samwiseetc/fail2ban/filter.d/sendmail-auth.conf

# Fail2Ban filter for sendmail authentication failures
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = (?:sendmail|sm-(?:mta|acceptingconnections))
# "\w{14,20}" will give support for IDs from 14 up to 20 characters long
__prefix_line = %(known/__prefix_line)s(?:\w{14,20}: )?
addr = (?:IPv6:<IP6>|<IP4>)

prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID><F-CONTENT>.+</F-CONTENT>$

failregex = ^(\S+ )?\[%(addr)s\]( \(may be forged\))?: possible SMTP attack: command=AUTH, count=\d+$
            ^AUTH failure \(LOGIN\):(?: [^:]+:)? authentication failure: checkpass failed, user=<F-USER>(?:\S+|.*?)</F-USER>, relay=(?:\S+ )?\[%(addr)s\](?: \(may be forged\))?$
ignoreregex =

journalmatch = _SYSTEMD_UNIT=sendmail.service

# DEV Notes:
#
# Author: Daniel Black
Initial recommit 2 years ago			`# Fail2Ban filter for sendmail authentication failures`
			`#`

			`[INCLUDES]`

			`before = common.conf`

			`[Definition]`

			`_daemon = (?:sendmail\|sm-(?:mta\|acceptingconnections))`
			`# "\w{14,20}" will give support for IDs from 14 up to 20 characters long`
			`__prefix_line = %(known/__prefix_line)s(?:\w{14,20}: )?`
			`addr = (?:IPv6:<IP6>\|<IP4>)`

			`prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID><F-CONTENT>.+</F-CONTENT>$`

			`failregex = ^(\S+ )?\[%(addr)s\]( \(may be forged\))?: possible SMTP attack: command=AUTH, count=\d+$`
			`^AUTH failure \(LOGIN\):(?: [^:]+:)? authentication failure: checkpass failed, user=<F-USER>(?:\S+\|.*?)</F-USER>, relay=(?:\S+ )?\[%(addr)s\](?: \(may be forged\))?$`
			`ignoreregex =`

			`journalmatch = _SYSTEMD_UNIT=sendmail.service`

			`# DEV Notes:`
			`#`
			`# Author: Daniel Black`