# Fail2Ban filter file for common exim expressions
#
# This is to be used by other exim filters

[INCLUDES]

# Load customizations if any available
after = exim-common.local

[Definition]

_fields_grp = (?: (?!H=)[A-Za-z]{1,4}(?:=\S+)?)*
host_info = %(_fields_grp)s (?:H=)?(?:[\w.-]+)? ?(?:\(\S+\))? ?\[<ADDR>\](?::\d+)?%(_fields_grp)s
pid = (?:\s?\[\d+\]|\s?[\w\.-]+ exim\[\d+\]:){0,2}

logtype = file
_add_pref = <lt_<logtype>/_add_pref>

__prefix_line = %(pid)s%(_add_pref)s

[lt_journal]
_add_pref = (?: \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})?

[lt_file]
_add_pref =

# DEV Notes
# ------------
# Host string happens:
# H=[ip address]
# H=(helo_name) [ip address]
# H=host_name [ip address]
# H=host_name (helo_name) [ip address]
# flags H=host_name (helo_name) [ip address] flags
# where only [ip address] always visible, ignore ident
# From exim source code:
#   src/src/host.c:host_and_ident()
#   src/receive.c:add_host_info_for_log()

# Substitution of `_fields_grp` bypasses all flags but H
# Summary of Fields in Log Lines depending on log_selector
# https://www.exim.org/exim-html-current/doc/html/spec_html/ch-log_files.html
# at version exim-4.97.1
# ---

# Authors:
#   Cyril Jaquier
#   Daniel Black (rewrote with strong regexs)
#   Sergey G. Brester aka sebres (optimization, rewrite to prefregex, reviews)
#   Martin O'Neal (added additional regexs to detect authentication failures, protocol errors, and drops)
#   Vladimir Varlamov (host line definition)