fail2ban/config/filter.d/exim.conf

# Fail2Ban filter for exim
#
# This includes the rejection messages of exim. For spam and filter
# related bans use the exim-spam.conf
#


[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# exim-common.local
before = exim-common.conf

[Definition]

failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
            ^%(pid)s \w+ authenticator failed for (\S+ )?\(\S+\) \[<HOST>\](?::\d+)?(?: I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
            ^%(pid)s %(host_info)sF=(?:<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (?:relay not permitted|Sender verify failed|Unknown user)\s*$
            ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (?:connection from|"\S+") %(host_info)s(?:next )?input=".*"\s*$
            ^%(pid)s SMTP call from \S+ %(host_info)sdropped: too many nonmail commands \(last was "\S+"\)\s*$
            ^%(pid)s SMTP protocol error in "AUTH \S*(?: \S*)?" %(host_info)sAUTH command used when not advertised\s*$
            ^%(pid)s no MAIL in SMTP connection from (?:\S* )?(?:\(\S*\) )?%(host_info)sD=\d+s(?: C=\S*)?\s*$
            ^%(pid)s \S+ SMTP connection from (?:\S* )?(?:\(\S*\) )?%(host_info)sclosed by DROP in ACL\s*$

ignoreregex = 

# DEV Notes:
# The %(host_info) defination contains a <HOST> match
#
# SMTP protocol synchronization error \([^)]*\)  <- This needs to be non-greedy
# to void capture beyond ")" to avoid a DoS Injection vulnerabilty as input= is
# user injectable data.
#
# Author: Cyril Jaquier
#         Daniel Black (rewrote with strong regexs)
#         Martin O'Neal (added additional regexs to detect authentication failures, protocol errors, and drops)
DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page 2013-10-30 13:02:59 +00:00			`# Fail2Ban filter for exim`
- Exim4 filter. Thanks to mEDI git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@499 a942ae1a-1317-0410-a47c-b1dcaea8d605 2006-12-23 09:49:19 +00:00			`#`
DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page 2013-10-30 13:02:59 +00:00			`# This includes the rejection messages of exim. For spam and filter`
			`# related bans use the exim-spam.conf`
- Exim4 filter. Thanks to mEDI git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@499 a942ae1a-1317-0410-a47c-b1dcaea8d605 2006-12-23 09:49:19 +00:00			`#`

ENH: split out exim-spam into speparate filter 2013-07-02 10:03:16 +00:00
			`[INCLUDES]`

			`# Read common prefixes. If any customizations available -- read them from`
			`# exim-common.local`
			`before = exim-common.conf`

- Exim4 filter. Thanks to mEDI git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@499 a942ae1a-1317-0410-a47c-b1dcaea8d605 2006-12-23 09:49:19 +00:00			`[Definition]`

ENH/TST: more samples and rejection types for sender verify fail and rejected RCPT 2013-07-01 11:50:35 +00:00			`failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user\|Unrouteable address\|all relevant MX records point to non-existent hosts)\s*$`
ENH: use non-capturing regex groups in exim-common and exim filters 2016-05-30 15:02:12 +00:00			`^%(pid)s \w+ authenticator failed for (\S+ )?\(\S+\) \[<HOST>\](?::\d+)?(?: I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.\)\|: \d+ Time\(s\))?\s$`
			`^%(pid)s %(host_info)sF=(?:<>\|[^@]+@\S+) rejected RCPT [^@]+@\S+: (?:relay not permitted\|Sender verify failed\|Unknown user)\s*$`
			`^%(pid)s SMTP protocol synchronization error \([^)]\): rejected (?:connection from\|"\S+") %(host_info)s(?:next )?input="."\s*$`
ENH: exim filters -- make more use of %(host_info)s which in turn made more flexible 2016-05-21 14:27:16 +00:00			`^%(pid)s SMTP call from \S+ %(host_info)sdropped: too many nonmail commands \(last was "\S+"\)\s*$`
RF: for consistency use (?:XXX)? instead of (?:\|XXX) 2016-05-30 16:12:53 +00:00			`^%(pid)s SMTP protocol error in "AUTH \S(?: \S)?" %(host_info)sAUTH command used when not advertised\s*$`
			`^%(pid)s no MAIL in SMTP connection from (?:\S* )?(?:\(\S\) )?%(host_info)sD=\d+s(?: C=\S)?\s*$`
			`^%(pid)s \S+ SMTP connection from (?:\S* )?(?:\(\S\) )?%(host_info)sclosed by DROP in ACL\s$`
- Exim4 filter. Thanks to mEDI git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@499 a942ae1a-1317-0410-a47c-b1dcaea8d605 2006-12-23 09:49:19 +00:00
			`ignoreregex =`
DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page 2013-10-30 13:02:59 +00:00
			`# DEV Notes:`
			`# The %(host_info) defination contains a <HOST> match`
			`#`
BF: exim filter to be DoS resistant 2013-11-12 07:13:35 +00:00			`# SMTP protocol synchronization error \([^)]*\) <- This needs to be non-greedy`
			`# to void capture beyond ")" to avoid a DoS Injection vulnerabilty as input= is`
			`# user injectable data.`
			`#`
DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page 2013-10-30 13:02:59 +00:00			`# Author: Cyril Jaquier`
			`# Daniel Black (rewrote with strong regexs)`
Additional exim regexes to cover common attacks... 2016-03-21 05:59:59 +00:00			`# Martin O'Neal (added additional regexs to detect authentication failures, protocol errors, and drops)`