fail2ban/config/filter.d/postfix.conf

# Fail2Ban filter for selected Postfix SMTP rejections
#
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = postfix(-\w+)?/[^/\[:\s]+(?:/smtp[ds])?
_port = (?::\d+)?
_pref = [A-Z]{4,}

prefregex = ^%(__prefix_line)s<mdpr-<mode>> <F-CONTENT>.+</F-CONTENT>$

# Extended RE for normal mode to match reject by unknown users or undeliverable address, can be set to empty to avoid this:
exre-user = |[Uu](?:ser unknown|ndeliverable address)  ; pragma: codespell-ignore

mdpr-normal = (?:\w+: (?:milter-)?reject:|(?:improper command pipelining|too many errors) after \S+)
mdre-normal=^%(_pref)s from [^[]*\[<HOST>\]%(_port)s: [45][50][04] [45]\.\d\.\d+ (?:(?:<[^>]*>)?: )?(?:(?:Helo command|(?:Sender|Recipient) address) rejected: )?(?:Service unavailable|Access denied|(?:Client host|Command|Data command) rejected|Relay access denied|Malformed DNS server reply|(?:Host|Domain) not found|need fully-qualified hostname|match%(exre-user)s)\b
            ^from [^[]*\[<HOST>\]%(_port)s:?

mdpr-auth = warning:
mdre-auth = ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server| Invalid authentication mechanism)
mdre-auth2= ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server)
# todo: check/remove "Invalid authentication mechanism" from ignore list, if gh-1243 will get finished (see gh-1297).

# Mode "rbl" currently included in mode "normal", but if needed for jail "postfix-rbl" only:
mdpr-rbl = %(mdpr-normal)s
mdre-rbl  = ^%(_pref)s from [^[]*\[<HOST>\]%(_port)s: [45]54 [45]\.7\.1 Service unavailable; Client host \[\S+\] blocked\b

# Mode "rbl" currently included in mode "normal" (within 1st rule)
mdpr-more = %(mdpr-normal)s
mdre-more = %(mdre-normal)s

# Includes some of the log messages described in
# <http://www.postfix.org/POSTSCREEN_README.html>.
mdpr-ddos = (?:lost connection after (?!(?:DATA|AUTH)\b)[A-Z]+|disconnect(?= from \S+(?: \S+=\d+)* auth=0/(?:[1-9]|\d\d+))|(?:PREGREET \d+|HANGUP) after \S+|COMMAND (?:TIME|COUNT|LENGTH) LIMIT)
mdre-ddos = ^from [^[]*\[<HOST>\]%(_port)s:?

mdpr-extra = (?:%(mdpr-auth)s|%(mdpr-normal)s)
mdre-extra = %(mdre-auth)s
            %(mdre-normal)s

mdpr-aggressive = (?:%(mdpr-auth)s|%(mdpr-normal)s|%(mdpr-ddos)s)
mdre-aggressive = %(mdre-auth2)s
                  %(mdre-normal)s

mdpr-errors = too many errors after \S+
mdre-errors = ^from [^[]*\[<HOST>\]%(_port)s$


failregex = <mdre-<mode>>

# Parameter "mode": more (default combines normal and rbl), auth, normal, rbl, ddos, extra or aggressive (combines all)
# Usage example (for jail.local):
#   [postfix]
#   mode = aggressive
#
#   # or another jail (rewrite filter parameters of jail):
#   [postfix-rbl]
#   filter = postfix[mode=rbl]
#
#   # jail to match "too many errors", related postconf `smtpd_hard_error_limit`:
#   # (normally included in other modes (normal, more, extra, aggressive), but this jail'd allow to ban on the first message)
#   [postfix-many-errors]
#   filter = postfix[mode=errors]
#   maxretry = 1
#
mode = more

ignoreregex = 

[Init]

journalmatch = _SYSTEMD_UNIT=postfix.service _SYSTEMD_UNIT=postfix@-.service

# Author: Cyril Jaquier
DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page 11 years ago			`# Fail2Ban filter for selected Postfix SMTP rejections`
- Added qmail and postfix filters - Updated vsftpd and couriersmtp git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@331 a942ae1a-1317-0410-a47c-b1dcaea8d605 18 years ago			`#`
			`#`

