From 8fe2697a349056493dd3cc3ee8ac6c534e15ec7a Mon Sep 17 00:00:00 2001
From: Bill Forsyth <git@billforsyth.net>
Date: Tue, 17 Jun 2025 13:55:27 -0400
Subject: [PATCH] update regex for modern sendmail

Signed-off-by: bill <git@billforsyth.net>
---
 config/filter.d/sendmail-reject.conf | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/config/filter.d/sendmail-reject.conf b/config/filter.d/sendmail-reject.conf
index 41035e5f..fab80e79 100644
--- a/config/filter.d/sendmail-reject.conf
+++ b/config/filter.d/sendmail-reject.conf
@@ -20,23 +20,23 @@ before = common.conf
 [Definition]
 
 _daemon = (?:(sm-(mta|acceptingconnections)|sendmail))
-__prefix_line = %(known/__prefix_line)s(?:\w{14,20}: )?
-addr = (?:(?:IPv6:)?<IP6>|<IP4>)
+# N.B.: Avoid moving F-MLFID into the entire prefregex because the grouped messages we need have different syslog levels (info vs notice) that break the group if BSD verbose format is set
+__prefix_line = %(known/__prefix_line)s<F-MLFID>(?:\w{14,20}: )?</F-MLFID>
+prefregex = ^%(__prefix_line)s<F-CONTENT>.+</F-CONTENT>$
 
-prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID><F-CONTENT>.+</F-CONTENT>$
-
-cmnfailre = ^ruleset=check_rcpt, arg1=(?P<email><\S+@\S+>), relay=(\S+ )?\[%(addr)s\](?: \(may be forged\))?, reject=(?:550 5\.7\.1(?: (?P=email)\.\.\.)?(?: Relaying denied\.)? (?:IP name possibly forged \[(\d+\.){3}\d+\]|Proper authentication required\.|IP name lookup failed \[(\d+\.){3}\d+\]|Fix reverse DNS for \S+)|553 5\.1\.8(?: (?P=email)\.\.\.)? Domain of sender address \S+ does not exist|550 5\.[71]\.1 (?P=email)\.\.\. (Rejected: .*|User unknown))$
-            ^ruleset=check_relay(?:, arg\d+=\S*)*, relay=(\S+ )?\[%(addr)s\](?: \(may be forged\))?, reject=421 4\.3\.2 (Connection rate limit exceeded\.|Too many open connections\.)$
-            ^rejecting commands from (\S* )?\[%(addr)s\] due to pre-greeting traffic after \d+ seconds$
-            ^(?:\S+ )?\[%(addr)s\]: (?:(?i)expn|vrfy) \S+ \[rejected\]$
-            ^<[^@]+@[^>]+>\.\.\. No such user here$
-            ^<F-NOFAIL>from=<[^@]+@[^>]+></F-NOFAIL>, size=\d+, class=\d+, nrcpts=\d+, bodytype=\w+, proto=E?SMTP, daemon=MTA, relay=\S+ \[%(addr)s\]$
+cmnfailre = ^ruleset=check_rcpt, arg1=(?P<email><\S+@\S+>), relay=(\S+ )?\[<ADDR>\](?: \(may be forged\))?, reject=(?:550 5\.7\.1(?: (?P=email)\.\.\.)?(?: Relaying denied\.)? (?:IP name possibly forged \[(\d+\.){3}\d+\]|Proper authentication required\.|IP name lookup failed \[(\d+\.){3}\d+\]|Fix reverse DNS for \S+)|553 5\.1\.8(?: (?P=email)\.\.\.)? Domain of sender address \S+ does not exist|550 5\.[71]\.1 (?P=email)\.\.\. (Rejected: .*|User unknown))$
+            ^ruleset=check_relay(?:, arg\d+=\S*)*, relay=(\S+ )?\[<ADDR>\](?: \(may be forged\))?, reject=421 4\.3\.2 (Connection rate limit exceeded\.|Too many open connections\.)$
+            ^rejecting commands from (\S* )?\[<ADDR>\] due to pre-greeting traffic after \d+ seconds$
+            ^(?:\S+ )?\[<ADDR>\]: (?:(?i)expn|vrfy) \S+ \[rejected\]$
+            ^<[^@]+@[^>]+>\.\.\. (?:No such user here|User unknown)$
+            ^<F-NOFAIL>from=<[^@]+@[^>]+></F-NOFAIL>, size=\d+, class=\d+, nrcpts=\d+,(?: bodytype=\w+,)? proto=E?SMTP, daemon=MTA(?:-v[46])?, relay=(?:\S+ )?\[<ADDR>]$
 
 mdre-normal =
 
-mdre-extra = ^(?:\S+ )?\[%(addr)s\](?: \(may be forged\))? did not issue \S+ during connection
+mdre-extra = ^(?:\S+ )?\[<ADDR>](?: \(may be forged\))? did not issue \S+ during connection
 
-mdre-aggressive = %(mdre-extra)s
+mdre-aggressive = ^lost input channel from (\S+ )?\[<ADDR>\] to MTA(?:-v[46])? after (rcpt|mail)$
+                  %(mdre-extra)s
 
 failregex = %(cmnfailre)s
             <mdre-<mode>>