Recently I have found a lot of "lost connection after" entries in /var/log/maillog file:
lost connection after AUTH from unknown[IP.address]
lost connection after CONNECT
lost connection after RCPT
lost connection after STARTTLS
lost connection after UNKNOWN
It's possibly some kind of botnet trying to deliver spam using my mail server.
It won't work but it's still nice to get rid of such clients on the firewall level.
First you need to create a rule for fail2ban - create /etc/fail2ban/filter.d/postfix-auth.conf and put the following config:
# Fail2ban postfix-auth filter
before = common.conf
_daemon = postfix/smtpd
failregex = ^%(__prefix_line)slost connection after .*\[<HOST>\]$
Next edit /etc/fail2ban/jail.conf and add postfix-auth service at the end of file:
enabled = true
port = smtp,ssmtp
filter = postfix-auth
action = iptables[name=SMTP-auth, port=smtp, protocol=tcp]
logpath = /var/log/maillog
maxretry = 2
bantime = 36000
findtime = 300
Finally restart fail2ban service and check /var/log/messages or iptables to see if your new rule works fine:
service fail2ban restart
grep Ban /var/log/messages
/var/log/maillog logpath is for Centos/Redhat.
For other distros make sure to point out proper mail.log file.