fail2ban/config/filter.d/exim.conf

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#

# From exim source code: ./src/receive.c:add_host_info_for_log
host_info = H=\S+ (\(\S+\) )?\[<HOST>\] (?:I=\[\S+\]:\d+ )?(?:U=\S+ )?(P=e?smtp )?

failregex = ^ %(host_info)ssender verify fail for <\S+>: Unrouteable address\s*$
             ^ \S+ F=(?:<>|\S+@\S+) %(host_info)s(?:temporarily )?rejected by local_scan\(\): .{0,256}$
             ^ login authenticator failed for (\S+ )?\(\S+\) \[<HOST>\]: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
- Exim4 filter. Thanks to mEDI git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@499 a942ae1a-1317-0410-a47c-b1dcaea8d605 2006-12-23 09:49:19 +00:00			`# Fail2Ban configuration file`
			`#`
			`# Author: Cyril Jaquier`
			`#`
			`#`

			`[Definition]`

			`# Option: failregex`
			`# Notes.: regex to match the password failures messages in the logfile. The`
			`# host must be matched by a group named "host". The tag "<HOST>" can`
			`# be used for standard IP/hostname matching and is only an alias for`
- Changed <HOST> template to be more restrictive. Debian bug #514163. git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@728 a942ae1a-1317-0410-a47c-b1dcaea8d605 2009-02-08 17:31:24 +00:00			`# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)`
- Exim4 filter. Thanks to mEDI git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@499 a942ae1a-1317-0410-a47c-b1dcaea8d605 2006-12-23 09:49:19 +00:00			`# Values: TEXT`
			`#`
TST/ENH: Improve regex around exim rejected by local_scan now has test cases. Unrouteable address error messages now normalised after looking into exim code. 2013-06-15 02:34:16 +00:00
			`# From exim source code: ./src/receive.c:add_host_info_for_log`
			`host_info = H=\S+ (\(\S+\) )?\[<HOST>\] (?:I=\[\S+\]:\d+ )?(?:U=\S+ )?(P=e?smtp )?`

			`failregex = ^ %(host_info)ssender verify fail for <\S+>: Unrouteable address\s*$`
			`^ \S+ F=(?:<>\|\S+@\S+) %(host_info)s(?:temporarily )?rejected by local_scan\(\): .{0,256}$`
BF/ENH: Incorrect authentication data doesn't need tailier so that's optional. Also gained log entry for Unrouteable address 2013-06-14 08:12:53 +00:00			`^ login authenticator failed for (\S+ )?\(\S+\) \[<HOST>\]: 535 Incorrect authentication data( \(set_id=.\)\|: \d+ Time\(s\))?\s$`
- Exim4 filter. Thanks to mEDI git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@499 a942ae1a-1317-0410-a47c-b1dcaea8d605 2006-12-23 09:49:19 +00:00
			`# Option: ignoreregex`
			`# Notes.: regex to ignore. If this regex matches, the line is ignored.`
			`# Values: TEXT`
			`#`
			`ignoreregex =`