Your message dated Sat, 23 Oct 2021 16:26:57 +0200
with message-id <[email protected]>
and subject line 
has caused the Debian Bug report #979423,
regarding fail2ban: Dovecot's submission default logging errors are not handled
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
979423: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=979423
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: fail2ban
Version: 0.10.2-2.1
Severity: normal
Tags: patch
X-Debbugs-Cc: [email protected]

Dear Maintainer,

I am using Dovecot's submission system, which is not the more famous way
of using dovecot.

It appears that fail2ban's dovecot filter doesn't handle
submission's logging format (fail2ban and dovecot, released with buster).

The latter looks like:
janv. 06 14:53:12 mx1 dovecot[21994]: submission-login: Remote closed connection (auth failed, 1 attempts in 7 secs): ...

Rather than:
Jan  5 16:43:55 mx1 dovecot: imap-login: Disconnected (auth failed, 3 attempts in 14 secs): ...


I locally fixed it by trivially altering the fail2ban dovecot filter:

diff --git a/fail2ban/filter.d/dovecot.conf b/fail2ban/filter.d/dovecot.conf
index 2019a16..71df301 100644
--- a/fail2ban/filter.d/dovecot.conf
+++ b/fail2ban/filter.d/dovecot.conf
@@ -10,10 +10,10 @@ before = common.conf
 _auth_worker = (?:dovecot: )?auth(?:-worker)?
 _daemon = (?:dovecot(?:-auth)?|auth)

-prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: 
)?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: |(?:pop3|imap)-login: )?(?:Info: 
)?<F-CONTENT>.+</F-CONTENT>$
+prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: 
)?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: |(?:pop3|imap|submission)-login: 
)?(?:Info: )?<F-CONTENT>.+</F-CONTENT>$

 failregex = ^authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot 
ruser=\S* rhost=<HOST>(?:\s+user=\S*)?\s*$
-            ^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth 
failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ 
auth)\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, 
session=<\S+>)?)\s*$
+            ^(?:Aborted login|Disconnected|Remote closed connection)(?::(?: [^ 
\(]+)+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use 
(?:disabled|disallowed) \S+ auth)\):(?: user=<[^>]*>,)?(?: method=\S+,)? 
rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
             ^pam\(\S+,<HOST>(?:,\S*)?\): pam_authenticate\(\) failed: (?:User 
not known to the underlying authentication module: \d+ Time\(s\)|Authentication 
failure \(password mismatch\?\)|Permission denied)\s*$
             ^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:unknown user|invalid 
credentials)\s*$
             <mdre-<mode>>
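
Review bot: The new "Remote closed connection" alternative in the second failregex line is shared by every prefix that prefregex accepts, so it also applies to pop3-login and imap-login lines and to lines with no login prefix, not only to submission-login. That looks acceptable because a match still requires the "(auth failed, ...)" or "tried to use ... auth" reason and "rip=<HOST>", but the commit message should say so. The sample line in the report is cut off at "...", so please add a complete submission-login line (including the rip= part) as a test case so the <HOST> capture can be checked. The regex lines are also wrapped in the mail body, so the patch will not apply as posted; resending it as an attachment would avoid that.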

Best regards.
François

-- System Information:
Debian Release: buster

--- End Message ---
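
Added example (not part of the original report and not fail2ban's own code): a Python check of the auth-failure pattern from the patch against both log formats, showing that the prefix change alone is not enough and both edits are needed. Assumptions: `HOST` and `PREFIX` are simplified stand-ins for fail2ban's `<HOST>` and `%(__prefix_line)s`, `build` and `banned_host` are hypothetical helper names, and the log lines are constructed from the report's two samples with a made-up tail.

```python
import re

# Assumption: <HOST> reduced to IPv4 only; fail2ban's own <HOST> is broader.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Assumption: simplified stand-in for %(__prefix_line)s ("... dovecot[pid]: ").
PREFIX = r"^.*?\bdovecot(?:\[\d+\])?: "

def build(services, events):
    """Join the login-service prefix and the auth-failure line of failregex."""
    return re.compile(
        PREFIX + r"(?:(?:" + services + r")-login: )?(?:Info: )?"
        r"(?:" + events + r")(?::(?: [^ \(]+)+)? "
        r"\((?:auth failed, \d+ attempts(?: in \d+ secs)?"
        r"|tried to use (?:disabled|disallowed) \S+ auth)\):"
        r"(?: user=<[^>]*>,)?(?: method=\S+,)? rip=" + HOST +
        r"(?:[^>]*(?:, session=<\S+>)?)\s*$"
    )

OLD = build("pop3|imap", "Aborted login|Disconnected")
PREFIX_ONLY = build("pop3|imap|submission", "Aborted login|Disconnected")
NEW = build("pop3|imap|submission",
            "Aborted login|Disconnected|Remote closed connection")

# Constructed tail (documentation address ranges); the report elides this part.
TAIL = ("user=<alice>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, "
        "TLS, session=<c0nstructed>")
LINES = {
    "imap": "Jan  5 16:43:55 mx1 dovecot: imap-login: Disconnected "
            "(auth failed, 3 attempts in 14 secs): " + TAIL,
    "submission": "janv. 06 14:53:12 mx1 dovecot[21994]: submission-login: "
                  "Remote closed connection "
                  "(auth failed, 1 attempts in 7 secs): " + TAIL,
    # Constructed: a disconnect with no failed login must not be matched.
    "benign": "Jan  6 15:01:40 mx1 dovecot[21994]: submission-login: "
              "Remote closed connection (no auth attempts in 2 secs): "
              "rip=203.0.113.7, lip=192.0.2.10, session=<c0nstructed>",
}

def banned_host(regex, line):
    """Return the address the filter would report, or None if no match."""
    m = regex.search(line)
    return m.group("host") if m else None

if __name__ == "__main__":
    for name, line in LINES.items():
        print(name, [banned_host(r, line) for r in (OLD, PREFIX_ONLY, NEW)])
```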
--- Begin Message ---
X-CrossAssassin-Score: 30634

--- End Message ---
