On 06/07/2020 09:41, Graham wrote:
On Mon, 6 Jul 2020, Antonio Leding wrote:
Date: Mon, 6 Jul 2020 04:38:14
From: Antonio Leding <t...@leding.net>
To: fail2ban-users@lists.sourceforge.net
Subject: [Fail2ban-users] Parsing "Invalid authentication mechanism" in postfix
I have a Postfix + fail2ban configured to ban when it encounters SASL auth
errors. While most SASL errors do result in a ban, the following does not:
"SASL LOGIN authentication failed: Invalid authentication mechanism"
...
mdre-auth = ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server| Invalid authentication mechanism)
...
Hello Antonio,
I cannot test my thinking, but I see "-MD5" in the regular
expression, but not in the sample that you gave - hence the expression
would match "LOGIN-MD5" but not "LOGIN auth ...".
I hope this helps you,
I find the level/overrides in the postfix filter confusing at the best of
times, but, having another go at it, the mdre-auth filter is only
triggered if you set mode to mdre-extra. For mdre-auth2 you need mode =
mdre-aggressive.
If you set mdre-auth3, it will never be included anywhere unless you
adjust the modes. I think all you want is in the mdre-auth2 filter, so
you just want to enable the aggressive mode.
As far as I can see the MD5 bit is a red herring as it belongs to the
(?:CRAM|DIGEST) part of the regex only.
In the mdre-auth regex the (?! Connection lost to authentication server|
Invalid authentication mechanism) is a negative lookahead, so at least
excludes "Connection lost to authentication server" and may also exclude
your "Invalid authentication mechanism", but it is pushing my regex
knowledge. If I am right then just enabling mdre-auth2 will be good enough.
Regards,
Nick
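
The negative lookahead discussed in the replies above can be checked directly with Python's re module, which fail2ban itself uses. This is an added example, not part of the original thread or fail2ban's own code; the hand-written expansions of <HOST> and %(_port)s, the RELAXED variant and the sample lines are assumptions constructed for illustration.

```python
import re

# Pattern as quoted in the thread, with fail2ban's substitutions expanded by hand.
# Assumptions: <HOST> is reduced to a simple IPv4 capture and %(_port)s to an
# optional ":port"; fail2ban's own expansions are more general.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PORT = r"(?::\d+)?"
# The thread's "((?i)LOGIN|...)" is written as a scoped "(?i:...)" group because
# Python 3.11+ rejects a global inline flag that is not at the start of a pattern.
MECH = r"(?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5)"
HEAD = r"^[^[]*\[" + HOST + r"\]" + PORT + r": SASL " + MECH + r" authentication failed:"

MDRE_AUTH = re.compile(
    HEAD + r"(?! Connection lost to authentication server| Invalid authentication mechanism)"
)
# Hypothetical variant: same pattern with the second lookahead alternative removed.
RELAXED = re.compile(HEAD + r"(?! Connection lost to authentication server)")

# Constructed sample lines (message part only, documentation IP addresses).
SAMPLES = [
    "unknown[192.0.2.10]: SASL LOGIN authentication failed: Invalid authentication mechanism",
    "unknown[192.0.2.11]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "unknown[192.0.2.12]: SASL CRAM-MD5 authentication failed: authentication failure",
    "unknown[192.0.2.13]: SASL PLAIN authentication failed: Connection lost to authentication server",
]

def matched_host(pattern, line):
    """Return the captured host if the line would count as a failure, else None."""
    m = pattern.search(line)
    return m.group("host") if m else None

def report(samples=SAMPLES):
    """List (line, host under mdre-auth, host under the relaxed variant)."""
    return [(s, matched_host(MDRE_AUTH, s), matched_host(RELAXED, s)) for s in samples]

if __name__ == "__main__":
    for line, strict, relaxed in report():
        print(f"mdre-auth={strict!s:<12} relaxed={relaxed!s:<12} {line}")
```
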