[Python-modules-team] Bug#930287: fail2ban: With Postfix, "lost connection after AUTH" never matches because the warn log is used
Vincent Lefevre
vincent at vinc17.net
Tue Mar 3 10:22:21 GMT 2020
Hi,

On 2019-06-09 19:33:49 -0400, Christopher David Howie wrote:
> fail2ban provides the following configuration, which does not work on Debian
> by default.
>
> In /etc/fail2ban/filter.d/postfix.conf:
>
> ^%(__prefix_line)slost connection after AUTH from \S+\[<HOST>\]$
>
> In /etc/fail2ban/paths-common.conf:
>
> postfix_log = %(syslog_mail_warn)s
>
> However, Postfix does not log "lost connection after AUTH" messages at warn
> severity by default on Debian. Replacing the log source line with this
> corrects the issue:
>
> postfix_log = %(syslog_mail)s

No, I don't think there is any issue (or this has been fixed in
Debian 10 buster): in /etc/fail2ban/paths-debian.conf one has:

syslog_mail = /var/log/mail.log
# control the `mail.warn` setting, see `/etc/rsyslog.d/50-default.conf` (if commented `mail.*` wins).
# syslog_mail_warn = /var/log/mail.warn
syslog_mail_warn = %(syslog_mail)s

Thus it is /var/log/mail.log that is used for postfix_log.

BTW, I can see lines for both postfix and postfix-sasl in my
fail2ban log files.

--
Vincent Lefèvre <vincent at vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
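
Added example (not part of the original message and not fail2ban's own code): the `postfix_log` lookup chain discussed above, traced with Python's `configparser` over constructed excerpts that contain only the lines quoted in this thread. It assumes paths-debian.conf is layered over paths-common.conf so that later definitions win; `trace` and the excerpt names are hypothetical.

```python
import configparser
import re

# Constructed excerpts: only the settings quoted in the thread above.
PATHS_COMMON = """
[DEFAULT]
postfix_log = %(syslog_mail_warn)s
"""

# paths-debian.conf as quoted in the reply: mail.warn aliased to mail.log.
PATHS_DEBIAN_ALIASED = """
[DEFAULT]
syslog_mail = /var/log/mail.log
syslog_mail_warn = %(syslog_mail)s
"""

# Variant with the commented-out line enabled instead (separate mail.warn file).
PATHS_DEBIAN_SPLIT = """
[DEFAULT]
syslog_mail = /var/log/mail.log
syslog_mail_warn = /var/log/mail.warn
"""

REF = re.compile(r"%\((\w+)\)s")  # a value that is exactly one %(name)s reference


def trace(option, *layers):
    """Return the reference chain for `option`, ending in the concrete value.

    Layers are read in order, so a later layer overrides an earlier one
    (assumption about how the two path files combine).
    """
    cp = configparser.ConfigParser(interpolation=None)  # keep raw %(name)s text
    for text in layers:
        cp.read_string(text)
    chain = [option]
    value = cp.get("DEFAULT", option)
    while (m := REF.fullmatch(value)):
        if m.group(1) in chain:
            raise ValueError("circular reference: " + " -> ".join(chain))
        chain.append(m.group(1))
        value = cp.get("DEFAULT", m.group(1))
    chain.append(value)
    return chain


if __name__ == "__main__":
    for name, debian in (("aliased", PATHS_DEBIAN_ALIASED), ("split", PATHS_DEBIAN_SPLIT)):
        print(name, " -> ".join(trace("postfix_log", PATHS_COMMON, debian)))
```

With the aliased variant the chain ends at /var/log/mail.log; with the split variant it ends at /var/log/mail.warn, which is the situation the original report describes.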