From c88967df2d2907b5a3d1440678b8c4860d221442 Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester" <github@sebres.de>
Date: Thu, 13 Feb 2025 21:30:04 +0100
Subject: [PATCH 1/3] `filter.d/exim.conf` - introduces mode `more` (several
 rules moved from mode `normal` to `more`), because:

- they have basically nothing with authentication;
- they can cause false positives (e. g. someone sends several mails from google mailing server to wrong recipients and if they would cause "rejected RCPT - Unknown user", the google host gets banned;
- to avoid occasional ban of legitimate servers one'd need create large white-list for `ignoreip` or construct complex `ignorecommands` to exclude all legitimate servers of big players (like google, microsoft, GMX, etc);
---
 config/filter.d/exim.conf | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/config/filter.d/exim.conf b/config/filter.d/exim.conf
index bc36ebf0..de7f6901 100644
--- a/config/filter.d/exim.conf
+++ b/config/filter.d/exim.conf
@@ -15,17 +15,19 @@ before = exim-common.conf
 
 prefregex = ^%(__prefix_line)s<F-CONTENT>.+</F-CONTENT>$
 
-failregex = ^%(host_info)s sender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
-            ^\s?\w+ authenticator failed for%(host_info)s: 535 Incorrect authentication data(?: \(set_id=.*\)|: \d+ Time\(s\))?\s*$
-            ^%(host_info)s rejected RCPT [^@]+@\S+: (?:relay not permitted|Sender verify failed|Unknown user|Unrouteable address)\s*$
+failregex = ^\s?\w+ authenticator failed for%(host_info)s: 535 Incorrect authentication data(?: \(set_id=.*\)|: \d+ Time\(s\))?\s*$
+            <mdre-<mode>>
+
+mdre-more = ^%(host_info)s sender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
+            ^%(host_info)s rejected RCPT (?:<F-RCPT>[^@]+@\S+:</F-RCPT>)?
             ^\s?SMTP protocol synchronization error \([^)]*\): rejected (?:connection from|"\S+")%(host_info)s (?:next )?input=".*"\s*$
             ^\s?SMTP call from%(host_info)s dropped: too many (?:(?:nonmail|unrecognized) commands|syntax or protocol errors)
             ^\s?SMTP protocol error in "[^"]+(?:"+[^"]*(?="))*?"%(host_info)s [A-Z]+ (?:command used when not advertised|authentication mechanism not supported)\s*$
             ^\s?no MAIL in SMTP connection from%(host_info)s
             ^\s?(?:[\w\-]+ )?SMTP connection from%(host_info)s closed by DROP in ACL\s*$
-            <mdre-<mode>>
 
-mdre-aggressive = ^\s?no host name found for IP address <ADDR>$
+mdre-aggressive = %(mdre-more)s
+                  ^\s?no host name found for IP address <ADDR>$
                   ^\s?no IP address found for host \S+ \(during SMTP connection from%(host_info)s\)$
                   ^%(host_info)s dropped by '[^']+' ACL:
 

From 6d4b487eb9b5d1d488e9da523e056653546f8e29 Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester" <github@sebres.de>
Date: Thu, 13 Feb 2025 21:42:52 +0100
Subject: [PATCH 2/3] adjust exim-log in the test factory

---
 fail2ban/tests/files/logs/exim | 71 +++++++++++++++++-----------------
 1 file changed, 35 insertions(+), 36 deletions(-)

