Merge pull request #3702 from bes-internal/exim

exim: final `<HOST>` to `<ADDR>` conversion
8 months ago · e0f1a1e02a
parent 5ecc26d3ba 8da0a99cde
commit e0f1a1e02a
4 changed files with 17 additions and 13 deletions
--- a/config/filter.d/exim-common.conf
+++ b/config/filter.d/exim-common.conf
@ -11,7 +11,7 @@ after = exim-common.local

 _fields_grp = (?: (?!H=)[A-Za-z]{1,4}(?:=\S+)?)*
 host_info = %(_fields_grp)s (?:H=)?(?:[\w.-]+)? ?(?:\(\S+\))? ?\[<ADDR>\](?::\d+)?%(_fields_grp)s
-pid = (?: \[\d+\]| \w+ exim\[\d+\]:)?
+pid = (?: \[\d+\]| [\w\.-]+ exim\[\d+\]:)?


 # DEV Notes
@ -38,4 +38,4 @@ pid = (?: \[\d+\]| \w+ exim\[\d+\]:)?
 #   Daniel Black (rewrote with strong regexs)
 #   Sergey G. Brester aka sebres (optimization, rewrite to prefregex, reviews)
 #   Martin O'Neal (added additional regexs to detect authentication failures, protocol errors, and drops)
-#   Varlamov Vladimir (host line definition)
+#   Vladimir Varlamov (host line definition)
--- a/config/filter.d/exim-spam.conf
+++ b/config/filter.d/exim-spam.conf
@ -45,4 +45,4 @@ honeypot = trap@example.com

 # DEV Notes
 # -----------
-# The %(host_info) definition contains a <HOST> match. No space before. See exim-common.conf
+# The %(host_info) definition contains a <ADDR> match. No space before. See exim-common.conf
--- a/config/filter.d/exim.conf
+++ b/config/filter.d/exim.conf
@ -26,8 +26,8 @@ failregex = ^%(pid)s%(host_info)s sender verify fail for <\S+>: (?:Unknown user|
            ^%(pid)s (?:[\w\-]+ )?SMTP connection from%(host_info)s closed by DROP in ACL\s*$
            <mdre-<mode>>

-mdre-aggressive = ^%(pid)s no host name found for IP address <HOST>$
-                  ^%(pid)s no IP address found for host \S+ \(during SMTP connection from \[<HOST>\]\)$
+mdre-aggressive = ^%(pid)s no host name found for IP address <ADDR>$
+                  ^%(pid)s no IP address found for host \S+ \(during SMTP connection from%(host_info)s\)$

 mdre-normal = 

@ -44,7 +44,7 @@ ignoreregex =

 # DEV Notes
 # -----------
-# The %(host_info) definition contains a <HOST> match. No space before. See exim-common.conf
+# The %(host_info) definition contains a <ADDR> match. No space before. See exim-common.conf
 #
 # SMTP protocol synchronization error \([^)]*\)  <- This needs to be non-greedy
 # to void capture beyond ")" to avoid a DoS Injection vulnerability as input= is
--- a/fail2ban/tests/files/logs/exim
+++ b/fail2ban/tests/files/logs/exim
@ -47,8 +47,8 @@
 # failJSON: { "time": "2014-01-12T02:07:48", "match": true , "host": "85.214.85.40" }
 2014-01-12 02:07:48 dovecot_login authenticator failed for h1832461.stratoserver.net (User) [85.214.85.40]: 535 Incorrect authentication data (set_id=scanner)

-# failJSON: { "time": "2019-10-22T03:39:17", "match": true , "host": "192.0.2.37", "desc": "pid-prefix in form of 'mx1 exim[...]:', gh-2553" }
-2019-10-22 03:39:17 mx1 exim[29786]: dovecot_login authenticator failed for (User) [192.0.2.37]: 535 Incorrect authentication data (set_id=test@domain.com)
+# failJSON: { "time": "2019-10-22T03:39:17", "match": true , "host": "192.0.2.37", "desc": "pid-prefix in form of 'hostname exim[...]:', gh-2553" }
+2019-10-22 03:39:17 mx1.fqdn.local exim[29786]: dovecot_login authenticator failed for (User) [192.0.2.37]: 535 Incorrect authentication data (set_id=test@domain.com)

