What can I do about these connections?

Log entry:
Aug 7 22:25:37 mail postfix/submission/smtpd[62197]: disconnect from unknown[] ehlo=1 auth=0/1 rset=1 commands=2/3

About every 10 seconds. Different IP address each time; pool of about 7 IP addresses.
Never getting added to the banned list. Am I understanding this wrong? I thought it was automatic?

Thanks for some clarity.

Hi, fail2ban will block connections like that - but only when they reach a threshold number of attempts in a specific time. Presumably that source has tuned its rate to stay under the default threshold.

You could change the thresholds but note: any changes will get overwritten with MIAB updates, and be careful you don’t block legitimate traffic!

Personally, I’ve seen multiple attacks from and I blocked the entire subnet :slight_smile: I “might” miss out on real email but I’ll take that risk.

So to ask such a noob question, but where do I block the entire subnet? I have a bunch of others from my other email server I would love to block in MIAB too.

I use iptables, this should do the trick. It will disappear on reboot, so you might want to put it in a boot-time script (needs to run as root), or you can just execute it whenever 46.148.40.x are harassing you!

sudo iptables -I INPUT -s -j DROP

1 Like

Thank you for this; it has been very helpful.

Not sure if this will help but to make rules permanent run: iptables-persistent, you may need to install it first.


Take a little care with iptables-persistent. It will restore whatever was in place when the rules were saved, which might include temporary blocks added by fail2ban - blocks that you don’t really want to be persistent!

Instead of iptables you can also use fail2ban-client: For the subnet mentioned by @andrew I run: sudo fail2ban-client set recidive banip
This puts the ip/subnet in the recidive jail and blocks everything from there for 7 days (I think). Recidive is a default fail2ban jail, which can be easily used for that.

So I have zero tolerance for these folks. Is there a way I tell fail2ban to just keep them in jail for a year?

AFAIK, only when you create a new jail with a bantime for that year. There doesn’t seem to be an existing jail like this on a default MIAB installation.
But then you are deviating from the default again and might need to redo those changes after a MIAB upgrade.