Reglas para fail2ban 2017

# /maillog
# /secure

# DOVECOT

# Dovecot login-process lines (pop3-login / imap-login); the client address is captured
# from the rip= field.
# NOTE(review): the bare `Disconnected` alternative already covers `Disconnected \(auth failed`,
# and it also matches disconnect lines that report no failed authentication, so those count
# toward a ban too. The ignoreregex listed for this filter exempts "(no auth attempts)" for
# imap-login only, not pop3-login.
# NOTE(review): the pattern is unanchored and leans on `.*`; anchoring it to the log prefix
# narrows which log text can produce a match. Check the result with fail2ban-regex on real logs.
(?: pop3-login|imap-login): .*(?:Disconnected|Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
# PAM authentication failure mentioning dovecot; the host is taken from rhost=, skipping an
# optional leading "::ffff:"-style prefix (4 to 6 "f" characters).
# NOTE(review): `\S*` also accepts an empty host value; `\S+` would be stricter.
pam.*dovecot.*(?:authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)

# DOVECOT-(ignoreregex)

# Exempts imap-login disconnects that report "(no auth attempts)" from the Dovecot failregex.
# NOTE(review): pop3-login is not covered here, and the closing parenthesis must follow
# "attempts" directly. Dovecot versions that log "(no auth attempts in N secs)" would not
# match this line; verify against your own logs.
imap-login: Disconnected.*\(no auth attempts\).*



# POSTFIX

# RCPT rejected with 554 5.7.1.
# NOTE(review): `\s*$` requires the line to end right after the status code. Postfix reject
# lines normally carry reason text after the code, so this may never match; test with
# fail2ban-regex.
NOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1\s*$
# HELO rejected with 450 4.7.1 "Host not found". As written it matches only lines with a
# literal empty from=<>, to=<> and an empty helo= value.
NOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo=\s*$
# VRFY rejected with 550 5.1.1; the same end-of-line constraint as the first rule applies.
NOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1\s*$
# Client sent commands ahead of the server response (improper command pipelining).
improper command pipelining after \S+ from [^[]*\[<HOST>\]:\s*$
# RCPT rejected with 454 4.7.1.
# NOTE(review): `\.*` matches zero or more literal dots; `.*` was probably intended. The greedy
# `(.*)` in front of `\[<HOST>\]` is broader than the `\S+` used by the other rules and should
# be tightened so that only the client field can supply the banned address.
NOQUEUE: reject: RCPT from (.*)\[<HOST>\]: 454 4\.7\.1\.*
# SASL authentication failure for LOGIN, PLAIN, CRAM-MD5 or DIGEST-MD5.
# NOTE(review): the inline `(?i)` is not at the start of the expression. Python has deprecated
# that since 3.6 and rejects it from 3.11 on, so this rule can fail to compile on current
# fail2ban installs; confirm with fail2ban-regex.
warning: \S+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
# Same 454 4.7.1 rejection as the NOQUEUE rule above it, but without that prefix. The dots are
# unescaped here, so each one matches any single character.
RCPT from \S+\[<HOST>\]: 454 4.7.1

# POSTFIX-(ignoreregex)

# Excludes SASL failures whose line ends with "Connection lost to authentication server".
# Presumably this keeps a failure of the authentication backend from banning clients.
authentication failed: Connection lost to authentication server$

# SPAM
# Bans on RCPT rejections by SMTP status code alone, whatever reason text follows.
# NOTE(review): the dots in the codes are unescaped and match any character; writing
# `5\.7\.1` etc. makes the match exact.
# NOTE(review): 450 4.7.1 is a temporary rejection. If it comes from greylisting or a similar
# deferral, legitimate servers that retry will also be counted; confirm that this is intended
# and set maxretry/findtime accordingly.
RCPT from \S+\[<HOST>\]: 550 5.7.1
RCPT from \S+\[<HOST>\]: 450 4.7.1
RCPT from \S+\[<HOST>\]: 554 5.7.1
# The dot after 535 matches any character, including a space, so this line already covers
# the "535 5.7.0" rule that follows it.
RCPT from \S+\[<HOST>\]: 535.5.7.0
RCPT from \S+\[<HOST>\]: 535 5.7.0

# MAIL-QUOTA
# Milter rejection at RCPT with 551 5.7.1; the dots in the code are unescaped and match any
# character.
# NOTE(review): if this rejection is the per-sender rate limit mentioned in the note below,
# confirm that banning the source IP is the intended response for legitimate users who exceed it.
NOQUEUE: milter-reject: RCPT from \S+\[<HOST>\]: 551 5.7.1

(3 email por minuto)