 # failJSON: { "time": "2014-12-02T03:00:23", "match": true , "host": "193.254.202.35" }
 2014-12-02 03:00:23 auth_plain authenticator failed for (rom182) [193.254.202.35]:41556 I=[10.0.0.1]:25: 535 Incorrect authentication data (set_id=webmaster)
@ -93,12 +93,19 @@
 # failJSON: { "time": "2017-11-28T14:14:32", "match": true , "host": "192.0.2.6", "desc": "quoted injecting on AUTH command" }
 2017-11-28 14:14:32 SMTP protocol error in "aUtH lOgIn" H=(test) [8.8.8.8]" H=(roxzgj) [192.0.2.6] AUTH command used when not advertised

+# failJSON: { "time": "2024-03-21T19:26:06", "match": true , "host": "194.169.175.1" }
+2024-03-21 19:26:06 dovecot_login authenticator failed for (User) [194.169.175.1]:21298 I=[22.33.44.55]:465 Ci=30416: 535 Incorrect authentication data (set_id=uaf589@example.com)
+# failJSON: { "time": "2024-03-21T09:18:51", "match": true , "host": "9.12.1.21" }
+2024-03-21 09:18:51 H=m05.horp.tld [9.12.1.21]:43030 I=[194.169.175.2]:25 Ci=7326 CV=no SNI=mail.leone.tld F=<user@example.tld> rejected RCPT <locus@leone.tld>: relay not permitted
+
 ## no matches with `mode = normal`:

 # failJSON: { "match": false , "desc": "aggressive mode only" }
 2017-12-03 08:32:00 no host name found for IP address 192.0.2.8
 # failJSON: { "match": false , "desc": "aggressive mode only" }
 2017-12-03 08:51:35 no IP address found for host test.example.com (during SMTP connection from [192.0.2.9])
+# failJSON: { "match": false , "desc": "aggressive mode only" }
+2022-04-03 21:53:53 no IP address found for host hos-t.example.tld (during SMTP connection from [63.85.123.6]:49390 I=[31.130.202.17]:25)

 # filterOptions: [{"mode": "aggressive"}]

@ -106,8 +113,5 @@
 2017-12-03 08:32:00 no host name found for IP address 192.0.2.8
 # failJSON: { "time": "2017-12-03T08:51:35", "match": true , "host": "192.0.2.9", "desc": "no IP found for host" }
 2017-12-03 08:51:35 no IP address found for host test.example.com (during SMTP connection from [192.0.2.9])
-
-# failJSON: { "time": "2024-03-21T19:26:06", "match": true , "host": "194.169.175.1" }
-2024-03-21 19:26:06 dovecot_login authenticator failed for (User) [194.169.175.1]:21298 I=[22.33.44.55]:465 Ci=30416: 535 Incorrect authentication data (set_id=uaf589@example.com)
-# failJSON: { "time": "2024-03-21T09:18:51", "match": true , "host": "9.12.1.21" }
-2024-03-21 09:18:51 H=m05.horp.tld [9.12.1.21]:43030 I=[194.169.175.2]:25 Ci=7326 CV=no SNI=mail.leone.tld F=<user@example.tld> rejected RCPT <locus@leone.tld>: relay not permitted
+# failJSON: { "time": "2022-04-03T21:53:53", "match": true , "host": "63.85.123.6", "desc": "no IP found for host long" }
+2022-04-03 21:53:53 no IP address found for host hos-t.example.tld (during SMTP connection from [63.85.123.6]:49390 I=[31.130.202.17]:25)