<html><body><div style="font-family: arial,helvetica,sans-serif; font-size: 12pt; color: #000000"><div><style style="display:none;"> P {margin-top:0;margin-bottom:0;} </style></div><div>Hi Mark,<br></div><div>here we go whit this regexp:<br data-mce-bogus="1"></div><div><br data-mce-bogus="1"></div><div>grep -P 'postfix\/submission\/smtpd\[\d+\]: warning: .*\[(.*)\]: SASL \w+ authentication failed: authentication failure$' /var/log/zimbra.log</div><div><br data-mce-bogus="1"></div><div>This will match only submission port.<br></div><div>On fail2ban you need a new filter with this rule like this :<br data-mce-bogus="1"></div><div><br data-mce-bogus="1"></div><div>failregex = postfix\/submission\/smtpd\[\d+\]: warning: .*\[<HOST>\]: SASL \w+ authentication failed: authentication failure$<br><br data-mce-bogus="1"></div><div><br></div><hr id="zwchr" data-marker="__DIVIDER__"><div data-marker="__HEADERS__"><blockquote style="border-left:2px solid #1010FF;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><b>Da: </b>"L Mark Stone" <lmstone@lmstone.com><br><b>A: </b>"users" <users@lists.zetalliance.org><br><b>Inviato: </b>Martedì, 2 giugno 2020 23:13:54<br><b>Oggetto: </b>[Users] Help Request: Fail2ban for SASL-Auth Only<br></blockquote></div><div data-marker="__QUOTED_TEXT__"><blockquote style="border-left:2px solid #1010FF;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Regular expressions are a weak point with me and I've got DoSFilter working just fine already.
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
What I'm looking to do is implement Fail2ban -- but just for SASL-Auth failures on port 587, and leave DoSFilter keeping watch on mailboxd.<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
I've looked at a number of older Zimbra-fail2ban web sites, and none of the regex's there seem to match what I see in my logs for SASL-Auth failures.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
If anyone has pointers to newer Zimbra fail2ban guides, especially if they work with Ubuntu's UFW, I'd be grateful.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Thanks in advance,</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Mark<br>
</div>
<div>
<div id="Signature">
<div id="divtagdefaultwrapper" dir="ltr" style="font-size:12pt; color:#000000; background-color:#FFFFFF; font-family:Calibri,Arial,Helvetica,sans-serif">
<p style="margin-top:0px; margin-bottom:0px"><strong>_________________________________________________</strong></p>
<p style="margin-top:0px; margin-bottom:0px"><strong>L. Mark Stone</strong></p>
<p style="margin-top:0px; margin-bottom:0px"><strong>Mission Critical Email LLC</strong></p>
<p style="margin-top:0px; margin-bottom:0px"><strong>mark.stone@missioncriticalemail.com<br>
</strong></p>
<p style="margin-top:0px; margin-bottom:0px"><br>
</p>
</div>
</div>
</div><br></blockquote></div></div></body></html>