fail2ban/config/filter.d/exim-common.conf

52 lines
1.4 KiB
Plaintext

# Fail2Ban filter file for common exim expressions
#
# This is to be used by other exim filters
[INCLUDES]
# Load customizations if any available
after = exim-common.local
[Definition]
_fields_grp = (?: (?!H=)[A-Za-z]{1,4}(?:=\S+)?)*
host_info = %(_fields_grp)s (?:H=)?(?:[\w.-]+)? ?(?:\(\S+\))? ?\[<ADDR>\](?::\d+)?%(_fields_grp)s
pid = (?:\s?\[\d+\]|\s?[\w\.-]+ exim\[\d+\]:){0,2}
logtype = file
_add_pref = <lt_<logtype>/_add_pref>
__prefix_line = %(pid)s%(_add_pref)s
[lt_journal]
_add_pref = (?: \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})?
[lt_file]
_add_pref =
# DEV Notes
# ------------
# Host string happens:
# H=[ip address]
# H=(helo_name) [ip address]
# H=host_name [ip address]
# H=host_name (helo_name) [ip address]
# flags H=host_name (helo_name) [ip address] flags
# where only [ip address] always visible, ignore ident
# From exim source code:
# src/src/host.c:host_and_ident()
# src/receive.c:add_host_info_for_log()
# Substitution of `_fields_grp` bypasses all flags but H
# Summary of Fields in Log Lines depending on log_selector
# https://www.exim.org/exim-html-current/doc/html/spec_html/ch-log_files.html
# at version exim-4.97.1
# ---
# Authors:
# Cyril Jaquier
# Daniel Black (rewrote with strong regexs)
# Sergey G. Brester aka sebres (optimization, rewrite to prefregex, reviews)
# Martin O'Neal (added additional regexs to detect authentication failures, protocol errors, and drops)
# Vladimir Varlamov (host line definition)