Merge branch '0.10' into 0.11

ChangeLog

@@ -39,6 +39,10 @@ ver. 0.11.0-dev-0 (2017/??/??) - development nightly edition
   ports are enclosed in curly braces `{ }` in the `jail.local` etc. This may cause a double-brackets now.
 
 ### Fixes
+* jail.conf: port `imap3` replaced with `imap` everywhere, since imap3 is not a standard port and old rarely 
+  (if ever) used and can missing on some systems (e. g. debian stretch), see gh-1942.
+* config/paths-common.conf: added missing initial values (and small normalization in config/paths-*.conf)
+  in order to avoid errors while interpolating (e. g. starting with systemd-backend), see gh-1955.
 * action.d/pf.conf: 
   - fixed syntax error in achnor definition (documentation, see gh-1919);
   - enclose ports in braces for multiport jails (see gh-1925);

config/jail.conf

@@ -227,10 +227,11 @@ action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
 
 # Report block via blocklist.de fail2ban reporting service API
 # 
-# See the IMPORTANT note in action.d/blocklist_de.conf for when to
-# use this action. Create a file jail.d/blocklist_de.local containing
-# [Init]
-# blocklist_de_apikey = {api key from registration]
+# See the IMPORTANT note in action.d/blocklist_de.conf for when to use this action.
+# Specify expected parameters in file action.d/blocklist_de.local or if the interpolation
+# `action_blocklist_de` used for the action, set value of `blocklist_de_apikey`
+# in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in 
+# corresponding jail.d/my-jail.local file).
 #
 action_blocklist_de  = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
 
@@ -659,7 +660,7 @@ logpath = /opt/kerio/mailserver/store/logs/security.log
 
 [courier-auth]
 
-port     = smtp,465,submission,imap3,imaps,pop3,pop3s
+port     = smtp,465,submission,imap,imaps,pop3,pop3s
 logpath  = %(syslog_mail)s
 backend  = %(syslog_backend)s
 
@@ -667,7 +668,7 @@ backend  = %(syslog_backend)s
 [postfix-sasl]
 
 filter   = postfix[mode=auth]
-port     = smtp,465,submission,imap3,imaps,pop3,pop3s
+port     = smtp,465,submission,imap,imaps,pop3,pop3s
 # You might consider monitoring /var/log/mail.warn instead if you are
 # running postfix since it would provide the same log lines at the
 # "warn" level but overall at the smaller filesize.
@@ -677,27 +678,27 @@ backend  = %(postfix_backend)s
 
 [perdition]
 
-port   = imap3,imaps,pop3,pop3s
+port   = imap,imaps,pop3,pop3s
 logpath = %(syslog_mail)s
 backend = %(syslog_backend)s
 
 
 [squirrelmail]
 
-port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks
+port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks
 logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
 
 
 [cyrus-imap]
 
-port   = imap3,imaps
+port   = imap,imaps
 logpath = %(syslog_mail)s
 backend = %(syslog_backend)s
 
 
 [uwimap-auth]
 
-port   = imap3,imaps
+port   = imap,imaps
 logpath = %(syslog_mail)s
 backend = %(syslog_backend)s
 

config/paths-common.conf

@@ -9,21 +9,36 @@ after  = paths-overrides.local
 
 default_backend = %(default/backend)s
 
+# Initial common values (to overwrite in path-<distribution>.conf)...
+# There is no sensible generic defaults for syslog log targets, thus
+# leaving them empty here (resp. set to mostly used variant) in order 
+# to avoid errors while parsing/interpolating configs.
+#
+# Note systemd-backend does not need the logpath at all.
+#
+syslog_local0 = /var/log/messages
+
+syslog_authpriv = /var/log/auth.log
+syslog_daemon  = %(syslog_local0)s
+syslog_ftp = %(syslog_local0)s
+syslog_mail =
+syslog_mail_warn =
+syslog_user = %(syslog_local0)s
+
+# Set the default syslog backend target to default_backend
+syslog_backend = %(default_backend)s
+
+# Default values for several jails:
+
 sshd_log = %(syslog_authpriv)s
 sshd_backend = %(default_backend)s
 
 dropbear_log = %(syslog_authpriv)s
 dropbear_backend = %(default_backend)s
 
-# There is no sensible generic defaults for syslog log targets, thus
-# leaving them empty here so that no errors while parsing/interpolating configs
-syslog_daemon =
-syslog_ftp =
-syslog_local0 =
-syslog_mail_warn =
-syslog_user =
-# Set the default syslog backend target to default_backend
-syslog_backend = %(default_backend)s
+apache_error_log = /var/log/apache2/*error.log
+
+apache_access_log = /var/log/apache2/*access.log
 
