain for which they are not authorised) can be considered SPAMmers (or compromised computers in a botnet). The e-mails are handled by the anti-SPAM software on the receiving mailserver, but these mails use capacity, so why not block the sending server!?
This can be done with a filter:
failregex = SPF fail - not authorized.*ip=<HOST>.*
and
logpath = /var/log/mail.log
I ran this configuration for a while and only obscure mail servers were blocked. I can share the config file and the info for jail.local.
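The two patterns quoted in this thread, run over constructed log lines to show which address each one would hand to the ban action (an added example, not code from the thread or from fail2ban). The `ADDR` expansion and the `strip_prefix` helper are simplified assumptions standing in for fail2ban's own tag and prefix handling, and every log line, host and address is made up.

```python
import re

# Simplified stand-in for fail2ban's <HOST>/<ADDR> tags (assumption: the real
# tags accept more forms; only bare IPv4/IPv6 literals are captured here).
ADDR = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[0-9A-Fa-f:]*:[0-9A-Fa-f:.]+)"

# The two failregex patterns quoted in the thread.
REPLY_RE = r"^RCPT from [^\[]*\[<ADDR>\]: 550 5\.7\.23 \S*: Recipient address rejected:"
POST_RE = r"SPF fail - not authorized.*ip=<HOST>.*"

def compile_failregex(failregex):
    """Expand the host tag so the pattern runs under plain `re`."""
    return re.compile(failregex.replace("<ADDR>", ADDR).replace("<HOST>", ADDR))

def strip_prefix(line):
    """Hypothetical helper: keep only the text after 'reject: ', so the
    ^-anchored pattern is applied to the part starting at 'RCPT from'."""
    return line.split("reject: ", 1)[-1]

def offenders(failregex, lines, strip=False):
    """Return the address captured from each line the pattern matches."""
    rx = compile_failregex(failregex)
    hits = []
    for line in lines:
        m = rx.search(strip_prefix(line) if strip else line)
        if m:
            hits.append(m.group("host"))
    return hits

# Constructed log lines: documentation address ranges, made-up hosts and layout.
SAMPLE = [
    "postfix/smtpd[811]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.7.23 "
    "<bob@example.org>: Recipient address rejected: SPF fail - not authorized. ip=203.0.113.7",
    "postfix/smtpd[812]: NOQUEUE: reject: RCPT from mx.example.net[2001:db8::25]: 550 5.7.23 "
    "<bob@example.org>: Recipient address rejected: SPF fail - not authorized. ip=2001:db8::25",
    # Greylisting rejection (450), not an SPF failure: neither pattern should match.
    "postfix/smtpd[813]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 450 4.7.1 "
    "<bob@example.org>: Recipient address rejected: Greylisted",
    # Policy-daemon line without the 'RCPT from' part: only the post's pattern matches.
    "policy-daemon[902]: 550 5.7.23 SPF fail - not authorized. ip=198.51.100.44",
]

if __name__ == "__main__":
    print("reply pattern:", offenders(REPLY_RE, SAMPLE, strip=True))
    print("post pattern: ", offenders(POST_RE, SAMPLE))
```

Against real logs, `fail2ban-regex` as shown in the reply remains the authoritative check, since it applies the filter's actual prefix and tag definitions.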