diff --git a/config/filter.d/postfix.conf b/config/filter.d/postfix.conf
index 8db7faee..a899708d 100644
--- a/config/filter.d/postfix.conf
+++ b/config/filter.d/postfix.conf
@@ -5,6 +5,12 @@
 # $Revision$
 #
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
 [Definition]
 # Option: failregex
@@ -14,7 +20,9 @@
 # (?:::f{4,6}:)?(?P[\w\-.^_]+)
 # Values: TEXT
 #
-failregex = reject: RCPT from (.*)\[\]: 554
+_daemon = postfix/smtpd
+
+failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]: 554 5\.7\.1 .*$
 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.
diff --git a/debian/changelog b/debian/changelog
index 259c2e94..3540ae15 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+fail2ban (0.8.6-3wheezy3) wheezy-security; urgency=high
+
+ * Use anchored failregex for filters to avoid possible DoS
+ - CVE-2013-7176: postfix.conf - anchored on the front, expects
+ "postfix/smtpd" prefix in the log line
+
+ --
+
 fail2ban (0.8.6-3wheezy2) wheezy-security; urgency=high
 * Anchor apache- filters failregexes to avoid possible DoS on servers
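Review bot: In the `[INCLUDES]` hunk of postfix.conf, the added comment says customizations are read from common.local, but the only directive is `before = common.conf`. The local file is therefore reached only if common.conf includes it itself, which this diff does not show. The anchored failregex in the next hunk depends on `__prefix_line` from that include (presumably built from `_daemon`), so the comment should say so, e.g. `# Provides __prefix_line; local overrides come via common.conf's own includes`. A site-local override that loosens `__prefix_line` would also loosen the front anchor this commit introduces, which deserves a sentence for operators.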
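Review bot: The new `failregex` in the second postfix.conf hunk only matches lines tagged `postfix/smtpd` that carry `NOQUEUE:` and `554 5\.7\.1`, and nothing in the file tells operators that other rejections now go unbanned. Instances logging under a different syslog name, or rejecting with another status code, will silently stop producing bans, so I would add above `_daemon` a comment such as `# Must equal the syslog tag of the smtpd service; override in a .local file if it differs`. The `^%(__prefix_line)s` anchor is what keeps text inside a logged field from being read as a rejection for some other address; the trailing `.*$` adds no constraint and could be dropped. `_daemon` now sits between the `# Option: failregex` comment block and the option it documents; moving it above that block keeps the documentation attached to `failregex`. The host capture between `\[` and `\]` is not visible in this rendering and was presumably stripped, so confirm it is present in the committed file.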