diff --git a/config/filter.d/sendmail-reject.conf b/config/filter.d/sendmail-reject.conf index 41035e5f..8205b32b 100644 --- a/config/filter.d/sendmail-reject.conf +++ b/config/filter.d/sendmail-reject.conf @@ -20,23 +20,24 @@ before = common.conf [Definition] _daemon = (?:(sm-(mta|acceptingconnections)|sendmail)) -__prefix_line = %(known/__prefix_line)s(?:\w{14,20}: )? -addr = (?:(?:IPv6:)?|) +# N.B.: Avoid moving F-MLFID into the entire prefregex because the grouped messages we need have different syslog levels (info vs notice) that break the group if BSD verbose format is set +__prefix_line = %(known/__prefix_line)s(?:\w{14,20}: )? +prefregex = ^%(__prefix_line)s.+$ -prefregex = ^%(__prefix_line)s.+$ - -cmnfailre = ^ruleset=check_rcpt, arg1=(?P<\S+@\S+>), relay=(\S+ )?\[%(addr)s\](?: \(may be forged\))?, reject=(?:550 5\.7\.1(?: (?P=email)\.\.\.)?(?: Relaying denied\.)? (?:IP name possibly forged \[(\d+\.){3}\d+\]|Proper authentication required\.|IP name lookup failed \[(\d+\.){3}\d+\]|Fix reverse DNS for \S+)|553 5\.1\.8(?: (?P=email)\.\.\.)? Domain of sender address \S+ does not exist|550 5\.[71]\.1 (?P=email)\.\.\. (Rejected: .*|User unknown))$ - ^ruleset=check_relay(?:, arg\d+=\S*)*, relay=(\S+ )?\[%(addr)s\](?: \(may be forged\))?, reject=421 4\.3\.2 (Connection rate limit exceeded\.|Too many open connections\.)$ - ^rejecting commands from (\S* )?\[%(addr)s\] due to pre-greeting traffic after \d+ seconds$ - ^(?:\S+ )?\[%(addr)s\]: (?:(?i)expn|vrfy) \S+ \[rejected\]$ - ^<[^@]+@[^>]+>\.\.\. No such user here$ - ^from=<[^@]+@[^>]+>, size=\d+, class=\d+, nrcpts=\d+, bodytype=\w+, proto=E?SMTP, daemon=MTA, relay=\S+ \[%(addr)s\]$ +cmnfailre = ^ruleset=check_rcpt, arg1=(?P<\S+@\S+>), relay=(\S+ )?\[\](?: \(may be forged\))?, reject=(?:550 5\.7\.1(?: (?P=email)\.\.\.)?(?: Relaying denied\.)? (?:IP name possibly forged \[(\d+\.){3}\d+\]|Proper authentication required\.|IP name lookup failed \[(\d+\.){3}\d+\]|Fix reverse DNS for \S+)|553 5\.1\.8(?: (?P=email)\.\.\.)? Domain of sender address \S+ does not exist|550 5\.[71]\.1 (?P=email)\.\.\. (Rejected: .*|User unknown))$ + ^ruleset=check_relay(?:, arg\d+=\S*)*, relay=(\S+ )?\[\](?: \(may be forged\))?, reject=421 4\.3\.2 (Connection rate limit exceeded\.|Too many open connections\.)$ + ^rejecting commands from (\S* )?\[\] due to pre-greeting traffic after \d+ seconds$ + ^(?:\S+ )?\[\]: (?:(?i)expn|vrfy) \S+ \[rejected\]$ + ^<[^@]+@[^>]+>\.\.\. (?:No such user here|User unknown)$ + ^from=<[^@]+@[^>]+>, size=\d+, class=\d+, nrcpts=\d+,(?: bodytype=\w+,)? proto=E?SMTP, daemon=MTA(?:-v[46])?, relay=(?:\S+ )?\[]$ mdre-normal = -mdre-extra = ^(?:\S+ )?\[%(addr)s\](?: \(may be forged\))? did not issue \S+ during connection +mdre-extra = ^(?:\S+ )?\[](?: \(may be forged\))? did not issue \S+ during connection -mdre-aggressive = %(mdre-extra)s +mdre-aggressive = ^lost input channel from (\S+ )?