The following example protects Exim4 from external attacks, such as attempts to use the server as an open relay.
The filter parses the '/var/log/exim4/rejectlog' file for messages that contain 'relay not permitted' or 'check_mail_01'. The latter message is the output of a custom ACL that protects the Exim server from phishing.
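# fail2ban jail for Exim4: bans hosts whose rejected SMTP attempts show up
# in Exim's reject log. Each option must sit on its own line; collapsed onto
# one line, the header swallows the options and the "#action" comment hides
# logpath and maxretry.
[exim]
enabled = true
# Name of the filter definition to load (filter.d/exim.conf or exim.local).
filter = exim
# Consumed by port-specific actions such as the commented-out iptables one;
# the all-ports action below blocks the address regardless of this list.
port = smtp,ssmtp
# Blocks the banned address on every TCP port, not only SMTP.
action = iptables-allports[name=exim, protocol=tcp]
#action = iptables[name=exim, port="smtp", protocol=tcp]
logpath = /var/log/exim4/rejectlog
# One matching log line is enough to ban. bantime, findtime and ignoreip are
# not set here, so the [DEFAULT] values apply; list your own relays, MX
# peers and monitoring hosts in ignoreip so that a single rejected message
# cannot lock them out on all ports.
maxretry = 1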
# Filter pattern for the jail above; belongs in the [Definition] section of
# filter.d/exim.conf (or exim.local), the file named by "filter = exim".
# It matches any line that has a bracketed address somewhere before either
# 'relay not permitted' or 'check_mail_01'.
# NOTE(review): the pattern is unanchored (".*" on both sides), so <HOST> is
# taken from whichever bracketed address the regex engine settles on, not
# necessarily the connecting peer. Exim reject lines can also carry
# client-supplied text (HELO name, envelope addresses), and with maxretry = 1
# plus an all-ports ban a wrong capture blocks an unrelated host. Anchor the
# match to the connecting-host field of the log line (compare the exim filter
# shipped with fail2ban) and check the result against real log samples with
# fail2ban-regex before enabling the jail.
failregex = .*\[<HOST>\].*(?:relay not permitted|check_mail_01).*
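# Restart fail2ban so the new jail and filter are loaded. The service name
# comes first, then the action. Afterwards, `fail2ban-client status exim`
# shows whether the jail is active and which log file it is watching.
service fail2ban restart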