# Fail2Ban filter for Sendmail authentication failures
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = (?:sendmail|sm-(?:mta|acceptingconnections))
# "\w{14,20}" will give support for IDs from 14 up to 20 characters long
__prefix_line = %(known/__prefix_line)s(?:\w{14,20}: )?
addr = (?:IPv6:<IP6>|<IP4>)

prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID><F-CONTENT>.+</F-CONTENT>$

failregex = ^(\S+ )?\[%(addr)s\]( \(may be forged\))?: possible SMTP attack: command=AUTH, count=\d+$

ignoreregex =

journalmatch = _SYSTEMD_UNIT=sendmail.service

# DEV Notes:
#
# Author: Daniel Black