On 17/07/2021 05:50, Jobst Schmalenbach wrote:
Hi

Overall my fail2ban and sendmail-auth works as expected.

However, I have a problem with *SOME* of my users: they authenticate, can send the email and then are put in jail. The rule that is triggered is the "(may be forged)" one, as some of the ISPs cannot set their lookups properly.

    failregex = \[<HOST>\] \(may be forged\)
                \[<HOST>\] .*to MTA
                \[<HOST>\], reject.*\.\.\. Relaying denied
                authentication failure: checkpass failed, relay=\[<HOST>\]

Below are the ones that show up when sending ONE email (I killed many lines that aren't needed here):

    Jul 16 16:17:48 MYSERVER sendmail[26706]: STARTTLS=server, relay=220-253-126-200.tpgi.com.au [220.253.126.200] (may be forged), version=TLSv1, verify=NO, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128/128
    Jul 16 16:17:48 MYSERVER sendmail[26706]: AUTH=server, relay=220-253-126-200.tpgi.com.au [220.253.126.200] (may be forged), authid=USERNAME
    Jul 16 16:17:48 MYSERVER sendmail[26706]: AUTH=server, relay=220-253-126-200.tpgi.com.au [220.253.126.200] (may be forged), authid=USERNAME

If my users send one mail, then send another mail a few minutes later they are put in jail as I have "maxretry=5".

I know I can set

    ignoreregex = .*tpgi.com.au \[<HOST>\] \(may be forged\).*

but I also read that "ignoreregex" takes a performance hit.
The rule(s) are NOT quite working yet, I am still trying to fine tune this.

Now my questions:

 1. Is there a way to set something like "if they are authenticated
    don't bother to check other rules"?
 2. Is there another way I can prevent the "(may be forged)" from
    triggering for certain situations?

thanks
Set up a filter .local file (sendmail.local?). In it just put:
[Definition]
failregex = \[<HOST>\] .*to MTA
            \[<HOST>\], reject.*\.\.\. Relaying denied
            authentication failure: checkpass failed, relay=\[<HOST>\]

i.e. leave out the top filter. This should override the default jail.

Which version of f2b are you using? My sendmail-auth filter with 0.11.1 looks nothing like yours.

Nick
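A dry run of the two filters from this thread against the quoted log lines, as an added example; it is not fail2ban's own code and not part of either message (the real tool for this check is fail2ban-regex). It tallies failures per host the way fail2ban does and shows why the stock filter's "(may be forged)" pattern is the problem: every STARTTLS/AUTH line of a legitimately authenticated session counts, so two emails at three lines each pass maxretry=5, whereas Nick's trimmed sendmail-auth.local and Jobst's ignoreregex both leave that host alone while still catching real checkpass failures, relay rejections and "to MTA" hits. Assumptions: the <HOST> stand-in and the syslog-prefix regex are simplified versions of what fail2ban uses internally, and the checkpass, "Relaying denied" and "to MTA" sample lines with the 198.51.100.23, 203.0.113.7 and 192.0.2.44 addresses are constructed for the illustration.

```python
"""Tally sendmail-auth failregex hits per host, fail2ban style, for the two
filter variants discussed in the thread.  Illustration only, not fail2ban code."""
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: adequate for
# the IPv4 addresses and hostnames in the samples below).
HOST = r"(?P<host>[\w.\-:]+)"

# Syslog prefix as it appears in the thread's lines.  fail2ban strips the date
# and daemon prefix itself; here one regex does it (assumption).
PREFIX = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sendmail\[\d+\]: (?P<msg>.*)$")

# The filter Jobst quoted: four patterns, one per line.
ORIGINAL_FAILREGEX = [
    r"\[<HOST>\] \(may be forged\)",
    r"\[<HOST>\] .*to MTA",
    r"\[<HOST>\], reject.*\.\.\. Relaying denied",
    r"authentication failure: checkpass failed, relay=\[<HOST>\]",
]

# Nick's sendmail-auth.local: the same list minus the "(may be forged)" pattern.
TRIMMED_FAILREGEX = ORIGINAL_FAILREGEX[1:]

# The ignoreregex Jobst considered.
IGNOREREGEX = [r".*tpgi.com.au \[<HOST>\] \(may be forged\).*"]

# Constructed sample log: the three lines from the thread (one sent email from an
# authenticated user whose ISP has mismatched reverse DNS), plus one genuine
# failure of each remaining kind.  The last three lines and their addresses are
# made up for this example.
SAMPLE_LOG = """\
Jul 16 16:17:48 MYSERVER sendmail[26706]: STARTTLS=server, relay=220-253-126-200.tpgi.com.au [220.253.126.200] (may be forged), version=TLSv1, verify=NO, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128/128
Jul 16 16:17:48 MYSERVER sendmail[26706]: AUTH=server, relay=220-253-126-200.tpgi.com.au [220.253.126.200] (may be forged), authid=USERNAME
Jul 16 16:17:48 MYSERVER sendmail[26706]: AUTH=server, relay=220-253-126-200.tpgi.com.au [220.253.126.200] (may be forged), authid=USERNAME
Jul 16 16:20:03 MYSERVER sendmail[26790]: 16G6K3aa026790: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[198.51.100.23]
Jul 16 16:21:11 MYSERVER sendmail[26801]: 16G6LBbb026801: ruleset=check_rcpt, arg1=<victim@example.org>, relay=[203.0.113.7], reject=550 5.7.1 <victim@example.org>... Relaying denied
Jul 16 16:22:30 MYSERVER sendmail[26815]: 16G6MUcc026815: scanner.example.net [192.0.2.44] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
"""


def compile_filter(patterns):
    """Expand <HOST> and compile each pattern, preserving filter order."""
    return [re.compile(p.replace("<HOST>", HOST)) for p in patterns]


def count_failures(log, failregex, ignoreregex=()):
    """Return {host: failures}.  A line counts once when any failregex matches
    it and no ignoreregex matches it, which is how fail2ban applies the pair."""
    fail = compile_filter(failregex)
    ignore = compile_filter(ignoreregex)
    hits = Counter()
    for line in log.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        msg = m.group("msg")
        for rx in fail:
            found = rx.search(msg)
            if found:
                if not any(ig.search(msg) for ig in ignore):
                    hits[found.group("host")] += 1
                break  # first matching failregex wins; one failure per line
    return dict(hits)


def banned_hosts(counts, maxretry=5):
    """Hosts whose failure count reached the jail's maxretry."""
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    # Two emails from the same user within findtime: the sample log twice.
    two_emails = SAMPLE_LOG + SAMPLE_LOG
    for name, rxs, ign in [("original", ORIGINAL_FAILREGEX, ()),
                           ("original+ignoreregex", ORIGINAL_FAILREGEX, IGNOREREGEX),
                           ("trimmed (Nick)", TRIMMED_FAILREGEX, ())]:
        counts = count_failures(two_emails, rxs, ign)
        print(f"{name:22s} {counts}  banned={banned_hosts(counts)}")
```

With the original filter the tpgi.com.au user accumulates six hits after two emails and is banned; with either the ignoreregex or the trimmed filter the count for that host is zero, and the three real failure lines are still attributed to their own hosts. Run it with `python3 dryrun.py`, or point fail2ban-regex at the real maillog and the .local filter to confirm against live data.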


_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users