| 6 |
- |
1 |
# Fail2Ban filter for sendmail spam/relay type failures
|
|
|
2 |
#
|
|
|
3 |
# Some of the below failregex will only work properly, when the following
|
|
|
4 |
# options are set in the .mc file (see your Sendmail documentation on how
|
|
|
5 |
# to modify it and generate the corresponding .cf file):
|
|
|
6 |
#
|
|
|
7 |
# FEATURE(`delay_checks')
|
|
|
8 |
# FEATURE(`greet_pause', `500')
|
|
|
9 |
# FEATURE(`ratecontrol', `nodelay', `terminate')
|
|
|
10 |
# FEATURE(`conncontrol', `nodelay', `terminate')
|
|
|
11 |
#
|
|
|
12 |
# ratecontrol and conncontrol also need corresponding options ClientRate:
|
|
|
13 |
# and ClientConn: in the access file, see documentation for ratecontrol and
|
|
|
14 |
# conncontrol in the sendmail/cf/README file.
|
|
|
15 |
|
|
|
16 |
[INCLUDES]
|
|
|
17 |
|
|
|
18 |
before = common.conf
|
|
|
19 |
|
|
|
20 |
[Definition]
|
|
|
21 |
|
| 33 |
- |
22 |
_daemon = (?:(sm-(mta|acceptingconnections)|sendmail))
|
| 6 |
- |
23 |
|
|
|
24 |
failregex = ^%(__prefix_line)s\w{14}: ruleset=check_rcpt, arg1=(?P<email><\S+@\S+>), relay=(\S+ )?\[<HOST>\]( \(may be forged\))?, reject=(550 5\.7\.1 (?P=email)\.\.\. Relaying denied\. (IP name possibly forged \[(\d+\.){3}\d+\]|Proper authentication required\.|IP name lookup failed \[(\d+\.){3}\d+\])|553 5\.1\.8 (?P=email)\.\.\. Domain of sender address \S+ does not exist|550 5\.[71]\.1 (?P=email)\.\.\. (Rejected: .*|User unknown))$
|
|
|
25 |
^%(__prefix_line)sruleset=check_relay, arg1=(?P<dom>\S+), arg2=<HOST>, relay=((?P=dom) )?\[(\d+\.){3}\d+\]( \(may be forged\))?, reject=421 4\.3\.2 (Connection rate limit exceeded\.|Too many open connections\.)$
|
| 86 |
- |
26 |
^%(__prefix_line)s\w{14}: rejecting commands from (\S* )?\[<HOST>\] due to pre-greeting traffic after \d+ seconds$
|
| 6 |
- |
27 |
^%(__prefix_line)s\w{14}: (\S+ )?\[<HOST>\]: ((?i)expn|vrfy) \S+ \[rejected\]$
|
| 33 |
- |
28 |
^(?P<__prefix>%(__prefix_line)s\w+: )<[^@]+@[^>]+>\.\.\. No such user here<SKIPLINES>(?P=__prefix)from=<[^@]+@[^>]+>, size=\d+, class=\d+, nrcpts=\d+, bodytype=\w+, proto=E?SMTP, daemon=MTA, relay=\S+ \[<HOST>\]$
|
| 6 |
- |
29 |
|
|
|
30 |
|
|
|
31 |
ignoreregex =
|
|
|
32 |
|
| 33 |
- |
33 |
|
|
|
34 |
[Init]
|
|
|
35 |
|
|
|
36 |
# "maxlines" is number of log lines to buffer for multi-line regex searches
|
|
|
37 |
maxlines = 10
|
|
|
38 |
|
|
|
39 |
# DEV NOTES:
|
|
|
40 |
#
|
|
|
41 |
# Regarding the last multiline regex:
|
| 6 |
- |
42 |
#
|
| 33 |
- |
43 |
# There can be a nunber of non-related lines between the first and second part
|
|
|
44 |
# of this regex maxlines of 10 is quite generious. Only one of the
|
|
|
45 |
# "No such user" lines needs to be matched before the line with the HOST.
|
|
|
46 |
#
|
|
|
47 |
# Note the capture __prefix, includes both the __prefix_lines (which includes
|
|
|
48 |
# the sendmail PID), but also the \w+ which the the sendmail assigned mail ID.
|
|
|
49 |
#
|
| 6 |
- |
50 |
# Author: Daniel Black and Fabian Wenk
|