diff --git a/fail2ban/tests/files/logs/exim b/fail2ban/tests/files/logs/exim
index 3bb6c444..eed5e4c7 100644
--- a/fail2ban/tests/files/logs/exim
+++ b/fail2ban/tests/files/logs/exim
@@ -6,6 +6,41 @@
 2013-06-12 03:57:58 login authenticator failed for (ylmf-pc) [120.196.140.45]: 535 Incorrect authentication data: 1 Time(s)
 # failJSON: { "time": "2013-06-12T13:18:11", "match": true , "host": "101.66.165.86" }
 2013-06-12 13:18:11 login authenticator failed for (USER-KVI9FGS9KP) [101.66.165.86]: 535 Incorrect authentication data
+
+# 'https://github.com/fail2ban/fail2ban/pull/251#issuecomment-23001227' 
+# failJSON: { "time": "2013-08-20T07:48:02", "match": true , "host": "85.25.92.177" }
+2013-08-20 07:48:02 login authenticator failed for static-ip-85-25-92-177.inaddr.ip-pool.com (USER) [85.25.92.177]: 535 Incorrect authentication data: 1 Time(s)
+# failJSON: { "time": "2013-08-20T23:30:05", "match": true , "host": "91.218.72.71" }
+2013-08-20 23:30:05 plain authenticator failed for ([192.168.2.102]) [91.218.72.71]: 535 Incorrect authentication data: 1 Time(s)
+# failJSON: { "time": "2013-09-02T09:19:07", "match": true , "host": "118.233.20.68" }
+2013-09-02 09:19:07 login authenticator failed for (gkzwsoju) [118.233.20.68]: 535 Incorrect authentication data
+# failJSON: { "time": "2014-01-12T02:07:48", "match": true , "host": "85.214.85.40" }
+2014-01-12 02:07:48 dovecot_login authenticator failed for h1832461.stratoserver.net (User) [85.214.85.40]: 535 Incorrect authentication data (set_id=scanner)
+# failJSON: { "time": "2019-10-22T03:39:17", "match": true , "host": "192.0.2.37", "desc": "pid-prefix in form of 'hostname exim[...]:', gh-2553" }
+2019-10-22 03:39:17 mx1.fqdn.local exim[29786]: dovecot_login authenticator failed for (User) [192.0.2.37]: 535 Incorrect authentication data (set_id=test@domain.com)
+# failJSON: { "time": "2014-12-02T03:00:23", "match": true , "host": "193.254.202.35" }
+2014-12-02 03:00:23 auth_plain authenticator failed for (rom182) [193.254.202.35]:41556 I=[10.0.0.1]:25: 535 Incorrect authentication data (set_id=webmaster)
+# failJSON: { "time": "2017-04-23T22:45:59", "match": true , "host": "192.0.2.2", "desc": "optional part (...)" }
+2017-04-23 22:45:59 fixed_login authenticator failed for bad.host.example.com [192.0.2.2]:54412 I=[172.89.0.6]:587: 535 Incorrect authentication data (set_id=user@example.com)
+# failJSON: { "time": "2024-03-21T19:26:06", "match": true , "host": "194.169.175.1" }
+2024-03-21 19:26:06 dovecot_login authenticator failed for (User) [194.169.175.1]:21298 I=[22.33.44.55]:465 Ci=30416: 535 Incorrect authentication data (set_id=uaf589@example.com)
+
+## no matches with `mode = normal`:
+
+# failJSON: { "match": false , "desc": "aggressive mode only" }
+2017-12-03 08:32:00 no host name found for IP address 192.0.2.8
+# failJSON: { "match": false , "desc": "aggressive mode only" }
+2017-12-03 08:51:35 no IP address found for host test.example.com (during SMTP connection from [192.0.2.9])
+# failJSON: { "match": false , "desc": "aggressive mode only" }
+2022-04-03 21:53:53 no IP address found for host hos-t.example.tld (during SMTP connection from [63.85.123.6]:49390 I=[31.130.202.17]:25)
+
+# filterOptions: {"logtype": "journal"}
+
+# failJSON: { "match": true , "host": "192.0.2.27", "desc": "systemd-journal entry with additional timestamp, gh-3060" }
+mail.example.com exim[3751842]: 2021-07-17 23:20:49 plain_server authenticator failed for ([192.0.2.17]) [192.0.2.27]: 535 Incorrect authentication data
+
+# filterOptions: [{"mode": "more"}, {"mode": "aggressive"}]
+
 # failJSON: { "time": "2013-06-10T10:10:59", "match": true , "host": "193.169.56.211" }
 2013-06-10 10:10:59 H=ufficioestampa.it (srv.ufficioestampa.it) [193.169.56.211] sender verify fail for <user@example.com>: Unrouteable address
 # http://forum.lissyara.su/viewtopic.php?f=20&t=29857
@@ -35,24 +70,6 @@
 # failJSON: { "time": "2013-06-15T16:36:49", "match": true , "host": "111.67.203.116" }
 2013-06-15 16:36:49 H=altmx.marsukov.com [111.67.203.116] F=<kadrofutcheti@mail.ru> rejected RCPT <oksana@birzhatm.ua>: Unknown user
 
