How to find why fail2ban banned an IP address in the plesk-postfix jail?

kb: how-to Plesk for Linux

Applicable to:

  • Plesk for Linux

Question

  • How to find the exact mail account which caused an IP address ban by Fail2Ban in the plesk-postfix jail?
  • How to search for the exact email account that caused an IP address ban by Fail2Ban in the plesk-postfix jail?
  • Can I locate the exact mailbox that caused an IP address ban by Fail2Ban in the plesk-postfix jail?

Answer

1. Connect to the server via SSH.

2. Identify the Fail2Ban ban action timestamp by running the following command:

# grep 203.0.113.2 /var/log/fail2ban | grep Ban
2023-07-30 13:49:43,826 fail2ban.actions [3304]: NOTICE [plesk-postfix] Ban 203.0.113.2

3. Search /var/log/maillog (or its older archived versions) for that timestamp to determine which email account repeatedly failed to authenticate, for example:

# grep "13:49:43" /var/log/maillog
Jul 30 13:49:43 server postfix/smtpd[22123]: connect from unknown[203.0.113.2]
Jul 30 13:49:43 server postfix/smtpd[22123]: TLS SNI mail.example.com from unknown[203.0.113.2] not matched, using default chain
Jul 30 13:49:43 server plesk_saslauthd[22173]: failed mail authentication attempt for user 'info@example.com' (password len=9)
Jul 30 13:49:43 server postfix/smtpd[22123]: warning: unknown[203.0.113.2]: SASL LOGIN authentication failed: authentication failure
Jul 30 13:49:43 server postfix/smtpd[22123]: lost connection after AUTH from unknown[203.0.113.2]

Note: If needed, you can also list all failed mail authentication log entries, together with the mailboxes they relate to, by running the following command:

# grep "failed mail authentication" /var/log/maillog
Mar 6 15:10:01 server plesk_saslauthd[968782]: failed mail authentication attempt for user 'admin@example.com' (password len=11)
Mar 6 15:21:26 server plesk_saslauthd[971067]: failed mail authentication attempt for user 'info@example.com' (password len=9)
Mar 6 15:27:51 server plesk_saslauthd[972229]: failed mail authentication attempt for user 'sales@example.com' (password len=14)
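
The timestamp search in step 3 can be scripted so that each failed mailbox is tied to the banned IP rather than only to the second it was logged in. This is an added example, not part of the original article: the function names, the constructed sample lines and the pairing rule are assumptions. It pairs each plesk_saslauthd failure with the next postfix/smtpd SASL warning logged in the same second, as in the excerpt above.

```shell
#!/bin/sh
# Constructed sample lines in the maillog format shown above (not real log data).
sample_maillog() {
cat <<'EOF'
Jul 30 13:49:41 server plesk_saslauthd[22170]: failed mail authentication attempt for user 'info@example.com' (password len=9)
Jul 30 13:49:41 server plesk_saslauthd[22171]: failed mail authentication attempt for user 'sales@example.com' (password len=14)
Jul 30 13:49:41 server postfix/smtpd[22123]: warning: unknown[203.0.113.2]: SASL LOGIN authentication failed: authentication failure
Jul 30 13:49:41 server postfix/smtpd[22140]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Jul 30 13:49:43 server postfix/smtpd[22123]: connect from unknown[203.0.113.2]
Jul 30 13:49:43 server plesk_saslauthd[22173]: failed mail authentication attempt for user 'info@example.com' (password len=9)
Jul 30 13:49:43 server postfix/smtpd[22123]: warning: unknown[203.0.113.2]: SASL LOGIN authentication failed: authentication failure
Jul 30 13:49:43 server postfix/smtpd[22123]: lost connection after AUTH from unknown[203.0.113.2]
EOF
}

# Usage: failed_mailboxes_for_ip IP < maillog
# Prints "<failed attempts> <mailbox>" for SMTP AUTH failures coming from IP.
failed_mailboxes_for_ip() {
    awk -v ip="$1" '
    BEGIN { head = 0; tail = 0 }
    / plesk_saslauthd\[[0-9]+\]: failed mail authentication attempt for user / {
        split($0, q, "\047")            # \047 is the quote around the mailbox
        users[++tail] = q[2]; stamps[tail] = $1 " " $2 " " $3
        next
    }
    / postfix\/smtpd\[[0-9]+\]: warning: .*SASL [A-Z0-9-]+ authentication failed/ {
        ts = $1 " " $2 " " $3
        # Drop queued failures from an earlier second (assumed unrelated).
        while (head < tail && stamps[head + 1] != ts) head++
        if (head == tail) next          # no pending mailbox to pair with
        head++                          # oldest pending failure pairs with this warning
        # Literal match inside brackets: dots are not wildcards, .2 is not .20
        if (index($0, "[" ip "]: SASL ")) count[users[head]]++
    }
    END { for (u in count) print count[u], u }
    ' | sort -k1,1nr -k2
}

sample_maillog | failed_mailboxes_for_ip 203.0.113.2
```

On a live server, feed it the real log instead of the sample: `failed_mailboxes_for_ip 203.0.113.2 < /var/log/maillog`.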
