fail2ban SASL

I installed fail2ban on a mail server yesterday, to deal with a specific hassle related to a huge number of hits to our (clients-who-send-mail) SMTP infrastructure. It did little good. I became aware the problem was that the authentication attempts were via SASL. So, I enabled SASL. Nothing. Then I found a good forum post. Long story short, modify /etc/fail2ban/filter.d/sasl.conf as follows:

#failregex = : warning: [-._\w]+\[\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$
failregex = (?i): warning: [-._\w]+\[\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/ ]*)?$

It works great.

Tags: