diff --git a/ChangeLog b/ChangeLog index 5715ee33..8ab4abfb 100644 --- a/ChangeLog +++ b/ChangeLog @@ -61,6 +61,9 @@ ver. 0.10.5-dev-1 (20??/??/??) - development edition (regex extended with optional part matching this, gh-2383) * `filter.d/postfix.conf`: - regexp's accept variable suffix code in status of postfix for precise messages (gh-2442) + - extended with new postfix filter mode `errors` to match "too many errors" (gh-2439), + also included within modes `normal`, `more` (`extra` and `aggressive`), since postfix + parameter `smtpd_hard_error_limit` is default 20 (additionally consider `maxretry`) ### New Features * new failregex-flag tag `` for failregex, signaled that the access to service was gained diff --git a/config/filter.d/postfix.conf b/config/filter.d/postfix.conf index 0155ddcc..29866dfa 100644 --- a/config/filter.d/postfix.conf +++ b/config/filter.d/postfix.conf @@ -15,7 +15,7 @@ _port = (?::\d+)? prefregex = ^%(__prefix_line)s> .+$ -mdpr-normal = (?:(?:\w+): reject:|improper command pipelining after \S+) +mdpr-normal = (?:\w+: reject:|(?:improper command pipelining|too many errors) after \S+) mdre-normal=^RCPT from [^[]*\[\]%(_port)s: 55[04] 5\.7\.1\s ^RCPT from [^[]*\[\]%(_port)s: 45[04] 4\.7\.\d+ (?:Service unavailable\b|Client host rejected: cannot find your (reverse )?hostname\b) ^RCPT from [^[]*\[\]%(_port)s: 450 4\.7\.\d+ (<[^>]*>)?: Helo command rejected: Host not found\b @@ -48,6 +48,8 @@ mdpr-aggressive = (?:%(mdpr-auth)s|%(mdpr-normal)s|%(mdpr-ddos)s) mdre-aggressive = %(mdre-auth2)s %(mdre-normal)s +mdpr-errors = too many errors after \S+ +mdre-errors = ^from [^[]*\[\]%(_port)s$ failregex = 
> @@ -56,10 +58,17 @@ failregex = > # Usage example (for jail.local): # [postfix] # mode = aggressive +# # # or another jail (rewrite filter parameters of jail): # [postfix-rbl] # filter = postfix[mode=rbl] # +# # jail to match "too many errors", related postconf `smtpd_hard_error_limit`: +# # (normally included in other modes (normal, more, extra, aggressive), but this jail'd allow to ban on the first message) +# [postfix-many-errors] +# filter = postfix[mode=errors] +# maxretry = 1 +# mode = more ignoreregex = diff --git a/fail2ban/tests/files/logs/postfix b/fail2ban/tests/files/logs/postfix index b285d3de..d7d37600 100644 --- a/fail2ban/tests/files/logs/postfix +++ b/fail2ban/tests/files/logs/postfix 
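Review bot: The usage example added in this hunk (`[postfix-many-errors]` with `maxretry = 1`) bans a client on its first "too many errors" line, yet the comment does not say what produces that line or who will be hit: any client that exceeds `smtpd_hard_error_limit` (default 20 per session, per the ChangeLog hunk) in one session, including an internal relay or a misconfigured MUA. I would extend the comment with `# # note: one session over smtpd_hard_error_limit (default 20) is enough to ban with maxretry = 1; cover trusted relays with ignoreip`. As rendered here `mdre-errors` reads `^from [^[]*\[\]%(_port)s$` with nothing between the brackets, exactly like the `mdre-normal` lines; this is most likely the `<HOST>` tag lost in rendering (the ChangeLog line `new failregex-flag tag ``` shows the same stripping), but if the source really contains `\[\]` the mode can never capture an address and bans nothing, so it is worth confirming against the actual file. The unchanged `mode = more` that follows the commented example is the filter's default rather than part of the example, and a line `# default mode (see list above):` above it would keep readers from pasting it into their jail. The `[Definition]` section these hunks belong to starts and ends outside the hunk.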
@@ -50,13 +50,20 @@ Jun 12 08:58:35 xxx postfix/smtpd[2931]: NOQUEUE: reject: RCPT from unknown[1.2.
 # failJSON: { "time": "2005-06-12T08:58:35", "match": true , "host": "1.2.3.4" }
 Jun 12 08:58:35 xxx postfix/smtpd[13533]: improper command pipelining after AUTH from unknown[1.2.3.4]: QUIT
 
-# ---------------------------------------
-# Test-cases of postfix-postscreen:
-# ---------------------------------------
-
 # failJSON: { "time": "2005-05-05T15:51:11", "match": true , "host": "216.245.194.173", "desc": "postfix postscreen / gh-1764" }
 May 5 15:51:11 xxx postfix/postscreen[1148]: NOQUEUE: reject: RCPT from [216.245.194.173]:60591: 550 5.7.1 Service unavailable; client [216.245.194.173] blocked using rbl.example.com; from=, to=, proto=ESMTP, helo=
 
+# failJSON: { "time": "2005-06-03T06:25:43", "match": true , "host": "192.0.2.11", "desc": "too many errors / gh-2439" }
+Jun 3 06:25:43 srv postfix/smtpd[29306]: too many errors after RCPT from example.com[192.0.2.11]
+
+# filterOptions: [{"mode": "errors"}]
+
+# failJSON: { "match": false, "desc": "ignore normal messages, jail for too many errors only" }
+Jun 12 08:58:35 srv postfix/smtpd[29306]: improper command pipelining after AUTH from unknown[192.0.2.11]: QUIT
+
+# failJSON: { "time": "2005-06-03T06:25:43", "match": true , "host": "192.0.2.11", "desc": "too many errors / gh-2439" }
+Jun 3 06:25:43 srv postfix/smtpd[29306]: too many errors after RCPT from example.com[192.0.2.11]
+
 # ---------------------------------------
 # Test-cases of postfix-rbl:
 # ---------------------------------------