
For exim4: Fail2ban should ban all IPs that are successfully found in a DNSRBL:

H=.* [[](?P<host>\S*)[]] .* rejected RCPT .* is listed at .*

To ban the host after the first seen listing:

# ban ips listed in a dns realtime-blacklist
enabled = true
port    = smtp,ssmtp
filter  = exim4
logpath = /var/log/exim4/mainlog
# ban immediately
maxretry = 0
# ban almost 6h
bantime  = 20000

Please review this. I think this works so far.

How can I just ban only the SMTP ports and not all ports?

Regards, Adrian.
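
The failregex above, run over a few exim4 mainlog lines, as an added example that is not part of the original post. The log lines, addresses and the DNSBL name dnsbl.example are constructed, and the helper names are hypothetical. It also shows that a line with no host name before the bracketed IP (H=[ip]) is not matched, because the expression requires a space before the "[".

```python
import re
import warnings

# The failregex from the page, unchanged. fail2ban evaluates it with Python's re.
FAILREGEX = r"H=.* [[](?P<host>\S*)[]] .* rejected RCPT .* is listed at .*"

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    "2024-01-01 10:00:01 H=(mail.example.org) [192.0.2.10] F=<a@example.org> "
    "rejected RCPT <b@example.net>: 192.0.2.10 is listed at dnsbl.example",
    "2024-01-01 10:00:05 H=(relay.example.org) [198.51.100.7] F=<a@example.org> "
    "rejected RCPT <c@example.com>: relay not permitted",
    "2024-01-01 10:00:09 H=[203.0.113.5] F=<x@example.org> "
    "rejected RCPT <b@example.net>: 203.0.113.5 is listed at dnsbl.example",
    "2024-01-01 10:00:12 1abcde-000001-AB <= a@example.org "
    "H=(mail.example.org) [192.0.2.20] P=esmtp S=1234",
]


def compile_failregex(pattern=FAILREGEX):
    """Compile the pattern; '[[]' can trigger a 'nested set' FutureWarning."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", FutureWarning)
        return re.compile(pattern)


def hosts_to_ban(lines, pattern=FAILREGEX):
    """Return the 'host' group of every line the failregex matches."""
    rx = compile_failregex(pattern)
    return [m.group("host") for m in map(rx.search, lines) if m]


def unmatched_listings(lines, pattern=FAILREGEX):
    """Return lines that report a DNSBL listing but escape the failregex."""
    rx = compile_failregex(pattern)
    return [l for l in lines if " is listed at " in l and not rx.search(l)]


if __name__ == "__main__":
    print("would ban:", hosts_to_ban(SAMPLE_LOG))
    for line in unmatched_listings(SAMPLE_LOG):
        print("listing not matched:", line)
```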