ENH: Improve postfix regex and add more samples 12 years ago			`[INCLUDES]`

			`# Read common prefixes. If any customizations available -- read them from`
			`# common.local`
			`before = common.conf`

- Added qmail and postfix filters - Updated vsftpd and couriersmtp git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@331 a942ae1a-1317-0410-a47c-b1dcaea8d605 18 years ago			`[Definition]`

no space in any case 9 months ago			`_daemon = postfix(-\w+)?/[^/\[:\s]+(?:/smtp[ds])?`
postfix postscreen (resp. other RBL's compatibility fix) / gh-1764 7 years ago			`_port = (?::\d+)?`
consider CONNECT and other rejected commands as a valid `_pref`; closes gh-3800 4 months ago			`_pref = [A-Z]{4,}`
ENH: Improve postfix regex and add more samples 12 years ago
filter.d/postfix.conf: normalized several postfix-filters using parameter `mode` (as discussed in gh-1813); introduced parameter `mode`: more (default, combines normal and rbl), auth, normal, rbl, ddos, extra or aggressive (combines all) replacement for gh-1239, gh-1697, gh-1764; closes gh-1245, gh-1297. 7 years ago			`prefregex = ^%(__prefix_line)s<mdpr-<mode>> <F-CONTENT>.+</F-CONTENT>$`
Several filters optimized with pre-filtering using new option `prefregex` 8 years ago
filter.d/postfix.conf: matches rejects with "undeliverable address" (sender/recipient verification, gh-3039) additionally to "Unknown user"; both are configurable now via extended parameter and can be disabled using `exre-user=` supplied in filter parameters 4 years ago			`# Extended RE for normal mode to match reject by unknown users or undeliverable address, can be set to empty to avoid this:`
Add pragma to ignore a codespell-detected typoin postfix.conf 1 year ago			`exre-user = \|[Uu](?:ser unknown\|ndeliverable address) ; pragma: codespell-ignore`
filter.d/postfix.conf: matches rejects with "undeliverable address" (sender/recipient verification, gh-3039) additionally to "Unknown user"; both are configurable now via extended parameter and can be disabled using `exre-user=` supplied in filter parameters 4 years ago
filter.d/postfix.conf: extended to cover new vectors: - reject: BDAT/DATA from (gh-2927) - (since regex is more precise now) token selector changed to `[A-Z]{4}`, e. g. no matter what a command is supplied now (RCPT, EHLO, VRFY, DATA, BDAT or something else) - matches "Command rejected" and "Data command rejected" now 4 years ago			`mdpr-normal = (?:\w+: (?:milter-)?reject:\|(?:improper command pipelining\|too many errors) after \S+)`
filter.d/postfix.conf: add Sender address rejected: Malformed DNS server reply (#3590) * add Sender address rejected: Malformed DNS server reply 8 months ago			`mdre-normal=^%(_pref)s from [^[]\[<HOST>\]%(_port)s: [45][50][04] [45]\.\d\.\d+ (?:(?:<[^>]>)?: )?(?:(?:Helo command\|(?:Sender\|Recipient) address) rejected: )?(?:Service unavailable\|Access denied\|(?:Client host\|Command\|Data command) rejected\|Relay access denied\|Malformed DNS server reply\|(?:Host\|Domain) not found\|need fully-qualified hostname\|match%(exre-user)s)\b`
Merge branch 'master' into 0.10 # Conflicts resolved: # config/filter.d/postfix-rbl.conf # config/filter.d/postfix-sasl.conf # config/filter.d/postfix.conf # fail2ban/tests/files/logs/postfix-sasl 7 years ago			`^from [^[]*\[<HOST>\]%(_port)s:?`
filter.d/postfix.conf: normalized several postfix-filters using parameter `mode` (as discussed in gh-1813); introduced parameter `mode`: more (default, combines normal and rbl), auth, normal, rbl, ddos, extra or aggressive (combines all) replacement for gh-1239, gh-1697, gh-1764; closes gh-1245, gh-1297. 7 years ago
			`mdpr-auth = warning:`
Merge branch 'master' into 0.10 # Conflicts resolved: # config/filter.d/postfix-rbl.conf # config/filter.d/postfix-sasl.conf # config/filter.d/postfix.conf # fail2ban/tests/files/logs/postfix-sasl 7 years ago			`mdre-auth = ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN\|PLAIN\|(?:CRAM\|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server\| Invalid authentication mechanism)`
			`mdre-auth2= ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN\|PLAIN\|(?:CRAM\|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server)`
filter.d/postfix.conf: normalized several postfix-filters using parameter `mode` (as discussed in gh-1813); introduced parameter `mode`: more (default, combines normal and rbl), auth, normal, rbl, ddos, extra or aggressive (combines all) replacement for gh-1239, gh-1697, gh-1764; closes gh-1245, gh-1297. 7 years ago			`# todo: check/remove "Invalid authentication mechanism" from ignore list, if gh-1243 will get finished (see gh-1297).`

