From 93810fff75640ddfe4c248e670ed80b5d225bf10 Mon Sep 17 00:00:00 2001
From: sebres <info@sebres.de>
Date: Fri, 26 Jul 2024 19:25:09 +0200
Subject: [PATCH] consider CONNECT and other rejected commands as a valid
 `_pref`; closes gh-3800

---
 ChangeLog                         | 1 +
 config/filter.d/postfix.conf      | 2 +-
 fail2ban/tests/files/logs/postfix | 3 +++
 3 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index ec52d5ba..c741283b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -21,6 +21,7 @@ ver. 1.1.1-dev-1 (20??/??/??) - development nightly edition
 * `action.d/firewallcmd-ipset.conf`:
   - rename `ipsettype` to `ipsetbackend` (gh-2620), parameter `ipsettype` will be used now to the real set type (gh-3760)
 * `filter.d/apache-overflows.conf` - consider AH10244: invalid URI path (gh-3778)
+* `filter.d/postfix.conf` - consider CONNECT and other rejected commands as a valid `_pref` (gh-3800)
 * `filter.d/recidive.conf` - restore possibility to set jail name in the filter, _jailname is positive now (gh-3769)
 * `filter.d/sshd.conf` - adapted to conform possible new daemon name sshd-session, since OpenSSH 9.8 
   several log messages will be tagged with as originating from a process named "sshd-session" rather than "sshd" (gh-3782)
diff --git a/config/filter.d/postfix.conf b/config/filter.d/postfix.conf
index 5497504e..a1882473 100644
--- a/config/filter.d/postfix.conf
+++ b/config/filter.d/postfix.conf
@@ -12,7 +12,7 @@ before = common.conf
 
 _daemon = postfix(-\w+)?/[^/\[:\s]+(?:/smtp[ds])?
 _port = (?::\d+)?
-_pref = [A-Z]{4}
+_pref = [A-Z]{4,}
 
 prefregex = ^%(__prefix_line)s<mdpr-<mode>> <F-CONTENT>.+</F-CONTENT>$
 
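Review bot: The widened `_pref = [A-Z]{4,}` has no upper bound and no comment saying what the token stands for, so a later reader cannot tell which values are meant to pass. A line above it such as `# _pref: SMTP command/stage that postfix logs before " from" (RCPT, CONNECT, ...)` would document the intent. If only command names are expected, a bounded form like `_pref = [A-Z]{4,8}` keeps the match tight on log text that partly originates from remote clients. The regexes that use `_pref` lie outside this hunk, so its anchoring relative to `<HOST>` should be confirmed there. The sample added to the test log covers only CONNECT, and it still carries `[178.215.236.114]` in the message text although the client address was replaced with 192.0.2.114; using the documentation address in both places would keep the fixture consistent.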
diff --git a/fail2ban/tests/files/logs/postfix b/fail2ban/tests/files/logs/postfix
index bd0daf55..8baa29a7 100644
--- a/fail2ban/tests/files/logs/postfix
+++ b/fail2ban/tests/files/logs/postfix
@@ -70,6 +70,9 @@ Jun 12 08:58:35 xxx postfix/smtpd[13533]: improper command pipelining after AUTH
 # failJSON: { "time": "2005-05-05T15:51:11", "match": true , "host": "216.245.194.173", "desc": "postfix postscreen / gh-1764" }
 May  5 15:51:11 xxx postfix/postscreen[1148]: NOQUEUE: reject: RCPT from [216.245.194.173]:60591: 550 5.7.1 Service unavailable; client [216.245.194.173] blocked using rbl.example.com; from=<spammer@example.com>, to=<goodguy@example.com>, proto=ESMTP, helo=<badguy.example.com>
 
+# failJSON: { "time": "2005-06-01T19:00:55", "match": true , "host": "192.0.2.114", "desc": "postfix client restriction / gh-3800" }
+Jun  1 19:00:55 mail postfix/smtpd[7749]: NOQUEUE: reject: CONNECT from unknown[192.0.2.114]: 450 4.7.25 Client host rejected: cannot find your hostname, [178.215.236.114]; proto=SMTP
+
 # failJSON: { "time": "2005-06-03T06:25:43", "match": true , "host": "192.0.2.11", "desc": "too many errors / gh-2439" }
 Jun  3 06:25:43 srv postfix/smtpd[29306]: too many errors after RCPT from example.com[192.0.2.11]