Hello

I think someone using my mail server for spamin. My maillog shoowing like this

lost connection after AUTH from unknown
disconnect from unknown

I this is botnet attack..I configured the fail2ban but fail2ban unble to block all of this ip address

fail2ban status
systemctl status fail2ban.service
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2017-01-04 18:21:01 CET; 18min ago
Docs: man:fail2ban(1)
Process: 51974 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS)
Process: 51984 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=0/SUCCESS)
Main PID: 51987 (fail2ban-server)
CGroup: /system.slice/fail2ban.service
└─51987 /usr/bin/python2 -s /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b

Jan 04 18:21:01 dcvn001 systemd[1]: Starting Fail2Ban Service...
Jan 04 18:21:01 dcvn001 fail2ban-client[51984]: 2017-01-04 18:21:01,245 fail2ban.server [51985]: INFO Starting Fail2ban v0.9.5
Jan 04 18:21:01 dcvn001 fail2ban-client[51984]: 2017-01-04 18:21:01,245 fail2ban.server [51985]: INFO Starting in daemon mode
Jan 04 18:21:01 dcvn001 systemd[1]: Started Fail2Ban Service.

....
Please help me how to solve this issues

I think a huge bunch are actively trying to break into other people's mail servers (not just yours) to recruit them into their botnet.

The message:
is pretty normal.

Because of limited information your provide, apart from the above nothing more can be inferred. Check more of the mail, fail2ban, access logs. Can you tell if you mail server is an open relay or not?

I think a huge bunch are actively trying to break into other people's mail servers (not just yours) to recruit them into their botnet.

The message:
is pretty normal and expected from any public-facing services.

Because of limited information your provide, apart from the above nothing more can be inferred. Check more of the mail, fail2ban, access logs. Can you tell if you mail server is an open relay or not?

Hello

Thanks for reply

I test the open realy on MXtool box.
Here is the result
Connecting to xx.xx.xx.xx

220 xxxxxxxxx.com ESMTP Postfix [641 ms]
EHLO PWS3.mxtoolbox.com
250-xxxxxxxxx.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN [641 ms]
MAIL FROM:<supertool@mxtoolbox.com>
250 2.1.0 Ok [641 ms]
RCPT TO:<test@example.com>
454 4.7.1 <test@example.com>: Relay access denied [641 ms]

What makes you think that?

here shows
20 hits in "current" log.
101 in zgrep output from Dec 1, 2016 to Jan 3, 2017
Quite "normal" IMO on my network.

I use fail2ban to keep that in check.
The [sasl] jail in /etc/fail2ban/jail.conf shows
I presume you know how to manage fail2ban to enable this jail.
Here's a test you can run, in advance to see if fail2ban is gonna catch hits using the enabled [sasl] jail.
"disconnect from unknown" is when the rDNS isn't set on the remote host making the connection attempt,
or a temporary DNS failure to resolve the remote host.
is one from my recent logs.

My fail2ban sasl jail shows:
Good luck.