Thanks Nick & Graham — I have this working now and wanted to provide some quick 
notes for those who might walk down this path in the future:

RE can be tested using the “fail2ban-regex” command — I found this incredibly 
helpful.
New RE and mode changes can be placed into the desired [ FILTER ].local file.  
In my case, this was the postfix.local file.  In fact, I would think this is 
preferred so as to leave all of the *.conf files as is.
I was able to create a new mode (must include both 'mdpr' & 'mdre') and enable 
it in my postfix.local file.  No changes to the postfix.conf file were required.
It is important to not forget the 'mdpr' piece of this.  That is what was 
missing from the code I posted earlier.
Here is the code I used:

[Definition]

mdpr-auth3 = warning:
mdre-auth3 = ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:

mode = auth3


Have fun...



> On Jul 6, 2020, at 2:18 AM, Nick Howitt <n...@howitts.co.uk> wrote:
> 
> 
> 
> On 06/07/2020 09:41, Graham wrote:
>> On Mon, 6 Jul 2020, Antonio Leding wrote:
>> 
>>> Date: Mon, 6 Jul 2020 04:38:14
>>> From: Antonio Leding <t...@leding.net>
>>> To: fail2ban-users@lists.sourceforge.net
>>> Subject: [Fail2ban-users] Parsing "Invalid authentication mechanism" in
>>>     postfix
>>> 
>>> I have a Postfix + fail2ban configured to ban when it encounters SASL auth
>>> errors. While most SASL errors do result in a ban, the following does not:
>>> "SASL LOGIN authentication failed: Invalid authentication mechanism"
>>> 
>> ...
>>> mdre-auth = ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server| Invalid authentication mechanism)
>> 
>> ...
>> 
>> Hello Antonio,
>> 
>>     I cannot test my thinking, but I see "-MD5" in the regular expression, 
>> but not in the sample that you gave - hence the expression would match 
>> "LOGIN-MD5" but not "LOGIN auth ...".
>> 
>>     I hope this helps you,
> I find the level/overrides in the postfix filter confusing at the best of 
> times, but, having another go at it, the mdre-auth filter is only triggered 
> if you set mode to mdre-extra. For mdre-auth2 you need mode = mdre-aggressive.
> If you set mdre-auth3, it will never be included anywhere unless you adjust 
> the modes. I think all you want is in the mdre-auth2 filter, so you just want 
> to enable the aggressive mode.
> 
> As far as I can see the MD5 bit is a red herring as it belongs to the 
> (?:CRAM|DIGEST) part of the regex only.
> 
> In the mdre-auth regex the (?! Connection lost to authentication server| 
> Invalid authentication mechanism) is a negative lookahead, so at least 
> excludes "Connection lost to authentication server" and may also exclude your 
> "Invalid authentication mechanism", but it is pushing my regex knowledge. If 
> I am right then just enabling mdre-auth2 will be good enough.
> 
> Regards,
> 
> Nick
> 
> 
> 
> _______________________________________________
> Fail2ban-users mailing list
> Fail2ban-users@lists.sourceforge.net 
> <mailto:Fail2ban-users@lists.sourceforge.net>
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users 
> <https://lists.sourceforge.net/lists/listinfo/fail2ban-users>
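
Added example, not part of the original thread and not fail2ban's own code: a Python check of how the quoted mdre-auth regex (with its negative lookahead) and the mdre-auth3 regex (without it) treat constructed Postfix log lines. Assumptions: <HOST> is replaced by a simplified IPv4 group, %(_port)s by an optional ":port", the inline (?i) is scoped as (?i:...) so current Python accepts it, and the 'mdpr' prefix is modelled as a plain "warning: " split.

```python
import re

# Stand-ins for fail2ban's substitutions (assumptions, simplified).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"   # fail2ban's real <HOST> is broader
PORT = r"(?::\d+)?"                            # assumed expansion of %(_port)s
# A bare (?i) mid-pattern is rejected by Python 3.11+, so it is scoped here.
MECH = r"(?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5)"
BASE = r"^[^[]*\[" + HOST + r"\]" + PORT + r": SASL " + MECH + r" authentication failed:"

# mdre-auth as quoted in the thread: the lookahead skips two failure reasons.
MDRE_AUTH = re.compile(
    BASE + r"(?! Connection lost to authentication server| Invalid authentication mechanism)"
)
# mdre-auth3 from the top message: same regex, lookahead removed.
MDRE_AUTH3 = re.compile(BASE)
MDPR = "warning: "  # the 'mdpr' prefix; the failregex sees only what follows it

# Constructed sample lines (documentation addresses, not real log data).
SAMPLES = [
    "Jul  6 04:30:01 mail postfix/smtpd[1234]: warning: unknown[192.0.2.10]: "
    "SASL LOGIN authentication failed: Invalid authentication mechanism",
    "Jul  6 04:30:02 mail postfix/smtpd[1234]: warning: unknown[192.0.2.11]: "
    "SASL PLAIN authentication failed: UGFzc3dvcmQ6",
    "Jul  6 04:30:03 mail postfix/smtpd[1234]: warning: unknown[192.0.2.12]: "
    "SASL CRAM-MD5 authentication failed: Connection lost to authentication server",
    "Jul  6 04:30:04 mail postfix/smtpd[1234]: warning: unknown[192.0.2.13]:52044: "
    "SASL login authentication failed: UGFzc3dvcmQ6",
    "Jul  6 04:30:05 mail postfix/smtpd[1234]: connect from unknown[192.0.2.14]",
]

def matched_hosts(regex, lines):
    """Return the host of every line that passes the prefix and the regex."""
    hosts = []
    for line in lines:
        _, sep, content = line.partition(MDPR)
        if not sep:
            continue  # no 'warning:' prefix, so the failregex is never tried
        m = regex.search(content)
        if m:
            hosts.append(m.group("host"))
    return hosts

if __name__ == "__main__":
    print("mdre-auth :", matched_hosts(MDRE_AUTH, SAMPLES))
    print("mdre-auth3:", matched_hosts(MDRE_AUTH3, SAMPLES))
```

With the lookahead removed, "Connection lost to authentication server" lines also count as failures, so an outage of the authentication backend can produce matches for legitimate clients.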