			`# Mode "rbl" currently included in mode "normal", but if needed for jail "postfix-rbl" only:`
			`mdpr-rbl = %(mdpr-normal)s`
filter.d/postfix.conf: extended to cover 2 new vectors: - RCPT from unknown, 504 5.5.2, need fully-qualified hostname, gh-2995 - 550 5.7.25 Client host rejected, gh-2996 review combining several regex to single one 4 years ago			`mdre-rbl = ^%(_pref)s from [^[]*\[<HOST>\]%(_port)s: [45]54 [45]\.7\.1 Service unavailable; Client host \[\S+\] blocked\b`
filter.d/postfix.conf: normalized several postfix-filters using parameter `mode` (as discussed in gh-1813); introduced parameter `mode`: more (default, combines normal and rbl), auth, normal, rbl, ddos, extra or aggressive (combines all) replacement for gh-1239, gh-1697, gh-1764; closes gh-1245, gh-1297. 7 years ago
			`# Mode "rbl" currently included in mode "normal" (within 1st rule)`
			`mdpr-more = %(mdpr-normal)s`
			`mdre-more = %(mdre-normal)s`

Handle postscreen's PREGREET and HANGUP messages Provoking those seems to be a popular activity among spammers. 4 years ago			`# Includes some of the log messages described in`
			`# <http://www.postfix.org/POSTSCREEN_README.html>.`
filter.d/postfix.conf: avoid double counting ('lost connection after AUTH' together with message 'disconnect ...'); closes gh-3505 11 months ago			`mdpr-ddos = (?:lost connection after (?!(?:DATA\|AUTH)\b)[A-Z]+\|disconnect(?= from \S+(?: \S+=\d+)* auth=0/(?:[1-9]\|\d\d+))\|(?:PREGREET \d+\|HANGUP) after \S+\|COMMAND (?:TIME\|COUNT\|LENGTH) LIMIT)`
Merge branch 'master' into 0.10 # Conflicts resolved: # config/filter.d/postfix-rbl.conf # config/filter.d/postfix-sasl.conf # config/filter.d/postfix.conf # fail2ban/tests/files/logs/postfix-sasl 7 years ago			`mdre-ddos = ^from [^[]*\[<HOST>\]%(_port)s:?`
filter.d/postfix.conf: normalized several postfix-filters using parameter `mode` (as discussed in gh-1813); introduced parameter `mode`: more (default, combines normal and rbl), auth, normal, rbl, ddos, extra or aggressive (combines all) replacement for gh-1239, gh-1697, gh-1764; closes gh-1245, gh-1297. 7 years ago
			`mdpr-extra = (?:%(mdpr-auth)s\|%(mdpr-normal)s)`
			`mdre-extra = %(mdre-auth)s`
			`%(mdre-normal)s`

