From 93810fff75640ddfe4c248e670ed80b5d225bf10 Mon Sep 17 00:00:00 2001 From: sebres Date: Fri, 26 Jul 2024 19:25:09 +0200 Subject: [PATCH] consider CONNECT and other rejected commands as a valid `_pref`; closes gh-3800 --- ChangeLog | 1 + config/filter.d/postfix.conf | 2 +- fail2ban/tests/files/logs/postfix | 3 +++ 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index ec52d5ba..c741283b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -21,6 +21,7 @@ ver. 1.1.1-dev-1 (20??/??/??) - development nightly edition * `action.d/firewallcmd-ipset.conf`: - rename `ipsettype` to `ipsetbackend` (gh-2620), parameter `ipsettype` will be used now to the real set type (gh-3760) * `filter.d/apache-overflows.conf` - consider AH10244: invalid URI path (gh-3778) +* `filter.d/postfix.conf` - consider CONNECT and other rejected commands as a valid `_pref` (gh-3800) * `filter.d/recidive.conf` - restore possibility to set jail name in the filter, _jailname is positive now (gh-3769) * `filter.d/sshd.conf` - adapted to conform possible new daemon name sshd-session, since OpenSSH 9.8 several log messages will be tagged with as originating from a process named "sshd-session" rather than "sshd" (gh-3782) diff --git a/config/filter.d/postfix.conf b/config/filter.d/postfix.conf index 5497504e..a1882473 100644 --- a/config/filter.d/postfix.conf +++ b/config/filter.d/postfix.conf @@ -12,7 +12,7 @@ before = common.conf _daemon = postfix(-\w+)?/[^/\[:\s]+(?:/smtp[ds])? _port = (?::\d+)? -_pref = [A-Z]{4} +_pref = [A-Z]{4,} prefregex = ^%(__prefix_line)s> .+$ diff --git a/fail2ban/tests/files/logs/postfix b/fail2ban/tests/files/logs/postfix index bd0daf55..8baa29a7 100644 --- a/fail2ban/tests/files/logs/postfix +++ b/fail2ban/tests/files/logs/postfix @@ -70,6 +70,9 @@ Jun 12 08:58:35 xxx postfix/smtpd[13533]: improper command pipelining after AUTH # failJSON: { "time": "2005-05-05T15:51:11", "match": true , "host": "216.245.194.173", "desc": "postfix postscreen / gh-1764" } May 5 15:51:11 xxx postfix/postscreen[1148]: NOQUEUE: reject: RCPT from [216.245.194.173]:60591: 550 5.7.1 Service unavailable; client [216.245.194.173] blocked using rbl.example.com; from=, to=, proto=ESMTP, helo= +# failJSON: { "time": "2005-06-01T19:00:55", "match": true , "host": "192.0.2.114", "desc": "postfix client restriction / gh-3800" } +Jun 1 19:00:55 mail postfix/smtpd[7749]: NOQUEUE: reject: CONNECT from unknown[192.0.2.114]: 450 4.7.25 Client host rejected: cannot find your hostname, [178.215.236.114]; proto=SMTP + # failJSON: { "time": "2005-06-03T06:25:43", "match": true , "host": "192.0.2.11", "desc": "too many errors / gh-2439" } Jun 3 06:25:43 srv postfix/smtpd[29306]: too many errors after RCPT from example.com[192.0.2.11]