 # from /etc/audit/auditd.conf
 auditd_log = /var/log/audit/audit.log

config/paths-debian.conf

@@ -15,23 +15,12 @@ syslog_mail = /var/log/mail.log
 # syslog_mail_warn = /var/log/mail.warn
 syslog_mail_warn = %(syslog_mail)s
 
-syslog_authpriv = /var/log/auth.log
-
-# syslog_auth = /var/log/auth.log
-#
 syslog_user  =  /var/log/user.log
 
 syslog_ftp = /var/log/syslog
 
 syslog_daemon =  /var/log/daemon.log
 
-syslog_local0 =  /var/log/messages
-
-
-apache_error_log = /var/log/apache2/*error.log
-
-apache_access_log = /var/log/apache2/*access.log
-
 exim_main_log = /var/log/exim4/mainlog
 
 # was in debian squeezy but not in wheezy

config/paths-fedora.conf

@@ -15,15 +15,6 @@ syslog_mail_warn = /var/log/maillog
 
 syslog_authpriv = /var/log/secure
 
-syslog_user =  /var/log/messages
-
-syslog_ftp  = /var/log/messages
-
-syslog_daemon  = /var/log/messages
-
-syslog_local0  = /var/log/messages
-
-
 apache_error_log = /var/log/httpd/*error_log
 
 apache_access_log = /var/log/httpd/*access_log

config/paths-freebsd.conf

@@ -15,19 +15,10 @@ syslog_mail = /var/log/maillog
 
 syslog_mail_warn = /var/log/maillog
 
-syslog_authpriv = /var/log/auth.log
-
 # note - is only ftp.info - if notice /var/log/messages may be needed
 syslog_ftp = /var/log/xferlog
 
-syslog_daemon = /var/log/messages
-
-syslog_local0 = /var/log/messages
-
 # Linux things
-# we fake to avoid parse error in startups
-
-auditd_log = /dev/null
 
 # http://svnweb.freebsd.org/ports/head/www/apache24/files/patch-docs__conf__extra__httpd-ssl.conf.in?view=markup
 # http://svnweb.freebsd.org/ports/head/www/apache22/files/patch-docs__conf__extra__httpd-ssl.conf.in?view=markup

config/paths-opensuse.conf

@@ -9,24 +9,12 @@ after  = paths-overrides.local
 
 [DEFAULT]
 
-syslog_local0  = /var/log/messages
-
 syslog_mail = /var/log/mail
 
 syslog_mail_warn = %(syslog_mail)s
 
 syslog_authpriv = %(syslog_local0)s
 
-syslog_user =  %(syslog_local0)s
-
-syslog_ftp  = %(syslog_local0)s
-
-syslog_daemon  = %(syslog_local0)s
-
-apache_error_log = /var/log/apache2/*error_log
-
-apache_access_log = /var/log/apache2/*access_log
-
 pureftpd_log = %(syslog_local0)s
 
 exim_main_log = /var/log/exim/main.log

config/paths-osx.conf

@@ -17,11 +17,11 @@ syslog_mail_warn = /var/log/mail.warn
 syslog_authpriv = /var/log/secure.log
 #syslog_auth = 
 
-#syslog_user = 
+syslog_user = 
 
-#syslog_ftp = 
+syslog_ftp = 
 
-#syslog_daemon = 
+syslog_daemon = 
 
-#syslog_local0 =
+syslog_local0 =
 

files/gentoo-initd

@@ -18,6 +18,9 @@
 # Author: Sireyessire, Cyril Jaquier
 #
 
+description="Daemon to ban hosts that cause multiple authentication errors"
+description_reload="reload configuration"
+description_showlog="show fail2ban logs"
 extra_started_commands="reload showlog"
 
 FAIL2BAN="/usr/bin/fail2ban-client ${FAIL2BAN_OPTIONS}"