From fe72a5585c3a9970036b15d7957e8d064d9bdefa Mon Sep 17 00:00:00 2001
From: Lee Clemens
Date: Tue, 30 Dec 2014 19:06:17 -0500
Subject: [PATCH] Create Jail for Postfix based on RBL Use RBL blocks to ban addresses, unique Jail so maxretry can be set to 1 (vs postfix.conf)
---
 ChangeLog | 2 ++
 config/filter.d/postfix-rbl.conf | 19 +++++++++++++++++++
 config/jail.conf | 7 +++++++
 fail2ban/tests/files/logs/postfix-rbl | 2 ++
 4 files changed, 30 insertions(+)
 create mode 100644 config/filter.d/postfix-rbl.conf
 create mode 100644 fail2ban/tests/files/logs/postfix-rbl
diff --git a/ChangeLog b/ChangeLog
index c80dac5a..b9d60f75 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -23,6 +23,8 @@ ver. 0.9.2 (2014/XX/XXX) - wanna-be-released
 * filter.d/postfix-sasl.conf - failregex is now case insensitive
 - New Features:
+ - New filter:
+ - postfix-rbl Thanks Lee Clemens
 - New interpolation feature for config readers - `%(known/parameter)s`. (means last known option with name `parameter`). This interpolation makes possible to extend a stock filter or jail regexp in .local file
diff --git a/config/filter.d/postfix-rbl.conf b/config/filter.d/postfix-rbl.conf
new file mode 100644
index 00000000..4b572241
--- /dev/null
+++ b/config/filter.d/postfix-rbl.conf
@@ -0,0 +1,19 @@
+# Fail2Ban filter for Postfix's RBL based Blocked hosts
+#
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = postfix/smtpd
+
+failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]: 454 4\.7\.1 Service unavailable; Client host \[\S+\] blocked using \S+; Blocked.* from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
+
+ignoreregex =
+
+# Author: Lee Clemens
diff --git a/config/jail.conf b/config/jail.conf
index 6a95aa12..5544ba6d 100644
--- a/config/jail.conf
+++ b/config/jail.conf
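Review bot: The failregex in config/filter.d/postfix-rbl.conf matches only the literal reply `454 4\.7\.1`, so it fires only where Postfix answers DNSBL hits with a temporary failure; Postfix's default `maps_rbl_reject_code` is 554, and on such servers the filter would never match. Accepting both forms with `[45]54 [45]\.7\.1` would close that gap. The pattern also requires the DNSBL reply text to start with `Blocked` (`blocked using \S+; Blocked.*`), while the sample line added in fail2ban/tests/files/logs/postfix-rbl shows a URL after the semicolon, so as displayed that test line would not match; `blocked using \S+;.* from=<\S*>` would cover both. The host-capture brackets appear empty (`\[\]`) on this page, which looks like the `<HOST>` tag lost in extraction rather than something in the commit itself.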
@@ -465,6 +465,13 @@ port = smtp,465,submission
 logpath = %(postfix_log)s
+[postfix-rbl]
+
+port = smtp,465,submission
+logpath = %(syslog_mail)s
+maxretry = 1
+
+
 [sendmail-auth]
 port = submission,465,smtp
diff --git a/fail2ban/tests/files/logs/postfix-rbl b/fail2ban/tests/files/logs/postfix-rbl
new file mode 100644
index 00000000..fd420fa7
--- /dev/null
+++ b/fail2ban/tests/files/logs/postfix-rbl
@@ -0,0 +1,2 @@
+# failJSON: { "time": "2004-12-30T18:19:15", "match": true , "host": "93.184.216.34" }
+Dec 30 18:19:15 xxx postfix/smtpd[1574]: NOQUEUE: reject: RCPT from badguy.example.com[93.184.216.34]: 454 4.7.1 Service unavailable; Client host [93.184.216.34] blocked using rbl.example.com; http://www.example.com/query?ip=93.184.216.34; from= to= proto=ESMTP helo=
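Review bot: The new `[postfix-rbl]` jail in config/jail.conf sets `logpath = %(syslog_mail)s`, while the jail visible just above it in this hunk's context uses `%(postfix_log)s`; wherever a distribution path file or local override makes the two differ, this jail would watch a file Postfix does not write to and never ban, without any error. Using `logpath = %(postfix_log)s` keeps both Postfix jails on the same log source. With `maxretry = 1` and the ban covering `smtp,465,submission`, a single DNSBL hit also blocks the address on the submission ports. A comment above the section, such as `# a single DNSBL listing bans the address on all listed ports; listings of dynamic or shared addresses can lock out legitimate mail clients`, would help operators decide whether to enable the jail.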