Exim, DNS blacklists and fail2ban

Last week, I saw a huge "spam" outbreak on my MX servers. Instead of ~200k rejected SMTP connections, I had ~3M connections and the number was still rising. This caused some minor issues with the frequent log parsing, as the log file grew quickly.

To reduce the log file size, and also the number of DNS blacklist lookups Exim has to make, I decided to use fail2ban to drop the connections before they reach Exim at all.

This is rather easy: just create /etc/fail2ban/jail.local (or append to it) with the following jail:

[exim-dnsbl]

enabled  = true
port     = 25
filter   = exim
logpath  = /var/log/exim4/rejectlog
maxretry = 5

And change the failregex in /etc/fail2ban/filter.d/exim.conf, replacing the stock line with one that only matches DNS blacklist rejections from the rejectlog:

#failregex = \[<HOST>\] .*(?:rejected by local_scan|Unrouteable address)
failregex = \[<HOST>\]:[0-9]* I=.* rejected found in dnsbl

Then reload or restart fail2ban. With this simple change, the rejected connections are back to a more "normal" count (<200k per week). I should have done it earlier.
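To see what the jail above actually does with that failregex, here is an added example (not code from the post or from fail2ban itself) that applies the post's regex to a handful of constructed rejectlog lines, extracts the peer address the way fail2ban does, and reports which hosts cross maxretry = 5. The `<HOST>` expansion is written from memory of fail2ban 0.8's filter.py and is an assumption; the sample lines are made up to fit the regex, since the exact wording after "rejected" depends on the ACL message on the site and is not shown in the post.

```python
import re
from collections import Counter

# fail2ban 0.8-style expansion of the <HOST> placeholder. Assumption: written
# from memory of filter.py; later releases use a richer IPv4/IPv6/hostname
# pattern. Note that this pattern has no ':' in it.
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex from the post's /etc/fail2ban/filter.d/exim.conf
FAILREGEX = r"\[<HOST>\]:[0-9]* I=.* rejected found in dnsbl"

# maxretry from the post's [exim-dnsbl] jail
MAXRETRY = 5


def compile_failregex(failregex=FAILREGEX):
    """Substitute <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def matching_hosts(lines, failregex=FAILREGEX):
    """Count failregex matches per extracted host, as the jail would."""
    cre = compile_failregex(failregex)
    counts = Counter()
    for line in lines:
        m = cre.search(line)
        if m:
            counts[m.group("host")] += 1
    return counts


def hosts_to_ban(lines, maxretry=MAXRETRY, failregex=FAILREGEX):
    """Hosts that reached maxretry matches (the real daemon also applies
    its findtime window, which is ignored here)."""
    return sorted(h for h, n in matching_hosts(lines, failregex).items()
                  if n >= maxretry)


def _dnsbl_line(ts, helo, ip, port):
    # Constructed line shaped to the post's regex. The text after "rejected"
    # comes from the site's ACL message, so this wording is an assumption.
    return (f"2013-05-01 {ts} H=({helo}) [{ip}]:{port} I=[203.0.113.5]:25 "
            f"rejected found in dnsbl")


# Constructed sample rejectlog: six DNSBL hits from one host, two from another,
# one IPv6 DNSBL hit, and one ordinary "Unrouteable address" rejection that the
# stock (commented-out) regex would have matched but the new one ignores.
SAMPLE_LINES = (
    [_dnsbl_line(f"10:11:{i:02d}", "bad.example", "192.0.2.10", 51200 + i)
     for i in range(6)]
    + [_dnsbl_line(f"10:12:{i:02d}", "meh.example", "198.51.100.7", 40100 + i)
       for i in range(2)]
    + [_dnsbl_line("10:13:00", "v6.example", "2001:db8::1", 40000)]
    + ["2013-05-01 10:13:05 H=(ok.example) [203.0.113.9]:4422 I=[203.0.113.5]:25 "
       "F=<a@ok.example> rejected RCPT <nobody@example.net>: Unrouteable address"]
)


if __name__ == "__main__":
    for host, n in sorted(matching_hosts(SAMPLE_LINES).items()):
        print(f"{host:<16} {n} dnsbl rejection(s)")
    print("would ban:", hosts_to_ban(SAMPLE_LINES))
```

Two things the run makes visible: the "Unrouteable address" line is no longer counted (only DNSBL rejections drive bans now), and with this 0.8-era `<HOST>` pattern a bracketed IPv6 peer never matches, because the pattern contains no colon, so IPv6 spammers would slip past the jail. The real daemon additionally only counts hits inside its findtime window (600 seconds by default). To check the filter against a real log rather than constructed lines, `fail2ban-regex /var/log/exim4/rejectlog /etc/fail2ban/filter.d/exim.conf` prints how many lines each failregex matched.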

This entry was posted in Computer, Linux.

2 Responses to Exim, DNS blacklists and fail2ban

  1. Daniel Black says:

    If you could dig up some log samples (and optionally make a stricter regex) this could be merged upstream. I did some recent work here (github.com/fail2ban/fail2ban/pull/251) however I haven’t run an exim server and have limited log samples to go off.

    This would be a great addition to the exim filter.

  2. xenadmin says:

    Good idea, I’ll add the rejectlog lines to that post.
