Bug#812690: postfix SASL login failures are not detected
notfound 812690 0.11.2-2
fixed 812690 0.11.2-2
thanks

The rules are working in postfix.conf now, and postfix-sasl.conf is gone.
Bug#812690: postfix SASL login failures are not detected
Hi,

Seems this is a slightly wider issue, maybe with just postfix and postfix-sasl filters. The regexes for the filters are missing the port after the host IP that it connects to, as this seems to be a new thing that is logged (well, not that I've noticed previously).

The "fix" or workaround for this was to add (\d*?:)? after \[<HOST>\]: in the two filter conf files.

So for fuller context, the postfix-sasl.conf failregex line would change from:

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$

to

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]:(\d*?:)? SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$

There may be more .conf files that might need the regex updated too.

HTH

Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt20-1+deb8u3 (2016-01-17) x86_64 GNU/Linux
libc6:amd64 2.19-18+deb8u3
sasl2-bin 2.1.26.dfsg1-13
postfix 2.11.3-1

--
Thanks
Paul Dean.
"Life is not WHAT you make it, it's WHO you have in it..."
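The effect of the change proposed in the message above, as an added example that is not part of the thread or of fail2ban's own code: it runs the two failregex lines, before and after the `(\d*?:)?` addition, over constructed log lines with and without a client port. `PREFIX` and `HOST` are simplified stand-ins assumed here for fail2ban's `%(__prefix_line)s` and `<HOST>` expansions, and the sample lines and addresses are constructed.

```python
import re

# Assumption: simplified stand-ins for fail2ban's own expansions of
# %(__prefix_line)s and <HOST>; the real ones are more elaborate.
PREFIX = r"(?:\S+\s+)*postfix/smtpd\[\d+\]:\s+"
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Shared tail of the postfix-sasl failregex quoted in the thread.
TAIL = (r" SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
        r"(: [ A-Za-z0-9+/]*={0,2})?\s*$")
BEFORE = r"^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]:" + TAIL
AFTER = r"^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]:(\d*?:)?" + TAIL

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LINES = [
    # no client port after the bracketed address
    "Jan 25 22:25:05 mail postfix/smtpd[17942]: warning: "
    "unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    # client port logged after the bracketed address
    "Jan 25 22:25:23 mail postfix/smtpd[17942]: warning: "
    "unknown[198.51.100.8]:52814: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Jan 25 22:25:43 mail postfix/smtpd[17942]: warning: "
    "host.example[203.0.113.9]:40022: SASL PLAIN authentication failed: UGFzc3dvcmQ6",
    # unrelated line that must never count as a failure
    "Jan 25 22:26:01 mail postfix/smtpd[17942]: disconnect from unknown[198.51.100.7]",
]


def compile_failregex(failregex):
    """Expand the two fail2ban placeholders and compile the result."""
    expanded = failregex.replace("%(__prefix_line)s", PREFIX)
    return re.compile(expanded.replace("<HOST>", HOST))


def failed_hosts(failregex, lines):
    """Return the host captured from every line the failregex matches."""
    rx = compile_failregex(failregex)
    return [m.group("host") for m in map(rx.search, lines) if m]


if __name__ == "__main__":
    for name, rx in (("before", BEFORE), ("after", AFTER)):
        print(name, failed_hosts(rx, SAMPLE_LINES))
```

With the original pattern only the line without a port yields a host, so failures logged with a port never reach the ban counter.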
Bug#812690: postfix SASL login failures are not detected
Package: fail2ban
Version: 0.8.13-1

(Same as bug #507990 which results fixed, but seems it's not :) )

When using postfix with dovecot as the SASL authenticator, fail2ban fails to detect auth errors such as this one:

BEGINS
Jan 25 22:25:05 postfix/submission/smtpd[17942]: warning: unknown[198.50.137.148]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 25 22:25:23 postfix/submission/smtpd[17942]: warning: unknown[198.50.137.148]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 25 22:25:43 postfix/submission/smtpd[17942]: warning: unknown[198.50.137.148]: SASL LOGIN authentication failed: Connection lost to authentication server
END-

The current regex does not match:

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$

This one (as suggested by Udo Rader in relation to bug#507990) does:

: warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed: \w+

Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt20-1+deb8u1 (2015-12-14) x86_64 GNU/Linux
Libc6: Version: 2.19-18+deb8u1

--
David Galligani