Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

New jail for postfix: screendnsbl #3545

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

New jail for postfix: screendnsbl #3545

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
0d08fae
add trigger for postfix/postscreen DNSBL rank message
pbiering Jul 24, 2023
f57844e
add logline
pbiering Jul 24, 2023
ee789c2
fix as requested
pbiering Jan 16, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
4 changes: 4 additions & 0 deletions config/filter.d/postfix.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,10 @@ mdre-aggressive = %(mdre-auth2)s
mdpr-errors = too many errors after \S+
mdre-errors = ^from [^[]*\[<HOST>\]%(_port)s$

# Extra mode "screendnsbl", triggered on postfix/postscreen[<PID>]: DNSBL rank <NUM> for [<HOST>]:<PORT>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess it is wrong mode name for DNS-based Blackhole List, correct would be dnsbl, but much better why not combine it with rbl?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

intention was to implement an optional feature, not extending/overwriting existing definitions leading to by others unexpected behavior

mdpr-screendnsbl = DNSBL rank \d+
mdre-screendnsbl = ^for \[<HOST>\]%(_port)s


failregex = <mdre-<mode>>

Expand Down
10 changes: 10 additions & 0 deletions config/jail.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -599,6 +599,16 @@ backend = %(postfix_backend)s
maxretry = 1


[postfix-screendnbl]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm still unsure it'd really expect a new jail.
I know there is one for RBL, but it is more for backwards compatibility reasons, however obsolete since mode rbl is included in mode normal too.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

intention was to implement an optional feature, not extending/overwriting existing definitions leading to by others unexpected behavior


filter = postfix[mode=screendnsbl]
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s
maxretry = 1
bantime = 4h


[sendmail-auth]

port = submission,465,smtp
Expand Down
9 changes: 9 additions & 0 deletions fail2ban/tests/files/logs/postfix
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -178,3 +178,12 @@ Jun 8 23:14:54 proxy2 postfix/postscreen[473]: COMMAND COUNT LIMIT from [192.0.
# filterOptions: [{}, {"mode": "ddos"}, {"mode": "aggressive"}]
# failJSON: { "match": false, "desc": "don't affect lawful data (sporadical connection aborts within DATA-phase, see gh-1813 for discussion)" }
Feb 18 09:50:05 xxx postfix/smtpd[42]: lost connection after DATA from good-host.example.com[192.0.2.10]


# ---------------------------------------
# Test-cases of postfix screendnsbl mode:
# ---------------------------------------

# filterOptions: [{"mode": "screendnsbl"}]
# failJSON: { "time": "2023-07-01T03:55:34", "match": true , "host": "192.0.2.30" }
Jul 1 03:55:34 xxx postfix/postscreen[188902]: DNSBL rank 6 for [192.0.2.30]:52340