do fail2ban on postfix AUTH attempts on lists.d.o
authorPeter Palfrader <peter@palfrader.org>
Fri, 12 Oct 2018 09:11:52 +0000 (11:11 +0200)
committerPeter Palfrader <peter@palfrader.org>
Fri, 12 Oct 2018 09:11:52 +0000 (11:11 +0200)
modules/fail2ban/files/filter/dsa-postfix.conf [new file with mode: 0644]
modules/fail2ban/files/jail/dsa-postfix.conf [new file with mode: 0644]
modules/fail2ban/manifests/postfix.pp [new file with mode: 0644]
modules/postfix/manifests/init.pp

diff --git a/modules/fail2ban/files/filter/dsa-postfix.conf b/modules/fail2ban/files/filter/dsa-postfix.conf
new file mode 100644 (file)
index 0000000..b386886
--- /dev/null
@@ -0,0 +1,7 @@
+#
+
+[INCLUDES]
+before = common.conf
+
+[Definition]
+failregex = ^%(__prefix_line)slost connection after AUTH from \S+\[<HOST>\]$
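Review bot: The filter never sets `_daemon`, so `%(__prefix_line)s` on the failregex line falls back to the default from common.conf, which as far as I recall is a wildcard. The pattern would then accept a "lost connection after AUTH" line carrying any syslog tag in the mail log, not only one written by Postfix's smtpd. Adding `_daemon = postfix(-\w+)?/\w+(?:/smtp[ds])?` under `[Definition]`, as the stock postfix filter does, narrows which log lines can trigger a ban. The header is a bare `#`; a one-line comment such as `# Ban clients that drop the SMTP connection after starting AUTH` would say what the filter is for.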
diff --git a/modules/fail2ban/files/jail/dsa-postfix.conf b/modules/fail2ban/files/jail/dsa-postfix.conf
new file mode 100644 (file)
index 0000000..354f8de
--- /dev/null
@@ -0,0 +1,7 @@
+[dsa-postfix]
+enabled = true
+filter = dsa-postfix
+port = smtp,ssmtp
+logpath = /var/log/mail.log
+maxretry = 4
+bantime = 3600
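Review bot: `port = smtp,ssmtp` leaves out the submission port, so if Postfix on this host also offers AUTH on 587, a banned address can carry on there; `port = smtp,ssmtp,submission` would cover it. Whether 587 is open is not visible in this commit, so confirm against master.cf first. The jail also relies on the global `findtime` and `ignoreip` defaults. Stating `findtime` next to `maxretry = 4` would make the threshold readable in one place. Clients that lose the connection mid-AUTH for benign reasons are counted too, so an `ignoreip` entry for known relays may be worth adding.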
diff --git a/modules/fail2ban/manifests/postfix.pp b/modules/fail2ban/manifests/postfix.pp
new file mode 100644 (file)
index 0000000..4b54566
--- /dev/null
@@ -0,0 +1,10 @@
+class fail2ban::postfix inherits fail2ban {
+       file { '/etc/fail2ban/filter.d/dsa-postfix.conf':
+               source => 'puppet:///modules/fail2ban/filter/dsa-postfix.conf',
+               notify  => Service['fail2ban'],
+       }
+       file { '/etc/fail2ban/jail.d/dsa-postfix.conf':
+               source => 'puppet:///modules/fail2ban/jail/dsa-postfix.conf',
+               notify  => Service['fail2ban'],
+       }
+}
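Review bot: Neither `file` resource sets `owner`, `group` or `mode`, so the permissions of the deployed filter and jail depend on site-wide `File` defaults that are not visible here. These files decide which addresses get firewalled, so they are worth pinning with `owner => 'root', group => 'root', mode => '0444',` in both resources, unless the defaults already guarantee that. Two minor style points: `source =>` and `notify  =>` are not aligned to the same column, and the class has no header comment saying which hosts are expected to include it.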
index 67cb8d7..8c1d2b2 100644 (file)
@@ -28,6 +28,8 @@ class postfix {
                        order  => '000',
                        content => template('postfix/main.cf-header.erb')
                }
+       } else {
+               include fail2ban::postfix
        }
 
        exec { 'service postfix reload':
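Review bot: The `include fail2ban::postfix` sits in the `else` of a condition that starts above this hunk, so the jail is enabled on every host that takes that branch rather than on an explicitly named set, while the commit title mentions only lists.d.o. If a host reaches this branch without Postfix offering AUTH, or without a `/var/log/mail.log`, fail2ban may refuse to start the jail there; I believe older releases treat a missing logpath as an error. A short comment on the `else` saying which hosts land here and why they need the jail, or an explicit guard around the include, would make the intent checkable. The class body continues beyond the hunk.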