Exim, DNS blacklists and fail2ban

Last week, I saw an huge “spam” outbreak on my MX servers. Instead of ~200k rejected SMTP connections, I had ~3M connections and it was rising. This caused some minor issues with the frequent log parsing as the log file quickly grew.

To reduce the log file size and also the DNS requests number, I decided to use fail2ban to drop the connections before they got to Exim.

This is rather easy, just create/append /etc/fail2ban/jail.local with the following:

[exim-dnsbl]

enabled  = true
port     = 25
filter   = exim
logpath  = /var/log/exim4/rejectlog
maxretry = 5

And change the following line in your /etc/fail2ban/filter.d/exim.conf:

#failregex = \[<HOST>\] .*(?:rejected by local_scan|Unrouteable address)
failregex = \[<HOST>\]:[0-9]* I=.* rejected found in dnsbl

And reload/restart fail2ban. With this simple change, I’ve returned the rejected connections to a more “normal” count (<200k per week). Should have done it earlier.

This entry was posted in Computer, Linux. Bookmark the permalink.

2 Responses to Exim, DNS blacklists and fail2ban

  1. Daniel Black says:

    If you could dig up some log samples (and optionally make a stricter regex) this could be merged upstream. I did some recent work here (github.com/fail2ban/fail2ban/pull/251) however I haven’t run an exim server and have limited log samples to go off.

    This would be a great addition to the exim filter.

  2. xenadmin says:

    Good idea, I’ll add the rejectlog lines to that post.

Leave a Reply

Your email address will not be published. Required fields are marked *