[Mimedefang] detect failed auth

Tomasz Ostrowski tometzky at batory.org.pl
Thu Oct 9 04:37:20 EDT 2014

On 2014-09-10 16:29, David F. Skoll wrote:

> Sep 10 10:28:04 vanadium sm-mta[2670]: s8AEQtDU002670: dfs at hydrogen.roaringpenguin.com [] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v6

I've recently configured fail2ban on my CentOS5 server with blocking 
based solely on this line:
> Oct  9 10:17:38 batyskaf sendmail[16834]: s998Gc97016834: cpe-173-88-252-250.neo.res.rr.com [] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

Installed fail2ban from EPEL. Created /etc/fail2ban/filter.d/smtp.conf:
# Fail2Ban filter for sendmail authentication failures

before = common.conf

_daemon = sendmail
failregex = ^ ?%(__prefix_line)s\w{14}: (\S+ )?\[<HOST>\]( \(may be forged\))? did not issue MAIL/EXPN/VRFY/ETRN during connection to (TLS)?MTA$
ignoreregex =

And created /etc/fail2ban/jail.local:
> ignoreip =
> usedns   = no
> [ssh-iptables]
> enabled  = false
> [smtp]
> enabled  = true
> filter   = smtp
> action   = iptables-multiport[name=sendmail-auth, port="submission,465,smtp", protocol=tcp, blocktype=DROP]
> logpath  = /var/log/maillog

Then simply run:
# chkconfig fail2ban on
# service fail2ban start

And brute-force attacks slowed considerably. I think this would also work 
for CentOS/RHEL6 with no modifications.

I assumed that no legitimate client would connect without issuing 
MAIL/EXPN/VRFY/ETRN. Definitely not more than two times in 5 minutes to 
trigger a ban.

There could be a problem if some user would try to login with a bad password 
more than twice in 5 minutes - he would not be able to send mail for an 

...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
                                                       Winnie the Pooh
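A way to check offline what the filter above catches and when it would ban, as an added example (not from the post, not fail2ban's own code): a plain-regex equivalent of the failregex run over constructed maillog lines, with a sliding window that assumes maxretry=3 within findtime=300 s, matching the post's "more than twice in 5 minutes". The simplified syslog prefix, the year 2014 and the sample addresses (TEST-NET ranges) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Plain-regex equivalent of the post's failregex. fail2ban itself expands
# %(__prefix_line)s from common.conf and <HOST>; both are spelled out here
# (assumed, simplified prefix: "Mon DD HH:MM:SS host sendmail[pid]: ").
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: "
    r"\w{14}: (?:\S+ )?\[(?P<host>[\d.]+)\](?: \(may be forged\))?"
    r" did not issue MAIL/EXPN/VRFY/ETRN during connection to (?:TLS)?MTA$"
)

# Constructed sample log: one host connects three times in two minutes, a
# second host only twice inside any 5-minute window, plus an unrelated line.
SAMPLE_LOG = """\
Oct  9 10:17:38 batyskaf sendmail[16834]: s998Gc97016834: example-1.test [203.0.113.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Oct  9 10:18:02 batyskaf sendmail[16840]: s998I2Ab016840: [203.0.113.10] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Oct  9 10:19:40 batyskaf sendmail[16851]: s998JeXY016851: example-1.test [203.0.113.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to TLSMTA
Oct  9 10:20:00 batyskaf sendmail[16860]: s998K0Qq016860: example-2.test [198.51.100.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Oct  9 10:40:00 batyskaf sendmail[16901]: s998e0Fb016901: example-2.test [198.51.100.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Oct  9 10:41:00 batyskaf sendmail[16905]: s998f0Zt016905: example-2.test [198.51.100.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Oct  9 10:41:30 batyskaf sendmail[16910]: s998fUAa016910: from=<alice@example.test>, size=1024
"""

def parse_ts(ts, year=2014):
    # syslog timestamps carry no year; the year is an assumption for the sample
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def hosts_to_ban(lines, maxretry=3, findtime=300):
    """Return {host: time_of_ban} for hosts with maxretry matching lines
    inside any findtime-second window (fail2ban-style sliding window)."""
    recent = defaultdict(list)
    banned = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("host") in banned:
            continue
        host, t = m.group("host"), parse_ts(m.group("ts"))
        # keep only matches that still fall inside the window ending at t
        recent[host] = [x for x in recent[host] + [t]
                        if (t - x).total_seconds() <= findtime]
        if len(recent[host]) >= maxretry:
            banned[host] = t
    return banned

if __name__ == "__main__":
    for host, when in hosts_to_ban(SAMPLE_LOG.splitlines()).items():
        print(f"ban {host} at {when:%H:%M:%S}")
```

With the default window only 203.0.113.10 is banned; lowering maxretry to 2 also catches 198.51.100.7, which is the false-positive risk the post raises for users retyping a bad password.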