-# 'https://github.com/fail2ban/fail2ban/pull/251#issuecomment-23001227' 
-# failJSON: { "time": "2013-08-20T07:48:02", "match": true , "host": "85.25.92.177" }
-2013-08-20 07:48:02 login authenticator failed for static-ip-85-25-92-177.inaddr.ip-pool.com (USER) [85.25.92.177]: 535 Incorrect authentication data: 1 Time(s)
-# failJSON: { "time": "2013-08-20T23:30:05", "match": true , "host": "91.218.72.71" }
-2013-08-20 23:30:05 plain authenticator failed for ([192.168.2.102]) [91.218.72.71]: 535 Incorrect authentication data: 1 Time(s)
-
-# failJSON: { "time": "2013-09-02T09:19:07", "match": true , "host": "118.233.20.68" }
-2013-09-02 09:19:07 login authenticator failed for (gkzwsoju) [118.233.20.68]: 535 Incorrect authentication data
-
-# failJSON: { "time": "2014-01-12T02:07:48", "match": true , "host": "85.214.85.40" }
-2014-01-12 02:07:48 dovecot_login authenticator failed for h1832461.stratoserver.net (User) [85.214.85.40]: 535 Incorrect authentication data (set_id=scanner)
-
-# failJSON: { "time": "2019-10-22T03:39:17", "match": true , "host": "192.0.2.37", "desc": "pid-prefix in form of 'hostname exim[...]:', gh-2553" }
-2019-10-22 03:39:17 mx1.fqdn.local exim[29786]: dovecot_login authenticator failed for (User) [192.0.2.37]: 535 Incorrect authentication data (set_id=test@domain.com)
-
-# failJSON: { "time": "2014-12-02T03:00:23", "match": true , "host": "193.254.202.35" }
-2014-12-02 03:00:23 auth_plain authenticator failed for (rom182) [193.254.202.35]:41556 I=[10.0.0.1]:25: 535 Incorrect authentication data (set_id=webmaster)
-
 # failJSON: { "time": "2016-03-18T00:34:06", "match": true , "host": "45.32.34.167" }
 2016-03-18 00:34:06 [7513] SMTP protocol error in "AUTH LOGIN" H=(ylmf-pc) [45.32.34.167]:60723 I=[172.89.0.6]:587 AUTH command used when not advertised
 # failJSON: { "time": "2016-03-19T18:40:44", "match": true , "host": "92.45.204.170" }
@@ -86,8 +103,6 @@
 # failJSON: { "time": "2016-03-27T16:48:48", "match": true , "host": "192.0.2.1" }
 2016-03-27 16:48:48 [21478] 1akDqs-0005aQ-9b SMTP connection from host.example.com (SERVER) [192.0.2.1]:47714 I=[172.89.0.6]:25 closed by DROP in ACL
 
-# failJSON: { "time": "2017-04-23T22:45:59", "match": true , "host": "192.0.2.2", "desc": "optional part (...)" }
-2017-04-23 22:45:59 fixed_login authenticator failed for bad.host.example.com [192.0.2.2]:54412 I=[172.89.0.6]:587: 535 Incorrect authentication data (set_id=user@example.com)
 # failJSON: { "time": "2017-05-01T07:42:42", "match": true , "host": "192.0.2.3", "desc": "rejected RCPT - Unrouteable address" }
 2017-05-01 07:42:42 H=some.rev.dns.if.found (the.connector.reports.this.name) [192.0.2.3] F=<some.name@some.domain> rejected RCPT <some.invalid.name@a.domain>: Unrouteable address
 
@@ -98,20 +113,9 @@
 # failJSON: { "time": "2017-11-28T14:14:32", "match": true , "host": "192.0.2.6", "desc": "quoted injecting on AUTH command" }
 2017-11-28 14:14:32 SMTP protocol error in "aUtH lOgIn" H=(test) [8.8.8.8]" H=(roxzgj) [192.0.2.6] AUTH command used when not advertised
 
