# Fail2Ban filter for sendmail spam/relay type failures # # Some of the below failregex will only work properly, when the following # options are set in the .mc file (see your Sendmail documentation on how # to modify it and generate the corresponding .cf file): # # FEATURE(`delay_checks') # FEATURE(`greet_pause', `500') # FEATURE(`ratecontrol', `nodelay', `terminate') # FEATURE(`conncontrol', `nodelay', `terminate') # # ratecontrol and conncontrol also need corresponding options ClientRate: # and ClientConn: in the access file, see documentation for ratecontrol and # conncontrol in the sendmail/cf/README file. [INCLUDES] before = common.conf [Definition] _daemon = (?:sm-(mta|acceptingconnections)) failregex = ^%(__prefix_line)s\w{14}: ruleset=check_rcpt, arg1=(?P<\S+@\S+>), relay=(\S+ )?\[\]( \(may be forged\))?, reject=(550 5\.7\.1 (?P=email)\.\.\. Relaying denied\. (IP name possibly forged \[(\d+\.){3}\d+\]|Proper authentication required\.|IP name lookup failed \[(\d+\.){3}\d+\])|553 5\.1\.8 (?P=email)\.\.\. Domain of sender address \S+ does not exist|550 5\.[71]\.1 (?P=email)\.\.\. (Rejected: .*|User unknown))$ ^%(__prefix_line)sruleset=check_relay, arg1=(?P\S+), arg2=, relay=((?P=dom) )?\[(\d+\.){3}\d+\]( \(may be forged\))?, reject=421 4\.3\.2 (Connection rate limit exceeded\.|Too many open connections\.)$ ^%(__prefix_line)s\w{14}: rejecting commands from (\S+ )?\[\] due to pre-greeting traffic after \d+ seconds$ ^%(__prefix_line)s\w{14}: (\S+ )?\[\]: ((?i)expn|vrfy) \S+ \[rejected\]$ ignoreregex = # DEV Notes: # # Author: Daniel Black and Fabian Wenk