fail2ban postfix-sasl.conf not working with default filter
I have installed my server using The Perfect Server - Debian 8 Jessie (Apache2, BIND, Dovecot, ISPConfig 3) and have been testing out the fail2ban part.
With the default filter in postfix-sasl.conf it was not catching all the attempted failed logins in mail.log.
I spent a while testing this and could not get myself banned using Thunderbird and repeatedly trying incorrect passwords. I have set this jail to work on ports 25 and 465.
I used fail2ban-regex to test the logs and found that if they look like the following they were being missed:
Sep 18 20:04:57 ?????? postfix/smtps/smtpd[25905]: warning: ???.???.???.???.some.host.net[???.???.???.???]: SASL LOGIN authentication failed: UGFzd3dvgaQ7
(?s are IP numbers and plain text etc...)
I had a look and found a replacement filter and tweaked it a little so it caught all these lines; it now looks like the following:
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[A-Za-z0-9+/ ]*)?$
Using fail2ban-regex with this filter it now catches all these attempted logins.
This filter now works if I attempt to log in with incorrect details and I get banned as expected.
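
An added example, not part of the original post: the filter above run over constructed log lines in Python, to check which address each matching line yields and which failure lines slip past it. The IPv4-only `HOST_GROUP`, the sample lines, the `maxretry=3` threshold and the helper names are assumptions; fail2ban's real `<HOST>` expansion is broader.

```python
import re
from collections import Counter

# Filter from the post; <HOST> is fail2ban's placeholder for the client address.
FAILREGEX = (r"(?i): warning: [-._\w]+\[<HOST>\]: SASL "
             r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
             r"(:[A-Za-z0-9+/ ]*)?$")

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> expansion.
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed sample lines (documentation IP ranges, made-up host names).
SAMPLE_LOG = """\
Sep 18 20:04:57 mail postfix/smtps/smtpd[25905]: warning: client.example.net[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 18 20:05:02 mail postfix/smtpd[25911]: warning: unknown[198.51.100.23]: SASL PLAIN authentication failed:
Sep 18 20:05:09 mail postfix/smtps/smtpd[25905]: warning: client.example.net[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 18 20:05:15 mail postfix/submission/smtpd[25920]: warning: client.example.net[203.0.113.7]: SASL CRAM-MD5 authentication failed: UGFzc3dvcmQ6
Sep 18 20:05:21 mail postfix/smtps/smtpd[25905]: warning: unknown[192.0.2.44]: SASL LOGIN authentication failed: Y29uc3RydWN0ZWQ=
Sep 18 20:05:30 mail postfix/smtps/smtpd[25905]: connect from client.example.net[203.0.113.7]
""".splitlines()

def compile_failregex(failregex=FAILREGEX):
    """Expand <HOST> before compiling, as fail2ban does (simplified)."""
    if "<HOST>" not in failregex:
        raise ValueError("failregex has no <HOST> tag: no address to ban")
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))

def failures_per_host(lines, failregex=FAILREGEX):
    """Count matched lines per captured client address."""
    rx = compile_failregex(failregex)
    hits = Counter()
    for line in lines:
        m = rx.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits

def missed_sasl_lines(lines, failregex=FAILREGEX):
    """Failure lines the filter does not match, e.g. one ending in '=' padding."""
    rx = compile_failregex(failregex)
    return [ln for ln in lines if "authentication failed" in ln and not rx.search(ln)]

def hosts_to_ban(lines, maxretry=3):
    """Addresses that reach the jail's retry threshold."""
    return sorted(h for h, n in failures_per_host(lines).items() if n >= maxretry)

if __name__ == "__main__":
    print(failures_per_host(SAMPLE_LOG), hosts_to_ban(SAMPLE_LOG))
    print("missed:", missed_sasl_lines(SAMPLE_LOG))
```

On a live system, `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix-sasl.conf` runs the same check against the real log and filter file.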