-# failJSON: { "time": "2024-03-21T19:26:06", "match": true , "host": "194.169.175.1" }
-2024-03-21 19:26:06 dovecot_login authenticator failed for (User) [194.169.175.1]:21298 I=[22.33.44.55]:465 Ci=30416: 535 Incorrect authentication data (set_id=uaf589@example.com)
 # failJSON: { "time": "2024-03-21T09:18:51", "match": true , "host": "9.12.1.21" }
 2024-03-21 09:18:51 H=m05.horp.tld [9.12.1.21]:43030 I=[194.169.175.2]:25 Ci=7326 CV=no SNI=mail.leone.tld F=<user@example.tld> rejected RCPT <locus@leone.tld>: relay not permitted
 
-## no matches with `mode = normal`:
-
-# failJSON: { "match": false , "desc": "aggressive mode only" }
-2017-12-03 08:32:00 no host name found for IP address 192.0.2.8
-# failJSON: { "match": false , "desc": "aggressive mode only" }
-2017-12-03 08:51:35 no IP address found for host test.example.com (during SMTP connection from [192.0.2.9])
-# failJSON: { "match": false , "desc": "aggressive mode only" }
-2022-04-03 21:53:53 no IP address found for host hos-t.example.tld (during SMTP connection from [63.85.123.6]:49390 I=[31.130.202.17]:25)
-
 # filterOptions: [{"mode": "aggressive"}]
 
 # failJSON: { "time": "2017-12-03T08:32:00", "match": true , "host": "192.0.2.8", "desc": "no host found for IP" }
@@ -122,8 +126,3 @@
 2022-04-03 21:53:53 no IP address found for host hos-t.example.tld (during SMTP connection from [63.85.123.6]:49390 I=[31.130.202.17]:25)
 # failJSON: { "time": "2022-04-03T21:53:54", "match": true , "host": "192.0.2.101", "desc": "dropped by ACL" }
 2022-04-03 21:53:54 H=[192.0.2.101]:62839 dropped by 'connect' ACL: Country is banned
-
-# filterOptions: {"logtype": "journal"}
-
-# failJSON: { "match": true , "host": "192.0.2.27", "desc": "systemd-journal entry with additional timestamp, gh-3060" }
-mail.example.com exim[3751842]: 2021-07-17 23:20:49 plain_server authenticator failed for ([192.0.2.17]) [192.0.2.27]: 535 Incorrect authentication data

From 6538d43a8e638150dd6ea0b7641bcf583cb31f62 Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester" <github@sebres.de>
Date: Wed, 2 Apr 2025 14:57:03 +0200
Subject: [PATCH 3/3] Update ChangeLog

---
 ChangeLog | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index f087fbf2..7a232c5d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -23,7 +23,10 @@ ver. 1.1.1-dev-1 (20??/??/??) - development nightly edition
 * `action.d/firewallcmd-ipset.conf`:
   - rename `ipsettype` to `ipsetbackend` (gh-2620), parameter `ipsettype` will be used now to the real set type (gh-3760)
 * `filter.d/apache-overflows.conf` - consider AH10244: invalid URI path (gh-3778)
-* `filter.d/exim.conf` - mode `aggressive` extended to catch dropped by ACL failures, e.g. "ACL: Country is banned"
+* `filter.d/exim.conf`:
+  - several rules of mode `normal` moved to new mode `more`, because of too risky handling (gh-3940), so to use it as before
+    set `mode = more` for exim jail, thereby mode `aggressive` is not affected, because it fully includes mode `more` now);
+  - mode `aggressive` extended to catch dropped by ACL failures, e.g. "ACL: Country is banned"
 * `filter.d/freeswitch.conf` - bypass some new info in prefix before [WARNING] (changed default `_pref_line`),
   FreeSWITCH log line prefix has changed in newer versions (gh-3143)
 * `filter.d/postfix.conf` - consider CONNECT and other rejected commands as a valid `_pref` (gh-3800)