From 3b2f75414cb207aacb9e88409339dcbdfabc16ad Mon Sep 17 00:00:00 2001 From: sebres Date: Fri, 7 Jun 2019 15:40:55 +0200 Subject: [PATCH 1/2] filter.d/postfix.conf: extended regexp's to accept variable suffix code in status of postfix for precise messages (gh-2442) --- ChangeLog | 2 ++ config/filter.d/postfix.conf | 8 ++++---- fail2ban/tests/files/logs/postfix | 2 ++ 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3ce9b1ca..5715ee33 100644 --- a/ChangeLog +++ b/ChangeLog @@ -59,6 +59,8 @@ ver. 0.10.5-dev-1 (20??/??/??) - development edition set to `sm-mta` (no unit `sendmail`) for some messages (gh-2385) * `filter.d/asterisk.conf`: asterisk can log additional timestamp if logs into systemd-journal (regex extended with optional part matching this, gh-2383) +* `filter.d/postfix.conf`: + - regexp's accept variable suffix code in status of postfix for precise messages (gh-2442) ### New Features * new failregex-flag tag `` for failregex, signaled that the access to service was gained diff --git a/config/filter.d/postfix.conf b/config/filter.d/postfix.conf index dfc68b5a..0155ddcc 100644 --- a/config/filter.d/postfix.conf +++ b/config/filter.d/postfix.conf 
@@ -17,11 +17,11 @@ prefregex = ^%(__prefix_line)s> .+$ mdpr-normal = (?:(?:\w+): reject:|improper command pipelining after \S+) mdre-normal=^RCPT from [^[]*\[\]%(_port)s: 55[04] 5\.7\.1\s - ^RCPT from [^[]*\[\]%(_port)s: 45[04] 4\.7\.1 (?:Service unavailable\b|Client host rejected: cannot find your (reverse )?hostname\b) - ^RCPT from [^[]*\[\]%(_port)s: 450 4\.7\.1 (<[^>]*>)?: Helo command rejected: Host not found\b - ^EHLO from [^[]*\[\]%(_port)s: 504 5\.5\.2 (<[^>]*>)?: Helo command rejected: need fully-qualified hostname\b + ^RCPT from [^[]*\[\]%(_port)s: 45[04] 4\.7\.\d+ (?:Service unavailable\b|Client host rejected: cannot find your (reverse )?hostname\b) + ^RCPT from [^[]*\[\]%(_port)s: 450 4\.7\.\d+ (<[^>]*>)?: Helo command rejected: Host not found\b + ^EHLO from [^[]*\[\]%(_port)s: 504 5\.5\.\d+ (<[^>]*>)?: Helo command rejected: need fully-qualified hostname\b ^(RCPT|VRFY) from [^[]*\[\]%(_port)s: 550 5\.1\.1\s - ^RCPT from [^[]*\[\]%(_port)s: 450 4\.1\.8 (<[^>]*>)?: Sender address rejected: Domain not found\b + ^RCPT from [^[]*\[\]%(_port)s: 450 4\.1\.\d+ (<[^>]*>)?: Sender address rejected: Domain not found\b ^from [^[]*\[\]%(_port)s:? mdpr-auth = warning: diff --git a/fail2ban/tests/files/logs/postfix b/fail2ban/tests/files/logs/postfix index 51e26c8c..b285d3de 100644 --- a/fail2ban/tests/files/logs/postfix +++ b/fail2ban/tests/files/logs/postfix 
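Review bot: The widened `4\.7\.\d+`, `5\.5\.\d+` and `4\.1\.\d+` lines carry no comment saying why only the patterns with a fixed reply text accept a variable detail code while `55[04] 5\.7\.1\s` and `550 5\.1\.1\s` keep the exact code; the next maintainer who looks at gh-2442 is likely to widen those two as well, and because their tail is unconstrained that would start matching every 5.7.x / 5.1.x rejection rather than the specific ones this filter targets. I would put `# variable detail code (x.y.\d+) only where the reply text is fixed (gh-2442); the open-ended 5.7.1 / 5.1.1 lines stay exact on purpose` directly above `mdre-normal=`. `\d+` is also wider than the 1–3 digit detail RFC 3463 allows; `\d{1,3}` would document the expectation, although nothing hinges on it here since a literal space must follow. The `mdre-normal` definition is complete within the hunk.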
@@ -26,6 +26,8 @@ Dec 18 02:05:46 platypus postfix/smtpd[16349]: improper command pipelining after # failJSON: { "time": "2004-12-21T21:17:29", "match": true , "host": "93.184.216.34" } Dec 21 21:17:29 xxx postfix/smtpd[7150]: NOQUEUE: reject: RCPT from badserver.example.com[93.184.216.34]: 450 4.7.1 Client host rejected: cannot find your hostname, [93.184.216.34]; from= to= proto=ESMTP helo= +# failJSON: { "time": "2004-12-21T21:17:30", "match": true , "host": "93.184.216.34", "desc": "variable status code suffix, gh-2442" } +Dec 21 21:17:30 xxx postfix/smtpd[7150]: NOQUEUE: reject: RCPT from badserver.example.com[93.184.216.34]: 450 4.7.25 Client host rejected: cannot find your hostname, [93.184.216.34]; from= to= proto=ESMTP helo= # failJSON: { "time": "2004-11-22T22:33:44", "match": true , "host": "1.2.3.4" } Nov 22 22:33:44 xxx postfix/smtpd[11111]: NOQUEUE: reject: RCPT from 1-2-3-4.example.com[1.2.3.4]: 450 4.1.8 : Sender address rejected: Domain not found; from= to= proto=ESMTP helo=<1-2-3-4.example.com> From e5ae113215174e6814284d208725913c85991c87 Mon Sep 17 00:00:00 2001 From: sebres Date: Fri, 7 Jun 2019 16:14:02 +0200 Subject: [PATCH 2/2] filter.d/postfix.conf: extended with new postfix filter mode `errors` to match "too many errors" (gh-2439), also included within modes `normal`, `more` (`extra` and `aggressive`), since postfix parameter `smtpd_hard_error_limit` is default 20 (additionally consider `maxretry`) --- ChangeLog | 3 +++ config/filter.d/postfix.conf | 11 ++++++++++- fail2ban/tests/files/logs/postfix | 15 +++++++++++---- 3 files changed, 24 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5715ee33..8ab4abfb 100644 --- a/ChangeLog +++ b/ChangeLog 
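Review bot: The new fixture exercises only the `45[04] 4\.7\.\d+ … Client host rejected` branch; the three other patterns widened in the same series (the `4\.7\.\d+` Helo `Host not found`, `5\.5\.\d+` `need fully-qualified hostname` and `4\.1\.\d+` `Domain not found` lines) still only have samples with their original suffix, so a regression in any of them would pass the suite. Add one `failJSON … "match": true` line per widened pattern with a non-default suffix (for example a `450 4.1.2 … Sender address rejected: Domain not found` variant), and one `"match": false` line such as `450 4.7.25 Client host rejected: some other reason` to pin that, now the code is variable, the literal reply text is what still distinguishes these rejections.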
@@ -61,6 +61,9 @@ ver. 0.10.5-dev-1 (20??/??/??) - development edition (regex extended with optional part matching this, gh-2383) * `filter.d/postfix.conf`: - regexp's accept variable suffix code in status of postfix for precise messages (gh-2442) + - extended with new postfix filter mode `errors` to match "too many errors" (gh-2439), + also included within modes `normal`, `more` (`extra` and `aggressive`), since postfix + parameter `smtpd_hard_error_limit` is default 20 (additionally consider `maxretry`) ### New Features * new failregex-flag tag `` for failregex, signaled that the access to service was gained diff --git a/config/filter.d/postfix.conf b/config/filter.d/postfix.conf index 0155ddcc..29866dfa 100644 --- a/config/filter.d/postfix.conf +++ b/config/filter.d/postfix.conf @@ -15,7 +15,7 @@ _port = (?::\d+)? prefregex = ^%(__prefix_line)s> .+$ -mdpr-normal = (?:(?:\w+): reject:|improper command pipelining after \S+) +mdpr-normal = (?:\w+: reject:|(?:improper command pipelining|too many errors) after \S+) mdre-normal=^RCPT from [^[]*\[\]%(_port)s: 55[04] 5\.7\.1\s ^RCPT from [^[]*\[\]%(_port)s: 45[04] 4\.7\.\d+ (?:Service unavailable\b|Client host rejected: cannot find your (reverse )?hostname\b) ^RCPT from [^[]*\[\]%(_port)s: 450 4\.7\.\d+ (<[^>]*>)?: Helo command rejected: Host not found\b @@ -48,6 +48,8 @@ mdpr-aggressive = (?:%(mdpr-auth)s|%(mdpr-normal)s|%(mdpr-ddos)s) mdre-aggressive = %(mdre-auth2)s %(mdre-normal)s +mdpr-errors = too many errors after \S+ +mdre-errors = ^from [^[]*\[\]%(_port)s$ failregex = 
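Review bot: `too many errors after \S+` in the rewritten `mdpr-normal` only admits a single-token stage name; Postfix logs `lost connection after DATA (N bytes) from …` from what looks like the same stage field, so if the error-limit message can be emitted in that state the `(N bytes)` part would land in the content that the `^from …` line must match and the event would be silently missed — worth confirming against the Postfix source before relying on `\S+`. If that variant does occur, `(?:improper command pipelining|too many errors) after \S+(?: \([^)]*\))?` keeps the anchoring tight while admitting it. Separately, folding `errors` into `normal` (and so into the default `mode = more`, per the ChangeLog entry) means a legitimate relay that repeatedly trips `smtpd_hard_error_limit` — a list server retrying many stale recipients, say — now counts toward `maxretry` in the default jail; the ChangeLog only hints at this, so a comment next to `mdpr-normal`, `# 'too many errors' (smtpd_hard_error_limit, default 20) also counts here; put trusted relays in ignoreip`, would save operators a surprise.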
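Review bot: `mdpr-errors = too many errors after \S+` duplicates the literal that the same commit adds to `mdpr-normal`, so the two copies can drift the next time the message text or the stage pattern is adjusted. The file already composes modes by reference (`mdpr-aggressive = (?:%(mdpr-auth)s|%(mdpr-normal)s|%(mdpr-ddos)s)` is visible in the hunk context), so `mdpr-normal = (?:\w+: reject:|improper command pipelining after \S+|%(mdpr-errors)s)` would keep a single definition. A one-line comment on `mdre-errors`, `# only the hard-error-limit line; anchored with $ so nothing else in the session is counted`, would also explain why this one is anchored while the generic `^from …:?` line in `mdre-normal` is not.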
> @@ -56,10 +58,17 @@ failregex = > # Usage example (for jail.local): # [postfix] # mode = aggressive +# # # or another jail (rewrite filter parameters of jail): # [postfix-rbl] # filter = postfix[mode=rbl] # +# # jail to match "too many errors", related postconf `smtpd_hard_error_limit`: +# # (normally included in other modes (normal, more, extra, aggressive), but this jail'd allow to ban on the first message) +# [postfix-many-errors] +# filter = postfix[mode=errors] +# maxretry = 1 +# mode = more ignoreregex = diff --git a/fail2ban/tests/files/logs/postfix b/fail2ban/tests/files/logs/postfix index b285d3de..d7d37600 100644 --- a/fail2ban/tests/files/logs/postfix +++ b/fail2ban/tests/files/logs/postfix 
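Review bot: The `[postfix-many-errors]` example sets `maxretry = 1` without saying what a single hit represents: Postfix logs `too many errors` only after `smtpd_hard_error_limit` (default 20) errors in one session, so one match is already backed by many rejected commands, but the same line is produced by a legitimate yet misconfigured peer, and with `maxretry = 1` that peer is banned on its first session. I would extend the comment with `# # one match already means smtpd_hard_error_limit errors in a single session; add trusted relays to ignoreip and keep bantime moderate` and reword `this jail'd allow to ban on the first message` to `this jail bans on the first such message`. The `mode = more` line that follows is the filter's live default rather than part of the commented jail; the added `+#` separator helps, but a trailing `# (end of example)` would make the boundary unambiguous.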
@@ -50,13 +50,20 @@ Jun 12 08:58:35 xxx postfix/smtpd[2931]: NOQUEUE: reject: RCPT from unknown[1.2. # failJSON: { "time": "2005-06-12T08:58:35", "match": true , "host": "1.2.3.4" } Jun 12 08:58:35 xxx postfix/smtpd[13533]: improper command pipelining after AUTH from unknown[1.2.3.4]: QUIT -# --------------------------------------- -# Test-cases of postfix-postscreen: -# --------------------------------------- - # failJSON: { "time": "2005-05-05T15:51:11", "match": true , "host": "216.245.194.173", "desc": "postfix postscreen / gh-1764" } May 5 15:51:11 xxx postfix/postscreen[1148]: NOQUEUE: reject: RCPT from [216.245.194.173]:60591: 550 5.7.1 Service unavailable; client [216.245.194.173] blocked using rbl.example.com; from=, to=, proto=ESMTP, helo= +# failJSON: { "time": "2005-06-03T06:25:43", "match": true , "host": "192.0.2.11", "desc": "too many errors / gh-2439" } +Jun 3 06:25:43 srv postfix/smtpd[29306]: too many errors after RCPT from example.com[192.0.2.11] + +# filterOptions: [{"mode": "errors"}] + +# failJSON: { "match": false, "desc": "ignore normal messages, jail for too many errors only" } +Jun 12 08:58:35 srv postfix/smtpd[29306]: improper command pipelining after AUTH from unknown[192.0.2.11]: QUIT + +# failJSON: { "time": "2005-06-03T06:25:43", "match": true , "host": "192.0.2.11", "desc": "too many errors / gh-2439" } +Jun 3 06:25:43 srv postfix/smtpd[29306]: too many errors after RCPT from example.com[192.0.2.11] + # --------------------------------------- # Test-cases of postfix-rbl: # ---------------------------------------
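Review bot: The hunk deletes the `Test-cases of postfix-postscreen` header but leaves the postscreen sample (`postfix/postscreen[1148]: NOQUEUE: reject: RCPT from [216.245.194.173]:60591`) in place, so that case now sits unlabelled between the pipelining sample and the new `too many errors` lines; keep the header, or move the new sample above it, so the file's section structure stays readable. Coverage of the new pattern is also thin: both positive samples use `RCPT` as the stage, so `\S+` is never exercised with another value such as `DATA`, and the `errors`-mode section has no `"match": false` line for a `NOQUEUE: reject:` message — one such sample there would pin that `mode=errors` really is limited to the hard-error-limit message.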