fail2ban looks in wrong log for postfix

Status changed to 'Confirmed' because the bug affects multiple users.

This may also be related to the following bugs.

#1482899
#1669512
#1645693

If postfix jail is enabled at time of upgrade, upgrading fails because when fail2ban attempts to restart after upgrade, it can't find the postfix log file now set in paths-delian.conf.

Also occurs if dovecot jail is enabled, because by default, dovecot jail looks in the same log file as postfix jail.

Seven months old and no progress on fixing this SECURITY BUG?

Seems to have been fixed upstream with the package:
 https://github.com/fail2ban/fail2ban/commit/57ea38c342b2caa17b61a8cd17f142c218fd0742

and in 0.10.2-2.1 in Debian, but not backported to 0.9.6-2 in Debian or 0.9.3-1 in Ubuntu 16.04.5 LTS, so this is still failing to detect certain attempted intrusions.

on 18.04 LTS this is still an issue. mail.warn just does not include all the intrusion attempts making it complicated to jail them. An example is on of the default filter rules:

^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$

It simply does not appear in mail.warn but it does in mail.log .

What would be a work around in stead of waiting for a fix?

Still present in 18.04LTS. For instance the first postfix jail filter rule catching RBL blacklisted intruders:

^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$

It simply does not appear in mail.warn making the rule basically useless.

I will repost this on https://github.com/fail2ban/fail2ban/issues

I posted it as https://github.com/fail2ban/fail2ban/issues/2589