Bug 1401360

Summary: postfix-rbl.conf regex for "454 4.7.1" should be "554 5.7.1" for default postfix reject_rbl_client
Product: [Fedora] Fedora EPEL
Reporter: Danen Brücker <dmbrucker>
Component: fail2ban
Assignee: Orion Poplawski <orion>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: epel7
CC: athmanem, orion, vonsch
Hardware: x86_64
OS: Unspecified
Fixed In Version: fail2ban-0.10.4-1.el7
Last Closed: 2019-12-09 02:09:09 UTC
Type: Bug

Description Danen Brücker 2016-12-05 02:23:12 UTC
Description of problem:
The default /etc/fail2ban/filter.d/postfix-rbl.conf is looking for the wrong regex/code according to what postfix logs. /etc/fail2ban/filter.d/postfix-rbl.conf is looking for "...454 4.7.1...". Enabling "reject_rbl_client" in /etc/postfix/main.cf logs offenders as "...554 5.7.1..." which misses the fail2ban rule.


Version-Release number of selected component (if applicable):
[root@server filter.d]# rpm -q postfix
postfix-2.10.1-6.el7.x86_64
[root@server filter.d]# rpm -q fail2ban
fail2ban-0.9.5-3.el7.noarch

How reproducible:
1) With a default installation of postfix with at least one instance of reject_rbl_client xxx in main.cf (likely in smtpd_recipient_restrictions),
2) And fail2ban/postfix-rbl.conf enabled,
3) fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-rbl.conf
All log lines/offenders are missed by the default rule


Steps to Reproduce:
1. install postfix and fail2ban/postfix-rbl with at least one instance of "reject_rbl_client xxx" on incoming mail
2. wait for spammers to send mail from RBL'd IPs
3. fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-rbl.conf shows all lines as "missed"

Actual results:
[root@server filter.d]# fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-rbl.conf 

Running tests
=============

Use   failregex filter file : postfix-rbl, basedir: /etc/fail2ban
Use         log file : /var/log/maillog
Use         encoding : ANSI_X3.4-1968


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [5768] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
`-

Lines: 5768 lines, 0 ignored, 0 matched, 5768 missed
[processed in 0.58 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 5768 lines


Expected results:
[root@server filter.d]# fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-rbl.conf 

Running tests
=============

Use   failregex filter file : postfix-rbl, basedir: /etc/fail2ban
Use         log file : /var/log/maillog
Use         encoding : ANSI_X3.4-1968


Results
=======

Failregex: 2 total
|-  #) [# of hits] regular expression
|   1) [2] ^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel: \[ *\d+\.\d+\]\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?postfix(-\w+)?/smtpd(?:\(\S+\))?[\]\)]?:?|[\[\(]?postfix(-\w+)?/smtpd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?NOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 Service unavailable; Client host \[\S+\] blocked using .* from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [5768] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
`-

Lines: 5768 lines, 0 ignored, 2 matched, 5766 missed
[processed in 0.51 sec]


Additional info:
[root@server filter.d]# postconf -d | grep maps_rbl_reject_code
maps_rbl_reject_code = 554
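The mismatch described in this report, reproduced over constructed maillog lines: an added example in Python, not fail2ban's code or the filter shipped in the package. The failregex is a hand-simplified form of the one fail2ban-regex prints above (the <HOST> tag expanded by hand), and it goes slightly beyond the report by taking the reject code as a parameter, so one builder covers postfix's default maps_rbl_reject_code = 554 as well as a non-default value; the hostnames, addresses and RBL name are constructed (RFC 5737 ranges, example domains).

```python
import re

# Constructed sample maillog lines. The second line is what postfix logs with its
# default maps_rbl_reject_code = 554; the last one is what a site that set the code
# to 454 (a soft reject) would log, and is the only thing the 0.9.5 filter catches.
SAMPLE_MAILLOG = """\
Dec  4 21:15:02 server postfix/smtpd[12345]: connect from unknown[203.0.113.45]
Dec  4 21:15:03 server postfix/smtpd[12345]: NOQUEUE: reject: RCPT from unknown[203.0.113.45]: 554 5.7.1 Service unavailable; Client host [203.0.113.45] blocked using rbl.example.net; from=<spammer@example.com> to=<user@example.org> proto=ESMTP helo=<mail.example.com>
Dec  4 21:15:04 server postfix/smtpd[12345]: disconnect from unknown[203.0.113.45]
Dec  4 21:16:10 server postfix/smtpd[12346]: NOQUEUE: reject: RCPT from mx.example.net[198.51.100.7]: 454 4.7.1 Service unavailable; Client host [198.51.100.7] blocked using rbl.example.net; from=<bob@example.net> to=<user@example.org> proto=ESMTP helo=<mx.example.net>
"""

# fail2ban replaces <HOST> in a failregex with a host-capturing group; this is a
# simplified stand-in for that substitution, not fail2ban's own expansion.
HOST = r"(?P<host>[\w\-.^_]*\w)"


def rbl_failregex(reject_code: str) -> re.Pattern:
    """Build a postfix-rbl style failregex for a given SMTP reply code.

    reject_code is the value of postfix's maps_rbl_reject_code (default "554");
    the enhanced status class (5.7.1 vs 4.7.1) follows from its first digit.
    """
    klass = reject_code[0]
    return re.compile(
        r"postfix(?:-\w+)?/smtpd(?:\[\d+\])?: NOQUEUE: reject: RCPT from \S+\[" + HOST
        + r"\]: " + re.escape(reject_code) + r" " + klass + r"\.7\.1 Service unavailable; "
        r"Client host \[\S+\] blocked using .* from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$"
    )


def matched_hosts(log_text: str, pattern: re.Pattern) -> list:
    """Return the offending client IPs from every log line the pattern matches."""
    return [m.group("host") for m in map(pattern.search, log_text.splitlines()) if m]


# What the 0.9.5 filter looked for ...
OLD = rbl_failregex("454")
# ... and what postfix actually logs with the default reject code.
FIXED = rbl_failregex("554")

if __name__ == "__main__":
    print("454 4.7.1 pattern matched:", matched_hosts(SAMPLE_MAILLOG, OLD))
    print("554 5.7.1 pattern matched:", matched_hosts(SAMPLE_MAILLOG, FIXED))
```

Feeding the same lines to fail2ban-regex with the shipped filter gives the "0 matched" result shown above; pointing the filter at 554 5.7.1 picks up the real rejection.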

Comment 1 Orion Poplawski 2016-12-05 03:16:32 UTC
Can you please file this upstream at https://github.com/fail2ban/fail2ban/issues ?

Thanks.

Comment 2 Danen Brücker 2016-12-05 04:28:15 UTC
Done.


https://github.com/fail2ban/fail2ban/issues/1634

Comment 3 Fedora Update System 2019-11-23 23:42:23 UTC
FEDORA-EPEL-2019-dac149ad76 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-dac149ad76

Comment 4 Fedora Update System 2019-11-24 01:30:52 UTC
fail2ban-0.10.4-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-dac149ad76

Comment 5 Fedora Update System 2019-12-09 02:09:09 UTC
fail2ban-0.10.4-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.