CERBERUS/fail2ban
1
0
Fork 0
mirror of https://github.com/fail2ban/fail2ban.git synced 2026-05-13 06:31:29 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

filter.d/postfix.conf - extended prefregex to capture username in postfix SASL failures;

Browse source 
closes gh-4165
This commit is contained in:
sebres 2026-04-11 14:42:57 +02:00
parent 732dc86ef3
commit 8d3f5048ef
3 changed files with 3 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

1
ChangeLog
View file

@ -59,6 +59,7 @@ ver. 1.1.1-dev-1 (20??/??/??) - development nightly edition
FreeSWITCH log line prefix has changed in newer versions (gh-3143)
* `filter.d/lighttpd-auth.conf` - fixed regex (if failures generated by systemd-journal), bypass several prefixes now (gh-3955)
* `filter.d/postfix.conf`:
- extended `prefregex` to capture username in postfix SASL failures (gh-4165)
- consider CONNECT and other rejected commands as a valid `_pref` (gh-3800)
- default `_daemon` in prefix-line is loosened - can match everything starting with word postfix, like `postfix-example.com/smtpd` (gh-3297)
- add optional `NOQUEUE:` prefix to ddos regex (gh-4072)

2
config/filter.d/postfix.conf
View file

@ -18,7 +18,7 @@ _pref = (?:\w+: )?
# SMTP commands like RCPT etc
_cmd = [A-Z]{4,}
prefregex = ^%(__prefix_line)s%(_pref)s<mdpr-<mode>> <F-CONTENT>.+</F-CONTENT>$
prefregex = ^%(__prefix_line)s%(_pref)s<mdpr-<mode>> <F-CONTENT>.+?</F-CONTENT>(?:, sasl_username=<F-USER>\S+</F-USER>)?\s*$
# Extended RE for normal mode to match reject by unknown users or undeliverable address, can be set to empty to avoid this:
exre-user = |[Uu](?:ser unknown|ndeliverable address) ; pragma: codespell-ignore

2
fail2ban/tests/files/logs/postfix
View file

@ -151,7 +151,7 @@ Jan 14 16:18:16 xxx postfix/smtpd[14933]: warning: host[192.0.2.5]: SASL CRAM-MD
# failJSON: { "time": "2005-01-14T16:18:16", "match": true , "host": "192.0.2.5", "desc": "aggressive only" }
Jan 14 16:18:16 xxx postfix/smtpd[14933]: warning: host[192.0.2.5]: SASL CRAM-MD5 authentication failed: Invalid authentication mechanism
# failJSON: { "time": "2004-11-04T09:11:01", "match": true , "host": "192.0.2.152", "desc": "reason unavailable" }
# failJSON: { "time": "2004-11-04T09:11:01", "match": true , "host": "192.0.2.152", "user": "admin", "desc": "reason unavailable" }
Nov 4 09:11:01 mail postfix/smtpd[1234]: warning: unknown[192.0.2.152]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=admin
# ---------------------------------------