Enrico Rossi

How to ban Postfix SASL LOGIN authentication failed in Debian Bullseye.

I spent some time finding out why my fail2ban installation did not seem to catch these lines. In the end the answer was quite simple: if you log through systemd, you need to specify a journalmatch line so that these entries are picked up from the journal properly.

This type of connection:

Mar  5 10:01:40 hostname postfix/smtpd[88112]: warning: unknown[]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

can be filtered out with this setup in /etc/fail2ban/jail.d/jail.local:

backend = systemd
bantime = 1d
maxretry = 2
findtime = 1d

enabled = true

enabled = true
mode = aggressive
journalmatch = SYSLOG_IDENTIFIER=postfix/smtpd

enabled = true

This works on Debian Bullseye and Debian Buster with the default fail2ban installation.
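To check that a pattern actually matches lines like the one above, and to see what the maxretry = 2 / findtime = 1d values from the jail do, here is an added Python example. It is not part of the original post and not fail2ban's own code: the regex is modelled on the Postfix smtpd SASL failure message rather than taken from fail2ban's postfix filter, the log lines are constructed with RFC 5737 documentation addresses, and the year is assumed to be 2021 because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Regex modelled on the Postfix smtpd SASL failure message. It is written for
# this example and is not the regex shipped in fail2ban's postfix.conf filter.
SASL_FAIL = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: warning: "
    r"\S+\[(?P<ip>[^\]]*)\]: SASL \S+ authentication failed"
)

# Syslog timestamps have no year; this example assumes 2021.
ASSUMED_YEAR = 2021

# Constructed sample lines in the syslog format shown in the post. The client
# addresses are RFC 5737 documentation placeholders, not real hosts. The first
# line reproduces the post's own entry, whose client address is empty.
SAMPLE_LOG = """\
Mar  5 10:01:00 hostname postfix/smtpd[88100]: warning: unknown[]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  5 10:01:40 hostname postfix/smtpd[88112]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  5 10:02:11 hostname postfix/smtpd[88112]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  5 10:02:12 hostname postfix/smtpd[88112]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  5 10:03:00 hostname postfix/smtpd[88120]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: generic failure
Mar  5 10:03:05 hostname postfix/smtpd[88121]: connect from mail.example.net[203.0.113.5]
Mar  6 12:00:00 hostname postfix/smtpd[90001]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""


def parse_line(line):
    """Return (timestamp, ip) for a SASL failure line, else None.

    Lines with an empty client address (like the post's 'unknown[]' entry)
    are skipped: there is no address to ban.
    """
    m = SASL_FAIL.match(line)
    if not m or not m.group("ip"):
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    return ts, m.group("ip")


def ban_decisions(log_text, maxretry=2, findtime=timedelta(days=1)):
    """Replay the log with fail2ban-style counting.

    A client is banned once it reaches `maxretry` failures inside a sliding
    `findtime` window; its counter is reset after each ban.
    Returns {ip: [timestamps at which a ban was triggered]}.
    """
    recent = defaultdict(list)
    bans = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        # Keep only failures still inside the findtime window.
        window = [t for t in recent[ip] if ts - t <= findtime]
        window.append(ts)
        if len(window) >= maxretry:
            bans[ip].append(ts)
            window = []
        recent[ip] = window
    return dict(bans)


if __name__ == "__main__":
    # 192.0.2.10 is banned on its second failure; 198.51.100.7 is not,
    # because its two failures are more than one day apart.
    for ip, times in ban_decisions(SAMPLE_LOG).items():
        print(ip, [t.isoformat() for t in times])
```

The second client shows why findtime matters: two failures 26 hours apart never add up to maxretry within a one-day window, so a slow attacker stays under this jail's threshold unless findtime is raised or maxretry lowered.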