fail2ban is very handy in these circumstances...
Successful hacking attempts on Zimbra mailboxes (webmail)
I am using fail2ban, but it isn't blocking login attempts from the address of the server itself (SOAP protocol). It only blocks attempts to access the server from other addresses, which is working very well. I am beginning to believe that I have malware somewhere inside my network that is attempting to log in to the mail server using addresses from a local address book on the infected machine.
Ok.... I have discovered that the system (Ubuntu 12.04) /var/log/mail.log file has the necessary entries to identify the offending IP that is attempting to authenticate to my mail server to send mail.
Aug 13 09:27:53 zimbramail postfix/smtpd: warning: unknown[x.x.x.x]: SASL PLAIN authentication failed: authentication failure
Aug 13 09:27:54 zimbramail postfix/smtpd: warning: unknown[x.x.x.x]: SASL LOGIN authentication failed: authentication failure
Now I just have to figure out how to get fail2ban configured to monitor that log file and ban those IP addresses.
So, I had to configure a new jail rule for fail2ban... added smtp-auth.conf to the filter.d folder and put:
[Definition]
failregex = postfix/smtpd.*\n?.*unknown\[<HOST>\].*authentication failed
in it as the regular expression definition.
[smtp-auth]
enabled = true
filter = smtp-auth
action = iptables[name=SMTP, port=smtp, protocol=tcp]
logpath = /var/log/mail.log
bantime = -1
to jail.conf so that fail2ban adds iptables entries blocking the sources of SMTP authentication failures.
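To check that the failregex above actually matches the mail.log lines before enabling the jail, here is an added example (not from the post) that does what fail2ban-regex does in miniature: it substitutes fail2ban's <HOST> placeholder with a simplified capture group, counts failures per source over constructed sample lines (RFC 5737 documentation addresses stand in for x.x.x.x), and reports which sources would exceed maxretry.

```python
import re
from collections import Counter

# The failregex from the post; <HOST> is fail2ban's placeholder for the source address.
FAILREGEX = r"postfix/smtpd.*\n?.*unknown\[<HOST>\].*authentication failed"

# Simplified stand-in for the named group fail2ban substitutes for <HOST>
# (real fail2ban also handles IPv4-mapped IPv6 prefixes; omitted here).
HOST_PATTERN = r"(?P<host>[\w\-.^_]*\w)"

# Constructed sample log: two SASL failures from one source, a non-matching
# "connect from" line, and a single failure from a second source.
SAMPLE_LOG = """\
Aug 13 09:27:53 zimbramail postfix/smtpd: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
Aug 13 09:27:54 zimbramail postfix/smtpd: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Aug 13 09:28:01 zimbramail postfix/smtpd: connect from unknown[198.51.100.7]
Aug 13 09:28:05 zimbramail postfix/smtpd: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
"""


def compile_failregex(failregex):
    """Turn a fail2ban-style failregex into a Python regex with a 'host' group."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def failed_hosts(log_text, failregex=FAILREGEX):
    """Count authentication failures per source host across the log text."""
    pattern = compile_failregex(failregex)
    counts = Counter()
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            counts[match.group("host")] += 1
    return counts


def hosts_to_ban(log_text, maxretry=3, failregex=FAILREGEX):
    """Return the sorted list of hosts whose failure count reached maxretry."""
    counts = failed_hosts(log_text, failregex)
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for host, n in failed_hosts(SAMPLE_LOG).items():
        print(f"{host}: {n} failed SASL logins")
    print("would ban (maxretry=2):", hosts_to_ban(SAMPLE_LOG, maxretry=2))
```

The "connect from" line is deliberately left unmatched, which is the kind of negative case worth keeping in mind when tuning the pattern against real traffic.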