From 8d3f5048ef439befd51f8b0fe384850c37fd68cc Mon Sep 17 00:00:00 2001 From: sebres Date: Sat, 11 Apr 2026 14:42:57 +0200 Subject: [PATCH] `filter.d/postfix.conf` - extended `prefregex` to capture username in postfix SASL failures; closes gh-4165 --- ChangeLog | 1 + config/filter.d/postfix.conf | 2 +- fail2ban/tests/files/logs/postfix | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index a87cc00f..216ffe88 100644 --- a/ChangeLog +++ b/ChangeLog @@ -59,6 +59,7 @@ ver. 1.1.1-dev-1 (20??/??/??) - development nightly edition FreeSWITCH log line prefix has changed in newer versions (gh-3143) * `filter.d/lighttpd-auth.conf` - fixed regex (if failures generated by systemd-journal), bypass several prefixes now (gh-3955) * `filter.d/postfix.conf`: + - extended `prefregex` to capture username in postfix SASL failures (gh-4165) - consider CONNECT and other rejected commands as a valid `_pref` (gh-3800) - default `_daemon` in prefix-line is loosened - can match everything starting with word postfix, like `postfix-example.com/smtpd` (gh-3297) - add optional `NOQUEUE:` prefix to ddos regex (gh-4072) diff --git a/config/filter.d/postfix.conf b/config/filter.d/postfix.conf index a3a97c5c..305e2ded 100644 --- a/config/filter.d/postfix.conf +++ b/config/filter.d/postfix.conf @@ -18,7 +18,7 @@ _pref = (?:\w+: )? # SMTP commands like RCPT etc _cmd = [A-Z]{4,} -prefregex = ^%(__prefix_line)s%(_pref)s> .+$ +prefregex = ^%(__prefix_line)s%(_pref)s> .+?(?:, sasl_username=\S+)?\s*$ # Extended RE for normal mode to match reject by unknown users or undeliverable address, can be set to empty to avoid this: exre-user = |[Uu](?:ser unknown|ndeliverable address) ; pragma: codespell-ignore diff --git a/fail2ban/tests/files/logs/postfix b/fail2ban/tests/files/logs/postfix index d775c2ed..30a4df24 100644 --- a/fail2ban/tests/files/logs/postfix +++ b/fail2ban/tests/files/logs/postfix 
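Review bot: The rewritten `prefregex` line in `config/filter.d/postfix.conf` has no comment, although it changes two things: the body match becomes lazy (`.+?`) and an optional `, sasl_username=\S+` tail is split off the end of the line. If the content group closes before that tail, a site-local `failregex` keyed on `sasl_username=` would silently stop matching and that jail would stop banning; this is inferred, because the capture tags are not visible in this rendering. The captured name is whatever the unauthenticated client sent as its login, so it should be documented as untrusted wherever an action or notification interpolates it. I would add above the line: `# optional tail ", sasl_username=NAME" is split off the matched content; NAME is client-supplied (untrusted) and is not captured if it contains whitespace`.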
@@ -151,7 +151,7 @@ Jan 14 16:18:16 xxx postfix/smtpd[14933]: warning: host[192.0.2.5]: SASL CRAM-MD # failJSON: { "time": "2005-01-14T16:18:16", "match": true , "host": "192.0.2.5", "desc": "aggressive only" } Jan 14 16:18:16 xxx postfix/smtpd[14933]: warning: host[192.0.2.5]: SASL CRAM-MD5 authentication failed: Invalid authentication mechanism -# failJSON: { "time": "2004-11-04T09:11:01", "match": true , "host": "192.0.2.152", "desc": "reason unavailable" } +# failJSON: { "time": "2004-11-04T09:11:01", "match": true , "host": "192.0.2.152", "user": "admin", "desc": "reason unavailable" } Nov 4 09:11:01 mail postfix/smtpd[1234]: warning: unknown[192.0.2.152]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=admin # ---------------------------------------
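Review bot: The updated fixture exercises the new `sasl_username` tail only with a plain alphanumeric name (`admin`), so nothing pins how the `\S+` capture handles the mail-style logins that are common in SASL failures. A second pair next to this one would guard against a later tightening of the pattern dropping the user or the match. A constructed sample, which should match under the regex shown in this patch, is `# failJSON: { "time": "2004-11-04T09:11:01", "match": true , "host": "192.0.2.152", "user": "user@example.com", "desc": "constructed sample: mail-style login" }` followed by `Nov 4 09:11:01 mail postfix/smtpd[1234]: warning: unknown[192.0.2.152]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=user@example.com`.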