diff --git a/config/filter.d/exim.conf b/config/filter.d/exim.conf
index 1af15430..4aadf15c 100644
--- a/config/filter.d/exim.conf
+++ b/config/filter.d/exim.conf
@@ -18,9 +18,9 @@ failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|
 ^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user)\s*$
 ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$
 ^%(pid)s SMTP call from \S+ \[\](:\d+)? (I=\[\S+\](:\d+)? )?dropped: too many nonmail commands \(last was "\S+"\)\s*$
- ^%(pid)s SMTP protocol error in "AUTH LOGIN(| \S*)" H=\(\S*\) \[\]\:\d+ I=\[\S*\]\:\d+ AUTH command used when not advertised\s*$
- ^%(pid)s no MAIL in SMTP connection from (|\S* )\[\]\:\d+ I=\[\S*\]\:\d+ D=\d+s(| C=\S*)\s*$
- ^%(pid)s \S+ SMTP connection from (|\S* )(|\(\S*\))\[\]\:\d+ I=\[\S*\]\:\d+ closed by DROP in ACL\s*$
+ ^%(pid)s SMTP protocol error in "AUTH \S*(| \S*)" H=(|\S* )(|\(\S*\) )\[\]\:\d+ I=\[\S*\]\:\d+ AUTH command used when not advertised\s*$
+ ^%(pid)s no MAIL in SMTP connection from (|\S* )(|\(\S*\) )\[\]\:\d+ I=\[\S*\]\:\d+ D=\d+s(| C=\S*)\s*$
+ ^%(pid)s \S+ SMTP connection from (|\S* )(|\(\S*\) )\[\]\:\d+ I=\[\S*\]\:\d+ closed by DROP in ACL\s*$
 ignoreregex =
diff --git a/fail2ban/tests/files/logs/exim b/fail2ban/tests/files/logs/exim
index 36185604..a3b287d4 100644
--- a/fail2ban/tests/files/logs/exim
+++ b/fail2ban/tests/files/logs/exim
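Review bot: The optional host-name and HELO parts in the three added failregex lines are written as capturing groups with an empty alternative, `(|\S* )(|\(\S*\) )`; the non-capturing optional form this file already uses (`(?:`) states the intent more plainly and no longer accepts an empty token: `(?:\S+ )?(?:\(\S*\) )?`. The HELO name and the text inside the quotes of the AUTH line come from the remote client, so a short comment above these lines would help, for example `# client-controlled fields precede the host capture: keep these patterns anchored at both ends and limited to \S tokens`. The earlier lines of the block use `%(host_info)s` for the peer description; if that definition (not visible here) also fits these three messages, reusing it would avoid a second hand-written variant. The failregex block starts above this hunk.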
@@ -56,3 +56,10 @@
 2016-03-21 04:07:49 [25874] 1ahr79-0006jK-G9 SMTP connection from (voyeur.webair.com) [174.137.147.204]:44884 I=[172.89.0.6]:25 closed by DROP in ACL
 # failJSON: { "time": "2016-03-21T04:33:13", "match": true , "host": "206.214.71.53" }
 2016-03-21 04:33:13 [26074] 1ahrVl-0006mY-79 SMTP connection from riveruse.com [206.214.71.53]:39865 I=[172.89.0.6]:25 closed by DROP in ACL
+
+# failJSON: { "time": "2016-04-01T11:08:39", "match": true , "host": "192.0.2.1" }
+2016-04-01 11:08:39 [18643] no MAIL in SMTP connection from host.example.com (SERVER) [192.0.2.1]:1418 I=[172.89.0.6]:25 D=34s C=EHLO,AUTH
+# failJSON: { "time": "2016-04-01T11:09:21", "match": true , "host": "192.0.2.1" }
+2016-04-01 11:09:21 [18648] SMTP protocol error in "AUTH LOGIN" H=host.example.com (SERVER) [192.0.2.1]:4692 I=[172.89.0.6]:25 AUTH command used when not advertised
+# failJSON: { "time": "2016-03-27T16:48:48", "match": true , "host": "192.0.2.1" }
+2016-03-27 16:48:48 [21478] 1akDqs-0005aQ-9b SMTP connection from host.example.com (SERVER) [192.0.2.1]:47714 I=[172.89.0.6]:25 closed by DROP in ACL
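Review bot: The only AUTH sample added here uses `AUTH LOGIN`, so the widened `"AUTH \S*(| \S*)"` match in the filter is not exercised by this hunk. Unless lines above the hunk already cover it, a sample with a different mechanism followed by an argument, with its own `# failJSON` line, would pin the new behaviour. A sample with `"match": false` in which the parenthesised HELO name does not fit the expected shape would also document that the filter must not ban on client-supplied text. The file continues above this hunk, so existing coverage there is not visible.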