# Fail2Ban filter for selected Postfix SMTP rejections
#
# Read by fail2ban's (configparser-based) config reader: "%(key)s" expands
# another key of the same section, "<tag>" is substituted by fail2ban itself
# (e.g. <HOST>, or <mode> set from the jail via "filter = postfix[mode=...]"),
# and the continuation lines of a multi-line value have to be indented.
#

[INCLUDES]

# Read common prefixes (presumably where __prefix_line, referenced by prefregex
# below, is defined).  If any customizations are available they are read from
# common.local on top of common.conf.
before = common.conf

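[Definition]

# Syslog program name of the logging daemon: "postfix/smtpd", "postfix/smtp",
# multi-instance "postfix-<name>/...", and the "postfix/<service>/smtpd" form.
# (Presumably consumed by __prefix_line from common.conf.)
_daemon = postfix(-\w+)?/\w+(?:/smtp[ds])?
# Optional ":port" suffix logged after the client address by some Postfix
# versions; matched but not required.
_port = (?::\d+)?

# Two-stage matching: prefregex keeps only the lines of interest for the
# selected <mode> (the mdpr-<mode> marker) and hands the remainder of the line
# (<F-CONTENT>) to failregex, which is the mdre-<mode> pattern list of that mode.
prefregex = ^%(__prefix_line)s<mdpr-<mode>> <F-CONTENT>.+</F-CONTENT>$

# Mode "normal": "reject:" lines (550/554 5.7.1 policy rejections, 454/450
# 4.7.x temporary rejections and missing reverse DNS, HELO/sender domain not
# found, non-FQDN EHLO, 550 5.1.1 unknown recipient on RCPT/VRFY), plus the
# "improper command pipelining" and "too many errors" disconnects, whose
# remainder is just "from host[ip]" (last rule).
# Continuation lines of a multi-line value must stay indented.
mdpr-normal = (?:\w+: reject:|(?:improper command pipelining|too many errors) after \S+)
mdre-normal = ^RCPT from [^[]*\[<HOST>\]%(_port)s: 55[04] 5\.7\.1\s
              ^RCPT from [^[]*\[<HOST>\]%(_port)s: 45[04] 4\.7\.\d+ (?:Service unavailable\b|Client host rejected: cannot find your (reverse )?hostname\b)
              ^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.7\.\d+ (<[^>]*>)?: Helo command rejected: Host not found\b
              ^EHLO from [^[]*\[<HOST>\]%(_port)s: 504 5\.5\.\d+ (<[^>]*>)?: Helo command rejected: need fully-qualified hostname\b
              ^(RCPT|VRFY) from [^[]*\[<HOST>\]%(_port)s: 550 5\.1\.1\s
              ^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.1\.\d+ (<[^>]*>)?: Sender address rejected: Domain not found\b
              ^from [^[]*\[<HOST>\]%(_port)s:?

# Mode "auth": SASL authentication failures (logged as "warning:" lines).
# "Connection lost to authentication server" is excluded as it is presumably a
# fault of the local authentication backend rather than of the client;
# "Invalid authentication mechanism" is excluded as well (see the todo below).
# NOTE(review): the inline "(?i)" sits inside a group instead of at the start of
# the expression; Python 3.11+ rejects that form (re.error "global flags not at
# the start of the expression") and the jail would fail to start.  Where only
# Python >= 3.6 has to be supported, the scoped form
# "SASL (?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:" is the fix.
mdpr-auth = warning:
mdre-auth = ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server| Invalid authentication mechanism)
# Same as mdre-auth but also counting "Invalid authentication mechanism"
# (used by mode "aggressive").
mdre-auth2 = ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server)
# todo: check/remove "Invalid authentication mechanism" from ignore list, if gh-1243 will get finished (see gh-1297).

# Mode "rbl": DNSBL rejections only (454 4.7.1 / 554 5.7.1 "Client host [...]
# blocked").  Already covered by mode "normal"; use it for a dedicated jail such
# as "postfix-rbl" only.
mdpr-rbl = %(mdpr-normal)s
mdre-rbl = ^RCPT from [^[]*\[<HOST>\]%(_port)s: [45]54 [45]\.7\.1 Service unavailable; Client host \[\S+\] blocked\b

# Mode "more" (default): currently identical to "normal" -- the RBL rejections
# above are already matched by the 1st (554 5.7.1) and 2nd (454 4.7.x Service
# unavailable) rules of mdre-normal, so nothing has to be added here.
mdpr-more = %(mdpr-normal)s
mdre-more = %(mdre-normal)s

# Mode "ddos": clients that drop the connection after any SMTP command other
# than DATA.  Such lines may also be produced by legitimate clients with
# transient network problems or by monitoring probes, so this mode is more
# prone to false positives -- prefer a higher maxretry for it.
mdpr-ddos = lost connection after(?! DATA) [A-Z]+
mdre-ddos = ^from [^[]*\[<HOST>\]%(_port)s:?

# Mode "extra": auth (without "Invalid authentication mechanism") + normal.
mdpr-extra = (?:%(mdpr-auth)s|%(mdpr-normal)s)
mdre-extra = %(mdre-auth)s
             %(mdre-normal)s

# Mode "aggressive": auth (including "Invalid authentication mechanism") +
# normal + ddos.
mdpr-aggressive = (?:%(mdpr-auth)s|%(mdpr-normal)s|%(mdpr-ddos)s)
mdre-aggressive = %(mdre-auth2)s
                  %(mdre-normal)s

# Mode "errors": only the "too many errors after <CMD>" disconnects (Postfix
# parameter smtpd_hard_error_limit); see the jail example below.
mdpr-errors = too many errors after \S+
mdre-errors = ^from [^[]*\[<HOST>\]%(_port)s$

failregex = <mdre-<mode>>

# Parameter "mode": more (default, combines normal and rbl), auth, normal, rbl, ddos, extra or aggressive (combines all)
# Usage example (for jail.local):
# [postfix]
# mode = aggressive
#
# # or another jail (rewrite filter parameters of jail):
# [postfix-rbl]
# filter = postfix[mode=rbl]
#
# # jail to match "too many errors", related postconf `smtpd_hard_error_limit`:
# # (normally included in other modes (normal, more, extra, aggressive), but this jail would allow to ban on the first message)
# [postfix-many-errors]
# filter = postfix[mode=errors]
# maxretry = 1
#
mode = more

# No log lines are ignored by default.  Trusted hosts belong in the jail's
# "ignoreip" rather than here; ignoreregex is for log-line patterns only.
ignoreregex =
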
[Init]

# Restrict journal reading (systemd journal backend) to the default Postfix unit.
# NOTE(review): _daemon above also accepts "postfix-<instance>/..." daemons, but
# this match only covers postfix.service -- a multi-instance setup presumably
# needs journalmatch overridden in jail.local to its own unit name(s).
journalmatch = _SYSTEMD_UNIT=postfix.service

# Author: Cyril Jaquier