fail2ban/config/filter.d/exim.conf

# Fail2Ban filter for exim
#
# This includes the rejection messages of exim. For spam and filter
# related bans use the exim-spam.conf
#


[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# exim-common.local
before = exim-common.conf

[Definition]

# Fre-filter via "prefregex" is currently inactive because of too different failure syntax in exim-log (testing needed):
#prefregex = ^%(pid)s <F-CONTENT>\b(?:\w+ authenticator failed|([\w\-]+ )?SMTP (?:(?:call|connection) from|protocol(?: synchronization)? error)|no MAIL in|(?:%(host_info)s(?:sender verify fail|rejected RCPT|dropped|AUTH command))).+</F-CONTENT>$

failregex = ^%(pid)s%(host_info)s sender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
            ^%(pid)s \w+ authenticator failed for%(host_info)s: 535 Incorrect authentication data(?: \(set_id=.*\)|: \d+ Time\(s\))?\s*$
            ^%(pid)s%(host_info)s rejected RCPT [^@]+@\S+: (?:relay not permitted|Sender verify failed|Unknown user|Unrouteable address)\s*$
            ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (?:connection from|"\S+")%(host_info)s (?:next )?input=".*"\s*$
            ^%(pid)s SMTP call from%(host_info)s dropped: too many (?:(?:nonmail|unrecognized) commands|syntax or protocol errors)
            ^%(pid)s SMTP protocol error in "[^"]+(?:"+[^"]*(?="))*?"%(host_info)s AUTH command used when not advertised\s*$
            ^%(pid)s no MAIL in SMTP connection from%(host_info)s
            ^%(pid)s (?:[\w\-]+ )?SMTP connection from%(host_info)s closed by DROP in ACL\s*$
            <mdre-<mode>>

mdre-aggressive = ^%(pid)s no host name found for IP address <ADDR>$
                  ^%(pid)s no IP address found for host \S+ \(during SMTP connection from%(host_info)s\)$

mdre-normal = 

# Parameter `mode` - `normal` or `aggressive`.
# Aggressive mode can be used to match flood and ddos-similar log-entries like:
#   'no host found for IP', 'no IP found for host'.
# Note this is not an authentication failures, so it may produce lots of false 
# positives on misconfigured MTAs.
# Ex.:
#   filter = exim[mode=aggressive]
mode = normal

ignoreregex = 

# DEV Notes
# -----------
# The %(host_info) definition contains a <ADDR> match. No space before. See exim-common.conf
#
# SMTP protocol synchronization error \([^)]*\)  <- This needs to be non-greedy
# to void capture beyond ")" to avoid a DoS Injection vulnerability as input= is
# user injectable data.
DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page 2013-10-30 13:02:59 +00:00			`# Fail2Ban filter for exim`
- Exim4 filter. Thanks to mEDI git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@499 a942ae1a-1317-0410-a47c-b1dcaea8d605 2006-12-23 09:49:19 +00:00			`#`
DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page 2013-10-30 13:02:59 +00:00			`# This includes the rejection messages of exim. For spam and filter`
			`# related bans use the exim-spam.conf`
- Exim4 filter. Thanks to mEDI git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@499 a942ae1a-1317-0410-a47c-b1dcaea8d605 2006-12-23 09:49:19 +00:00			`#`

ENH: split out exim-spam into speparate filter 2013-07-02 10:03:16 +00:00
			`[INCLUDES]`

			`# Read common prefixes. If any customizations available -- read them from`
			`# exim-common.local`
			`before = exim-common.conf`

- Exim4 filter. Thanks to mEDI git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@499 a942ae1a-1317-0410-a47c-b1dcaea8d605 2006-12-23 09:49:19 +00:00			`[Definition]`

Several filters optimized with pre-filtering using new option `prefregex` 2017-02-21 14:54:59 +00:00			`# Fre-filter via "prefregex" is currently inactive because of too different failure syntax in exim-log (testing needed):`
filter.d/exim.conf: rewrite host line regex for all varied exim's log_selector states Depending on Exim's log_selector settings, log lines may contain additional information about the connection. And also the line itself with the address of the remote host can vary greatly. But fortunately, all states can be found in the Exim code itself and taken into account. Makes it easier to add new regexps. Closes #3263 2024-03-21 21:16:41 +00:00			`#prefregex = ^%(pid)s <F-CONTENT>\b(?:\w+ authenticator failed\|([\w\-]+ )?SMTP (?:(?:call\|connection) from\|protocol(?: synchronization)? error)\|no MAIL in\|(?:%(host_info)s(?:sender verify fail\|rejected RCPT\|dropped\|AUTH command))).+</F-CONTENT>$`

