I have these files in my mail.log file:

Feb  9 11:57:50 ctrl-01 postfix/smtpd[21155]: NOQUEUE: reject: RCPT from unknown[185.143.223.170]: 454 4.7.1 <ian@restaurantlesbeatilles.com>: Relay access denied; from=<f86e41m50ljqs@artist-oil.ru> to=<ian@restaurantlesbeatilles.com> proto=ESMTP helo=<[185.143.223.97]>
Feb  9 11:57:50 ctrl-01 postfix/smtpd[21155]: NOQUEUE: reject: RCPT from unknown[185.143.223.170]: 454 4.7.1 <david@restaurantlesbeatilles.com>: Relay access denied; from=<f86e41m50ljqs@artist-oil.ru> to=<david@restaurantlesbeatilles.com> proto=ESMTP helo=<[185.143.223.97]>
Feb  9 11:57:50 ctrl-01 postfix/smtpd[21155]: NOQUEUE: reject: RCPT from unknown[185.143.223.170]: 454 4.7.1 <chris@restaurantlesbeatilles.com>: Relay access denied; from=<f86e41m50ljqs@artist-oil.ru> to=<chris@restaurantlesbeatilles.com> proto=ESMTP helo=<[185.143.223.97]>
Feb  9 11:57:51 ctrl-01 postfix/smtpd[21155]: NOQUEUE: reject: RCPT from unknown[185.143.223.170]: 454 4.7.1 <john@restaurantlesbeatilles.com>: Relay access denied; from=<f86e41m50ljqs@artist-oil.ru> to=<john@restaurantlesbeatilles.com> proto=ESMTP helo=<[185.143.223.97]>
Feb  9 11:57:52 ctrl-01 postfix/smtpd[21155]: NOQUEUE: reject: RCPT from unknown[185.143.223.170]: 454 4.7.1 <mike@restaurantlesbeatilles.com>: Relay access denied; from=<f86e41m50ljqs@artist-oil.ru> to=<mike@restaurantlesbeatilles.com> proto=ESMTP helo=<[185.143.223.97]>

I have this in my /etc/fail2ban/filter.d/postfix.conf

failregex = reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
            reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
            reject: RCPT from (.*)\[<HOST>\]: 454 4.7.1
            reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1

However, when I check the regex, it does not match anything:

$ fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf

Running tests
=============

Use   failregex filter file : postfix, basedir: /etc/fail2ban
Use      datepattern : Default Detectors
Use         log file : /var/log/mail.log
Use         encoding : UTF-8


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [10000] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 10000 lines, 0 ignored, 0 matched, 10000 missed
[processed in 0.60 sec]

Any ideas why that could be?

Update: I'm on ubuntu 18.04.04 LTS Server - stock fail2ban version 0.10.2-2

Update 2: I made some progress and if I comment out this line, then it matches:

prefregex = ^%(__prefix_line)s<mdpr-<mode>> <F-CONTENT>.+</F-CONTENT>$

But I would like to fix the problem rather than add a hack.

1 Answer

When prefregex is present, fail2ban first drops the log lines which do not match the prefregex and then matches failregex against the content of <F-CONTENT>. Since the postgres filter contains:

prefregex = ^%(__prefix_line)s<mdpr-<mode>> <F-CONTENT>.+</F-CONTENT>$
mdpr-normal = (?:NOQUEUE: reject:|improper command pipelining after \S+)

after application of the prefregex, the content will be:

RCPT from unknown[185.143.223.170]: 454 4.7.1 <ian@restaurantlesbeatilles.com>: Relay access denied; from=<f86e41m50ljqs@artist-oil.ru> to=<ian@restaurantlesbeatilles.com> proto=ESMTP helo=<[185.143.223.97]>
RCPT from unknown[185.143.223.170]: 454 4.7.1 <david@restaurantlesbeatilles.com>: Relay access denied; from=<f86e41m50ljqs@artist-oil.ru> to=<david@restaurantlesbeatilles.com> proto=ESMTP helo=<[185.143.223.97]>
RCPT from unknown[185.143.223.170]: 454 4.7.1 <chris@restaurantlesbeatilles.com>: Relay access denied; from=<f86e41m50ljqs@artist-oil.ru> to=<chris@restaurantlesbeatilles.com> proto=ESMTP helo=<[185.143.223.97]>
RCPT from unknown[185.143.223.170]: 454 4.7.1 <john@restaurantlesbeatilles.com>: Relay access denied; from=<f86e41m50ljqs@artist-oil.ru> to=<john@restaurantlesbeatilles.com> proto=ESMTP helo=<[185.143.223.97]>
RCPT from unknown[185.143.223.170]: 454 4.7.1 <mike@restaurantlesbeatilles.com>: Relay access denied; from=<f86e41m50ljqs@artist-oil.ru> to=<mike@restaurantlesbeatilles.com> proto=ESMTP helo=<[185.143.223.97]>

and you need to drop the reject: part of your regular expressions:

failregex = RCPT from (.*)\[<HOST>\]: 550 5.1.1
            RCPT from (.*)\[<HOST>\]: 450 4.7.1
            RCPT from (.*)\[<HOST>\]: 454 4.7.1
            RCPT from (.*)\[<HOST>\]: 554 5.7.1
Piotr P. Karwasz
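As an added illustration (not part of the answer above and not fail2ban's own code), the following Python script mimics the two-stage matching the answer describes: the prefregex is applied to the whole line, the part captured by <F-CONTENT> becomes the text the failregex is searched in, and <HOST> is expanded to a named group. The prefix pattern is a deliberately simplified stand-in for %(__prefix_line)s (the real one in common.conf is far more general), the <HOST> expansion is the pattern fail2ban uses for it as I know it, and the log sample is constructed from three of the question's lines plus one unrelated "connect from" line so that a prefregex drop is also visible.

```python
import re

# Constructed sample: three of the question's postfix/smtpd reject lines plus
# one unrelated "connect from" line (203.0.113.5 is a documentation address).
SAMPLE_LOG = """\
Feb  9 11:57:50 ctrl-01 postfix/smtpd[21155]: NOQUEUE: reject: RCPT from unknown[185.143.223.170]: 454 4.7.1 <ian@restaurantlesbeatilles.com>: Relay access denied; from=<f86e41m50ljqs@artist-oil.ru> to=<ian@restaurantlesbeatilles.com> proto=ESMTP helo=<[185.143.223.97]>
Feb  9 11:57:50 ctrl-01 postfix/smtpd[21155]: NOQUEUE: reject: RCPT from unknown[185.143.223.170]: 454 4.7.1 <david@restaurantlesbeatilles.com>: Relay access denied; from=<f86e41m50ljqs@artist-oil.ru> to=<david@restaurantlesbeatilles.com> proto=ESMTP helo=<[185.143.223.97]>
Feb  9 11:57:52 ctrl-01 postfix/smtpd[21155]: NOQUEUE: reject: RCPT from unknown[185.143.223.170]: 454 4.7.1 <mike@restaurantlesbeatilles.com>: Relay access denied; from=<f86e41m50ljqs@artist-oil.ru> to=<mike@restaurantlesbeatilles.com> proto=ESMTP helo=<[185.143.223.97]>
Feb  9 11:58:01 ctrl-01 postfix/smtpd[21155]: connect from unknown[203.0.113.5]
"""

# Simplified stand-in for %(__prefix_line)s (assumption, not fail2ban's real
# definition): optional syslog timestamp, hostname, then "postfix/smtpd[pid]: ".
PREFIX_LINE = r"(?:\S+\s+\d+\s+\d+:\d+:\d+\s+)?\S+\s+postfix/smtpd\[\d+\]:\s+"

# The prefregex and mdpr-normal exactly as quoted in the answer.
PREFREGEX = r"^%(__prefix_line)s<mdpr-<mode>> <F-CONTENT>.+</F-CONTENT>$"
MDPR_NORMAL = r"(?:NOQUEUE: reject:|improper command pipelining after \S+)"

# What fail2ban substitutes for <HOST> (optional IPv4-mapped prefix, named group).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The question's original failregex list and the answer's corrected one.
ORIGINAL_FAILREGEX = [
    r"reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1",
    r"reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1",
    r"reject: RCPT from (.*)\[<HOST>\]: 454 4.7.1",
    r"reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1",
]
FIXED_FAILREGEX = [
    r"RCPT from (.*)\[<HOST>\]: 550 5.1.1",
    r"RCPT from (.*)\[<HOST>\]: 450 4.7.1",
    r"RCPT from (.*)\[<HOST>\]: 454 4.7.1",
    r"RCPT from (.*)\[<HOST>\]: 554 5.7.1",
]


def expand_prefregex(pref):
    """Turn the filter-file prefregex into a real regex with a 'content' group."""
    pref = pref.replace("%(__prefix_line)s", PREFIX_LINE)
    pref = pref.replace("<mdpr-<mode>>", MDPR_NORMAL)      # mode = normal
    pref = pref.replace("<F-CONTENT>", "(?P<content>")
    pref = pref.replace("</F-CONTENT>", ")")
    return re.compile(pref)


def expand_failregex(fr):
    """Replace the <HOST> tag with the named group fail2ban reads the IP from."""
    return re.compile(fr.replace("<HOST>", HOST_RE))


def apply_filter(log_text, failregexes, prefregex=PREFREGEX):
    """Return the hosts found, using fail2ban's two-stage matching order:
    prefregex on the full line first, then failregex on <F-CONTENT> only."""
    pre = expand_prefregex(prefregex)
    fails = [expand_failregex(f) for f in failregexes]
    hosts = []
    for line in log_text.splitlines():
        m = pre.match(line)
        if m is None:
            continue  # prefregex did not match: the line is dropped entirely
        content = m.group("content")  # everything after "NOQUEUE: reject: "
        for fr in fails:
            fm = fr.search(content)
            if fm:
                hosts.append(fm.group("host"))
                break
    return hosts


def summarize(log_text, failregexes, prefregex=PREFREGEX):
    """Matched/missed counts in the spirit of the fail2ban-regex summary line."""
    total = len(log_text.splitlines())
    matched = len(apply_filter(log_text, failregexes, prefregex))
    return {"matched": matched, "missed": total - matched}


if __name__ == "__main__":
    for name, regs in (("original", ORIGINAL_FAILREGEX), ("fixed", FIXED_FAILREGEX)):
        print(name, summarize(SAMPLE_LOG, regs), apply_filter(SAMPLE_LOG, regs))
```

Running it shows the original list matching nothing because the word "reject:" is consumed by the prefregex and never appears in the content the failregex sees, while the corrected list matches the three reject lines and extracts 185.143.223.170 from each; the "connect from" line is dropped by the prefregex before any failregex runs.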