From bc74827de251e8b5a24168efd2a0f6ad8e029295 Mon Sep 17 00:00:00 2001
From: "Adam D. Barratt"
Date: Fri, 27 Sep 2019 14:36:41 +0100
Subject: [PATCH] fail2ban: split dsa-exim into strict and not-so-strict checks

The not-so-strict checks need more provocation to add a ban

Signed-off-by: Adam D. Barratt
---
 modules/fail2ban/files/filter/dsa-exim-strict.conf | 7 +++++++
 modules/fail2ban/files/filter/dsa-exim.conf | 3 +--
 modules/fail2ban/files/jail/dsa-exim-strict.conf | 8 ++++++++
 modules/fail2ban/files/jail/dsa-exim.conf | 4 ++--
 4 files changed, 18 insertions(+), 4 deletions(-)
 create mode 100644 modules/fail2ban/files/filter/dsa-exim-strict.conf
 create mode 100644 modules/fail2ban/files/jail/dsa-exim-strict.conf

diff --git a/modules/fail2ban/files/filter/dsa-exim-strict.conf b/modules/fail2ban/files/filter/dsa-exim-strict.conf
new file mode 100644
index 000000000..33310abc1
--- /dev/null
+++ b/modules/fail2ban/files/filter/dsa-exim-strict.conf
@@ -0,0 +1,7 @@
+#
+
+[INCLUDES]
+before = exim-common.conf
+
+[Definition]
+failregex = ^%(pid)s SMTP protocol error in "(?i:AUTH LOGIN)" .* \[\] AUTH command used when not advertised$
diff --git a/modules/fail2ban/files/filter/dsa-exim.conf b/modules/fail2ban/files/filter/dsa-exim.conf
index 64c8c1eb6..84f921e09 100644
--- a/modules/fail2ban/files/filter/dsa-exim.conf
+++ b/modules/fail2ban/files/filter/dsa-exim.conf
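Review bot: The new strict failregex reaches the bracketed host through `.*`, while the other dsa-exim patterns use the `%(host_info)s` substitution from exim-common.conf; because this filter feeds a jail that bans on a single match, it deserves the tighter form. Assuming exim-common.conf carries the stock host_info definition, the line could read `failregex = ^%(pid)s SMTP protocol error in "(?i:AUTH LOGIN)" %(host_info)sAUTH command used when not advertised\s*$`. As shown here the host brackets are empty (`\[\]`), which may be a rendering loss; the committed file needs fail2ban's host tag there or the pattern has nothing to ban. The bare `#` header would also be a good place for a line saying which behaviour counts as strict.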
@@ -4,8 +4,7 @@ before = exim-common.conf [Definition]
-failregex = ^%(pid)s SMTP protocol error in "(?i:AUTH LOGIN)" .* \[\] AUTH command used when not advertised$
- ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
+failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
 ^%(pid)s \w+ authenticator failed for (\S+ )?\(\S+\) \[\](:\d+)?( I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
 ^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user|Unrouteable address|Invalid local part)\s*$
 ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$
diff --git a/modules/fail2ban/files/jail/dsa-exim-strict.conf b/modules/fail2ban/files/jail/dsa-exim-strict.conf
new file mode 100644
index 000000000..3030e4908
--- /dev/null
+++ b/modules/fail2ban/files/jail/dsa-exim-strict.conf
@@ -0,0 +1,8 @@
+[dsa-exim-strict]
+enabled = true
+filter = dsa-exim-strict
+port = smtp,ssmtp,submission
+logpath = /var/log/exim4/mainlog
+maxretry = 1
+findtime = 3600
+bantime = 10800
diff --git a/modules/fail2ban/files/jail/dsa-exim.conf b/modules/fail2ban/files/jail/dsa-exim.conf
index fcf9a5ec8..412c028f3 100644
--- a/modules/fail2ban/files/jail/dsa-exim.conf
+++ b/modules/fail2ban/files/jail/dsa-exim.conf
@@ -3,6 +3,6 @@ enabled = true
 filter = dsa-exim
 port = smtp,ssmtp,submission
 logpath = /var/log/exim4/mainlog
-maxretry = 1
-findtime = 3600
+maxretry = 6
+findtime = 900
 bantime = 10800
-- 
2.20.1
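Review bot: With `maxretry = 1` in the new dsa-exim-strict jail, a single matching log line bans the address for three hours on all three mail ports, and nothing in this jail exempts known hosts. A mail client that is merely misconfigured to send AUTH before it is offered would be locked out of submission as well, so it is worth confirming that an `ignoreip` list is inherited from the site defaults (not visible in this patch) or adding one here. `findtime = 3600` has little effect at this threshold; a comment such as `# ban on first match; findtime kept only for consistency with dsa-exim` would save the next reader the question.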
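Review bot: Raising `maxretry` to 6 while also cutting `findtime` to 900 in jail/dsa-exim.conf relaxes the threshold for every pattern left in the dsa-exim filter, including the `535 Incorrect authentication data` one shown in the filter hunk. An address that stays at five failed logins per fifteen minutes is never banned, so repeated login failures below that rate go unchecked by this jail. If the aim is only to tolerate occasional sender-verify and RCPT rejections, keeping `findtime = 3600` with `maxretry = 6`, or moving the authenticator pattern to a jail with a lower threshold, would preserve that tolerance without widening the login window.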