			`failregex = ^%(pid)s%(host_info)s sender verify fail for <\S+>: (?:Unknown user\|Unrouteable address\|all relevant MX records point to non-existent hosts)\s*$`
			`^%(pid)s \w+ authenticator failed for%(host_info)s: 535 Incorrect authentication data(?: \(set_id=.\)\|: \d+ Time\(s\))?\s$`
			`^%(pid)s%(host_info)s rejected RCPT [^@]+@\S+: (?:relay not permitted\|Sender verify failed\|Unknown user\|Unrouteable address)\s*$`
			`^%(pid)s SMTP protocol synchronization error \([^)]\): rejected (?:connection from\|"\S+")%(host_info)s (?:next )?input="."\s*$`
			`^%(pid)s SMTP call from%(host_info)s dropped: too many (?:(?:nonmail\|unrecognized) commands\|syntax or protocol errors)`
			`^%(pid)s SMTP protocol error in "[^"]+(?:"+[^"](?="))?"%(host_info)s AUTH command used when not advertised\s*$`
			`^%(pid)s no MAIL in SMTP connection from%(host_info)s`
			`^%(pid)s (?:[\w\-]+ )?SMTP connection from%(host_info)s closed by DROP in ACL\s*$`
filter.d/exim.conf: provides mode "aggressive" to ban flood resp. DDOS-similar failures; Closes #1983 2017-12-05 15:07:53 +00:00			`<mdre-<mode>>`

final `<HOST>` to `<ADDR>` conversion 2024-03-22 18:55:08 +00:00			`mdre-aggressive = ^%(pid)s no host name found for IP address <ADDR>$`
			`^%(pid)s no IP address found for host \S+ \(during SMTP connection from%(host_info)s\)$`
filter.d/exim.conf: provides mode "aggressive" to ban flood resp. DDOS-similar failures; Closes #1983 2017-12-05 15:07:53 +00:00
			`mdre-normal =`

			# Parameter `mode` - `normal` or `aggressive`.
			`# Aggressive mode can be used to match flood and ddos-similar log-entries like:`
			`# 'no host found for IP', 'no IP found for host'.`
			`# Note this is not an authentication failures, so it may produce lots of false`
			`# positives on misconfigured MTAs.`
			`# Ex.:`
			`# filter = exim[mode=aggressive]`
			`mode = normal`
- Exim4 filter. Thanks to mEDI git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@499 a942ae1a-1317-0410-a47c-b1dcaea8d605 2006-12-23 09:49:19 +00:00
			`ignoreregex =`
DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page 2013-10-30 13:02:59 +00:00
filter.d/exim.conf: rewrite host line regex for all varied exim's log_selector states Depending on Exim's log_selector settings, log lines may contain additional information about the connection. And also the line itself with the address of the remote host can vary greatly. But fortunately, all states can be found in the Exim code itself and taken into account. Makes it easier to add new regexps. Closes #3263 2024-03-21 21:16:41 +00:00			`# DEV Notes`
			`# -----------`
final `<HOST>` to `<ADDR>` conversion 2024-03-22 18:55:08 +00:00			`# The %(host_info) definition contains a <ADDR> match. No space before. See exim-common.conf`
DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page 2013-10-30 13:02:59 +00:00			`#`
BF: exim filter to be DoS resistant 2013-11-12 07:13:35 +00:00			`# SMTP protocol synchronization error \([^)]*\) <- This needs to be non-greedy`
[DATALAD RUNCMD] run codespell throughout fixing typo automagically === Do not change lines below === { "chain": [], "cmd": "codespell -w", "exit": 0, "extra_inputs": [], "inputs": [], "outputs": [], "pwd": "." } ^^^ Do not change lines above ^^^ 2023-11-18 15:04:04 +00:00			`# to void capture beyond ")" to avoid a DoS Injection vulnerability as input= is`
BF: exim filter to be DoS resistant 2013-11-12 07:13:35 +00:00			`# user injectable data.`