ENH: add kerio filter

MANIFEST

@@ -117,6 +117,7 @@ fail2ban/tests/files/logs/exim
 fail2ban/tests/files/logs/exim-spam
 fail2ban/tests/files/logs/gssftpd
 fail2ban/tests/files/logs/guacamole
+fail2ban/tests/files/logs/kerio
 fail2ban/tests/files/logs/lighttpd-auth
 fail2ban/tests/files/logs/mysqld-auth
 fail2ban/tests/files/logs/nsd
@@ -175,6 +176,7 @@ config/filter.d/courier-smtp.conf
 config/filter.d/cyrus-imap.conf
 config/filter.d/exim.conf
 config/filter.d/gssftpd.conf
+config/filter.d/kerio.conf
 config/filter.d/suhosin.conf
 config/filter.d/named-refused.conf
 config/filter.d/openwebmail.conf

config/filter.d/kerio.conf

@@ -0,0 +1,16 @@
+# Fail2ban filter for kerio
+
+[Definition]
+
+failregex = ^\[\] SMTP Spam attack detected from <HOST>,
+            ^\[\] IP address <HOST> found in DNS blacklist \S+( \S+), mail from \S+$
+            ^\[\] Relay attempt from IP address <HOST>
+            ^\[\] Attempt to deliver to unknown recipient \S+, from \S+, IP address <HOST>$
+
+datepattern = %d/%b/%Y %H:%M:%S
+
+# DEV NOTES:
+# 
+# Author: A.P. Lawrence
+#
+# Based off: http://aplawrence.com/Kerio/fail2ban.html

config/jail.conf

@@ -549,6 +549,11 @@ port   = smtp,ssmtp,submission
 logpath = /var/log/exim/mainlog
 
 
+[kerio]
+port    = imap,smtp,imaps,465
+logpath = /opt/kerio/mailserver/store/logs/security.log
+
+
 #
 # Mail servers authenticators: might be used for smtp,ftp,imap servers, so
 # all relevant ports get banned

fail2ban/tests/files/logs/kerio

@@ -0,0 +1,2 @@
+# failJSON: { "time": "", "match": true, "host": "200.90.149.178" }
+[17/Jun/2011 17:00:45] Attempt to deliver to unknown recipient <advertise@aplawrence.com>, from <bekytnabvnvyx@aapug.org>, IP address 200.90.149.178