Use anchored failregex for filters to avoid possible DoS -- postfix.conf

Manually picked up from the 0.8 branch limiting lines only to the existing failregex
2014-06-22 11:50:16 -04:00 · 2014-06-22 11:50:16 -04:00 · aff0f8233f
parent 264e7813d9
commit aff0f8233f
2 changed files with 17 additions and 1 deletions
--- a/config/filter.d/postfix.conf
+++ b/config/filter.d/postfix.conf
@ -5,6 +5,12 @@
 # $Revision$
 #

+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
 [Definition]

 # Option:  failregex
@ -14,7 +20,9 @@
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
-failregex = reject: RCPT from (.*)\[<HOST>\]: 554
+_daemon = postfix/smtpd
+
+failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$

 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,11 @@
+fail2ban (0.8.6-3wheezy3) wheezy-security; urgency=high
+
+  * Use anchored failregex for filters to avoid possible DoS
+    - CVE-2013-7176: postfix.conf - anchored on the front, expects
+      "postfix/smtpd" prefix in the log line
+
+ --
+
 fail2ban (0.8.6-3wheezy2) wheezy-security; urgency=high

  * Anchor apache- filters failregexes to avoid possible DoS on servers