I have a postfix postqueue Amavis filter set up to do A/V scanning.

Right now, it's configured to DISCARD virus-tagged content.

It works as far as detection and discard goes.

I want to run fail2ban over the Postfix logs to identify the IP of the virus 
sender, and set a firewall block for a while.

But if you look at the log for the postqueue filter's rejection message at 
postscreen, it does NOT have the IP address.

Other log lines have it, but not the one reject message.

        Apr 11 04:24:08 mail01 postfix/postscreen[7312]: CONNECT from [104.44.131.209]:1024 to [192.0.1.17]:25
        Apr 11 04:24:14 mail01 postfix/postscreen[7312]: PASS NEW [104.44.131.209]:1024
        Apr 11 04:24:14 mail01 postfix/psint/smtpd[7319]: connect from ldoquy20.cloudapp.net[104.44.131.209]
        Apr 11 04:24:15 mail01 postfix/psint/smtpd[7319]: NOQUEUE: client=ldoquy20.cloudapp.net[104.44.131.209]
        Apr 11 04:24:15 mail01 postfix/postqreturn/smtpd[7326]: connect from localhost[127.0.0.1]
        Apr 11 04:24:15 mail01 postfix/postqreturn/smtpd[7326]: 4ql0LCJHvGz3J39: client=localhost[127.0.0.1]
        Apr 11 04:24:15 mail01 postfix/cleanup[7327]: 4ql0LCJHvGz3J39: message-id=<[email protected]>
        Apr 11 04:24:16 mail01 postfix/qmgr[20856]: 4ql0LCJHvGz3J39: from=<[email protected]>, size=3301, nrcpt=1 (queue active)
>>      Apr 11 04:24:16 mail01 postfix/psint/smtpd[7319]: proxy-accept: END-OF-MESSAGE: 250 2.7.0 Ok, discarded, id=06097-01 - INFECTED: Porcupine.Malware.36603.UNOFFICIAL; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<ldoquy20.cloudapp.net>
        Apr 11 04:24:16 mail01 postfix/psint/smtpd[7319]: disconnect from ldoquy20.cloudapp.net[104.44.131.209] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5

This is different from the other Postfix log messages that show a REJECT. They 
have the IP address and I can act on it directly in a fail2ban-detected line.

How do I reliably get the fail2ban-actionable IP out of this one-line match, 
and into a filter?

I'm not sure if it's Postfix, Amavis and/or Fail2ban config.

Jason
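An added example, not code from Jason's post and not part of fail2ban, Postfix or Amavis: fail2ban's filters match one log line at a time, so a line that carries no IP can only be made actionable by correlating it with another line. In the excerpt above the "connect from host[IP]" and "disconnect from host[IP]" lines come from the same smtpd process (same pid, 7319) as the "discarded ... INFECTED" line. The script below reads a log, remembers the client IP per smtpd pid from each "connect from" line, forgets it on "disconnect from" (so a reused pid is never attributed to the wrong client), and for each discarded-INFECTED line emits one synthetic line that does contain the IP, which a fail2ban filter can then match in the usual single-line way. The sample log lines, the `amavis-virus-correlate:` line format and the failregex are constructed for this example; the IPs are documentation addresses.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample log (example data, not the poster's real log): two smtpd
# processes interleaved, a clean client on pid 7001 and a client whose message
# Amavis discarded as INFECTED on pid 7002.
SAMPLE_LOG = """\
Apr 11 04:24:14 mail01 postfix/psint/smtpd[7001]: connect from clean.example.net[192.0.2.10]
Apr 11 04:24:14 mail01 postfix/psint/smtpd[7002]: connect from bad.example.org[198.51.100.23]
Apr 11 04:24:15 mail01 postfix/psint/smtpd[7001]: NOQUEUE: client=clean.example.net[192.0.2.10]
Apr 11 04:24:15 mail01 postfix/psint/smtpd[7002]: NOQUEUE: client=bad.example.org[198.51.100.23]
Apr 11 04:24:16 mail01 postfix/psint/smtpd[7001]: proxy-accept: END-OF-MESSAGE: 250 2.0.0 Ok: queued as A1B2C3D4E5 from=<a@example.net> to=<b@example.com> proto=ESMTP helo=<clean.example.net>
Apr 11 04:24:16 mail01 postfix/psint/smtpd[7002]: proxy-accept: END-OF-MESSAGE: 250 2.7.0 Ok, discarded, id=06097-01 - INFECTED: Eicar-Test-Signature; from=<x@example.org> to=<b@example.com> proto=ESMTP helo=<bad.example.org>
Apr 11 04:24:16 mail01 postfix/psint/smtpd[7002]: disconnect from bad.example.org[198.51.100.23] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Apr 11 04:24:17 mail01 postfix/psint/smtpd[7001]: disconnect from clean.example.net[192.0.2.10] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
"""

# Common prefix "postfix/<instance>/smtpd[<pid>]: " (the instance part, e.g. psint, is optional).
SMTPD = r"postfix/(?:[\w-]+/)?smtpd\[(?P<pid>\d+)\]: "
CONNECT_RE = re.compile(SMTPD + r"connect from \S+\[(?P<ip>[0-9A-Fa-f.:]+)\]")
DISCONNECT_RE = re.compile(SMTPD + r"disconnect from ")
INFECTED_RE = re.compile(
    SMTPD + r"proxy-accept: END-OF-MESSAGE: 250 \S+ Ok, discarded, "
    r"id=(?P<id>[\w-]+) - INFECTED: (?P<sig>.+?);"
)


def find_infected_senders(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, amavis_id, signature) for every 'discarded ... INFECTED'
    line, attributing the IP through the same smtpd pid's preceding 'connect from'."""
    client_by_pid: Dict[str, str] = {}
    hits: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            client_by_pid[m["pid"]] = m["ip"]  # this smtpd is now serving this client
            continue
        m = INFECTED_RE.search(line)
        if m:
            ip = client_by_pid.get(m["pid"])
            if ip is not None:  # no connect line seen (e.g. log rotation): skip, never guess
                hits.append((ip, m["id"], m["sig"]))
            continue
        m = DISCONNECT_RE.search(line)
        if m:
            client_by_pid.pop(m["pid"], None)  # session over; the pid may be reused later
    return hits


def to_fail2ban_line(ip: str, amavis_id: str, signature: str) -> str:
    """One self-contained line carrying the IP, to be appended to a log that fail2ban
    watches. The 'amavis-virus-correlate' tag and layout are this example's own convention."""
    return f"amavis-virus-correlate: client=[{ip}] id={amavis_id} sig={signature}"


# The matching fail2ban-style failregex; in a real filter the address group would be
# fail2ban's <HOST> placeholder, approximated here by a named group.
FAILREGEX = re.compile(r"amavis-virus-correlate: client=\[(?P<host>[0-9A-Fa-f.:]+)\]")


def matches_failregex(line: str) -> Optional[str]:
    """Return the host a fail2ban filter would extract from the synthetic line, or None."""
    m = FAILREGEX.search(line)
    return m["host"] if m else None


if __name__ == "__main__":
    for ip, amavis_id, sig in find_infected_senders(SAMPLE_LOG):
        print(to_fail2ban_line(ip, amavis_id, sig))
```

Run as a script it prints one `amavis-virus-correlate:` line for the discarded message, attributed to 198.51.100.23 and not to the clean client that was connected at the same time. The per-pid state is dropped on "disconnect from" deliberately: smtpd pids are reused, and a banned address must come from the session that actually delivered the infected message, so an INFECTED line with no live "connect from" for its pid is skipped rather than guessed.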

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
