Use anchored failregex for filters to avoid possible DoS -- couriersmtp.conf

config/filter.d/couriersmtp.conf

@@ -5,6 +5,12 @@
 # $Revision$
 #
 
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
 [Definition]
 
 # Option:  failregex
@@ -14,7 +20,10 @@
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
-failregex = error,relay=<HOST>,.*550 User unknown
+_daemon = courieresmtpd
+
+failregex = ^%(__prefix_line)serror,relay=<HOST>,.*: 550 User unknown\.$
+
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.

debian/changelog

@@ -7,6 +7,7 @@ fail2ban (0.8.6-3wheezy3) wheezy-security; urgency=high
       "postfix/smtpd" prefix in the log line
     - CVE-2013-7177: cyrus-imap.conf - anchored on the front, and
       refactored to have a single failregex
+    - couriersmtp.conf - anchored on both sides
 
  -- Yaroslav Halchenko <debian@onerussian.com>  Sun, 22 Jun 2014 11:56:54 -0400