Postfix Log Report

Pflogsumm is a great tool to create a summary of Postfix logs. Install it with:

apt update && apt install pflogsumm

Example: Use the following command to generate a report for today:

pflogsumm -d today /var/log/mail.log

Further Reading: https://linux.die.net/man/1/pflogsumm

You can add a cron job to make pflogsumm send a report to your email address every day.

crontab -e

Add the following line, which will generate a report every day at 4:00 AM:

0 4 * * * /usr/sbin/pflogsumm -d yesterday /var/log/mail.log --problems-first --rej-add-from --verbose-msg-detail -q | mutt -s "Postfix log summary"  your-email-address

The output of the pflogsumm command is piped to mutt, a command-line mail user agent, which uses the output as the email body and sends it to the email address you specify at the end. You need to install mutt on your Linux server:

apt update && apt install mutt

Stop SMTP AUTH Flood using Fail2Ban

Create the file:

nano /etc/fail2ban/jail.d/postfix-flood-attack.local

[postfix-flood-attack]
enabled  = true
bantime  = 30m
maxretry = 5
filter   = postfix-flood-attack
action   = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
logpath  = /var/log/mail.log

Now create the filter:

nano /etc/fail2ban/filter.d/postfix-flood-attack.conf

[Definition]
failregex = lost connection after AUTH from (.*)\[<HOST>\]
ignoreregex =
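
To see what this jail and filter will act on before enabling them, the following added example (not part of the original page) applies the failregex above to constructed log lines and reports which hosts reach maxretry = 5. It assumes Fail2ban's default findtime of 10 minutes, since the jail does not set one, and approximates <HOST> as an IPv4 capture; the hostnames, PIDs and documentation-range IP addresses are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# failregex copied from postfix-flood-attack.conf on this page.
FAILREGEX = r"lost connection after AUTH from (.*)\[<HOST>\]"
# Simplification: Fail2ban expands <HOST> itself; here it is an IPv4 capture.
PATTERN = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"))
MAXRETRY = 5                      # from the [postfix-flood-attack] jail
FINDTIME = timedelta(minutes=10)  # assumption: Fail2ban default, not set on the page

def _line(ts, stage, ip):
    """Build one constructed mail.log line in syslog format."""
    return f"Mar 12 {ts} mail postfix/smtpd[2101]: lost connection after {stage} from unknown[{ip}]"

# Constructed sample log: one flooder, one slow client, one non-AUTH client.
SAMPLE_LOG = (
    [_line(f"04:00:{s:02d}", "AUTH", "203.0.113.7") for s in range(0, 50, 10)]    # 5 hits in 40 s
    + [_line(f"04:{m:02d}:00", "AUTH", "198.51.100.9") for m in range(0, 30, 6)]  # 5 hits over 24 min
    + [_line(f"04:01:{s:02d}", "EHLO", "192.0.2.44") for s in range(6)]           # never matches
)

def banned_hosts(lines, year=2024):
    """Return hosts that reach MAXRETRY matches within one FINDTIME window."""
    hits = defaultdict(list)
    banned = []
    for line in lines:
        m = PATTERN.search(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so one is supplied for parsing.
        ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        host = m.group("host")
        # Keep only this host's failures that are still inside the window.
        hits[host] = [t for t in hits[host] if ts - t <= FINDTIME] + [ts]
        if len(hits[host]) >= MAXRETRY and host not in banned:
            banned.append(host)
    return banned

if __name__ == "__main__":
    print(banned_hosts(SAMPLE_LOG))
```

Against real logs, fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix-flood-attack.conf runs the same check with Fail2ban's own matcher.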

Stop Repeat Senders Who Failed Postfix Check with Fail2Ban

nano /etc/fail2ban/jail.d/postfix-flood-attack.local

[postfix]
enabled = true
maxretry = 3
bantime = 1h
filter = postfix
logpath = /var/log/mail.log

Do not create a filter for this jail. The [postfix] jail uses the built-in filter shipped with Fail2ban (/etc/fail2ban/filter.d/postfix.conf); overwriting that file with the AUTH regex from the previous section would replace the built-in Postfix checks. Save and close the jail file, then restart Fail2ban.

systemctl restart fail2ban