Hi

Overall my fail2ban and sendmail-auth works as expected.

However, I have a problem with *SOME* of my users: they authenticate, can send the email and then are put in jail. The rule that is triggered is the "(may be forged)" one, as some of the ISPs cannot set their lookups properly.

   failregex = \[<HOST>\] \(may be forged\)
               \[<HOST>\] .*to MTA
               \[<HOST>\], reject.*\.\.\. Relaying denied
               authentication failure: checkpass failed, relay=\[<HOST>\]

Below are the ones that show up when sending ONE email (I killed many lines that aren't needed here):

   Jul 16 16:17:48 MYSERVER sendmail[26706]: STARTTLS=server, relay=220-253-126-200.tpgi.com.au [220.253.126.200] (may be forged), version=TLSv1, verify=NO, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128/128
   Jul 16 16:17:48 MYSERVER sendmail[26706]: AUTH=server, relay=220-253-126-200.tpgi.com.au [220.253.126.200] (may be forged), authid=USERNAME
   Jul 16 16:17:48 MYSERVER sendmail[26706]: AUTH=server, relay=220-253-126-200.tpgi.com.au [220.253.126.200] (may be forged), authid=USERNAME

If my users send one mail, then send another mail a few minutes later, they are put in jail as I have "maxretry=5".

I know I can set

   ignoreregex = .*tpgi.com.au \[<HOST>\] \(may be forged\).*

but I also read that "ignoreregex" takes a performance hit.
The rule(s) are NOT quite working yet, I am still trying to fine tune this.

Now my questions:

1. Is there a way to set something like "if they are authenticated
   don't bother to check other rules"?
2. Is there another way I can prevent the "(may be forged)" from
   triggering for certain situations?

thanks

--
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
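Added example, not part of the post and not fail2ban's own code: a small Python harness that replays the three sendmail lines from the post through the posted failregex and ignoreregex, in the spirit of fail2ban-regex, to show why one authenticated email already yields three hits against maxretry=5 and how the ignoreregex suppresses them. The <HOST> expansion is a simplified stand-in for fail2ban's real one.

```python
import re

# Constructed sample: the three lines the post shows for ONE email from an
# authenticated user whose reverse DNS does not match, so sendmail tags the
# session "(may be forged)".
LOG_LINES = [
    "Jul 16 16:17:48 MYSERVER sendmail[26706]: STARTTLS=server, relay=220-253-126-200.tpgi.com.au [220.253.126.200] (may be forged), version=TLSv1, verify=NO, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128/128",
    "Jul 16 16:17:48 MYSERVER sendmail[26706]: AUTH=server, relay=220-253-126-200.tpgi.com.au [220.253.126.200] (may be forged), authid=USERNAME",
    "Jul 16 16:17:48 MYSERVER sendmail[26706]: AUTH=server, relay=220-253-126-200.tpgi.com.au [220.253.126.200] (may be forged), authid=USERNAME",
]

# The failregex alternatives and the ignoreregex from the post, one per entry.
FAILREGEX = [
    r"\[<HOST>\] \(may be forged\)",
    r"\[<HOST>\] .*to MTA",
    r"\[<HOST>\], reject.*\.\.\. Relaying denied",
    r"authentication failure: checkpass failed, relay=\[<HOST>\]",
]
IGNOREREGEX = [r".*tpgi.com.au \[<HOST>\] \(may be forged\).*"]

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: fail2ban's
# real pattern also handles IPv6 and hostnames; an IPv4 in brackets is enough here).
HOST = r"(?P<host>[0-9.]+)"


def compile_f2b(patterns):
    return [re.compile(p.replace("<HOST>", HOST)) for p in patterns]


def count_failures(lines, failregex, ignoreregex=()):
    """Return {host: hits}, counting roughly as fail2ban does: a line that
    matches any failregex adds one hit for <host>, unless it also matches an
    ignoreregex, in which case it is skipped entirely."""
    fails = compile_f2b(failregex)
    ignores = compile_f2b(ignoreregex)
    hits = {}
    for line in lines:
        if any(rx.search(line) for rx in ignores):
            continue
        for rx in fails:
            m = rx.search(line)
            if m:
                hits[m.group("host")] = hits.get(m.group("host"), 0) + 1
                break
    return hits


if __name__ == "__main__":
    print(count_failures(LOG_LINES, FAILREGEX))               # {'220.253.126.200': 3}
    print(count_failures(LOG_LINES, FAILREGEX, IGNOREREGEX))  # {}
```

Three hits per email means a second email a few minutes later pushes the address past maxretry=5, which is exactly the behaviour described in the post.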
