Would it be wise if I modify postfix fail2ban rule from this:
failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 Client host rejected: cannot find your hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
^%(__prefix_line)sNOQUEUE: reject: EHLO from \S+\[<HOST>\]: 504 5\.5\.2 <\S+>: Helo command rejected: need fully-qualified hostname;
^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.1\.8 <\S*>: Sender address rejected: Domain not found; from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$
by adding following line:
^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 550 5\.1\.1 .*$
Because I'm trying to prevent attacks like this:
Jan 27 09:42:02 host1 postfix/smtpd[3416]: NOQUEUE: reject: RCPT from unknown[109.107.106.180]: 550 5.1.1 <[email protected]>: Recipient address rejected: User unkn
own in virtual alias table; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[109.107.106.180]>
Jan 27 09:42:03 host1 postfix/smtpd[3416]: NOQUEUE: reject: RCPT from unknown[109.107.106.180]: 550 5.1.1 <[email protected]>: Recipient address rejected: User unknown
in virtual alias table; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[109.107.106.180]>
Jan 27 09:55:32 host1 postfix/smtpd[4914]: NOQUEUE: reject: RCPT from unknown[109.107.106.180]: 550 5.1.1 <[email protected]>: Recipient address rejected: User unk
nown in virtual alias table; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[109.107.106.180]>
Jan 27 09:55:32 host1 postfix/smtpd[4914]: NOQUEUE: reject: RCPT from unknown[109.107.106.180]: 550 5.1.1 <[email protected]>: Recipient address rejected: User unknown
in virtual alias table; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[109.107.106.180]>
My concern is that it will drop unintentional wrong emails that should be bounced back to users who missed email address by accident.
What's your suggestions?
My suggestion for you is to use postscreen, more information here: http://www.postfix.org/POSTSCREEN_README.html
This puts the whole load away from the MTA by doing some clever checks. The bots will never make it until there which is the way it should be.
If your setup doesn't allow for postscreen to be installed the use of a policy daemon with rate limits might come in handy.
There is always a balance to find with this sort of thing. A one off or infrequent failure is probably a mistake on the senders part. Multiple failures in a short time are likely an indication that you want to put a (temporary) ban in place.
This is why fail2ban has parameters that you can use to tune the sensitivity. For example you can set maxretry and findtime. The maxretry setting is the number of failed attempts that will be tolerated within the findtime any more than this and the address will be banned.
I would cast an eye over the file and get a feel for what's happening and set the parameters appropriately.