# Fail2Ban filter for Sendmail 8.16.1 authentication failures
#
# Sendmail since 8.16.0.41 which built with _FFR_AUTH_FAIL_LOG_USER
# Sendmail 8.16.1 or newer

[INCLUDES]

before = common.conf

[Definition]

_daemon = (?:sendmail|sm-(?:mta|acceptingconnections))
# "\w{14,20}" will give support for IDs from 14 up to 20 characters long
__prefix_line = %(known/__prefix_line)s(?:\w{14,20}: )?
addr = (?:IPv6:<IP6>|<IP4>)

prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID><F-CONTENT>.+</F-CONTENT>$

failregex = ^AUTH failure \(LOGIN\):(?: [^:]+:)? authentication failure: checkpass failed, user=<F-USER>(?:\S+|.*?)</F-USER>, relay=(?:\S+ )?\[%(addr)s\](?: \(may be forged\))?$

ignoreregex =

journalmatch = _SYSTEMD_UNIT=sendmail.service

# DEV Notes:
#
# Author: Daniel Black