\[\] to MTA(?:-v[46])? after (rcpt|mail)$ + ^ruleset=check_rcpt, arg1=(?P<\S+@\S+>), relay=(\S+ )?\[\](?: \(may be forged\))?, reject=(?:450 4\.4\.0(?: (?P=email)\.\.\.)?(?: Relaying temporarily denied\.)?(?: Cannot resolve PTR record for (\d+\.){3}\d+))$ + %(mdre-extra)s failregex = %(cmnfailre)s > diff --git a/fail2ban/tests/files/logs/sendmail-reject b/fail2ban/tests/files/logs/sendmail-reject index 8debe7ca..5f604ca7 100644 --- a/fail2ban/tests/files/logs/sendmail-reject +++ b/fail2ban/tests/files/logs/sendmail-reject @@ -94,6 +94,16 @@ Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026252: ... # failJSON: { "match": false, "desc": "Different mail ID shouldn't match" } Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026255: from=, size=0, class=0, nrcpts=0, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=163.23.32.95.dsl-dynamic.vsi.ru [95.32.23.163] +# failJSON: { "time": "2024-06-17T13:03:43", "match": false, "host": "127.0.0.1", "desc": "no failure, just cache host for mlfid" } +Jun 17 13:03:43 alarmpi sm-mta[26864]: 55HH324M026864: from=, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA-v4, relay=localhost [127.0.0.1] + +# failJSON: { "time": "2024-06-17T14:37:39", "match": true, "host": "192.168.1.44" } +Jun 17 14:37:39 alarmpi sm-mta[2794]: 55HIbcGI002794: ... User unknown + +# failJSON: { "time": "2024-06-17T14:37:39", "match": false, "host": "192.168.1.44", "desc": "no failure, just cache host for mlfid" } +Jun 17 14:37:39 alarmpi sm-mta[2794]: 55HIbcGI002794: from=, size=108, class=0, nrcpts=0, proto=ESMTP, daemon=MTA-v4, relay=yourrelay [192.168.1.44] + + # filterOptions: {"mode": "extra"} # failJSON: { "time": "2005-03-06T16:55:28", "match": true , "host": "192.0.2.194", "desc": "wrong resp. non RFC compiant (ddos prelude?), MTA-mode" } @@ -112,3 +122,12 @@ Mar 29 22:51:43 server sendmail[3529565]: xA32R2PQ3529565: [192.0.2.2] did not i Mar 29 22:51:45 server sm-mta[50437]: 06QDQnNf050437: example.com [192.0.2.3] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4 # failJSON: { "time": "2005-03-29T22:51:46", "match": true , "host": "2001:DB8::1", "desc": "IPv6" } Mar 29 22:51:46 server sm-mta[50438]: 06QDQnNf050438: example.com [IPv6:2001:DB8::1] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv6 + +# aggressive mode # filterOptions: {"mode": "aggressive"} + +# failJSON: { "time": "2024-06-17T13:03:43", "match": true, "host": "127.0.0.1" } +Jun 17 13:03:43 alarmpi sm-mta[26864]: 55HH324M026864: lost input channel from localhost [127.0.0.1] to MTA-v4 after mail + +# failJSON: { "time": "2024-06-18T08:05:17", "match": true, "host": "45.125.66.67" } +Jun 18 08:05:17 myhost sm-mta[17002]: 55IC59VD017002: ruleset=check_rcpt, arg1=, relay=[45.125.66.67], reject=450 4.4.0 ... Relaying temporarily denied. Cannot resolve PTR record for 45.125.66.67 +