<html><body><div style="font-family: verdana,helvetica,sans-serif; font-size: 10pt; color: #000000"><div><style style="display:none">While /*<![CDATA[*/P {
margin-top: 0;
margin-bottom: 0;
}
/*]]>*/</style></div><div style="font-family: verdana,helvetica,sans-serif; font-size: 10pt; color: #000000"><div></div>I created this repo in the past:</div><div style="font-family: verdana,helvetica,sans-serif; font-size: 10pt; color: #000000"><a href="https://gitlab.com/yetopen/zimbra-fail2ban">https://gitlab.com/yetopen/zimbra-fail2ban</a></div><div style="font-family: verdana,helvetica,sans-serif; font-size: 10pt; color: #000000">if it's not up to date please submit PR or note so I can keep it up to date.</div><div style="font-family: verdana,helvetica,sans-serif; font-size: 10pt; color: #000000"><br data-mce-bogus="1"></div><div style="font-family: verdana,helvetica,sans-serif; font-size: 10pt; color: #000000">(I didn't receive Mark's original message)<br><br><hr id="zwchr" data-marker="__DIVIDER__"><div data-marker="__HEADERS__"><blockquote style="border-left:2px solid #1010FF;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><b>From: </b>"Manuel Garbin" &lt;manuel@studiostorti.com&gt;<br><b>To: </b>"L Mark Stone" &lt;lmstone@lmstone.com&gt;<br><b>Cc: </b>"users" &lt;users@lists.zetalliance.org&gt;<br><b>Sent: </b>Wednesday, June 3, 2020 7:30:00 AM<br><b>Subject: </b>Re: [Users] Help Request: Fail2ban for SASL-Auth Only<br></blockquote></div><div data-marker="__QUOTED_TEXT__"><blockquote style="border-left:2px solid #1010FF;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><div style="font-family:'arial' , 'helvetica' , sans-serif;font-size:12pt;color:#000000"><div>Hi Mark,<br></div><div>here we go with this regexp:<br></div><br><div>grep -P 'postfix\/submission\/smtpd\[\d+\]: warning: .*\[(.*)\]: SASL \w+ authentication failed: authentication failure$' /var/log/zimbra.log</div><br><div>This will match only submission port.<br></div><div>On fail2ban you need a new 
filter with this rule like this:<br></div><br><div>failregex = postfix\/submission\/smtpd\[\d+\]: warning: .*\[&lt;HOST&gt;\]: SASL \w+ authentication failed: authentication failure$<br><br></div><br><hr id="zwchr"><div><blockquote style="border-left:2px solid #1010ff;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:'helvetica' , 'arial' , sans-serif;font-size:12pt"><b>From: </b>"L Mark Stone" &lt;lmstone@lmstone.com&gt;<br><b>To: </b>"users" &lt;users@lists.zetalliance.org&gt;<br><b>Sent: </b>Tuesday, 2 June 2020 23:13:54<br><b>Subject: </b>[Users] Help Request: Fail2ban for SASL-Auth Only<br></blockquote></div><div><blockquote style="border-left:2px solid #1010ff;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:'helvetica' , 'arial' , sans-serif;font-size:12pt">
<div style="font-family:'calibri' , 'arial' , 'helvetica' , sans-serif;font-size:12pt;color:rgb( 0 , 0 , 0 )">
Regular expressions are a weak point with me and I've got DoSFilter working just fine already.
<br>
</div>
<div style="font-family:'calibri' , 'arial' , 'helvetica' , sans-serif;font-size:12pt;color:rgb( 0 , 0 , 0 )">
<br>
</div>
<div style="font-family:'calibri' , 'arial' , 'helvetica' , sans-serif;font-size:12pt;color:rgb( 0 , 0 , 0 )">
What I'm looking to do is implement Fail2ban -- but just for SASL-Auth failures on port 587, and leave DoSFilter keeping watch on mailboxd.<br>
</div>
<div style="font-family:'calibri' , 'arial' , 'helvetica' , sans-serif;font-size:12pt;color:rgb( 0 , 0 , 0 )">
<br>
</div>
<div style="font-family:'calibri' , 'arial' , 'helvetica' , sans-serif;font-size:12pt;color:rgb( 0 , 0 , 0 )">
I've looked at a number of older Zimbra-fail2ban web sites, and none of the regexes there seem to match what I see in my logs for SASL-Auth failures.</div>
<div style="font-family:'calibri' , 'arial' , 'helvetica' , sans-serif;font-size:12pt;color:rgb( 0 , 0 , 0 )">
<br>
</div>
<div style="font-family:'calibri' , 'arial' , 'helvetica' , sans-serif;font-size:12pt;color:rgb( 0 , 0 , 0 )">
If anyone has pointers to newer Zimbra fail2ban guides, especially if they work with Ubuntu's UFW, I'd be grateful.</div>
<div style="font-family:'calibri' , 'arial' , 'helvetica' , sans-serif;font-size:12pt;color:rgb( 0 , 0 , 0 )">
<br>
</div>
<div style="font-family:'calibri' , 'arial' , 'helvetica' , sans-serif;font-size:12pt;color:rgb( 0 , 0 , 0 )">
Thanks in advance,</div>
<div style="font-family:'calibri' , 'arial' , 'helvetica' , sans-serif;font-size:12pt;color:rgb( 0 , 0 , 0 )">
Mark<br>
</div>
<div>
<div id="Signature">
<div id="divtagdefaultwrapper" dir="ltr" style="font-size:12pt;color:#000000;background-color:#ffffff;font-family:'calibri' , 'arial' , 'helvetica' , sans-serif">
<p style="margin-top:0px;margin-bottom:0px"><strong>_________________________________________________</strong></p>
<p style="margin-top:0px;margin-bottom:0px"><strong>L. Mark Stone</strong></p>
<p style="margin-top:0px;margin-bottom:0px"><strong>Mission Critical Email LLC</strong></p>
<p style="margin-top:0px;margin-bottom:0px"><strong>mark.stone@missioncriticalemail.com<br>
</strong></p>
<p style="margin-top:0px;margin-bottom:0px"><br>
</p>
</div>
</div>
</div></blockquote></div></div></blockquote></div><br><br><div data-marker="__SIG_POST__">-- <br></div><div>Lorenzo Milesi - lorenzo.milesi@yetopen.it<br><br><br></div></div></div>
<br><div>
<a href="https://www.yetopen.it">
<img src="https://logo.ufficyo.com/logo_yetopen_firma_email.png" alt="YetOpen S.r.l." />
</a>
<br />
Via Salerno 18 - 23900 Lecco - ITALY -<br />
Tel +39 0341 220 205 - Fax +39 178 6070 222<br />
</div>
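<div>Added example, not part of the original thread or of the zimbra-fail2ban repo: a Python check of the submission-only failregex quoted above against constructed zimbra.log lines, showing which lines it counts and which it skips. fail2ban's &lt;HOST&gt; tag is replaced here by a simplified address group, and the function names, sample lines and maxretry value are assumptions.</div>

```python
import re
from collections import Counter

# The failregex from the thread, verbatim, with fail2ban's <HOST> tag still in place.
FAILREGEX = (r"postfix\/submission\/smtpd\[\d+\]: warning: .*\[<HOST>\]: "
             r"SASL \w+ authentication failed: authentication failure$")

# Assumption: simplified stand-in for fail2ban's own <HOST> expansion (IPv4/IPv6 literals).
HOST_GROUP = r"(?P<host>[0-9A-Fa-f:.]+)"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_GROUP))

# Constructed sample lines in the shape of /var/log/zimbra.log (not real log data).
SAMPLE_LOG = """\
Jun  3 07:01:10 mail postfix/submission/smtpd[4242]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Jun  3 07:01:12 mail postfix/submission/smtpd[4242]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Jun  3 07:01:15 mail postfix/smtpd[4250]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: authentication failure
Jun  3 07:01:18 mail postfix/smtps/smtpd[4251]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: authentication failure
Jun  3 07:01:20 mail postfix/submission/smtpd[4242]: warning: host.example[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Jun  3 07:01:25 mail postfix/submission/smtpd[4260]: warning: unknown[2001:db8::25]: SASL LOGIN authentication failed: authentication failure
Jun  3 07:01:30 mail postfix/submission/smtpd[4261]: warning: unknown[192.0.2.44]: SASL LOGIN authentication failed: authentication failure, extra=field
"""


def failed_hosts(log_text):
    """Return the client address of every line the filter would count as a failure."""
    hosts = []
    for line in log_text.splitlines():
        match = PATTERN.search(line)
        if match:
            hosts.append(match.group("host"))
    return hosts


def would_ban(log_text, maxretry=3):
    """Addresses with at least maxretry matching lines (findtime windowing is ignored)."""
    counts = Counter(failed_hosts(log_text))
    return sorted(host for host, hits in counts.items() if hits >= maxretry)


if __name__ == "__main__":
    # Port 25 (postfix/smtpd) and smtps lines are skipped; so is the last line,
    # because the trailing "$" anchor rejects anything after "authentication failure".
    print(failed_hosts(SAMPLE_LOG))
    print(would_ban(SAMPLE_LOG))
```

<div>If your own log lines carry extra text after "authentication failure", the "$" anchor makes the filter miss them, so run it against a sample of your real /var/log/zimbra.log before relying on it.</div>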
<br></body></html>