diff --git a/config/filter.d/sendmail-reject.conf b/config/filter.d/sendmail-reject.conf index 3a897316..93b8343c 100644 --- a/config/filter.d/sendmail-reject.conf +++ b/config/filter.d/sendmail-reject.conf @@ -19,16 +19,32 @@ before = common.conf [Definition] -_daemon = (?:sm-(mta|acceptingconnections)) +_daemon = (?:(sm-(mta|acceptingconnections)|sendmail)) failregex = ^%(__prefix_line)s\w{14}: ruleset=check_rcpt, arg1=(?P<\S+@\S+>), relay=(\S+ )?\[\]( \(may be forged\))?, reject=(550 5\.7\.1 (?P=email)\.\.\. Relaying denied\. (IP name possibly forged \[(\d+\.){3}\d+\]|Proper authentication required\.|IP name lookup failed \[(\d+\.){3}\d+\])|553 5\.1\.8 (?P=email)\.\.\. Domain of sender address \S+ does not exist|550 5\.[71]\.1 (?P=email)\.\.\. (Rejected: .*|User unknown))$ ^%(__prefix_line)sruleset=check_relay, arg1=(?P\S+), arg2=, relay=((?P=dom) )?\[(\d+\.){3}\d+\]( \(may be forged\))?, reject=421 4\.3\.2 (Connection rate limit exceeded\.|Too many open connections\.)$ ^%(__prefix_line)s\w{14}: rejecting commands from (\S+ )?\[\] due to pre-greeting traffic after \d+ seconds$ ^%(__prefix_line)s\w{14}: (\S+ )?\[\]: ((?i)expn|vrfy) \S+ \[rejected\]$ + ^(?P<__prefix>%(__prefix_line)s\w+: )<[^@]+@[^>]+>\.\.\. No such user here(?P=__prefix)from=<[^@]+@[^>]+>, size=\d+, class=\d+, nrcpts=\d+, bodytype=\w+, proto=E?SMTP, daemon=MTA, relay=\S+ \[\]$ ignoreregex = -# DEV Notes: + +[Init] + +# "maxlines" is number of log lines to buffer for multi-line regex searches +maxlines = 10 + +# DEV NOTES: +# +# Regarding the last multiline regex: +# +# There can be a nunber of non-related lines between the first and second part +# of this regex maxlines of 10 is quite generious. Only one of the +# "No such user" lines needs to be matched before the line with the HOST. +# +# Note the capture __prefix, includes both the __prefix_lines (which includes +# the sendmail PID), but also the \w+ which the the sendmail assigned mail ID. # # Author: Daniel Black and Fabian Wenk 
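Review bot: The new multi-line failregex requires a non-empty envelope sender (`from=<[^@]+@[^>]+>`), so a "No such user here" probe delivered with the null sender `from=<>` never reaches the host capture on the `relay=` line; if that is not intentional, `from=<[^>]*>` keeps the rest of the match while accepting the empty sender. Introducing `[Init]` with `maxlines = 10` applies line buffering to every failregex in this filter, not only the new one, so the four single-line patterns above now also run over a 10-line window; a comment beside the option would make that trade-off visible, e.g. `# needed only by the multi-line "No such user here" regex; the other patterns are single-line`. The added DEV NOTES carry typos that should be fixed before merge: `nunber` → `number`, `generious` → `generous`, `which the the sendmail` → `which is the sendmail`, and a missing full stop between `of this regex` and `maxlines of 10`. The `<HOST>` tag in the regex tails (`\[\]`) appears to have been stripped by this rendering, so I am assuming the committed file still carries it.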
diff --git a/config/filter.d/sendmail-spam.conf b/config/filter.d/sendmail-spam.conf
deleted file mode 100644
index c1477700..00000000
--- a/config/filter.d/sendmail-spam.conf
+++ /dev/null
@@ -1,30 +0,0 @@
-# Fail2ban filter for sendmail spam
-#
-
-[INCLUDES]
-
-# Read common prefixes. If any customizations available -- read them from
-# common.local
-before = common.conf
-
-[Definition]
-
-_daemon = sendmail
-
-failregex = ^(?P<__prefix>%(__prefix_line)s\w+: )<[^@]+@[^>]+>\.\.\. No such user here(?P=__prefix)from=<[^@]+@[^>]+>, size=\d+, class=\d+, nrcpts=\d+, bodytype=\w+, proto=E?SMTP, daemon=MTA, relay=\S+ \[\]$
-
-[Init]
-
-# "maxlines" is number of log lines to buffer for multi-line regex searches
-maxlines = 10
-
-# DEV NOTES:
-#
-# There can be a nunber of non-related lines between the first and second part
-# of this regex maxlines of 10 is quite generious. Only one of the
-# "No such user" lines needs to be matched before the line with the HOST.
-#
-# Note the capture __prefix, includes both the __prefix_lines (which includes
-# the sendmail PID), but also the \w+ which the the sendmail assigned mail ID.
-#
-# Author: Daniel Black
diff --git a/fail2ban/tests/files/logs/sendmail-reject b/fail2ban/tests/files/logs/sendmail-reject
index b7d37e5a..b326cf43 100644
--- a/fail2ban/tests/files/logs/sendmail-reject
+++ b/fail2ban/tests/files/logs/sendmail-reject
@@ -65,3 +65,22 @@ Feb 13 01:16:50 batman sm-mta[25815]: s1D0GoSs025815: [217.193.142.180]: vrfy in # failJSON: { "time": "2005-02-22T14:02:44", "match": true , "host": "24.73.201.194" } Feb 22 14:02:44 batman sm-mta[4030]: s1MD2hsd004030: rrcs-24-73-201-194.se.biz.rr.com [24.73.201.194]: VRFY root [rejected] + +# failJSON: { "match": false } +Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: ... No such user here +# failJSON: { "match": false } +Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: ... No such user here +# failJSON: { "match": false } +Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: ... No such user here +# failJSON: { "match": false } +Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: ... No such user here +# failJSON: { "match": false } +Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: ... No such user here +# failJSON: { "time": "2004-11-03T11:35:30", "match": true , "host": "95.32.23.163" } +Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: from=, size=0, class=0, nrcpts=0, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=163.23.32.95.dsl-dynamic.vsi.ru [95.32.23.163] + +# failJSON: { "match": false } +Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: ... No such user here +# Different mail ID shouldn't match +# failJSON: { "match": false } +Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026255: from=, size=0, class=0, nrcpts=0, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=163.23.32.95.dsl-dynamic.vsi.ru [95.32.23.163] diff --git a/fail2ban/tests/files/logs/sendmail-spam b/fail2ban/tests/files/logs/sendmail-spam deleted file mode 100644 index c2669207..00000000 --- a/fail2ban/tests/files/logs/sendmail-spam +++ /dev/null 
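Review bot: The negative cases added to this fixture only vary the mail ID (`rA37ZTSC026255`), while the filter's `(?P=__prefix)` backreference also pins the sendmail PID, so the PID half of that check is untested; a constructed line such as `Nov 3 11:35:30 Microsoft sendmail[26255]: rA37ZTSC026254: from=<…>, … relay=163.23.32.95.dsl-dynamic.vsi.ru [95.32.23.163]` marked `# failJSON: { "match": false }` would confirm that a different process reusing a mail ID does not produce a ban. The `from=` field reads as empty in this rendering although the filter expects `from=<user@domain>`; I am assuming the bracketed address is present in the committed file and was lost in display. A one-line comment above the block naming the filter rule it exercises, e.g. `# Multi-line "No such user here" + relay line must share PID and mail ID`, would help the next person who edits these fixtures.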
@@ -1,19 +0,0 @@
-
-# failJSON: { "match": false }
-Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: ... No such user here
-# failJSON: { "match": false }
-Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: ... No such user here
-# failJSON: { "match": false }
-Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: ... No such user here
-# failJSON: { "match": false }
-Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: ... No such user here
-# failJSON: { "match": false }
-Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: ... No such user here
-# failJSON: { "time": "2004-11-03T11:35:30", "match": true , "host": "95.32.23.163" }
-Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: from=, size=0, class=0, nrcpts=0, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=163.23.32.95.dsl-dynamic.vsi.ru [95.32.23.163]
-
-# failJSON: { "match": false }
-Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: ... No such user here
-# Different mail ID shouldn't match
-# failJSON: { "match": false }
-Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026255: from=, size=0, class=0, nrcpts=0, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=163.23.32.95.dsl-dynamic.vsi.ru [95.32.23.163]