			`mdpr-aggressive = (?:%(mdpr-auth)s\|%(mdpr-normal)s\|%(mdpr-ddos)s)`
			`mdre-aggressive = %(mdre-auth2)s`
			`%(mdre-normal)s`

filter.d/postfix.conf: extended with new postfix filter mode `errors` to match "too many errors" (gh-2439), also included within modes `normal`, `more` (`extra` and `aggressive`), since postfix parameter `smtpd_hard_error_limit` is default 20 (additionally consider `maxretry`) 6 years ago			`mdpr-errors = too many errors after \S+`
			`mdre-errors = ^from [^[]*\[<HOST>\]%(_port)s$`
filter.d/postfix.conf: normalized several postfix-filters using parameter `mode` (as discussed in gh-1813); introduced parameter `mode`: more (default, combines normal and rbl), auth, normal, rbl, ddos, extra or aggressive (combines all) replacement for gh-1239, gh-1697, gh-1764; closes gh-1245, gh-1297. 7 years ago

			`failregex = <mdre-<mode>>`

			`# Parameter "mode": more (default combines normal and rbl), auth, normal, rbl, ddos, extra or aggressive (combines all)`
			`# Usage example (for jail.local):`
			`# [postfix]`
			`# mode = aggressive`
filter.d/postfix.conf: extended with new postfix filter mode `errors` to match "too many errors" (gh-2439), also included within modes `normal`, `more` (`extra` and `aggressive`), since postfix parameter `smtpd_hard_error_limit` is default 20 (additionally consider `maxretry`) 6 years ago			`#`
filter.d/postfix.conf: normalized several postfix-filters using parameter `mode` (as discussed in gh-1813); introduced parameter `mode`: more (default, combines normal and rbl), auth, normal, rbl, ddos, extra or aggressive (combines all) replacement for gh-1239, gh-1697, gh-1764; closes gh-1245, gh-1297. 7 years ago			`# # or another jail (rewrite filter parameters of jail):`
			`# [postfix-rbl]`
			`# filter = postfix[mode=rbl]`
			`#`
filter.d/postfix.conf: extended with new postfix filter mode `errors` to match "too many errors" (gh-2439), also included within modes `normal`, `more` (`extra` and `aggressive`), since postfix parameter `smtpd_hard_error_limit` is default 20 (additionally consider `maxretry`) 6 years ago			# # jail to match "too many errors", related postconf `smtpd_hard_error_limit`:
			`# # (normally included in other modes (normal, more, extra, aggressive), but this jail'd allow to ban on the first message)`
			`# [postfix-many-errors]`
			`# filter = postfix[mode=errors]`
			`# maxretry = 1`
			`#`
filter.d/postfix.conf: normalized several postfix-filters using parameter `mode` (as discussed in gh-1813); introduced parameter `mode`: more (default, combines normal and rbl), auth, normal, rbl, ddos, extra or aggressive (combines all) replacement for gh-1239, gh-1697, gh-1764; closes gh-1245, gh-1297. 7 years ago			`mode = more`
- Added option "ignoreregex" in filter scripts and jail.conf. Feature Request #1283304 git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@458 a942ae1a-1317-0410-a47c-b1dcaea8d605 18 years ago
- Defined default values in .conf. Should fix Debian bug #398758 git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@464 a942ae1a-1317-0410-a47c-b1dcaea8d605 18 years ago			`ignoreregex =`
NF: Add systemd journal backend 12 years ago
			`[Init]`

Maintain backward compatibility Postfix SYSTEMD_UNIT 9 months ago			`journalmatch = _SYSTEMD_UNIT=postfix.service _SYSTEMD_UNIT=postfix@-.service`
MRG: 0.8.11 to 0.9 Epnoc of selinux is now true UTC Merge multiline support and date detection in filter 11 years ago
DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page 11 years ago			`# Author: Cyril Jaquier`