github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

update regex for modern sendmail 

Signed-off-by: bill <git@billforsyth.net>
pull/4020/head
Bill Forsyth 2025-06-17 13:55:27 -04:00 committed by bill
parent 86b9adb2f5
commit 8fe2697a34
1 changed files with 12 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
config/filter.d/sendmail-reject.conf
View File

@ -20,23 +20,23 @@ before = common.conf
[Definition] [Definition]
_daemon = (?:(sm-(mta|acceptingconnections)|sendmail)) _daemon = (?:(sm-(mta|acceptingconnections)|sendmail))
__prefix_line = %(known/__prefix_line)s(?:\w{14,20}: )? # N.B.: Avoid moving F-MLFID into the entire prefregex because the grouped messages we need have different syslog levels (info vs notice) that break the group if BSD verbose format is set
addr = (?:(?:IPv6:)?<IP6>|<IP4>) __prefix_line = %(known/__prefix_line)s<F-MLFID>(?:\w{14,20}: )?</F-MLFID>
prefregex = ^%(__prefix_line)s<F-CONTENT>.+</F-CONTENT>$
prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID><F-CONTENT>.+</F-CONTENT>$ cmnfailre = ^ruleset=check_rcpt, arg1=(?P<email><\S+@\S+>), relay=(\S+ )?\[<ADDR>\](?: \(may be forged\))?, reject=(?:550 5\.7\.1(?: (?P=email)\.\.\.)?(?: Relaying denied\.)? (?:IP name possibly forged \[(\d+\.){3}\d+\]|Proper authentication required\.|IP name lookup failed \[(\d+\.){3}\d+\]|Fix reverse DNS for \S+)|553 5\.1\.8(?: (?P=email)\.\.\.)? Domain of sender address \S+ does not exist|550 5\.[71]\.1 (?P=email)\.\.\. (Rejected: .*|User unknown))$
^ruleset=check_relay(?:, arg\d+=\S*)*, relay=(\S+ )?\[<ADDR>\](?: \(may be forged\))?, reject=421 4\.3\.2 (Connection rate limit exceeded\.|Too many open connections\.)$
cmnfailre = ^ruleset=check_rcpt, arg1=(?P<email><\S+@\S+>), relay=(\S+ )?\[%(addr)s\](?: \(may be forged\))?, reject=(?:550 5\.7\.1(?: (?P=email)\.\.\.)?(?: Relaying denied\.)? (?:IP name possibly forged \[(\d+\.){3}\d+\]|Proper authentication required\.|IP name lookup failed \[(\d+\.){3}\d+\]|Fix reverse DNS for \S+)|553 5\.1\.8(?: (?P=email)\.\.\.)? Domain of sender address \S+ does not exist|550 5\.[71]\.1 (?P=email)\.\.\. (Rejected: .*|User unknown))$ ^rejecting commands from (\S* )?\[<ADDR>\] due to pre-greeting traffic after \d+ seconds$
^ruleset=check_relay(?:, arg\d+=\S*)*, relay=(\S+ )?\[%(addr)s\](?: \(may be forged\))?, reject=421 4\.3\.2 (Connection rate limit exceeded\.|Too many open connections\.)$ ^(?:\S+ )?\[<ADDR>\]: (?:(?i)expn|vrfy) \S+ \[rejected\]$
^rejecting commands from (\S* )?\[%(addr)s\] due to pre-greeting traffic after \d+ seconds$ ^<[^@]+@[^>]+>\.\.\. (?:No such user here|User unknown)$
^(?:\S+ )?\[%(addr)s\]: (?:(?i)expn|vrfy) \S+ \[rejected\]$ ^<F-NOFAIL>from=<[^@]+@[^>]+></F-NOFAIL>, size=\d+, class=\d+, nrcpts=\d+,(?: bodytype=\w+,)? proto=E?SMTP, daemon=MTA(?:-v[46])?, relay=(?:\S+ )?\[<ADDR>]$
^<[^@]+@[^>]+>\.\.\. No such user here$
^<F-NOFAIL>from=<[^@]+@[^>]+></F-NOFAIL>, size=\d+, class=\d+, nrcpts=\d+, bodytype=\w+, proto=E?SMTP, daemon=MTA, relay=\S+ \[%(addr)s\]$
mdre-normal = mdre-normal =
mdre-extra = ^(?:\S+ )?\[%(addr)s\](?: \(may be forged\))? did not issue \S+ during connection mdre-extra = ^(?:\S+ )?\[<ADDR>](?: \(may be forged\))? did not issue \S+ during connection
mdre-aggressive = %(mdre-extra)s mdre-aggressive = ^lost input channel from (\S+ )?\[<ADDR>\] to MTA(?:-v[46])? after (rcpt|mail)$
%(mdre-extra)s
failregex = %(cmnfailre)s failregex = %(cmnfailre)s
<mdre-<mode>> <mdre-<mode>>